xref: /linux/arch/arm64/kvm/vgic/vgic-v3-nested.c (revision 6316366129d2885fae07c2774f4b7ae0a45fb55d) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 
3 #include <linux/cpu.h>
4 #include <linux/kvm.h>
5 #include <linux/kvm_host.h>
6 #include <linux/interrupt.h>
7 #include <linux/io.h>
8 #include <linux/uaccess.h>
9 
10 #include <kvm/arm_vgic.h>
11 
12 #include <asm/kvm_arm.h>
13 #include <asm/kvm_emulate.h>
14 #include <asm/kvm_nested.h>
15 
16 #include "vgic.h"
17 
18 #define ICH_LRN(n)	(ICH_LR0_EL2 + (n))
19 #define ICH_AP0RN(n)	(ICH_AP0R0_EL2 + (n))
20 #define ICH_AP1RN(n)	(ICH_AP1R0_EL2 + (n))
21 
22 struct mi_state {
23 	u16	eisr;
24 	u16	elrsr;
25 	bool	pend;
26 };
27 
28 /*
29  * The shadow registers loaded to the hardware when running a L2 guest
30  * with the virtual IMO/FMO bits set.
31  */
32 struct shadow_if {
33 	struct vgic_v3_cpu_if	cpuif;
34 	unsigned long		lr_map;
35 };
36 
37 static DEFINE_PER_CPU(struct shadow_if, shadow_if);
38 
39 static int lr_map_idx_to_shadow_idx(struct shadow_if *shadow_if, int idx)
40 {
41 	return hweight16(shadow_if->lr_map & (BIT(idx) - 1));
42 }
43 
44 /*
45  * Nesting GICv3 support
46  *
47  * On a non-nesting VM (only running at EL0/EL1), the host hypervisor
48  * completely controls the interrupts injected via the list registers.
49  * Consequently, most of the state that is modified by the guest (by ACK-ing
50  * and EOI-ing interrupts) is synced by KVM on each entry/exit, so that we
51  * keep a semi-consistent view of the interrupts.
52  *
53  * This still applies for a NV guest, but only while "InHost" (either
54  * running at EL2, or at EL0 with HCR_EL2.{E2H.TGE}=={1,1}.
55  *
56  * When running a L2 guest ("not InHost"), things are radically different,
57  * as the L1 guest is in charge of provisioning the interrupts via its own
58  * view of the ICH_LR*_EL2 registers, which conveniently live in the VNCR
59  * page.  This means that the flow described above does work (there is no
60  * state to rebuild in the L0 hypervisor), and that most things happen on L2
61  * load/put:
62  *
63  * - on L2 load: move the in-memory L1 vGIC configuration into a shadow,
64  *   per-CPU data structure that is used to populate the actual LRs. This is
65  *   an extra copy that we could avoid, but life is short. In the process,
66  *   we remap any interrupt that has the HW bit set to the mapped interrupt
67  *   on the host, should the host consider it a HW one. This allows the HW
68  *   deactivation to take its course, such as for the timer.
69  *
70  * - on L2 put: perform the inverse transformation, so that the result of L2
71  *   running becomes visible to L1 in the VNCR-accessible registers.
72  *
73  * - there is nothing to do on L2 entry apart from enabling the vgic, as
74  *   everything will have happened on load. However, this is the point where
75  *   we detect that an interrupt targeting L1 and prepare the grand
76  *   switcheroo.
77  *
78  * - on L2 exit: resync the LRs and VMCR, emulate the HW bit, and deactivate
79  *   corresponding the L1 interrupt. The L0 active state will be cleared by
80  *   the HW if the L1 interrupt was itself backed by a HW interrupt.
81  *
82  * Maintenance Interrupt (MI) management:
83  *
84  * Since the L2 guest runs the vgic in its full glory, MIs get delivered and
85  * used as a handover point between L2 and L1.
