1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2021 Google LLC 4 * Author: Fuad Tabba <tabba@google.com> 5 */ 6 7 #include <linux/kvm_host.h> 8 #include <linux/mm.h> 9 10 #include <asm/kvm_emulate.h> 11 12 #include <nvhe/mem_protect.h> 13 #include <nvhe/memory.h> 14 #include <nvhe/pkvm.h> 15 #include <nvhe/trap_handler.h> 16 17 /* Used by icache_is_aliasing(). */ 18 unsigned long __icache_flags; 19 20 /* Used by kvm_get_vttbr(). */ 21 unsigned int kvm_arm_vmid_bits; 22 23 unsigned int kvm_host_sve_max_vl; 24 25 /* 26 * The currently loaded hyp vCPU for each physical CPU. Used only when 27 * protected KVM is enabled, but for both protected and non-protected VMs. 28 */ 29 static DEFINE_PER_CPU(struct pkvm_hyp_vcpu *, loaded_hyp_vcpu); 30 31 static void pkvm_vcpu_reset_hcr(struct kvm_vcpu *vcpu) 32 { 33 vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS; 34 35 if (has_hvhe()) 36 vcpu->arch.hcr_el2 |= HCR_E2H; 37 38 if (cpus_have_final_cap(ARM64_HAS_RAS_EXTN)) { 39 /* route synchronous external abort exceptions to EL2 */ 40 vcpu->arch.hcr_el2 |= HCR_TEA; 41 /* trap error record accesses */ 42 vcpu->arch.hcr_el2 |= HCR_TERR; 43 } 44 45 if (cpus_have_final_cap(ARM64_HAS_STAGE2_FWB)) 46 vcpu->arch.hcr_el2 |= HCR_FWB; 47 48 if (cpus_have_final_cap(ARM64_HAS_EVT) && 49 !cpus_have_final_cap(ARM64_MISMATCHED_CACHE_TYPE) && 50 kvm_read_vm_id_reg(vcpu->kvm, SYS_CTR_EL0) == read_cpuid(CTR_EL0)) 51 vcpu->arch.hcr_el2 |= HCR_TID4; 52 else 53 vcpu->arch.hcr_el2 |= HCR_TID2; 54 55 if (vcpu_has_ptrauth(vcpu)) 56 vcpu->arch.hcr_el2 |= (HCR_API | HCR_APK); 57 58 if (kvm_has_mte(vcpu->kvm)) 59 vcpu->arch.hcr_el2 |= HCR_ATA; 60 } 61 62 static void pvm_init_traps_hcr(struct kvm_vcpu *vcpu) 63 { 64 struct kvm *kvm = vcpu->kvm; 65 u64 val = vcpu->arch.hcr_el2; 66 67 /* No support for AArch32. */ 68 val |= HCR_RW; 69 70 /* 71 * Always trap: 72 * - Feature id registers: to control features exposed to guests 73 * - Implementation-defined features 74 */ 75 val |= HCR_TACR | HCR_TIDCP | HCR_TID3 | HCR_TID1; 76 77 if (!kvm_has_feat(kvm, ID_AA64PFR0_EL1, RAS, IMP)) { 78 val |= HCR_TERR | HCR_TEA; 79 val &= ~(HCR_FIEN); 80 } 81 82 if (!kvm_has_feat(kvm, ID_AA64PFR0_EL1, AMU, IMP)) 83 val &= ~(HCR_AMVOFFEN); 84 85 if (!kvm_has_feat(kvm, ID_AA64PFR1_EL1, MTE, IMP)) { 86 val |= HCR_TID5; 87 val &= ~(HCR_DCT | HCR_ATA); 88 } 89 90 if (!kvm_has_feat(kvm, ID_AA64MMFR1_EL1, LO, IMP)) 91 val |= HCR_TLOR; 92 93 vcpu->arch.hcr_el2 = val; 94 } 95 96 static void pvm_init_traps_mdcr(struct kvm_vcpu *vcpu) 97 { 98 struct kvm *kvm = vcpu->kvm; 99 u64 val = vcpu->arch.mdcr_el2; 100 101 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, PMUVer, IMP)) { 102 val |= MDCR_EL2_TPM | MDCR_EL2_TPMCR; 103 val &= ~(MDCR_EL2_HPME | MDCR_EL2_MTPME | MDCR_EL2_HPMN_MASK); 104 } 105 106 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, DebugVer, IMP)) 107 val |= MDCR_EL2_TDRA | MDCR_EL2_TDA; 108 109 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, DoubleLock, IMP)) 