Re: [PATCH v6 30/43] arm64: rme: Prevent Device mappings for Realms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/13/24 1:55 AM, Steven Price wrote:
Physical device assignment is not yet supported by the RMM, so it
doesn't make much sense to allow device mappings within the realm.
Prevent them when the guest is a realm.

Signed-off-by: Steven Price <steven.price@xxxxxxx>
---
Changes from v5:
  * Also prevent accesses in user_mem_abort()
---
  arch/arm64/kvm/mmu.c | 12 ++++++++++++
  1 file changed, 12 insertions(+)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 9ede143ccef1..cef7c3dcbf99 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1149,6 +1149,10 @@ int kvm_phys_addr_ioremap(struct kvm *kvm, phys_addr_t guest_ipa,
  	if (is_protected_kvm_enabled())
  		return -EPERM;
+ /* We don't support mapping special pages into a Realm */
+	if (kvm_is_realm(kvm))
+		return -EINVAL;
+

		return -EPERM;

  	size += offset_in_page(guest_ipa);
  	guest_ipa &= PAGE_MASK;
@@ -1725,6 +1729,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
  	if (exec_fault && device)
  		return -ENOEXEC;
+ /*
+	 * Don't allow device accesses to protected memory as we don't (yet)
+	 * support protected devices.
+	 */
+	if (device && kvm_is_realm(kvm) &&
+	    kvm_gpa_from_fault(kvm, fault_ipa) == fault_ipa)
+		return -EINVAL;
+

s/kvm_is_realm/vcpu_is_rec

I don't understand the check very well. What I understood is mem_abort() is called
only when kvm_gpa_from_fault(kvm, fault_ipa) != fault_ipa, meaning only the page
faults in the shared address space is handled by mem_abort(). So I guess we perhaps
need something like below.

	if (vcpu_is_rec(vcpu) && device)
		return -EPERM;

kvm_handle_guest_abort
  kvm_slot_can_be_private
    private_memslot_fault	// page fault in the private space is handled here
  io_mem_abort			// MMIO emulation is handled here
  user_mem_abort                // page fault in the shared space is handled here

  	/*
  	 * Potentially reduce shadow S2 permissions to match the guest's own
  	 * S2. For exec faults, we'd only reach this point if the guest

Thanks,
Gavin





[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux