[PATCH v10 08/43] kvm: arm64: Don't expose debug capabilities for realm guests

Steven Price posted 43 patches 5 months, 3 weeks ago
There is a newer version of this series
[PATCH v10 08/43] kvm: arm64: Don't expose debug capabilities for realm guests
Posted by Steven Price 5 months, 3 weeks ago
From: Suzuki K Poulose <suzuki.poulose@arm.com>

RMM v1.0 provides no mechanism for the host to perform debug operations
on the guest. So don't expose KVM_CAP_SET_GUEST_DEBUG and report 0
breakpoints and 0 watch points.

Reviewed-by: Gavin Shan <gshan@redhat.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
---
Changes since v7:
 * Remove the helper functions and inline the kvm_is_realm() check with
   a ternary operator.
 * Rewrite the commit message to explain this patch.
---
 arch/arm64/kvm/arm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 1acee3861e55..8c0e9ec34f0a 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -331,7 +331,6 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 	case KVM_CAP_ARM_IRQ_LINE_LAYOUT_2:
 	case KVM_CAP_ARM_NISV_TO_USER:
 	case KVM_CAP_ARM_INJECT_EXT_DABT:
-	case KVM_CAP_SET_GUEST_DEBUG:
 	case KVM_CAP_VCPU_ATTRIBUTES:
 	case KVM_CAP_PTP_KVM:
 	case KVM_CAP_ARM_SYSTEM_SUSPEND:
@@ -340,6 +339,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 	case KVM_CAP_ARM_WRITABLE_IMP_ID_REGS:
 		r = 1;
 		break;
+	case KVM_CAP_SET_GUEST_DEBUG:
+		r = !kvm_is_realm(kvm);
+		break;
 	case KVM_CAP_SET_GUEST_DEBUG2:
 		return KVM_GUESTDBG_VALID_MASK;
 	case KVM_CAP_ARM_SET_DEVICE_ADDR:
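
Review bot: the unchanged KVM_CAP_SET_GUEST_DEBUG2 case directly after the new one still returns KVM_GUESTDBG_VALID_MASK with no kvm_is_realm() check, so for a realm this function reports KVM_CAP_SET_GUEST_DEBUG as 0 while still advertising a non-zero set of debug flags. If host debug is unavailable for realms, return 0 there as well, for example `return kvm_is_realm(kvm) ? 0 : KVM_GUESTDBG_VALID_MASK;`, or state in the commit message why the mask is left unchanged. Since this function only reports capabilities, the commit message should also point to where the corresponding ioctl is rejected for a realm.
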
@@ -391,10 +393,10 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 		r = cpus_have_final_cap(ARM64_HAS_HCR_NV1);
 		break;
 	case KVM_CAP_GUEST_DEBUG_HW_BPS:
-		r = get_num_brps();
+		r = kvm_is_realm(kvm) ? 0 : get_num_brps();
 		break;
 	case KVM_CAP_GUEST_DEBUG_HW_WPS:
-		r = get_num_wrps();
+		r = kvm_is_realm(kvm) ? 0 : get_num_wrps();
 		break;
 	case KVM_CAP_ARM_PMU_V3:
 		r = kvm_supports_guest_pmuv3();
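
Review bot: the two new ternaries under KVM_CAP_GUEST_DEBUG_HW_BPS and KVM_CAP_GUEST_DEBUG_HW_WPS return a bare 0 for realms with no comment saying why. A one-line comment above the first case, noting that the host has no mechanism to debug a realm guest, would keep the reason next to the code rather than only in the commit log. It would also make clear that the 0 describes what the host can use for debugging the guest, not a property of the hardware that get_num_brps() and get_num_wrps() report.
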
-- 
2.43.0
Re: [PATCH v10 08/43] kvm: arm64: Don't expose debug capabilities for realm guests
Posted by Marc Zyngier 4 months, 1 week ago
On Wed, 20 Aug 2025 15:55:28 +0100,
Steven Price <steven.price@arm.com> wrote:
> 
> From: Suzuki K Poulose <suzuki.poulose@arm.com>
> 
> RMM v1.0 provides no mechanism for the host to perform debug operations
> on the guest. So don't expose KVM_CAP_SET_GUEST_DEBUG and report 0
> breakpoints and 0 watch points.

What is the guest seeing for the same things?

	M.

-- 
Without deviation from the norm, progress is not possible.
Re: [PATCH v10 08/43] kvm: arm64: Don't expose debug capabilities for realm guests
Posted by Steven Price 4 months, 1 week ago
On 01/10/2025 14:11, Marc Zyngier wrote:
> On Wed, 20 Aug 2025 15:55:28 +0100,
> Steven Price <steven.price@arm.com> wrote:
>>
>> From: Suzuki K Poulose <suzuki.poulose@arm.com>
>>
>> RMM v1.0 provides no mechanism for the host to perform debug operations
>> on the guest. So don't expose KVM_CAP_SET_GUEST_DEBUG and report 0
>> breakpoints and 0 watch points.
> 
> What is the guest seeing for the same things?

The number of breakpoints/watchpoints is configured using the usual
architectural register ID_AA64DFR0_EL1. So the VMM can configure the
guest as it pleases to be able to debug itself.

Obviously CCA is about the host not seeing into the guest so debugging
the guest is generally not permitted.

RMM v1.1 should provide some mechanisms for the host to debug a realm -
but this would also change the attestation measurement so needs buy in
from the guest's attestation flow. I don't think the RMM API for that is
finalised yet, and I certainly don't have any Linux patches.

Thanks,
Steve