110 val |= MDCR_EL2_TDOSA; 111 112 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, PMSVer, IMP)) { 113 val |= MDCR_EL2_TPMS; 114 val &= ~MDCR_EL2_E2PB_MASK; 115 } 116 117 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, TraceFilt, IMP)) 118 val |= MDCR_EL2_TTRF; 119 120 if (!kvm_has_feat(kvm, ID_AA64DFR0_EL1, ExtTrcBuff, IMP)) 121 val |= MDCR_EL2_E2TB_MASK; 122 123 /* Trap Debug Communications Channel registers */ 124 if (!kvm_has_feat(kvm, ID_AA64MMFR0_EL1, FGT, IMP)) 125 val |= MDCR_EL2_TDCC; 126 127 vcpu->arch.mdcr_el2 = val; 128 } 129 130 /* 131 * Check that cpu features that are neither trapped nor supported are not 132 * enabled for protected VMs. 133 */ 134 static int pkvm_check_pvm_cpu_features(struct kvm_vcpu *vcpu) 135 { 136 struct kvm *kvm = vcpu->kvm; 137 138 /* Protected KVM does not support AArch32 guests. */ 139 if (kvm_has_feat(kvm, ID_AA64PFR0_EL1, EL0, AARCH32) || 140 kvm_has_feat(kvm, ID_AA64PFR0_EL1, EL1, AARCH32)) 141 return -EINVAL; 142 143 /* 144 * Linux guests assume support for floating-point and Advanced SIMD. Do 145 * not change the trapping behavior for these from the KVM default. 146 */ 147 if (!kvm_has_feat(kvm, ID_AA64PFR0_EL1, FP, IMP) || 148 !kvm_has_feat(kvm, ID_AA64PFR0_EL1, AdvSIMD, IMP)) 149 return -EINVAL; 150 151 /* No SME support in KVM right now. Check to catch if it changes. */ 152 if (kvm_has_feat(kvm, ID_AA64PFR1_EL1, SME, IMP)) 153 return -EINVAL; 154 155 return 0; 156 } 157 158 /* 159 * Initialize trap register values in protected mode. 160 */ 161 static int pkvm_vcpu_init_traps(struct pkvm_hyp_vcpu *hyp_vcpu) 162 { 163 struct kvm_vcpu *vcpu = &hyp_vcpu->vcpu; 164 int ret; 165 166 vcpu->arch.mdcr_el2 = 0; 167 168 pkvm_vcpu_reset_hcr(vcpu); 169 170 if ((!pkvm_hyp_vcpu_is_protected(hyp_vcpu))) { 171 struct kvm_vcpu *host_vcpu = hyp_vcpu->host_vcpu; 172 173 /* Trust the host for non-protected vcpu features. */ 174 vcpu->arch.hcrx_el2 = host_vcpu->arch.hcrx_el2; 175 return 0; 176 } 177 178 ret = pkvm_check_pvm_cpu_features(vcpu); 179 if (ret) 180 return ret; 181 182 pvm_init_traps_hcr(vcpu); 183 pvm_init_traps_mdcr(vcpu); 184 vcpu_set_hcrx(vcpu); 185 186 return 0; 187 } 188 189 /* 190 * Start the VM table handle at the offset defined instead of at 0. 191 * Mainly for sanity checking and debugging. 192 */ 193 #define HANDLE_OFFSET 0x1000 194 195 static unsigned int vm_handle_to_idx(pkvm_handle_t handle) 196 { 197 return handle - HANDLE_OFFSET; 198 } 199 200 static pkvm_handle_t idx_to_vm_handle(unsigned int idx) 201 { 202 return idx + HANDLE_OFFSET; 203 } 204 205 /* 206 * Spinlock for protecting state related to the VM table. Protects writes 207 * to 'vm_table', 'nr_table_entries', and other per-vm state on initialization. 208 * Also protects reads and writes to 'last_hyp_vcpu_lookup'. 209 */ 210 DEFINE_HYP_SPINLOCK(vm_table_lock); 211 212 /* 213 * The table of VM entries for protected VMs in hyp. 214 * Allocated at hyp initialization and setup. 