1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2020 Google LLC
4 * Author: Quentin Perret <qperret@google.com>
5 */
6
7 #include <linux/kvm_host.h>
8 #include <asm/kvm_emulate.h>
9 #include <asm/kvm_hyp.h>
10 #include <asm/kvm_mmu.h>
11 #include <asm/kvm_pgtable.h>
12 #include <asm/kvm_pkvm.h>
13 #include <asm/stage2_pgtable.h>
14
15 #include <hyp/fault.h>
16
17 #include <nvhe/gfp.h>
18 #include <nvhe/memory.h>
19 #include <nvhe/mem_protect.h>
20 #include <nvhe/mm.h>
21
22 #define KVM_HOST_S2_FLAGS (KVM_PGTABLE_S2_NOFWB | KVM_PGTABLE_S2_IDMAP)
23
24 struct host_mmu host_mmu;
25
26 static struct hyp_pool host_s2_pool;
27
28 static DEFINE_PER_CPU(struct pkvm_hyp_vm *, __current_vm);
29 #define current_vm (*this_cpu_ptr(&__current_vm))
30
guest_lock_component(struct pkvm_hyp_vm * vm)31 static void guest_lock_component(struct pkvm_hyp_vm *vm)
32 {
33 hyp_spin_lock(&vm->lock);
34 current_vm = vm;
35 }
36
guest_unlock_component(struct pkvm_hyp_vm * vm)37 static void guest_unlock_component(struct pkvm_hyp_vm *vm)
38 {
39 current_vm = NULL;
40 hyp_spin_unlock(&vm->lock);
41 }
42
host_lock_component(void)43 static void host_lock_component(void)
44 {
45 hyp_spin_lock(&host_mmu.lock);
46 }
47
host_unlock_component(void)48 static void host_unlock_component(void)
49 {
50 hyp_spin_unlock(&host_mmu.lock);
51 }
52
hyp_lock_component(void)53 static void hyp_lock_component(void)
54 {
55 hyp_spin_lock(&pkvm_pgd_lock);
56 }
57
hyp_unlock_component(void)58 static void hyp_unlock_component(void)
59 {
60 hyp_spin_unlock(&pkvm_pgd_lock);
61 }
62
63 #define for_each_hyp_page(__p, __st, __sz) \
64 for (struct hyp_page *__p = hyp_phys_to_page(__st), \
65 *__e = __p + ((__sz) >> PAGE_SHIFT); \
66 __p < __e; __p++)
67
host_s2_zalloc_pages_exact(size_t size)68 static void *host_s2_zalloc_pages_exact(size_t size)
69 {
70 void *addr = hyp_alloc_pages(&host_s2_pool, get_order(size));
71
72 hyp_split_page(hyp_virt_to_page(addr));
73
74 /*
75 * The size of concatenated PGDs is always a power of two of PAGE_SIZE,
76 * so there should be no need to free any of the tail pages to make the
77 * allocation exact.
78 */
79 WARN_ON(size != (PAGE_SIZE << get_order(size)));
80
81 return addr;
82 }
83
host_s2_zalloc_page(void * pool)84 static void *host_s2_zalloc_page(void *pool)
85 {
86 return hyp_alloc_pages(pool, 0);
87 }
88
host_s2_get_page(void * addr)89 static void host_s2_get_page(void *addr)
90 {
91 hyp_get_page(&host_s2_pool, addr);
92 }
93
host_s2_put_page(void * addr)94 static void host_s2_put_page(void *addr)
95 {
96 hyp_put_page(&host_s2_pool, addr);
97 }
98
host_s2_free_unlinked_table(void * addr,s8 level)99 static void host_s2_free_unlinked_table(void *addr, s8 level)
100 {
101 kvm_pgtable_stage2_free_unlinked(&host_mmu.mm_ops, addr, level);
102 }
103
prepare_s2_pool(void * pgt_pool_base)104 static int prepare_s2_pool(void *pgt_pool_base)
105 {
106 unsigned long nr_pages, pfn;
107 int ret;
108
109 pfn = hyp_virt_to_pfn(pgt_pool_base);
110 nr_pages = host_s2_pgtable_pages();
111 ret = hyp_pool_init(&host_s2_pool, pfn, nr_pages, 0);
112 if (ret)
113 return ret;
114
115 host_mmu.mm_ops = (struct kvm_pgtable_mm_ops) {
116 .zalloc_pages_exact = host_s2_zalloc_pages_exact,
117 .zalloc_page = host_s2_zalloc_page,
118 .free_unlinked_table = host_s2_free_unlinked_table,
119 .phys_to_virt = hyp_phys_to_virt,
120 .virt_to_phys = hyp_virt_to_phys,
121 .page_count = hyp_page_count,
122 .get_page = host_s2_get_page,
123 .put_page = host_s2_put_page,
124 };
125
126 return 0;
127 }
128
prepare_host_vtcr(void)129 static void prepare_host_vtcr(void)
130 {
131 u32 parange, phys_shift;
132
133 /* The host stage 2 is id-mapped, so use parange for T0SZ */
134 parange = kvm_get_parange(id_aa64mmfr0_el1_sys_val);
135 phys_shift = id_aa64mmfr0_parange_to_phys_shift(parange);
136
137 host_mmu.arch.mmu.vtcr = kvm_get_vtcr(id_aa64mmfr0_el1_sys_val,
138 id_aa64mmfr1_el1_sys_val, phys_shift);
139 }
140
141 static bool host_stage2_force_pte_cb(u64 addr, u64 end, enum kvm_pgtable_prot prot);
142
kvm_host_prepare_stage2(void * pgt_pool_base)143 int kvm_host_prepare_stage2(void *pgt_pool_base)
144 {
145 struct kvm_s2_mmu *mmu = &host_mmu.arch.mmu;
146 int ret;
147
148 prepare_host_vtcr();
149 hyp_spin_lock_init(&host_mmu.lock);
150 mmu->arch = &host_mmu.arch;
151
152 ret = prepare_s2_pool(pgt_pool_base);
153 if (ret)
154 return ret;
155
156 ret = __kvm_pgtable_stage2_init(&host_mmu.pgt, mmu,
157 &host_mmu.mm_ops, KVM_HOST_S2_FLAGS,
158 host_stage2_force_pte_cb);
159 if (ret)
160 return ret;
161
162 mmu->pgd_phys = __hyp_pa(host_mmu.pgt.pgd);
163 mmu->pgt = &host_mmu.pgt;
164 atomic64_set(&mmu->vmid.id, 0);
165
166 return 0;
167 }
168
guest_s2_zalloc_pages_exact(size_t size)169 static void *guest_s2_zalloc_pages_exact(size_t size)
170 {
171 void *addr = hyp_alloc_pages(¤t_vm->pool, get_order(size));
172
173 WARN_ON(size != (PAGE_SIZE << get_order(size)));
174 hyp_split_page(hyp_virt_to_page(addr));
175
