From nobody Sat Feb 7 10:14:56 2026 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 445B9158520 for ; Fri, 29 Nov 2024 12:58:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732885086; cv=none; b=p4r+LgS3ZHMnlhmow8d6RkACtINojm3PyBdAtwG7EjNCHtGGhc7uaJ55nsX9BfUKTlAGHX18ebM0Px2wugXh5z0ImyVEp/fKJWq18EYYwlHnJDyOR3Pf0IdW+Fo+eJueDQ546CPLqSLSBOURxAcpC7EaNtLf+yb60M5o5X/GOJw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732885086; c=relaxed/simple; bh=N86aIaspaf9/OWHueYEllRRLdGM2qGulhJQm2YAviaA=; h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type; b=mnbTYRm0qHlex1Bpa15Bf9pAG+sB/I9XvpnZQDjv1fJGxhUBJDYavAt67e69gQ+U+HTlBt0kBJ8k5/NwhVynh4BW/KcKQeX/c1OXJo7oG8My6iKI6ckmspTdmGGS+LZNd/16aXHrIsVol0tvfU/3pK+cWg4+mII+NFfNYCJnAzw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--qperret.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=I5uu3JJo; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--qperret.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="I5uu3JJo" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-5d028dcdb47so1126460a12.2 for ; Fri, 29 Nov 2024 04:58:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1732885082; x=1733489882; darn=vger.kernel.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=iTo7mdsKhhMMv0NQ6W3WdpTpByHz4qODWqGMzHKiw1I=; b=I5uu3JJoEX29p1wIBvDB+7CDsvtyi9BJZCKdeVEVkRcmsKe6/ZzkXbzuT8Etvo0fZ3 GZGVntWJ5rWCknYy2vMJQzPXyqFzzWlw9CSZIS3XZo4Yqyo8ZBFb6P5ZAKRqtpMketYW loKvJ17EouQyLuYvvY+afOJ/9BiiHCIRtjT5qLiQnOwt6PPSYGJwvtM4G6kAYgxJ6zNt G+T7s/AhmxgLBi65ucEdvYsKSlVkSWOgma7UJKi6lleIizZn+jcsbd+2iPpdJf17CSRA snKNqjzn/IPqkQ0Uio8qg0SUDe65KmwNlzLONq1ZGLuxfLDJv8e4+PC7egN2HjWmi6n2 7HBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732885082; x=1733489882; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=iTo7mdsKhhMMv0NQ6W3WdpTpByHz4qODWqGMzHKiw1I=; b=A2FLzA4nLOmvnkeZ/V9pzj7MWOVrdwfaru+C5e6WV/3GVW+eAOGSU21Ev8FdToJNGW BAbLEABKJSUEFG3ClDDEQ++1w5OhDpaSCZThk/r33dsNTqDvR07uAqnx3Gl6HMxgzHWr W62LNY3+Mkfm7kguuWeYaEMhcrm8Dlpclhxg29k3aTRzID7iLmhXdQS0vnakhtP7dQNp PtbTe6Y9tIWvw3U/yXZQDGs7SPSOTtoigGIC3nEPFm9XIi+KSwBGdEdwM+IAWLv/HybE fi5jbjLFIIF0fMKrk0yfiIjd6l5DeYFKgywxcqlhMnhVewzzhTSK0isJa0FAyCltUhxT FnKg== X-Forwarded-Encrypted: i=1; AJvYcCU9Bntz0xS7Y+8q0DzOQaHOrLBw5uVzZbv1301h6J8zT+WSc86ieKhbivSlo80KBsOSq01SYBV/FOM71GQ=@vger.kernel.org X-Gm-Message-State: AOJu0Yy6K98GZaeScAdrK2NfDmmr4Seehjd/+B5Nz1nh2tIf6Sy4RJlE 3MSs+wXBvFwZYG9JCHzHrebZf6m43eH5EmK4Q2k2XNJbVB2Ni/58i0OZHBY95XFG3jF7LKKUW7F FSg/G1g== X-Google-Smtp-Source: AGHT+IE8LI59tC+qSLoKQ9kpy+7UR4VBfF+klcw+nBIw6XFRR92RWRwAjYNKTrXAmiQZO9b0XnadXq1XxO3S X-Received: from edya11.prod.google.com ([2002:aa7:cf0b:0:b0:5cf:ca78:ecdf]) (user=qperret job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6402:4402:b0:5cf:f248:7715 with SMTP id 4fb4d7f45d1cf-5d080c48680mr9111559a12.23.1732885082703; Fri, 29 Nov 2024 04:58:02 -0800 (PST) Date: Fri, 29 Nov 2024 12:58:00 +0000 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 X-Mailer: git-send-email 2.47.0.338.g60cca15819-goog Message-ID: <20241129125800.992468-1-qperret@google.com> Subject: [PATCH] KVM: arm64: Selftest for pKVM transitions From: Quentin Perret To: Marc Zyngier , Oliver Upton , Joey Gouly , Suzuki K Poulose , Zenghui Yu , Catalin Marinas , Will Deacon Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, qperret@google.