215 */ 216 static struct pkvm_hyp_vm **vm_table; 217 218 void pkvm_hyp_vm_table_init(void *tbl) 219 { 220 WARN_ON(vm_table); 221 vm_table = tbl; 222 } 223 224 /* 225 * Return the hyp vm structure corresponding to the handle. 226 */ 227 static struct pkvm_hyp_vm *get_vm_by_handle(pkvm_handle_t handle) 228 { 229 unsigned int idx = vm_handle_to_idx(handle); 230 231 if (unlikely(idx >= KVM_MAX_PVMS)) 232 return NULL; 233 234 return vm_table[idx]; 235 } 236 237 struct pkvm_hyp_vcpu *pkvm_load_hyp_vcpu(pkvm_handle_t handle, 238 unsigned int vcpu_idx) 239 { 240 struct pkvm_hyp_vcpu *hyp_vcpu = NULL; 241 struct pkvm_hyp_vm *hyp_vm; 242 243 /* Cannot load a new vcpu without putting the old one first. */ 244 if (__this_cpu_read(loaded_hyp_vcpu)) 245 return NULL; 246 247 hyp_spin_lock(&vm_table_lock); 248 hyp_vm = get_vm_by_handle(handle); 249 if (!hyp_vm || hyp_vm->kvm.created_vcpus <= vcpu_idx) 250 goto unlock; 251 252 hyp_vcpu = hyp_vm->vcpus[vcpu_idx]; 253 if (!hyp_vcpu) 254 goto unlock; 255 256 /* Ensure vcpu isn't loaded on more than one cpu simultaneously. */ 257 if (unlikely(hyp_vcpu->loaded_hyp_vcpu)) { 258 hyp_vcpu = NULL; 259 goto unlock; 260 } 261 262 hyp_vcpu->loaded_hyp_vcpu = this_cpu_ptr(&loaded_hyp_vcpu); 263 hyp_page_ref_inc(hyp_virt_to_page(hyp_vm)); 264 unlock: 265 hyp_spin_unlock(&vm_table_lock); 266 267 if (hyp_vcpu) 268 __this_cpu_write(loaded_hyp_vcpu, hyp_vcpu); 269 return hyp_vcpu; 270 } 271 272 void pkvm_put_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu) 273 { 274 struct pkvm_hyp_vm *hyp_vm = pkvm_hyp_vcpu_to_hyp_vm(hyp_vcpu); 275 276 hyp_spin_lock(&vm_table_lock); 277 hyp_vcpu->loaded_hyp_vcpu = NULL; 278 __this_cpu_write(loaded_hyp_vcpu, NULL); 279 hyp_page_ref_dec(hyp_virt_to_page(hyp_vm)); 280 hyp_spin_unlock(&vm_table_lock); 281 } 282 283 struct pkvm_hyp_vcpu *pkvm_get_loaded_hyp_vcpu(void) 284 { 285 return __this_cpu_read(loaded_hyp_vcpu); 286 287 } 288 289 struct pkvm_hyp_vm *get_pkvm_hyp_vm(pkvm_handle_t handle) 290 { 291 struct pkvm_hyp_vm *hyp_vm; 292 293 hyp_spin_lock(&vm_table_lock); 294 hyp_vm = get_vm_by_handle(handle); 295 if (hyp_vm) 296 hyp_page_ref_inc(hyp_virt_to_page(hyp_vm)); 297 hyp_spin_unlock(&vm_table_lock); 298 299 return hyp_vm; 300 } 301 302 void put_pkvm_hyp_vm(struct pkvm_hyp_vm *hyp_vm) 303 { 304 hyp_spin_lock(&vm_table_lock); 305 hyp_page_ref_dec(hyp_virt_to_page(hyp_vm)); 306 hyp_spin_unlock(&vm_table_lock); 307 } 308 309 struct pkvm_hyp_vm *get_np_pkvm_hyp_vm(pkvm_handle_t handle) 310 { 311 struct pkvm_hyp_vm *hyp_vm = get_pkvm_hyp_vm(handle); 312 313 if (hyp_vm && pkvm_hyp_vm_is_protected(hyp_vm)) { 314 put_pkvm_hyp_vm(hyp_vm); 315 hyp_vm = NULL; 316 } 317 318 return hyp_vm; 319 } 320 321 static void pkvm_init_features_from_host(struct pkvm_hyp_vm *hyp_vm, const struct kvm *host_kvm) 322 { 323 struct kvm *kvm = &hyp_vm->kvm; 324 unsigned long host_arch_flags = READ_ONCE(host_kvm->arch.flags); 325 