176 return addr;
177 }
178
guest_s2_free_pages_exact(void * addr,unsigned long size)179 static void guest_s2_free_pages_exact(void *addr, unsigned long size)
180 {
181 u8 order = get_order(size);
182 unsigned int i;
183
184 for (i = 0; i < (1 << order); i++)
185 hyp_put_page(¤t_vm->pool, addr + (i * PAGE_SIZE));
186 }
187
guest_s2_zalloc_page(void * mc)188 static void *guest_s2_zalloc_page(void *mc)
189 {
190 struct hyp_page *p;
191 void *addr;
192
193 addr = hyp_alloc_pages(¤t_vm->pool, 0);
194 if (addr)
195 return addr;
196
197 addr = pop_hyp_memcache(mc, hyp_phys_to_virt);
198 if (!addr)
199 return addr;
200
201 memset(addr, 0, PAGE_SIZE);
202 p = hyp_virt_to_page(addr);
203 p->refcount = 1;
204 p->order = 0;
205
206 return addr;
207 }
208
guest_s2_get_page(void * addr)209 static void guest_s2_get_page(void *addr)
210 {
211 hyp_get_page(¤t_vm->pool, addr);
212 }
213
guest_s2_put_page(void * addr)214 static void guest_s2_put_page(void *addr)
215 {
216 hyp_put_page(¤t_vm->pool, addr);
217 }
218
__apply_guest_page(void * va,size_t size,void (* func)(void * addr,size_t size))219 static void __apply_guest_page(void *va, size_t size,
220 void (*func)(void *addr, size_t size))
221 {
222 size += va - PTR_ALIGN_DOWN(va, PAGE_SIZE);
223 va = PTR_ALIGN_DOWN(va, PAGE_SIZE);
224 size = PAGE_ALIGN(size);
225
226 while (size) {
227 size_t map_size = PAGE_SIZE;
228 void *map;
229
230 if (IS_ALIGNED((unsigned long)va, PMD_SIZE) && size >= PMD_SIZE)
231 map = hyp_fixblock_map(__hyp_pa(va), &map_size);
232 else
233 map = hyp_fixmap_map(__hyp_pa(va));
234
235 func(map, map_size);
236
237 if (map_size == PMD_SIZE)
238 hyp_fixblock_unmap();
239 else
240 hyp_fixmap_unmap();
241
242 size -= map_size;
243 va += map_size;
244 }
245 }
246
clean_dcache_guest_page(void * va,size_t size)247 static void clean_dcache_guest_page(void *va, size_t size)
248 {
249 __apply_guest_page(va, size, __clean_dcache_guest_page);
250 }
251
invalidate_icache_guest_page(void * va,size_t size)252 static void invalidate_icache_guest_page(void *va, size_t size)
253 {
254 __apply_guest_page(va, size, __invalidate_icache_guest_page);
255 }
256
kvm_guest_prepare_stage2(struct pkvm_hyp_vm * vm,void * pgd)257 int kvm_guest_prepare_stage2(struct pkvm_hyp_vm *vm, void *pgd)
258 {
259 struct kvm_s2_mmu *mmu = &vm->kvm.arch.mmu;
260 unsigned long nr_pages;
261 int ret;
262
263 nr_pages = kvm_pgtable_stage2_pgd_size(mmu->vtcr) >> PAGE_SHIFT;
264 ret = hyp_pool_init(&vm->pool, hyp_virt_to_pfn(pgd), nr_pages, 0);
265 if (ret)
266 return ret;
267
268 hyp_spin_lock_init(&vm->lock);
269 vm->mm_ops = (struct kvm_pgtable_mm_ops) {
270 .zalloc_pages_exact = guest_s2_zalloc_pages_exact,
271 .free_pages_exact = guest_s2_free_pages_exact,
272 .zalloc_page = guest_s2_zalloc_page,
273 .phys_to_virt = hyp_phys_to_virt,
274 .virt_to_phys = hyp_virt_to_phys,
275 .page_count = hyp_page_count,
276 .get_page = guest_s2_get_page,
277 .put_page = guest_s2_put_page,
278 .dcache_clean_inval_poc = clean_dcache_guest_page,
279 .icache_inval_pou = invalidate_icache_guest_page,
280 };
281
282 guest_lock_component(vm);
283 ret = __kvm_pgtable_stage2_init(mmu->pgt, mmu, &vm->mm_ops, 0, NULL);
284 guest_unlock_component(vm);
285 if (ret)
286 return ret;
287
288 vm->kvm.arch.mmu.pgd_phys = __hyp_pa(vm->pgt.pgd);
289
290 return 0;
291 }
292
reclaim_pgtable_pages(struct pkvm_hyp_vm * vm,struct kvm_hyp_memcache * mc)293 void reclaim_pgtable_pages(struct pkvm_hyp_vm *vm, struct kvm_hyp_memcache *mc)
294 {
295 struct hyp_page *page;
296 void *addr;
297
298 /* Dump all pgtable pages in the hyp_pool */
299 guest_lock_component(vm);
300 kvm_pgtable_stage2_destroy(&vm->pgt);
301 vm->kvm.arch.mmu.pgd_phys = 0ULL;
302 guest_unlock_component(vm);
303
304 /* Drain the hyp_pool into the memcache */
305 addr = hyp_alloc_pages(&vm->pool, 0);
306 while (addr) {
307 page = hyp_virt_to_page(addr);
308 page->refcount = 0;
309 page->order = 0;
310 push_hyp_memcache(mc, addr, hyp_virt_to_phys);
311 WARN_ON(__pkvm_hyp_donate_host(hyp_virt_to_pfn(addr), 1));
312 addr = hyp_alloc_pages(&vm->pool, 0);
313 }
314 }
315
__pkvm_prot_finalize(void)316 int __pkvm_prot_finalize(void)
317 {
318 struct kvm_s2_mmu *mmu = &host_mmu.arch.mmu;
319 struct kvm_nvhe_init_params *params = this_cpu_ptr(&kvm_init_params);
320
321 if (params->hcr_el2 & HCR_VM)
322 return -EPERM;
323
324 params->vttbr = kvm_get_vttbr(mmu);
325 params->vtcr = mmu->vtcr;
326 params->hcr_el2 |= HCR_VM;
327
328 /*
329 * The CMO below not only cleans the updated params to the
330 * PoC, but also provides the DSB that ensures ongoing
331 * page-table walks that have started before we trapped to EL2
332 * have completed.
333 */
334 kvm_flush_dcache_to_poc(params, sizeof(*params));
335
336 write_sysreg_hcr(params->hcr_el2);
337 __load_stage2(&host_mmu.arch.mmu, &host_mmu.arch);
338
339 /*
340 * Make sure to have an ISB before the TLB maintenance below but only
341 * when __load_stage2() doesn't include one already.