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" We have recently found a bug [1] in the pKVM memory ownership transitions by code inspection, but it could have been caught with a test. Introduce a boot-time selftest exercising all the known pKVM memory transitions and importantly checks the rejection of illegal transitions. The new test is hidden behind a new Kconfig option separate from CONFIG_EL2_NVHE_DEBUG on purpose as that has side effects on the transition checks ([1] doesn't reproduce with EL2 debug enabled). [1] https://lore.kernel.org/kvmarm/20241128154406.602875-1-qperret@google.c= om/ Suggested-by: Will Deacon Signed-off-by: Quentin Perret --- arch/arm64/kvm/Kconfig | 10 ++ arch/arm64/kvm/hyp/include/nvhe/mem_protect.h | 6 + arch/arm64/kvm/hyp/nvhe/mem_protect.c | 110 ++++++++++++++++++ arch/arm64/kvm/hyp/nvhe/setup.c | 2 + 4 files changed, 128 insertions(+) diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig index ead632ad01b4..038d7f52232c 100644 --- a/arch/arm64/kvm/Kconfig +++ b/arch/arm64/kvm/Kconfig @@ -46,6 +46,7 @@ menuconfig KVM config NVHE_EL2_DEBUG bool "Debug mode for non-VHE EL2 object" depends on KVM + select PKVM_SELFTESTS help Say Y here to enable the debug mode for the non-VHE KVM EL2 object. Failure reports will BUG() in the hypervisor. This is intended for @@ -53,6 +54,15 @@ config NVHE_EL2_DEBUG =20 If unsure, say N. =20 +config PKVM_SELFTESTS + bool "Protected KVM hypervisor selftests" + help + Say Y here to enable Protected KVM (pKVM) hypervisor selftests + during boot. Failure reports will panic the hypervisor. This is + intended for EL2 hypervisor development. + + If unsure, say N. + config PROTECTED_NVHE_STACKTRACE bool "Protected KVM hypervisor stacktraces" depends on NVHE_EL2_DEBUG diff --git a/arch/arm64/kvm/hyp/include/nvhe/mem_protect.h b/arch/arm64/kvm= /hyp/include/nvhe/mem_protect.h index 0972faccc2af..a9b2677227cc 100644 --- a/arch/arm64/kvm/hyp/include/nvhe/mem_protect.h +++ b/arch/arm64/kvm/hyp/include/nvhe/mem_protect.h @@ -90,4 +90,10 @@ static __always_inline void __load_host_stage2(void) else write_sysreg(0, vttbr_el2); } + +#ifdef CONFIG_PKVM_SELFTESTS +void pkvm_ownership_selftest(void); +#else +static inline void pkvm_ownership_selftest(void) { } +#endif #endif /* __KVM_NVHE_MEM_PROTECT__ */ diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvh= e/mem_protect.c index e75374d682f4..6a01ffe3d117 100644 --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c @@ -1306,3 +1306,113 @@ int __pkvm_host_unshare_ffa(u64 pfn, u64 nr_pages) =20 return ret; } + +#ifdef CONFIG_PKVM_SELFTESTS +struct pkvm_expected_state { + enum pkvm_page_state host; + enum pkvm_page_state hyp; +}; + +static struct pkvm_expected_state selftest_state; +static struct hyp_page *selftest_page; + +static void assert_page_state(void) +{ + void *virt =3D hyp_page_to_virt(selftest_page); + u64 size =3D PAGE_SIZE << selftest_page->order; + u64 phys =3D hyp_virt_to_phys(virt); + + host_lock_component(); + WARN_ON(__host_check_page_state_range(phys, size, selftest_state.host)); + host_unlock_component(); + + hyp_lock_component(); + WARN_ON(__hyp_check_page_state_range((u64)virt, size, selftest_state.hyp)= ); + hyp_unlock_component(); +} + +#define assert_transition_res(res, fn, ...) \ + do { \ + WARN_ON(fn(__VA_ARGS__) !