This patch set is part 6 of this RFC patch series. It introduces EPT emulation for pKVM on the Intel platform.

Add EPT emulation through shadowing vEPT in the host VM.

The host VM launches its guest and manages that guest's memory through an EPT page table maintained in host KVM. Meanwhile, this EPT page table is untrusted to pKVM, so pKVM shall not directly use this EPT as the guest's active EPT. To ensure isolation of guest memory for protected VMs, the pKVM hypervisor shadows the guest's EPT in host KVM to build the active EPT page table after the necessary check (the check is based on page state management, which will be introduced later).

It's actually an emulation of the guest EPT page table: the guest EPT page table in host KVM is called "virtual EPT", while the active EPT page table in pKVM is called "shadow EPT". Shadow EPT in pKVM is initialized with empty mapping. A guest EPT violation leads to EPT shadowing. EPT shadowing first walks the virtual EPT in the host VM to find the virtual mapping, then sets up the same mapping in the shadow EPT - this will be updated in the future to be managed by page state. And for invept emulation, just simply free all the mappings of the shadow EPT for now.

pKVM on ARM uses PV ops to directly manage the stage-2 MMU page table in the hypervisor, while pKVM on the Intel platform chooses the above EPT emulation solution - it increases complexity by doing EPT shadowing but avoids changes in the KVM MMU code.

Chuanxiao Dong (12):
  pkvm: x86: Pre-define the maximum number of supported VMs
  pkvm: x86: init: Reserve memory for shadow EPT
  pkvm: x86: Initialize the shadow EPT pool
  pkvm: x86: Introduce shadow EPT
  pkvm: x86: Introduce vEPT to record guest EPT information
  pkvm: x86: Add API to get the max phys address bits
  pkvm: x86: Initialize ept_zero_check
  pkvm: x86: Add support for pKVM to handle the nested EPT violation
  pkvm: x86: Introduce PKVM_ASSERT
  pkvm: x86: add pkvm_pgtable_unmap_safe for a safe unmap
  pkvm: x86: Add INVEPT instruction emulation
  pkvm: x86: Switch to use shadow EPT for nested guests

Jason Chen CJ (1):
  pkvm: x86: Introduce shadow EPT invalidation support

 arch/x86/include/asm/kvm_pkvm.h           |  34 ++++
 arch/x86/kvm/vmx/pkvm/hyp/bug.h           |  23 +++
 arch/x86/kvm/vmx/pkvm/hyp/ept.c           | 238 +++++++++++++++++++++-
 arch/x86/kvm/vmx/pkvm/hyp/ept.h           |  24 +++
 arch/x86/kvm/vmx/pkvm/hyp/init_finalise.c |  13 ++
 arch/x86/kvm/vmx/pkvm/hyp/memory.c        |  27 +++
 arch/x86/kvm/vmx/pkvm/hyp/memory.h        |   3 +
 arch/x86/kvm/vmx/pkvm/hyp/mmu.c           |   4 +-
 arch/x86/kvm/vmx/pkvm/hyp/mmu.h           |   3 +-
 arch/x86/kvm/vmx/pkvm/hyp/nested.c        | 191 +++++++++++++++++
 arch/x86/kvm/vmx/pkvm/hyp/nested.h        |   1 +
 arch/x86/kvm/vmx/pkvm/hyp/pgtable.c       |  67 ++++--
 arch/x86/kvm/vmx/pkvm/hyp/pgtable.h       |   4 +-
 arch/x86/kvm/vmx/pkvm/hyp/pkvm.c          |  36 +++-
 arch/x86/kvm/vmx/pkvm/hyp/pkvm_hyp.h      |  32 +++
 arch/x86/kvm/vmx/pkvm/hyp/vmexit.c        |   3 +
 arch/x86/kvm/vmx/pkvm/hyp/vmx.h           |  31 +++
 arch/x86/kvm/vmx/pkvm/pkvm_constants.c    |   3 +-
 arch/x86/kvm/vmx/pkvm/pkvm_host.c         |   3 +
 19 files changed, 711 insertions(+), 29 deletions(-)
 create mode 100644 arch/x86/kvm/vmx/pkvm/hyp/bug.h

--
2.25.1
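
Added example (not part of the patch series and not pKVM code): a toy single-level model of the shadowing flow the cover letter describes, showing that the guest only ever translates through the shadow EPT and that host edits to the virtual EPT take effect only after INVEPT and a fresh violation. The table layout, all function names, and the hypervisor-range check standing in for the later page-state check are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES    16                    /* toy guest-physical space, 4 KiB pages */
#define EPT_RWX   0x7ull                /* read/write/execute bits of an EPT entry */
#define ADDR_MASK (~0xfffull)
#define NO_MAP    UINT64_MAX
/* Assumed stand-in for the later page-state check: a hypervisor-owned range. */
#define HYP_BASE  0x100000ull
#define HYP_SIZE  0x10000ull

struct ept { uint64_t entry[NPAGES]; }; /* one level: entry[gfn] = hpa | perms */
static struct ept vept;                 /* virtual EPT: written by untrusted host KVM */
static struct ept sept;                 /* shadow EPT: hypervisor-owned, starts empty */
enum { SHADOW_OK = 0, SHADOW_NO_VMAP = -1, SHADOW_DENIED = -2 };

/* Host side: install a mapping in the virtual EPT (constructed helper). */
void host_set_vept(uint64_t gfn, uint64_t hpa) { if (gfn < NPAGES) vept.entry[gfn] = hpa | EPT_RWX; }

/* Guest EPT violation: walk vEPT, check the target, copy the mapping to shadow. */
int handle_ept_violation(uint64_t gpa)
{
    uint64_t gfn = gpa >> 12;
    if (gfn >= NPAGES || !(vept.entry[gfn] & EPT_RWX))
        return SHADOW_NO_VMAP;          /* nothing to shadow; host must map first */
    uint64_t hpa = vept.entry[gfn] & ADDR_MASK;
    if (hpa >= HYP_BASE && hpa < HYP_BASE + HYP_SIZE)
        return SHADOW_DENIED;           /* host pointed the guest at hypervisor memory */
    sept.entry[gfn] = vept.entry[gfn];
    return SHADOW_OK;
}

/* INVEPT emulation as described in the cover letter: drop every shadow mapping. */
void emulate_invept(void) { memset(&sept, 0, sizeof(sept)); }

/* The translation the guest actually runs on: shadow EPT only, never vEPT. */
uint64_t translate(uint64_t gpa)
{
    uint64_t gfn = gpa >> 12;
    if (gfn >= NPAGES || !(sept.entry[gfn] & EPT_RWX))
        return NO_MAP;
    return (sept.entry[gfn] & ADDR_MASK) | (gpa & 0xfff);
}

int main(void)
{
    host_set_vept(2, 0x5000);           /* constructed sample mapping */
    int rc = handle_ept_violation(0x2010);
    printf("fault -> %d, hpa %#llx\n", rc, (unsigned long long)translate(0x2010));
    return 0;
}
```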