342 */
343 asm(ALTERNATIVE("isb", "nop", ARM64_WORKAROUND_SPECULATIVE_AT));
344
345 /* Invalidate stale HCR bits that may be cached in TLBs */
346 __tlbi(vmalls12e1);
347 dsb(nsh);
348 isb();
349
350 return 0;
351 }
352
host_stage2_unmap_dev_all(void)353 static int host_stage2_unmap_dev_all(void)
354 {
355 struct kvm_pgtable *pgt = &host_mmu.pgt;
356 struct memblock_region *reg;
357 u64 addr = 0;
358 int i, ret;
359
360 /* Unmap all non-memory regions to recycle the pages */
361 for (i = 0; i < hyp_memblock_nr; i++, addr = reg->base + reg->size) {
362 reg = &hyp_memory[i];
363 ret = kvm_pgtable_stage2_unmap(pgt, addr, reg->base - addr);
364 if (ret)
365 return ret;
366 }
367 return kvm_pgtable_stage2_unmap(pgt, addr, BIT(pgt->ia_bits) - addr);
368 }
369
370 struct kvm_mem_range {
371 u64 start;
372 u64 end;
373 };
374
find_mem_range(phys_addr_t addr,struct kvm_mem_range * range)375 static struct memblock_region *find_mem_range(phys_addr_t addr, struct kvm_mem_range *range)
376 {
377 int cur, left = 0, right = hyp_memblock_nr;
378 struct memblock_region *reg;
379 phys_addr_t end;
380
381 range->start = 0;
382 range->end = ULONG_MAX;
383
384 /* The list of memblock regions is sorted, binary search it */
385 while (left < right) {
386 cur = (left + right) >> 1;
387 reg = &hyp_memory[cur];
388 end = reg->base + reg->size;
389 if (addr < reg->base) {
390 right = cur;
391 range->end = reg->base;
392 } else if (addr >= end) {
393 left = cur + 1;
394 range->start = end;
395 } else {
396 range->start = reg->base;
397 range->end = end;
398 return reg;
399 }
400 }
401
402 return NULL;
403 }
404
addr_is_memory(phys_addr_t phys)405 bool addr_is_memory(phys_addr_t phys)
406 {
407 struct kvm_mem_range range;
408
409 return !!find_mem_range(phys, &range);
410 }
411
is_in_mem_range(u64 addr,struct kvm_mem_range * range)412 static bool is_in_mem_range(u64 addr, struct kvm_mem_range *range)
413 {
414 return range->start <= addr && addr < range->end;
415 }
416
check_range_allowed_memory(u64 start,u64 end)417 static int check_range_allowed_memory(u64 start, u64 end)
418 {
419 struct memblock_region *reg;
420 struct kvm_mem_range range;
421
422 /*
423 * Callers can't check the state of a range that overlaps memory and
424 * MMIO regions, so ensure [start, end[ is in the same kvm_mem_range.
425 */
426 reg = find_mem_range(start, &range);
427 if (!is_in_mem_range(end - 1, &range))
428 return -EINVAL;
429
430 if (!reg || reg->flags & MEMBLOCK_NOMAP)
431 return -EPERM;
432
433 return 0;
434 }
435
range_is_memory(u64 start,u64 end)436 static bool range_is_memory(u64 start, u64 end)
437 {
438 struct kvm_mem_range r;
439
440 if (!find_mem_range(start, &r))
441 return false;
442
443 return is_in_mem_range(end - 1, &r);
444 }
445
__host_stage2_idmap(u64 start,u64 end,enum kvm_pgtable_prot prot)446 static inline int __host_stage2_idmap(u64 start, u64 end,
447 enum kvm_pgtable_prot prot)
448 {
449 return kvm_pgtable_stage2_map(&host_mmu.pgt, start, end - start, start,
450 prot, &host_s2_pool, 0);
451 }
452
453 /*
454 * The pool has been provided with enough pages to cover all of memory with
455 * page granularity, but it is difficult to know how much of the MMIO range
456 * we will need to cover upfront, so we may need to 'recycle' the pages if we
457 * run out.
458 */
459 #define host_stage2_try(fn, ...) \
460 ({ \
461 int __ret; \
462 hyp_assert_lock_held(&host_mmu.lock); \
463 __ret = fn(__VA_ARGS__); \
464 if (__ret == -ENOMEM) { \
465 __ret = host_stage2_unmap_dev_all(); \
466 if (!__ret) \
467 __ret = fn(__VA_ARGS__); \
468 } \
469 __ret; \
470 })
471
range_included(struct kvm_mem_range * child,struct kvm_mem_range * parent)472 static inline bool range_included(struct kvm_mem_range *child,
473 struct kvm_mem_range *parent)
474 {
475 return parent->start <= child->start && child->end <= parent->end;
476 }
477
host_stage2_adjust_range(u64 addr,struct kvm_mem_range * range)478 static int host_stage2_adjust_range(u64 addr, struct kvm_mem_range *range)
479 {
480 struct kvm_mem_range cur;
481 kvm_pte_t pte;
482 u64 granule;
483 s8 level;
484 int ret;
485
486 hyp_assert_lock_held(&host_mmu.lock);
487 ret = kvm_pgtable_get_leaf(&host_mmu.pgt, addr, &pte, &level);
488 if (ret)
489 return ret;
490
491 if (kvm_pte_valid(pte))
492 return -EAGAIN;
493
494 if (pte) {
495 WARN_ON(addr_is_memory(addr) &&
496 get_host_state(hyp_phys_to_page(addr)) != PKVM_NOPAGE);
497 return -EPERM;
498 }
499
500 for (; level <= KVM_PGTABLE_LAST_LEVEL; level++) {
501 if (!kvm_level_supports_block_mapping(level))
502 continue;
503 granule = kvm_granule_size(level);
504 cur.start = ALIGN_DOWN(addr, granule);
505 cur.end = cur.start + granule;
506 if (!range_included(&cur, range))
507 continue;
508 *range = cur;
509 return 0;
510 }
511
512 WARN_ON(1);
513
514 return -EINVAL;
515 }
516
host_stage2_idmap_locked(phys_addr_t addr,u64 size,enum kvm_pgtable_prot prot)517 int host_stage2_idmap_locked(phys_addr_t addr, u64 size,
518 enum kvm_pgtable_prot prot)
519 {
520 return host_stage2_try(__host_stage2_idmap, addr, addr + size, prot);
521 }
522
__host_update_page_state(phys_addr_t addr,u64 size,enum pkvm_page_state state)523 static void __host_update_page_state(phys_addr_t addr, u64 size, enum pkvm_page_state state)
524 {
525 for_each_hyp_page(page, addr, size)
526 set_host_state(page, state);
527 }
528
host_stage2_set_owner_locked(phys_addr_t addr,u64 size,u8 owner_id)529 int host_stage2_set_owner_locked(phys_addr_t addr, u64 size, u8 owner_id)
530 {
531 int ret;
532
533 if (!range_is_memory(addr, addr + size))
534 return -EPERM;
535
536 ret = host_stage2_try(kvm_pgtable_stage2_set_owner, &host_mmu.pgt,
537 addr, size, &host_s2_pool, owner_id);
538 if (ret)
539 return ret;
540
541 /* Don't forget to update the vmemmap tracking for the host */
542 if (owner_id == PKVM_ID_HOST)
543 __host_update_page_state(addr, size, PKVM_PAGE_OWNED);
544 else
545 __host_update_page_state(addr, size, PKVM_NOPAGE);
546
547 return 0;
548 }
549
host_stage2_force_pte_cb(u64 addr,u64 end,enum kvm_pgtable_prot prot)550 static bool host_stage2_force_pte_cb(u64 addr, u64 end, enum kvm_pgtable_prot prot)
551 {
552 /*
553 * Block mappings must be used with care in the host stage-2 as a
554 * kvm_pgtable_stage2_map() operation targeting a page in the range of
555 * an existing block will delete the block under the assumption that
556 * mappings in the rest of the block range can always be rebuilt lazily.
