Hi, This patch series contains a proposed extension to pKVM that allows MTE to be exposed to the protected guests. It is based on the base pKVM series previously sent to the list [1] and later rebased to 5.19-rc2 and uploaded to [2]. This series takes precautions against host compromise of the guests via direct access to their tag storage, by preventing the host from accessing the tag storage via stage 2 page tables. The device tree must describe the physical memory address of the tag storage, if any, and the memory nodes must declare that the tag storage location is described. Otherwise, the MTE feature is disabled in protected guests. Now that we can easily do so, we also prevent the host from accessing any unmapped reserved-memory regions without a driver, as the host has no business accessing that memory. A proposed extension to the devicetree specification is available at [3], a patched version of QEMU that produces the required device tree nodes is available at [4] and a patched version of the crosvm hypervisor that enables MTE is available at [5]. [1] https://lore.kernel.org/all/20220519134204.5379-1-will@xxxxxxxxxx/ [2] https://android-kvm.googlesource.com/linux/ for-upstream/pkvm-base-v2 [3] https://github.com/pcc/devicetree-specification mte-alloc [4] https://github.com/pcc/qemu mte-shared-alloc [5] https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3719324 Peter Collingbourne (3): KVM: arm64: add a hypercall for disowning pages KVM: arm64: disown unused reserved-memory regions KVM: arm64: allow MTE in protected VMs if the tag storage is known arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/kvm_host.h | 6 ++ arch/arm64/include/asm/kvm_pkvm.h | 4 +- arch/arm64/kernel/image-vars.h | 3 + arch/arm64/kvm/arm.c | 83 ++++++++++++++++++- arch/arm64/kvm/hyp/include/nvhe/mem_protect.h | 1 + arch/arm64/kvm/hyp/include/nvhe/pkvm.h | 1 + arch/arm64/kvm/hyp/nvhe/hyp-main.c | 9 ++ arch/arm64/kvm/hyp/nvhe/mem_protect.c | 11 +++ arch/arm64/kvm/hyp/nvhe/pkvm.c | 8 +- arch/arm64/kvm/hyp/pgtable.c | 5 +- arch/arm64/kvm/mmu.c | 4 +- 12 files changed, 126 insertions(+), 10 deletions(-) -- 2.37.0.rc0.104.g0611611a94-goog _______________________________________________ kvmarm mailing list kvmarm@xxxxxxxxxxxxxxxxxxxxx https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