=3D res); \ + assert_page_state(); \ + } while (0) + +void pkvm_ownership_selftest(void) +{ + void *virt =3D hyp_alloc_pages(&host_s2_pool, 0); + u64 phys, size, pfn; + + WARN_ON(!virt); + selftest_page =3D hyp_virt_to_page(virt); + selftest_page->refcount =3D 0; + + size =3D PAGE_SIZE << selftest_page->order; + phys =3D hyp_virt_to_phys(virt); + pfn =3D hyp_phys_to_pfn(phys); + + selftest_state.host =3D PKVM_NOPAGE; + selftest_state.hyp =3D PKVM_PAGE_OWNED; + assert_page_state(); + assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_unshare_ffa, pfn, 1); + assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size); + + selftest_state.host =3D PKVM_PAGE_OWNED; + selftest_state.hyp =3D PKVM_NOPAGE; + assert_transition_res(0, __pkvm_hyp_donate_host, pfn, 1); + assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1); + assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size); + + selftest_state.host =3D PKVM_PAGE_SHARED_OWNED; + selftest_state.hyp =3D PKVM_PAGE_SHARED_BORROWED; + assert_transition_res(0, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1); + + assert_transition_res(0, hyp_pin_shared_mem, virt, virt + size); + WARN_ON(!hyp_page_count(virt)); + assert_transition_res(-EBUSY, __pkvm_host_unshare_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1); + + hyp_unpin_shared_mem(virt, virt + size); + assert_page_state(); + WARN_ON(hyp_page_count(virt)); + assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1); + + selftest_state.host =3D PKVM_PAGE_OWNED; + selftest_state.hyp =3D PKVM_NOPAGE; + assert_transition_res(0, __pkvm_host_unshare_hyp, pfn); + + selftest_state.host =3D PKVM_PAGE_SHARED_OWNED; + selftest_state.hyp =3D PKVM_NOPAGE; + assert_transition_res(0, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1); + assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn); + assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1); + assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size); + + selftest_state.host =3D PKVM_PAGE_OWNED; + selftest_state.hyp =3D PKVM_NOPAGE; + assert_transition_res(0, __pkvm_host_unshare_ffa, pfn, 1); + + selftest_state.host =3D PKVM_NOPAGE; + selftest_state.hyp =3D PKVM_PAGE_OWNED; + assert_transition_res(0, __pkvm_host_donate_hyp, pfn, 1); + + selftest_page->refcount =3D 1; + hyp_put_page(&host_s2_pool, virt); +} +#endif diff --git a/arch/arm64/kvm/hyp/nvhe/setup.c b/arch/arm64/kvm/hyp/nvhe/setu= p.c index cbdd18cd3f98..d154e80fe6b9 100644 --- a/arch/arm64/kvm/hyp/nvhe/setup.c +++ b/arch/arm64/kvm/hyp/nvhe/setup.c @@ -306,6 +306,8 @@ void __noreturn __pkvm_init_finalise(void) goto out; =20 pkvm_hyp_vm_table_init(vm_table_base); + + pkvm_ownership_selftest(); out: /* * We tail-called to here from handle___pkvm_init() and will not return, --=20 2.47.0.338.g60cca15819-goog