557 * That assumption is correct for the host stage-2 with RWX mappings
558 * targeting memory or RW mappings targeting MMIO ranges (see
559 * host_stage2_idmap() below which implements some of the host memory
560 * abort logic). However, this is not safe for any other mappings where
561 * the host stage-2 page-table is in fact the only place where this
562 * state is stored. In all those cases, it is safer to use page-level
563 * mappings, hence avoiding to lose the state because of side-effects in
564 * kvm_pgtable_stage2_map().
565 */
566 if (range_is_memory(addr, end))
567 return prot != PKVM_HOST_MEM_PROT;
568 else
569 return prot != PKVM_HOST_MMIO_PROT;
570 }
571
host_stage2_idmap(u64 addr)572 static int host_stage2_idmap(u64 addr)
573 {
574 struct kvm_mem_range range;
575 bool is_memory = !!find_mem_range(addr, &range);
576 enum kvm_pgtable_prot prot;
577 int ret;
578
579 prot = is_memory ? PKVM_HOST_MEM_PROT : PKVM_HOST_MMIO_PROT;
580
581 host_lock_component();
582 ret = host_stage2_adjust_range(addr, &range);
583 if (ret)
584 goto unlock;
585
586 ret = host_stage2_idmap_locked(range.start, range.end - range.start, prot);
587 unlock:
588 host_unlock_component();
589
590 return ret;
591 }
592
handle_host_mem_abort(struct kvm_cpu_context * host_ctxt)593 void handle_host_mem_abort(struct kvm_cpu_context *host_ctxt)
594 {
595 struct kvm_vcpu_fault_info fault;
596 u64 esr, addr;
597 int ret = 0;
598
599 esr = read_sysreg_el2(SYS_ESR);
600 if (!__get_fault_info(esr, &fault)) {
601 /*
602 * We've presumably raced with a page-table change which caused
603 * AT to fail, try again.
604 */
605 return;
606 }
607
608
609 /*
610 * Yikes, we couldn't resolve the fault IPA. This should reinject an
611 * abort into the host when we figure out how to do that.
612 */
613 BUG_ON(!(fault.hpfar_el2 & HPFAR_EL2_NS));
614 addr = FIELD_GET(HPFAR_EL2_FIPA, fault.hpfar_el2) << 12;
615
616 ret = host_stage2_idmap(addr);
617 BUG_ON(ret && ret != -EAGAIN);
618 }
619
620 struct check_walk_data {
621 enum pkvm_page_state desired;
622 enum pkvm_page_state (*get_page_state)(kvm_pte_t pte, u64 addr);
623 };
624
__check_page_state_visitor(const struct kvm_pgtable_visit_ctx * ctx,enum kvm_pgtable_walk_flags visit)625 static int __check_page_state_visitor(const struct kvm_pgtable_visit_ctx *ctx,
626 enum kvm_pgtable_walk_flags visit)
627 {
628 struct check_walk_data *d = ctx->arg;
629
630 return d->get_page_state(ctx->old, ctx->addr) == d->desired ? 0 : -EPERM;
631 }
632
check_page_state_range(struct kvm_pgtable * pgt,u64 addr,u64 size,struct check_walk_data * data)633 static int check_page_state_range(struct kvm_pgtable *pgt, u64 addr, u64 size,
634 struct check_walk_data *data)
635 {
636 struct kvm_pgtable_walker walker = {
637 .cb = __check_page_state_visitor,
638 .arg = data,
639 .flags = KVM_PGTABLE_WALK_LEAF,
640 };
641
642 return kvm_pgtable_walk(pgt, addr, size, &walker);
643 }
644
__host_check_page_state_range(u64 addr,u64 size,enum pkvm_page_state state)645 static int __host_check_page_state_range(u64 addr, u64 size,
646 enum pkvm_page_state state)
647 {
648 int ret;
649
650 ret = check_range_allowed_memory(addr, addr + size);
651 if (ret)
652 return ret;
653
654 hyp_assert_lock_held(&host_mmu.lock);
655
656 for_each_hyp_page(page, addr, size) {
657 if (get_host_state(page) != state)
658 return -EPERM;
659 }
660
661 return 0;
662 }
663
__host_set_page_state_range(u64 addr,u64 size,enum pkvm_page_state state)664 static int __host_set_page_state_range(u64 addr, u64 size,
665 enum pkvm_page_state state)
666 {
667 if (get_host_state(hyp_phys_to_page(addr)) == PKVM_NOPAGE) {
668 int ret = host_stage2_idmap_locked(addr, size, PKVM_HOST_MEM_PROT);
669
670 if (ret)
671 return ret;
672 }
673
674 __host_update_page_state(addr, size, state);
675
676 return 0;
677 }
678
__hyp_set_page_state_range(phys_addr_t phys,u64 size,enum pkvm_page_state state)679 static void __hyp_set_page_state_range(phys_addr_t phys, u64 size, enum pkvm_page_state state)
680 {
681 for_each_hyp_page(page, phys, size)
682 set_hyp_state(page, state);
683 }
684
__hyp_check_page_state_range(phys_addr_t phys,u64 size,enum pkvm_page_state state)685 static int __hyp_check_page_state_range(phys_addr_t phys, u64 size, enum pkvm_page_state state)
686 {
687 for_each_hyp_page(page, phys, size) {
688 if (get_hyp_state(page) != state)
689 return -EPERM;
690 }
691
692 return 0;
693 }
694
guest_get_page_state(kvm_pte_t pte,u64 addr)695 static enum pkvm_page_state guest_get_page_state(kvm_pte_t pte, u64 addr)
696 {
697 if (!kvm_pte_valid(pte))
698 return PKVM_NOPAGE;
699
700 return pkvm_getstate(kvm_pgtable_stage2_pte_prot(pte));
701 }
702
__guest_check_page_state_range(struct pkvm_hyp_vm * vm,u64 addr,u64 size,enum pkvm_page_state state)703 static int __guest_check_page_state_range(struct pkvm_hyp_vm *vm, u64 addr,
704 u64 size, enum pkvm_page_state state)
705 {
706 struct check_walk_data d = {
707 .desired = state,
708 .get_page_state = guest_get_page_state,
709 };
710
711 hyp_assert_lock_held(&vm->lock);
712 return check_page_state_range(&vm->pgt, addr, size, &d);
713 }
714
__pkvm_host_share_hyp(u64 pfn)715 int __pkvm_host_share_hyp(u64 pfn)
716 {