86  *
87  * - on delivery of a MI to L0 while L2 is running: make the L1 MI pending,
88  *   and let it rip. This will initiate a vcpu_put() on L2, and allow L1 to
89  *   run and process the MI.
90  *
91  * - L1 MI is a fully virtual interrupt, not linked to the host's MI. Its
92  *   state must be computed at each entry/exit of the guest, much like we do
93  *   it for the PMU interrupt.
94  *
95  * - because most of the ICH_*_EL2 registers live in the VNCR page, the
96  *   quality of emulation is poor: L1 can setup the vgic so that an MI would
97  *   immediately fire, and not observe anything until the next exit.
98  *   Similarly, a pending MI is not immediately disabled by clearing
99  *   ICH_HCR_EL2.En. Trying to read ICH_MISR_EL2 would do the trick, for
100  *   example.
101  *
102  * System register emulation:
103  *
104  * We get two classes of registers:
105  *
106  * - those backed by memory (LRs, APRs, HCR, VMCR): L1 can freely access
107  *   them, and L0 doesn't see a thing.
108  *
109  * - those that always trap (ELRSR, EISR, MISR): these are status registers
110  *   that are built on the fly based on the in-memory state.
111  *
112  * Only L1 can access the ICH_*_EL2 registers. A non-NV L2 obviously cannot,
113  * and a NV L2 would either access the VNCR page provided by L1 (memory
114  * based registers), or see the access redirected to L1 (registers that
115  * trap) thanks to NV being set by L1.
116  */
117 
118 bool vgic_state_is_nested(struct kvm_vcpu *vcpu)
119 {
120 	u64 xmo;
121 
122 	if (is_nested_ctxt(vcpu)) {
123 		xmo = __vcpu_sys_reg(vcpu, HCR_EL2) & (HCR_IMO | HCR_FMO);
124 		WARN_ONCE(xmo && xmo != (HCR_IMO | HCR_FMO),
125 			  "Separate virtual IRQ/FIQ settings not supported\n");
126 
127 		return !!xmo;
128 	}
129 
130 	return false;
131 }
132 
133 static struct shadow_if *get_shadow_if(void)
134 {
135 	return this_cpu_ptr(&shadow_if);
136 }
137 
138 static bool lr_triggers_eoi(u64 lr)
139 {
140 	return !(lr & (ICH_LR_STATE | ICH_LR_HW)) && (lr & ICH_LR_EOI);
141 }
142 
143 static void vgic_compute_mi_state(struct kvm_vcpu *vcpu, struct mi_state *mi_state)
144 {
145 	u16 eisr = 0, elrsr = 0;
146 	bool pend = false;
147 
148 	for (int i = 0; i < kvm_vgic_global_state.nr_lr; i++) {
149 		u64 lr = __vcpu_sys_reg(vcpu, ICH_LRN(i));
150 
151 		if (lr_triggers_eoi(lr))
152 			eisr |= BIT(i);
153 		if (!(lr & ICH_LR_STATE))
154 			elrsr |= BIT(i);
155 		pend |= (lr & ICH_LR_PENDING_BIT);
156 	}
157 
158 	mi_state->eisr	= eisr;
159 	mi_state->elrsr	= elrsr;
