- Feb 09, 2023
-
-
Suzuki Poulose authored
Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com>
-
- Jan 26, 2023
-
-
Steven Price authored
The upstream RMM currently advertises the major version of an internal prototype (v56.0) rather than the expected version from the RMM architecture specification (v1.0). Add a config option to enable support for the prototype RMI v56.0. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Always split up huge pages to avoid problems managing huge pages. There are two issues currently:
1. The uABI for the VMM allows populating memory on 4k boundaries even if the underlying allocator (e.g. hugetlbfs) is using a larger page size. Using a memfd for private allocations will push this issue onto the VMM as it will need to respect the granularity of the allocator.
2. The guest is able to request arbitrary ranges to be remapped as shared. Again with a memfd approach it will be up to the VMM to deal with the complexity and either overmap (need the huge mapping and add an additional 'overlapping' shared mapping) or reject the request as invalid due to the use of a huge page allocator.
For now just break everything down to 4k pages in the RMM controlled stage 2. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Given we have different types of VMs supported, check the support for SVE for the given instance of the VM to accurately report the status. Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Forward RSI_HOST_CALLS to KVM's HVC handler. Signed-off-by:
Joey Gouly <joey.gouly@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Extend KVM_SET_VCPU_EVENTS to support realms, where KVM cannot set the system registers, and the RMM must perform it on next REC entry. Signed-off-by:
Joey Gouly <joey.gouly@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Add the ioctl to activate a realm and set the static branch to enable access to the realm functionality if the RMM is detected. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
It doesn't make much sense and with the ABI as it is it's a footgun for the VMM which makes fatal granule protection faults easy to trigger. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM doesn't allow injection of an undefined exception into a realm guest. Add a WARN to catch if this ever happens. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM needs to be informed of the target REC when a PSCI call is made with an MPIDR argument. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM only allows setting the lower GPRS (x0-x7) and PC for a realm guest. Check this in kvm_arm_set_reg() so that the VMM can receive a suitable error return if other registers are accessed. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
When loading a realm VCPU much of the work is handled by the RMM so only some of the actions are required. Rearrange kvm_arch_vcpu_load() slightly so we can bail out early for a realm guest. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
At runtime if the realm guest accesses memory which hasn't yet been mapped then KVM needs to either populate the region or fault the guest. For memory in the lower (protected) region of IPA a fresh page is provided to the RMM which will zero the contents. For memory in the upper (shared) region of IPA, the memory from the memslot is mapped into the realm VM non secure. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The VMM needs to populate the realm with some data before starting (e.g. a kernel and initrd). This is measured by the RMM and used as part of the attestation later on. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
MMIO emulation for a realm cannot be done directly with the VM's registers as they are protected from the host. However the RMM interface provides a structure member for providing the read/written value and we can transfer this to the appropriate VCPU's register entry and then depend on the generic MMIO handling code in KVM. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Entering a realm is done using an SMC call to the RMM. On exit the exit-codes need to be handled slightly differently to the normal KVM path so define our own functions for realm enter/exit and hook them in if the guest is a realm guest. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Each page within the protected region of the realm guest can be marked as either RAM or EMPTY. Allow the VMM to control this before the guest has started and provide the equivalent functions to change this (with the guest's approval) at runtime. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM keeps track of the timer while the realm REC is running, but on exit to the normal world KVM is responsible for handling the timers. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM provides emulation of a VGIC to the realm guest but delegates much of the handling to the host. Implement support in KVM for saving/restoring state to/from the REC structure. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM maintains a data structure known as the Realm Execution Context (or REC). It is similar to struct kvm_vcpu and tracks the state of the virtual CPUs. KVM must delegate memory and request the structures are created when vCPUs are created, and suitably tear down on destruction. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM owns the stage 2 page tables for a realm, and KVM must request that the RMM creates/destroys entries as necessary. The physical pages to store the page tables are delegated to the realm as required, and can be undelegated when no longer used. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Pages can only be populated/destroyed on the RMM at the 4KB granule, this requires creating the full depth of RTTs. However if the pages are going to be combined into a 4MB huge page the last RTT is only temporarily needed. Similarly when freeing memory the huge page must be temporarily split requiring temporary usage of the full depth of RTTs. To avoid needing to perform a temporary allocation and delegation of a page for this purpose we keep a spare delegated page around. In particular this avoids the need for memory allocation while destroying the realm guest. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Previously machine type was used purely for specifying the physical address size of the guest. Reserve the higher bits to specify an ARM specific machine type and declare a new type 'KVM_VM_TYPE_ARM_REALM' used to create a realm guest. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Add the KVM_CAP_ARM_RME_CREATE_FD ioctl to create a realm. This involves delegating pages to the RMM to hold the Realm Descriptor (RD) and for the base level of the Realm Translation Tables (RTT). A VMID also needs to be picked, since the RMM has a separate VMID address space a dedicated allocator is added for this purpose. KVM_CAP_ARM_RME_CONFIG_REALM is provided to allow configuring the realm before it is created. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
There is one (multiplexed) CAP which can be used to create, populate and then activate the realm. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Query the RMI version number and check if it is a compatible version. A static key is also provided to signal that a supported RMM is available. Functions are provided to query if a VM or VCPU is a realm (or rec) which currently will always return false. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The wrappers make the call sites easier to read and deal with the boiler plate of handling the error codes from the RMM. Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The RMM (Realm Management Monitor) provides functionality that can be accessed by SMC calls from the host. The SMC definitions are based on DEN0137[1] version A-bet0.
[1] https://developer.arm.com/documentation/den0137/latest
Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
If the host attempts to access granules that have been delegated for use in a realm these accesses will be caught and will trigger a Granule Protection Fault (GPF). A fault during a page walk signals a bug in the kernel and is handled by oopsing the kernel. A non-page walk fault could be caused by user space having access to a page which has been delegated to the kernel and will trigger a SIGBUS to allow debugging why user space is trying to access a delegated page. Signed-off-by:
Steven Price <steven.price@arm.com>
-
- Jan 23, 2023
-
-
Steven Price authored
The upstream RMM currently advertises the major version of an internal prototype (v12.0) rather than the expected version from the RMM architecture specification (v1.0). Add a config option to enable support for the prototype RSI v12.0. Signed-off-by:
Steven Price <steven.price@arm.com>
-
- Jan 20, 2023
-
-
Steven Price authored
Within a realm guest the ITS is emulated by the host. This means the allocations must have been made available to the host by a call to set_memory_decrypted(). Introduce an allocation function which performs this extra call. Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Device mappings need to be emulated by the VMM so must be mapped shared with the host. Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Device mappings (currently) need to be emulated by the VMM so must be mapped shared with the host. Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Use the memory encryption APIs to trigger an RSI call to request a transition between protected memory and shared memory (or vice versa) and updating the kernel's linear map of modified pages to flip the top bit of the IPA. This requires that block mappings are not used in the direct map for realm guests. Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Within a realm guest it's not possible for a device emulated by the VMM to access arbitrary guest memory. So force the use of bounce buffers to ensure that the memory the emulated devices are accessing is in memory which is explicitly shared with the host. Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
Make the PHYS_MASK_SHIFT dynamic for Realms. This is only required for masking the PFN from a pte entry. Elsewhere, we could still use the PA bits configured by the kernel. So, this patch:
-> renames PHYS_MASK_SHIFT -> MAX_PHYS_SHIFT as supported by the kernel
-> Makes PHYS_MASK_SHIFT -> Dynamic value of the (I)PA bit width
-> For a realm: reduces phys_mask_shift if the RMM reports a smaller configured size for the guest.
Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Override the set_fixmap_io to set shared permission for the host in case of a CC guest. For now we mark it shared unconditionally. Future changes could filter the physical address and make the decision accordingly. Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
For a realm guest it will be necessary to ensure IO mappings are shared so that the VMM can emulate the device. The following patch will provide an implementation of set_fixmap_io for arm64 setting the shared bit (if in a realm). Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
All I/O is by default considered non-secure for realms. As such mark them as shared with the host. Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-
Steven Price authored
The top bit of the configured IPA size is used as an attribute to control whether the address is protected or shared. Query the configuration from the RMM to ascertain which bit this is. Co-developed-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by:
Steven Price <steven.price@arm.com>
-