On 04/10/2024 16:27, Steven Price wrote:
> Physical device assignment is not yet supported by the RMM, so it
> doesn't make much sense to allow device mappings within the realm.
> Prevent them when the guest is a realm.
>
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> arch/arm64/kvm/mmu.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
> index 4f0403059c91..602c49eae90d 100644
> --- a/arch/arm64/kvm/mmu.c
> +++ b/arch/arm64/kvm/mmu.c
> @@ -1142,6 +1142,10 @@ int kvm_phys_addr_ioremap(struct kvm *kvm, phys_addr_t guest_ipa,
> if (is_protected_kvm_enabled())
> return -EPERM;
>
> + /* We don't support mapping special pages into a Realm */
> + if (kvm_is_realm(kvm))
> + return -EINVAL;
> +
I believe this is not sufficient. This is only called for GICv2 today.
But we also need to check in user_mem_abort() and only allow the
mapping if it targeting an unprotected IPA.
Something like:
diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 26d550ad8393..e433bf8376f2 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1710,6 +1710,9 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
if (exec_fault && device)
return -ENOEXEC;
+ if (device && kvm_gpa_from_fault(fault_ipa) != fault_ipa)
+ return -EINVAL;
+
/*
* Potentially reduce shadow S2 permissions to match the
guest's own
* S2. For exec faults, we'd only reach this point if the guest
Suzuki
> size += offset_in_page(guest_ipa);
> guest_ipa &= PAGE_MASK;
>