160 	mi_state->pend	= pend;
161 }
162 
163 u16 vgic_v3_get_eisr(struct kvm_vcpu *vcpu)
164 {
165 	struct mi_state mi_state;
166 
167 	vgic_compute_mi_state(vcpu, &mi_state);
168 	return mi_state.eisr;
169 }
170 
171 u16 vgic_v3_get_elrsr(struct kvm_vcpu *vcpu)
172 {
173 	struct mi_state mi_state;
174 
175 	vgic_compute_mi_state(vcpu, &mi_state);
176 	return mi_state.elrsr;
177 }
178 
179 u64 vgic_v3_get_misr(struct kvm_vcpu *vcpu)
180 {
181 	struct mi_state mi_state;
182 	u64 reg = 0, hcr, vmcr;
183 
184 	hcr = __vcpu_sys_reg(vcpu, ICH_HCR_EL2);
185 	vmcr = __vcpu_sys_reg(vcpu, ICH_VMCR_EL2);
186 
187 	vgic_compute_mi_state(vcpu, &mi_state);
188 
189 	if (mi_state.eisr)
190 		reg |= ICH_MISR_EL2_EOI;
191 
192 	if (__vcpu_sys_reg(vcpu, ICH_HCR_EL2) & ICH_HCR_EL2_UIE) {
193 		int used_lrs = kvm_vgic_global_state.nr_lr;
194 
195 		used_lrs -= hweight16(mi_state.elrsr);
196 		reg |= (used_lrs <= 1) ? ICH_MISR_EL2_U : 0;
197 	}
198 
199 	if ((hcr & ICH_HCR_EL2_LRENPIE) && FIELD_GET(ICH_HCR_EL2_EOIcount_MASK, hcr))
200 		reg |= ICH_MISR_EL2_LRENP;
201 
202 	if ((hcr & ICH_HCR_EL2_NPIE) && !mi_state.pend)
203 		reg |= ICH_MISR_EL2_NP;
204 
205 	if ((hcr & ICH_HCR_EL2_VGrp0EIE) && (vmcr & ICH_VMCR_EL2_VENG0_MASK))
206 		reg |= ICH_MISR_EL2_VGrp0E;
207 
208 	if ((hcr & ICH_HCR_EL2_VGrp0DIE) && !(vmcr & ICH_VMCR_EL2_VENG0_MASK))
209 		reg |= ICH_MISR_EL2_VGrp0D;
210 
211 	if ((hcr & ICH_HCR_EL2_VGrp1EIE) && (vmcr & ICH_VMCR_EL2_VENG1_MASK))
212 		reg |= ICH_MISR_EL2_VGrp1E;
213 
214 	if ((hcr & ICH_HCR_EL2_VGrp1DIE) && !(vmcr & ICH_VMCR_EL2_VENG1_MASK))
215 		reg |= ICH_MISR_EL2_VGrp1D;
216 
217 	return reg;
218 }
219 
220 static u64 translate_lr_pintid(struct kvm_vcpu *vcpu, u64 lr)
221 {
222 	struct vgic_irq *irq;
223 
224 	if (!(lr & ICH_LR_HW))
225 		return lr;
226 
227 	/* We have the HW bit set, check for validity of pINTID */
228 	irq = vgic_get_vcpu_irq(vcpu, FIELD_GET(ICH_LR_PHYS_ID_MASK, lr));
229 	/* If there was no real mapping, nuke the HW bit */
230 	if (!irq || !irq->hw || irq->intid > VGIC_MAX_SPI)
231 		lr &= ~ICH_LR_HW;
232 
233 	/* Translate the virtual mapping to the real one, even if invalid */
234 	if (irq) {
235 		lr &= ~ICH_LR_PHYS_ID_MASK;
236 		lr |= FIELD_PREP(ICH_LR_PHYS_ID_MASK, (u64)irq->hwintid);
237 		vgic_put_irq(vcpu->kvm, irq);
238 	}
239 
240 	return lr;
241 }
242 
243 /*
244  * For LRs which have HW bit set such as timer interrupts, we modify them to
245  * have the host hardware interrupt number instead of the virtual one programmed
246  * by the guest hypervisor.
247  */
248 static void vgic_v3_create_shadow_lr(struct kvm_vcpu *vcpu,
249 				     struct vgic_v3_cpu_if *s_cpu_if)
250 {
251 	struct shadow_if *shadow_if;
252 
253 	shadow_if = container_of(s_cpu_if, struct shadow_if, cpuif);
254 	shadow_if->lr_map = 0;
255 
256 	for (int i = 0; i < kvm_vgic_global_state.nr_lr; i++) {
257 		u64 lr = __vcpu_sys_reg(vcpu, ICH_LRN(i));
258 
259 		if (!(lr & ICH_LR_STATE))
260 			continue;
261 
262 		lr = translate_lr_pintid(vcpu, lr);
263 
264 		s_cpu_if->vgic_lr[hweight16(shadow_if->lr_map)] = lr;
265 		shadow_if->lr_map |= BIT(i);
266 	}
267 
268 	s_cpu_if->used_lrs = hweight16(shadow_if->lr_map);
269 }
270 
271 void vgic_v3_flush_nested(struct kvm_vcpu *vcpu)
272 {
273 	u64 val = __vcpu_sys_reg(vcpu, ICH_HCR_EL2);
274 
275 	write_sysreg_s(val | vgic_ich_hcr_trap_bits(), SYS_ICH_HCR_EL2);
276 }
277 
278 void vgic_v3_sync_nested(struct kvm_vcpu *vcpu)
279 {
280 	struct shadow_if *shadow_if = get_shadow_if();
281 	int i;
282 
283 	for_each_set_bit(i, &shadow_if->lr_map, kvm_vgic_global_state.nr_lr) {
284 		u64 val, host_lr, lr;
285 
286 		host_lr = __gic_v3_get_lr(lr_map_idx_to_shadow_idx(shadow_if, i));
287 
288 		/* Propagate the new LR state */
289 		lr = __vcpu_sys_reg(vcpu, ICH_LRN(i));
290 		val = lr & ~ICH_LR_STATE;
291 		val |= host_lr & ICH_LR_STATE;
292 		__vcpu_assign_sys_reg(vcpu, ICH_LRN(i), val);
293 
294 		/*
295 		 * Deactivation of a HW interrupt: the LR must have the HW
296 		 * bit set, have been in a non-invalid state before the run,
297 		 * and now be in an invalid state. If any of that doesn't
298 		 * hold, we're done with this LR.
299 		 */
300 		if (!((lr & ICH_LR_HW) && (lr & ICH_LR_STATE) &&
301 		      !(host_lr & ICH_LR_STATE)))
302 			continue;
303 
304 		/*
305 		 * If we had a HW lr programmed by the guest hypervisor, we
306 		 * need to emulate the HW effect between the guest hypervisor
307 		 * and the nested guest.
308 		 */
309 		vgic_v3_deactivate(vcpu, FIELD_GET(ICH_LR_PHYS_ID_MASK, lr));
310 	}
311 
312 	/* We need these to be synchronised to generate the MI */
313 	__vcpu_assign_sys_reg(vcpu, ICH_VMCR_EL2, read_sysreg_s(SYS_ICH_VMCR_EL2));
314 	__vcpu_rmw_sys_reg(vcpu, ICH_HCR_EL2, &=, ~ICH_HCR_EL2_EOIcount);
315 	__vcpu_rmw_sys_reg(vcpu, ICH_HCR_EL2, |=, read_sysreg_s(SYS_ICH_HCR_EL2) & ICH_HCR_EL2_EOIcount);
316 
317 	write_sysreg_s(0, SYS_ICH_HCR_EL2);
318 	isb();
319 
320 	vgic_v3_nested_update_mi(vcpu);
321 }
322 
323 static void vgic_v3_create_shadow_state(struct kvm_vcpu *vcpu,
324 					struct vgic_v3_cpu_if *s_cpu_if)
325 {
326 	struct vgic_v3_cpu_if *host_if = &vcpu->arch.vgic_cpu.vgic_v3;