717 u64 phys = hyp_pfn_to_phys(pfn);
718 u64 size = PAGE_SIZE;
719 int ret;
720
721 host_lock_component();
722 hyp_lock_component();
723
724 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
725 if (ret)
726 goto unlock;
727 ret = __hyp_check_page_state_range(phys, size, PKVM_NOPAGE);
728 if (ret)
729 goto unlock;
730
731 __hyp_set_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
732 WARN_ON(__host_set_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED));
733
734 unlock:
735 hyp_unlock_component();
736 host_unlock_component();
737
738 return ret;
739 }
740
__pkvm_host_unshare_hyp(u64 pfn)741 int __pkvm_host_unshare_hyp(u64 pfn)
742 {
743 u64 phys = hyp_pfn_to_phys(pfn);
744 u64 virt = (u64)__hyp_va(phys);
745 u64 size = PAGE_SIZE;
746 int ret;
747
748 host_lock_component();
749 hyp_lock_component();
750
751 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
752 if (ret)
753 goto unlock;
754 ret = __hyp_check_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
755 if (ret)
756 goto unlock;
757 if (hyp_page_count((void *)virt)) {
758 ret = -EBUSY;
759 goto unlock;
760 }
761
762 __hyp_set_page_state_range(phys, size, PKVM_NOPAGE);
763 WARN_ON(__host_set_page_state_range(phys, size, PKVM_PAGE_OWNED));
764
765 unlock:
766 hyp_unlock_component();
767 host_unlock_component();
768
769 return ret;
770 }
771
__pkvm_host_donate_hyp(u64 pfn,u64 nr_pages)772 int __pkvm_host_donate_hyp(u64 pfn, u64 nr_pages)
773 {
774 u64 phys = hyp_pfn_to_phys(pfn);
775 u64 size = PAGE_SIZE * nr_pages;
776 void *virt = __hyp_va(phys);
777 int ret;
778
779 host_lock_component();
780 hyp_lock_component();
781
782 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
783 if (ret)
784 goto unlock;
785 ret = __hyp_check_page_state_range(phys, size, PKVM_NOPAGE);
786 if (ret)
787 goto unlock;
788
789 __hyp_set_page_state_range(phys, size, PKVM_PAGE_OWNED);
790 WARN_ON(pkvm_create_mappings_locked(virt, virt + size, PAGE_HYP));
791 WARN_ON(host_stage2_set_owner_locked(phys, size, PKVM_ID_HYP));
792
793 unlock:
794 hyp_unlock_component();
795 host_unlock_component();
796
797 return ret;
798 }
799
__pkvm_hyp_donate_host(u64 pfn,u64 nr_pages)800 int __pkvm_hyp_donate_host(u64 pfn, u64 nr_pages)
801 {
802 u64 phys = hyp_pfn_to_phys(pfn);
803 u64 size = PAGE_SIZE * nr_pages;
804 u64 virt = (u64)__hyp_va(phys);
805 int ret;
806
807 host_lock_component();
808 hyp_lock_component();
809
810 ret = __hyp_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
811 if (ret)
812 goto unlock;
813 ret = __host_check_page_state_range(phys, size, PKVM_NOPAGE);
814 if (ret)
815 goto unlock;
816
817 __hyp_set_page_state_range(phys, size, PKVM_NOPAGE);
818 WARN_ON(kvm_pgtable_hyp_unmap(&pkvm_pgtable, virt, size) != size);
819 WARN_ON(host_stage2_set_owner_locked(phys, size, PKVM_ID_HOST));
820
821 unlock:
822 hyp_unlock_component();
823 host_unlock_component();
824
825 return ret;
826 }
827
hyp_pin_shared_mem(void * from,void * to)828 int hyp_pin_shared_mem(void *from, void *to)
829 {
830 u64 cur, start = ALIGN_DOWN((u64)from, PAGE_SIZE);
831 u64 end = PAGE_ALIGN((u64)to);
832 u64 phys = __hyp_pa(start);
833 u64 size = end - start;
834 struct hyp_page *p;
835 int ret;
836
837 host_lock_component();
838 hyp_lock_component();
839
840 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
841 if (ret)
842 goto unlock;
843
844 ret = __hyp_check_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
845 if (ret)
846 goto unlock;
847
848 for (cur = start; cur < end; cur += PAGE_SIZE) {
849 p = hyp_virt_to_page(cur);
850 hyp_page_ref_inc(p);
851 if (p->refcount == 1)
852 WARN_ON(pkvm_create_mappings_locked((void *)cur,
853 (void *)cur + PAGE_SIZE,
854 PAGE_HYP));
855 }
856
857 unlock:
858 hyp_unlock_component();
859 host_unlock_component();
860
861 return ret;
862 }
863
hyp_unpin_shared_mem(void * from,void * to)864 void hyp_unpin_shared_mem(void *from, void *to)
865 {
866 u64 cur, start = ALIGN_DOWN((u64)from, PAGE_SIZE);
867 u64 end = PAGE_ALIGN((u64)to);
868 struct hyp_page *p;
869
870 host_lock_component();
871 hyp_lock_component();
872
873 for (cur = start; cur < end; cur += PAGE_SIZE) {
874 p = hyp_virt_to_page(cur);
875 if (p->refcount == 1)
876 WARN_ON(kvm_pgtable_hyp_unmap(&pkvm_pgtable, cur, PAGE_SIZE) != PAGE_SIZE);
877 hyp_page_ref_dec(p);
878 }
879
880 hyp_unlock_component();
881 host_unlock_component();
882 }
883
__pkvm_host_share_ffa(u64 pfn,u64 nr_pages)884 int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
885 {
886 u64 phys = hyp_pfn_to_phys(pfn);
887 u64 size = PAGE_SIZE * nr_pages;
888 int ret;
889
890 host_lock_component();
891 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
892 if (!ret)
893 ret = __host_set_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
894 host_unlock_component();
895
896 return ret;
897 }
898
__pkvm_host_unshare_ffa(u64 pfn,u64 nr_pages)899 int __pkvm_host_unshare_ffa(u64 pfn, u64 nr_pages)
900 {
901 u64 phys = hyp_pfn_to_phys(pfn);
902 u64 size = PAGE_SIZE * nr_pages;
903 int ret;
904
905 host_lock_component();
906 ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
907 if (!ret)
