From: Gavin Shan <gshan@redhat.com>
To: Steven Price <steven.price@arm.com>,
	kvm@vger.kernel.org, kvmarm@lists.linux.dev
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
	James Morse <james.morse@arm.com>,
	Oliver Upton <oliver.upton@linux.dev>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, Joey Gouly <joey.gouly@arm.com>,
	Alexandru Elisei <alexandru.elisei@arm.com>,
	Christoffer Dall <christoffer.dall@arm.com>,
	Fuad Tabba <tabba@google.com>,
	linux-coco@lists.linux.dev,
	Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>,
	Shanker Donthineni <sdonthineni@nvidia.com>,
	Alper Gun <alpergun@google.com>,
	"Aneesh Kumar K . V" <aneesh.kumar@kernel.org>
Subject: Re: [PATCH v7 23/45] KVM: arm64: Validate register access for a Realm VM
Date: Tue, 4 Mar 2025 15:29:38 +1000
Message-ID: <b4cc58db-b9d8-4cdb-8954-8697972a54ae@redhat.com>
In-Reply-To: <20250213161426.102987-24-steven.price@arm.com>

On 2/14/25 2:14 AM, Steven Price wrote:
> The RMM only allows setting the GPRS (x0-x30) and PC for a realm
> guest. Check this in kvm_arm_set_reg() so that the VMM can receive a
> suitable error return if other registers are accessed.
> 
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> Changes since v5:
>   * Upper GPRS can be set as part of a HOST_CALL return, so fix up the
>     test to allow them.
> ---
>   arch/arm64/kvm/guest.c | 40 ++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 40 insertions(+)
> 

The subject doesn't 100% match what has been done in this patch.
It's actually limiting the scope of the write operations. The question
is: do we need a similar limitation for the read operations? If not, it
would be nice to explain that in the change log :)

> diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
> index 2196979a24a3..ff0306650b39 100644
> --- a/arch/arm64/kvm/guest.c
> +++ b/arch/arm64/kvm/guest.c
> @@ -73,6 +73,24 @@ static u64 core_reg_offset_from_id(u64 id)
>   	return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
>   }
>   
> +static bool kvm_realm_validate_core_reg(u64 off)
> +{
> +	/*
> +	 * Note that GPRs can only sometimes be controlled by the VMM.
> +	 * For PSCI only X0-X6 are used, higher registers are ignored (restored
> +	 * from the REC).
> +	 * For HOST_CALL all of X0-X30 are copied to the RsiHostCall structure.
> +	 * For emulated MMIO X0 is always used.
> +	 */
> +	switch (off) {
> +	case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
> +	     KVM_REG_ARM_CORE_REG(regs.regs[30]):
> +	case KVM_REG_ARM_CORE_REG(regs.pc):
> +		return true;
> +	}
> +	return false;
> +}
> +
>   static int core_reg_size_from_offset(const struct kvm_vcpu *vcpu, u64 off)
>   {
>   	int size;
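Review bot: in kvm_realm_validate_core_reg() the comment says the VMM can only sometimes control the GPRs (X0-X6 for PSCI, X0 for emulated MMIO), but the switch accepts every offset from regs.regs[0] to regs.regs[30] plus regs.pc unconditionally. A write to a higher register after a PSCI exit passes this check even though the comment says such registers are ignored and restored from the REC. Either say in the comment that the switch is deliberately the superset of what any exit type permits, or take the exit reason into account so the VMM gets an error for a write that will be dropped.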
> @@ -783,12 +801,34 @@ int kvm_arm_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
>   	return kvm_arm_sys_reg_get_reg(vcpu, reg);
>   }
>   
> +/*
> + * The RMI ABI only enables setting some GPRs and PC. The selection of GPRs
> + * that are available depends on the Realm state and the reason for the last
> + * exit.  All other registers are reset to architectural or otherwise defined
> + * reset values by the RMM, except for a few configuration fields that
> + * correspond to Realm parameters.
> + */
> +static bool validate_realm_set_reg(struct kvm_vcpu *vcpu,
> +				   const struct kvm_one_reg *reg)
> +{
> +	if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE) {
> +		u64 off = core_reg_offset_from_id(reg->id);
> +
> +		return kvm_realm_validate_core_reg(off);
> +	}
> +
> +	return false;
> +}
> +
>   int kvm_arm_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
>   {
>   	/* We currently use nothing arch-specific in upper 32 bits */
>   	if ((reg->id & ~KVM_REG_SIZE_MASK) >> 32 != KVM_REG_ARM64 >> 32)
>   		return -EINVAL;
>   
> +	if (kvm_is_realm(vcpu->kvm) && !validate_realm_set_reg(vcpu, reg))
> +		return -EINVAL;
> +
>   	switch (reg->id & KVM_REG_ARM_COPROC_MASK) {
>   	case KVM_REG_ARM_CORE:	return set_core_reg(vcpu, reg);
>   	case KVM_REG_ARM_FW:
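Review bot: the new check in kvm_arm_set_reg() returns -EINVAL, the same value as the malformed-id check directly above it, so a VMM cannot tell "bad register id" from "register not settable for a Realm". The commit message promises a suitable error return, so consider a distinct errno or document why -EINVAL is intended. Separately, validate_realm_set_reg() never uses its vcpu argument although its comment says the available GPRs depend on the Realm state and the reason for the last exit; drop the parameter or use it. kvm_arm_get_reg(), visible in the context at the top of this hunk, gets no equivalent check, which deserves a sentence in the changelog.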

Thanks,
Gavin