327 	int i;
328 
329 	s_cpu_if->vgic_hcr = __vcpu_sys_reg(vcpu, ICH_HCR_EL2);
330 	s_cpu_if->vgic_vmcr = __vcpu_sys_reg(vcpu, ICH_VMCR_EL2);
331 	s_cpu_if->vgic_sre = host_if->vgic_sre;
332 
333 	for (i = 0; i < 4; i++) {
334 		s_cpu_if->vgic_ap0r[i] = __vcpu_sys_reg(vcpu, ICH_AP0RN(i));
335 		s_cpu_if->vgic_ap1r[i] = __vcpu_sys_reg(vcpu, ICH_AP1RN(i));
336 	}
337 
338 	vgic_v3_create_shadow_lr(vcpu, s_cpu_if);
339 }
340 
341 void vgic_v3_load_nested(struct kvm_vcpu *vcpu)
342 {
343 	struct shadow_if *shadow_if = get_shadow_if();
344 	struct vgic_v3_cpu_if *cpu_if = &shadow_if->cpuif;
345 
346 	BUG_ON(!vgic_state_is_nested(vcpu));
347 
348 	vgic_v3_create_shadow_state(vcpu, cpu_if);
349 
350 	__vgic_v3_restore_vmcr_aprs(cpu_if);
351 	__vgic_v3_activate_traps(cpu_if);
352 
353 	for (int i = 0; i < cpu_if->used_lrs; i++)
354 		__gic_v3_set_lr(cpu_if->vgic_lr[i], i);
355 
356 	/*
357 	 * Propagate the number of used LRs for the benefit of the HYP
358 	 * GICv3 emulation code. Yes, this is a pretty sorry hack.
359 	 */
360 	vcpu->arch.vgic_cpu.vgic_v3.used_lrs = cpu_if->used_lrs;
361 }
362 
363 void vgic_v3_put_nested(struct kvm_vcpu *vcpu)
364 {
365 	struct shadow_if *shadow_if = get_shadow_if();
366 	struct vgic_v3_cpu_if *s_cpu_if = &shadow_if->cpuif;
367 	int i;
368 
369 	__vgic_v3_save_aprs(s_cpu_if);
370 
371 	for (i = 0; i < 4; i++) {
372 		__vcpu_assign_sys_reg(vcpu, ICH_AP0RN(i), s_cpu_if->vgic_ap0r[i]);
373 		__vcpu_assign_sys_reg(vcpu, ICH_AP1RN(i), s_cpu_if->vgic_ap1r[i]);
374 	}
375 
376 	for (i = 0; i < s_cpu_if->used_lrs; i++)
377 		__gic_v3_set_lr(0, i);
378 
379 	__vgic_v3_deactivate_traps(s_cpu_if);
380 
381 	vcpu->arch.vgic_cpu.vgic_v3.used_lrs = 0;
382 }
383 
384 /*
385  * If we exit a L2 VM with a pending maintenance interrupt from the GIC,
386  * then we need to forward this to L1 so that it can re-sync the appropriate
387  * LRs and sample level triggered interrupts again.
388  */
389 void vgic_v3_handle_nested_maint_irq(struct kvm_vcpu *vcpu)
390 {
391 	bool state = read_sysreg_s(SYS_ICH_MISR_EL2);
392 
393 	/* This will force a switch back to L1 if the level is high */
394 	kvm_vgic_inject_irq(vcpu->kvm, vcpu,
395 			    vcpu->kvm->arch.vgic.mi_intid, state, vcpu);
396 
397 	sysreg_clear_set_s(SYS_ICH_HCR_EL2, ICH_HCR_EL2_En, 0);
398 }
399 
400 void vgic_v3_nested_update_mi(struct kvm_vcpu *vcpu)
401 {
402 	bool level;
403 
404 	level = (__vcpu_sys_reg(vcpu, ICH_HCR_EL2) & ICH_HCR_EL2_En) && vgic_v3_get_misr(vcpu);
405 	kvm_vgic_inject_irq(vcpu->kvm, vcpu,
406 			    vcpu->kvm->arch.vgic.mi_intid, level, vcpu);
407 }
408