908 ret = __host_set_page_state_range(phys, size, PKVM_PAGE_OWNED);
909 host_unlock_component();
910
911 return ret;
912 }
913
__guest_check_transition_size(u64 phys,u64 ipa,u64 nr_pages,u64 * size)914 static int __guest_check_transition_size(u64 phys, u64 ipa, u64 nr_pages, u64 *size)
915 {
916 size_t block_size;
917
918 if (nr_pages == 1) {
919 *size = PAGE_SIZE;
920 return 0;
921 }
922
923 /* We solely support second to last level huge mapping */
924 block_size = kvm_granule_size(KVM_PGTABLE_LAST_LEVEL - 1);
925
926 if (nr_pages != block_size >> PAGE_SHIFT)
927 return -EINVAL;
928
929 if (!IS_ALIGNED(phys | ipa, block_size))
930 return -EINVAL;
931
932 *size = block_size;
933 return 0;
934 }
935
__pkvm_host_share_guest(u64 pfn,u64 gfn,u64 nr_pages,struct pkvm_hyp_vcpu * vcpu,enum kvm_pgtable_prot prot)936 int __pkvm_host_share_guest(u64 pfn, u64 gfn, u64 nr_pages, struct pkvm_hyp_vcpu *vcpu,
937 enum kvm_pgtable_prot prot)
938 {
939 struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
940 u64 phys = hyp_pfn_to_phys(pfn);
941 u64 ipa = hyp_pfn_to_phys(gfn);
942 u64 size;
943 int ret;
944
945 if (prot & ~KVM_PGTABLE_PROT_RWX)
946 return -EINVAL;
947
948 ret = __guest_check_transition_size(phys, ipa, nr_pages, &size);
949 if (ret)
950 return ret;
951
952 ret = check_range_allowed_memory(phys, phys + size);
953 if (ret)
954 return ret;
955
956 host_lock_component();
957 guest_lock_component(vm);
958
959 ret = __guest_check_page_state_range(vm, ipa, size, PKVM_NOPAGE);
960 if (ret)
961 goto unlock;
962
963 for_each_hyp_page(page, phys, size) {
964 switch (get_host_state(page)) {
965 case PKVM_PAGE_OWNED:
966 continue;
967 case PKVM_PAGE_SHARED_OWNED:
968 if (page->host_share_guest_count == U32_MAX) {
969 ret = -EBUSY;
970 goto unlock;
971 }
972
973 /* Only host to np-guest multi-sharing is tolerated */
974 if (page->host_share_guest_count)
975 continue;
976
977 fallthrough;
978 default:
979 ret = -EPERM;
980 goto unlock;
981 }
982 }
983
984 for_each_hyp_page(page, phys, size) {
985 set_host_state(page, PKVM_PAGE_SHARED_OWNED);
986 page->host_share_guest_count++;
987 }
988
989 WARN_ON(kvm_pgtable_stage2_map(&vm->pgt, ipa, size, phys,
990 pkvm_mkstate(prot, PKVM_PAGE_SHARED_BORROWED),
991 &vcpu->vcpu.arch.pkvm_memcache, 0));
992
993 unlock:
994 guest_unlock_component(vm);
995 host_unlock_component();
996
997 return ret;
998 }
999
__check_host_shared_guest(struct pkvm_hyp_vm * vm,u64 * __phys,u64 ipa,u64 size)1000 static int __check_host_shared_guest(struct pkvm_hyp_vm *vm, u64 *__phys, u64 ipa, u64 size)
1001 {
1002 enum pkvm_page_state state;
1003 kvm_pte_t pte;
1004 u64 phys;
1005 s8 level;
1006 int ret;
1007
1008 ret = kvm_pgtable_get_leaf(&vm->pgt, ipa, &pte, &level);
1009 if (ret)
1010 return ret;
1011 if (!kvm_pte_valid(pte))
1012 return -ENOENT;
1013 if (kvm_granule_size(level) != size)
1014 return -E2BIG;
1015
1016 state = guest_get_page_state(pte, ipa);
1017 if (state != PKVM_PAGE_SHARED_BORROWED)
1018 return -EPERM;
1019
1020 phys = kvm_pte_to_phys(pte);
1021 ret = check_range_allowed_memory(phys, phys + size);
1022 if (WARN_ON(ret))
1023 return ret;
1024
1025 for_each_hyp_page(page, phys, size) {
1026 if (get_host_state(page) != PKVM_PAGE_SHARED_OWNED)
1027 return -EPERM;
1028 if (WARN_ON(!page->host_share_guest_count))
1029 return -EINVAL;
1030 }
1031
1032 *__phys = phys;
1033
1034 return 0;
1035 }
1036
__pkvm_host_unshare_guest(u64 gfn,u64 nr_pages,struct pkvm_hyp_vm * vm)1037 int __pkvm_host_unshare_guest(u64 gfn, u64 nr_pages, struct pkvm_hyp_vm *vm)
1038 {
1039 u64 ipa = hyp_pfn_to_phys(gfn);
1040 u64 size, phys;
1041 int ret;
1042
1043 ret = __guest_check_transition_size(0, ipa, nr_pages, &size);
1044 if (ret)
1045 return ret;
1046
1047 host_lock_component();
1048 guest_lock_component(vm);
1049
1050 ret = __check_host_shared_guest(vm, &phys, ipa, size);
1051 if (ret)
1052 goto unlock;
1053
1054 ret = kvm_pgtable_stage2_unmap(&vm->pgt, ipa, size);
1055 if (ret)
1056 goto unlock;
1057
1058 for_each_hyp_page(page, phys, size) {
1059 /* __check_host_shared_guest() protects against underflow */
1060 page->host_share_guest_count--;
1061 if (!page->host_share_guest_count)
1062 set_host_state(page, PKVM_PAGE_OWNED);
1063 }
1064
1065 unlock:
1066 guest_unlock_component(vm);
1067 host_unlock_component();
1068
1069 return ret;
1070 }
1071
assert_host_shared_guest(struct pkvm_hyp_vm * vm,u64 ipa,u64 size)1072 static void assert_host_shared_guest(struct pkvm_hyp_vm *vm, u64 ipa, u64 size)
1073 {
1074 u64 phys;
1075 int ret;
1076
1077 if (!IS_ENABLED(CONFIG_NVHE_EL2_DEBUG))
1078 return;
1079
1080 host_lock_component();
1081 guest_lock_component(vm);
1082
1083 ret = __check_host_shared_guest(vm, &phys, ipa, size);
1084
1085 guest_unlock_component(vm);
1086 host_unlock_component();
1087
1088 WARN_ON(ret && ret != -ENOENT);
1089 }
1090
__pkvm_host_relax_perms_guest(u64 gfn,struct pkvm_hyp_vcpu * vcpu,enum kvm_pgtable_prot prot)1091 int __pkvm_host_relax_perms_guest(u64 gfn, struct pkvm_hyp_vcpu *vcpu, enum kvm_pgtable_prot prot)
1092 {
1093 struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
1094 u64 ipa = hyp_pfn_to_phys(gfn);
1095 int ret;
1096
1097 if (pkvm_hyp_vm_is_protected(vm))
1098 return -EPERM;
1099
1100 if (prot & ~KVM_PGTABLE_PROT_RWX)
1101 return -EINVAL;
1102
1103 assert_host_shared_guest(vm, ipa, PAGE_SIZE);
1104 guest_lock_component(vm);
1105 ret = kvm_pgtable_stage2_relax_perms(&vm->pgt, ipa, prot, 0);
1106 guest_unlock_component(vm);
1107
1108 return ret;
1109 }
1110
__pkvm_host_wrprotect_guest(u64 gfn,u64 nr_pages,struct pkvm_hyp_vm * vm)1111 int __pkvm_host_wrprotect_guest(u64 gfn, u64 nr_pages, struct pkvm_hyp_vm *vm)
1112 {
1113 u64 size, ipa = hyp_pfn_to_phys(gfn);
1114 int ret;
1115
1116 if (pkvm_hyp_vm_is_protected(vm))
1117 return -EPERM;
1118
1119 ret = __guest_check_transition_size(0, ipa, nr_pages, &size);
1120 if (ret)
1121 return ret;
1122
1123 assert_host_shared_guest(vm, ipa, size);
1124 guest_lock_component(vm);
1125 ret = kvm_pgtable_stage2_wrprotect(&vm->pgt, ipa, size);
1126 guest_unlock_component(vm);
1127
1128 return ret;
1129 }
1130
__pkvm_host_test_clear_young_guest(u64 gfn,u64 nr_pages,bool mkold,struct pkvm_hyp_vm * vm)1131 int __pkvm_host_test_clear_young_guest(u64 gfn, u64 nr_pages, bool mkold, struct pkvm_hyp_vm *vm)
1132 {
1133 u64 size, ipa = hyp_pfn_to_phys(gfn);
1134 int ret;
1135
1136 if (pkvm_hyp_vm_is_protected(vm))
1137 return -EPERM;
1138
1139 ret = __guest_check_transition_size(0, ipa, nr_pages, &size);
1140 if (ret)
1141 return ret;
1142
1143 assert_host_shared_guest(vm, ipa, size);
1144 guest_lock_component(vm);
1145 ret = kvm_pgtable_stage2_test_clear_young(&vm->pgt, ipa, size, mkold);
1146 guest_unlock_component(vm);
1147
1148 return ret;
1149 }
1150
__pkvm_host_mkyoung_guest(u64 gfn,struct pkvm_hyp_vcpu * vcpu)1151 int __pkvm_host_mkyoung_guest(u64 gfn, struct pkvm_hyp_vcpu *vcpu)
1152 {
1153 struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
1154 u64 ipa = hyp_pfn_to_phys(gfn);
1155
1156 if (pkvm_hyp_vm_is_protected(vm))
1157 return -EPERM;
1158
1159 assert_host_shared_guest(vm, ipa, PAGE_SIZE);
1160 guest_lock_component(vm);
1161 kvm_pgtable_stage2_mkyoung(&vm->pgt, ipa, 0);
1162 guest_unlock_component(vm);
1163
1164 return 0;
1165 }
1166
1167 #ifdef CONFIG_NVHE_EL2_DEBUG
1168 struct pkvm_expected_state {
1169 enum pkvm_page_state host;
1170 enum pkvm_page_state hyp;
1171 enum pkvm_page_state guest[2]; /* [ gfn, gfn + 1 ] */
1172 };
1173
1174 static struct pkvm_expected_state selftest_state;
1175 static struct hyp_page *selftest_page;
1176
1177 static struct pkvm_hyp_vm selftest_vm = {
1178 .kvm = {
1179 .arch = {
1180 .mmu = {
1181 .arch = &selftest_vm.kvm.arch,
1182 .pgt = &selftest_vm.pgt,
1183 },
1184 },
1185 },
1186 };
1187
1188 static struct pkvm_hyp_vcpu selftest_vcpu = {
1189 .vcpu = {
1190 .arch = {
1191 .hw_mmu = &selftest_vm.kvm.arch.mmu,
1192 },
1193 .kvm = &selftest_vm.kvm,
1194 },
1195 };
1196
init_selftest_vm(void * virt)1197 static void init_selftest_vm(void *virt)
1198 {
1199 struct hyp_page *p = hyp_virt_to_page(virt);
1200 int i;
1201
1202 selftest_vm.kvm.arch.mmu.vtcr = host_mmu.arch.mmu.vtcr;
1203 WARN_ON(kvm_guest_prepare_stage2(&selftest_vm, virt));
1204
1205 for (i = 0; i < pkvm_selftest_pages(); i++) {
1206 if (p[i].refcount)
1207 continue;
1208 p[i].refcount = 1;
1209 hyp_put_page(&selftest_vm.pool, hyp_page_to_virt(&p[i]));
1210 }
1211 }
1212
selftest_ipa(void)1213 static u64 selftest_ipa(void)
1214 {
1215 return BIT(selftest_vm.pgt.ia_bits - 1);
1216 }
1217
assert_page_state(void)1218 static void assert_page_state(void)
1219 {
1220 void *virt = hyp_page_to_virt(selftest_page);
1221 u64 size = PAGE_SIZE << selftest_page->order;
1222 struct pkvm_hyp_vcpu *vcpu = &selftest_vcpu;
1223 u64 phys = hyp_virt_to_phys(virt);
1224 u64 ipa[2] = { selftest_ipa(), selftest_ipa() + PAGE_SIZE };
1225 struct pkvm_hyp_vm *vm;
1226
1227 vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
1228
1229 host_lock_component();
1230 WARN_ON(__host_check_page_state_range(phys, size, selftest_state.host));
1231 host_unlock_component();
1232
1233 hyp_lock_component();
1234 WARN_ON(__hyp_check_page_state_range(phys, size, selftest_state.hyp));
1235 hyp_unlock_component();
1236
1237 guest_lock_component(&selftest_vm);
1238 WARN_ON(__guest_check_page_state_range(vm, ipa[0], size, selftest_state.guest[0]));
1239 WARN_ON(__guest_check_page_state_range(vm, ipa[1], size, selftest_state.guest[1]));
1240 guest_unlock_component(&selftest_vm);
1241 }
1242
1243 #define assert_transition_res(res, fn, ...) \
1244 do { \
1245 WARN_ON(fn(__VA_ARGS__) != res); \
1246 assert_page_state(); \
1247 } while (0)
1248
pkvm_ownership_selftest(void * base)1249 void pkvm_ownership_selftest(void *base)
1250 {
1251 enum kvm_pgtable_prot prot = KVM_PGTABLE_PROT_RWX;
1252 void *virt = hyp_alloc_pages(&host_s2_pool, 0);
1253 struct pkvm_hyp_vcpu *vcpu = &selftest_vcpu;
1254 struct pkvm_hyp_vm *vm = &selftest_vm;
1255 u64 phys, size, pfn, gfn;
1256
1257 WARN_ON(!virt);
1258 selftest_page = hyp_virt_to_page(virt);
1259 selftest_page->refcount = 0;
1260 init_selftest_vm(base);
1261
1262 size = PAGE_SIZE << selftest_page->order;
1263 phys = hyp_virt_to_phys(virt);
1264 pfn = hyp_phys_to_pfn(phys);
1265 gfn = hyp_phys_to_pfn(selftest_ipa());
1266
1267 selftest_state.host = PKVM_NOPAGE;
1268 selftest_state.hyp = PKVM_PAGE_OWNED;
1269 selftest_state.guest[0] = selftest_state.guest[1] = PKVM_NOPAGE;
1270 assert_page_state();
1271 assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1);
1272 assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn);
1273 assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn);
1274 assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1);
1275 assert_transition_res(-EPERM, __pkvm_host_unshare_ffa, pfn, 1);
1276 assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size);
1277 assert_transition_res(-EPERM, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1278 assert_transition_res(-ENOENT, __pkvm_host_unshare_guest, gfn, 1, vm);
1279
1280 selftest_state.host = PKVM_PAGE_OWNED;
1281 selftest_state.hyp = PKVM_NOPAGE;
1282 assert_transition_res(0, __pkvm_hyp_donate_host, pfn, 1);
1283 assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1);
1284 assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn);
1285 assert_transition_res(-EPERM, __pkvm_host_unshare_ffa, pfn, 1);
1286 assert_transition_res(-ENOENT, __pkvm_host_unshare_guest, gfn, 1, vm);
1287 assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size);
1288
1289 selftest_state.host = PKVM_PAGE_SHARED_OWNED;
1290 selftest_state.hyp = PKVM_PAGE_SHARED_BORROWED;
1291 assert_transition_res(0, __pkvm_host_share_hyp, pfn);
1292 assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn);
1293 assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1);
1294 assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1);
1295 assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1);
1296 assert_transition_res(-EPERM, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1297 assert_transition_res(-ENOENT, __pkvm_host_unshare_guest, gfn, 1, vm);
1298
1299 assert_transition_res(0, hyp_pin_shared_mem, virt, virt + size);
1300 assert_transition_res(0, hyp_pin_shared_mem, virt, virt + size);
1301 hyp_unpin_shared_mem(virt, virt + size);
1302 WARN_ON(hyp_page_count(virt) != 1);
1303 assert_transition_res(-EBUSY, __pkvm_host_unshare_hyp, pfn);
1304 assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn);
1305 assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1);
1306 assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1);
1307 assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1);
1308 assert_transition_res(-EPERM, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1309 assert_transition_res(-ENOENT, __pkvm_host_unshare_guest, gfn, 1, vm);
1310
1311 hyp_unpin_shared_mem(virt, virt + size);
1312 assert_page_state();
1313 WARN_ON(hyp_page_count(virt));
1314
1315 selftest_state.host = PKVM_PAGE_OWNED;
1316 selftest_state.hyp = PKVM_NOPAGE;
1317 assert_transition_res(0, __pkvm_host_unshare_hyp, pfn);
1318
1319 selftest_state.host = PKVM_PAGE_SHARED_OWNED;
1320 selftest_state.hyp = PKVM_NOPAGE;
1321 assert_transition_res(0, __pkvm_host_share_ffa, pfn, 1);
1322 assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1);
1323 assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1);
1324 assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn);
1325 assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn);
1326 assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1);
1327 assert_transition_res(-EPERM, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1328 assert_transition_res(-ENOENT, __pkvm_host_unshare_guest, gfn, 1, vm);
1329 assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size);
1330
1331 selftest_state.host = PKVM_PAGE_OWNED;
1332 selftest_state.hyp = PKVM_NOPAGE;
1333 assert_transition_res(0, __pkvm_host_unshare_ffa, pfn, 1);
1334 assert_transition_res(-EPERM, __pkvm_host_unshare_ffa, pfn, 1);
1335
1336 selftest_state.host = PKVM_PAGE_SHARED_OWNED;
1337 selftest_state.guest[0] = PKVM_PAGE_SHARED_BORROWED;
1338 assert_transition_res(0, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1339 assert_transition_res(-EPERM, __pkvm_host_share_guest, pfn, gfn, 1, vcpu, prot);
1340 assert_transition_res(-EPERM, __pkvm_host_share_ffa, pfn, 1);
1341 assert_transition_res(-EPERM, __pkvm_host_donate_hyp, pfn, 1);
1342 assert_transition_res(-EPERM, __pkvm_host_share_hyp, pfn);
1343 assert_transition_res(-EPERM, __pkvm_host_unshare_hyp, pfn);
1344 assert_transition_res(-EPERM, __pkvm_hyp_donate_host, pfn, 1);
1345 assert_transition_res(-EPERM, hyp_pin_shared_mem, virt, virt + size);
1346
1347 selftest_state.guest[1] = PKVM_PAGE_SHARED_BORROWED;
1348 assert_transition_res(0, __pkvm_host_share_guest, pfn, gfn + 1, 1, vcpu, prot);
1349 WARN_ON(hyp_virt_to_page(virt)->host_share_guest_count != 2);
1350
1351 selftest_state.guest[0] = PKVM_NOPAGE;
1352 assert_transition_res(0, __pkvm_host_unshare_guest, gfn, 1, vm);
1353
1354 selftest_state.guest[1] = PKVM_NOPAGE;
1355 selftest_state.host = PKVM_PAGE_OWNED;
1356 assert_transition_res(0, __pkvm_host_unshare_guest, gfn + 1, 1, vm);
1357
1358 selftest_state.host = PKVM_NOPAGE;
1359 selftest_state.hyp = PKVM_PAGE_OWNED;
1360 assert_transition_res(0, __pkvm_host_donate_hyp, pfn, 1);
1361
1362 selftest_page->refcount = 1;
1363 hyp_put_page(&host_s2_pool, virt);
1364 }
1365 #endif
1366