DECLARE_BITMAP(allowed_features, KVM_VCPU_MAX_FEATURES); 326 327 /* CTR_EL0 is always under host control, even for protected VMs. */ 328 hyp_vm->kvm.arch.ctr_el0 = host_kvm->arch.ctr_el0; 329 330 if (test_bit(KVM_ARCH_FLAG_MTE_ENABLED, &host_kvm->arch.flags)) 331 set_bit(KVM_ARCH_FLAG_MTE_ENABLED, &kvm->arch.flags); 332 333 /* No restrictions for non-protected VMs. */ 334 if (!kvm_vm_is_protected(kvm)) { 335 hyp_vm->kvm.arch.flags = host_arch_flags; 336 337 bitmap_copy(kvm->arch.vcpu_features, 338 host_kvm->arch.vcpu_features, 339 KVM_VCPU_MAX_FEATURES); 340 341 if (test_bit(KVM_ARCH_FLAG_WRITABLE_IMP_ID_REGS, &host_arch_flags)) 342 hyp_vm->kvm.arch.midr_el1 = host_kvm->arch.midr_el1; 343 344 return; 345 } 346 347 bitmap_zero(allowed_features, KVM_VCPU_MAX_FEATURES); 348 349 set_bit(KVM_ARM_VCPU_PSCI_0_2, allowed_features); 350 351 if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PMU_V3)) 352 set_bit(KVM_ARM_VCPU_PMU_V3, allowed_features); 353 354 if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PTRAUTH_ADDRESS)) 355 set_bit(KVM_ARM_VCPU_PTRAUTH_ADDRESS, allowed_features); 356 357 if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PTRAUTH_GENERIC)) 358 set_bit(KVM_ARM_VCPU_PTRAUTH_GENERIC, allowed_features); 359 360 if (kvm_pvm_ext_allowed(KVM_CAP_ARM_SVE)) { 361 set_bit(KVM_ARM_VCPU_SVE, allowed_features); 362 kvm->arch.flags |= host_arch_flags & BIT(KVM_ARCH_FLAG_GUEST_HAS_SVE); 363 } 364 365 bitmap_and(kvm->arch.vcpu_features, host_kvm->arch.vcpu_features, 366 allowed_features, KVM_VCPU_MAX_FEATURES); 367 } 368 369 static void unpin_host_vcpu(struct kvm_vcpu *host_vcpu) 370 { 371 if (host_vcpu) 372 hyp_unpin_shared_mem(host_vcpu, host_vcpu + 1); 373 } 374 375 static void unpin_host_vcpus(struct pkvm_hyp_vcpu *hyp_vcpus[], 376 unsigned int nr_vcpus) 377 { 378 int i; 379 380 for (i = 0; i < nr_vcpus; i++) { 381 struct pkvm_hyp_vcpu *hyp_vcpu = hyp_vcpus[i]; 382 383 if (!hyp_vcpu) 384 continue; 385 386 unpin_host_vcpu(hyp_vcpu->host_vcpu); 387 } 388 } 389 390 static void init_pkvm_hyp_vm(struct kvm *host_kvm, struct pkvm_hyp_vm *hyp_vm, 391 unsigned int nr_vcpus) 392 { 393 hyp_vm->host_kvm = host_kvm; 394 hyp_vm->kvm.created_vcpus = nr_vcpus; 395 hyp_vm->kvm.arch.mmu.vtcr = host_mmu.arch.mmu.vtcr; 396 hyp_vm->kvm.arch.pkvm.enabled = READ_ONCE(host_kvm->arch.pkvm.enabled); 397 hyp_vm->kvm.arch.flags = 0; 398 pkvm_init_features_from_host(hyp_vm, host_kvm); 399 } 400 401 static void pkvm_vcpu_init_sve(struct pkvm_hyp_vcpu *hyp_vcpu, struct kvm_vcpu *host_vcpu) 402 { 403 struct kvm_vcpu *vcpu = &hyp_vcpu->vcpu; 404 405 if (!vcpu_has_feature(vcpu, KVM_ARM_VCPU_SVE)) 406 vcpu_clear_flag(vcpu, VCPU_SVE_FINALIZED); 407 } 408 409 static int init_pkvm_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu, 410 struct pkvm_hyp_vm *hyp_vm, 411 struct kvm_vcpu *host_vcpu) 412 { 413 int ret = 0; 414 415 if (hyp_pin_shared_mem(host_vcpu, host_vcpu + 1)) 416 return -EBUSY; 417 418 hyp_vcpu->host_vcpu = host_vcpu; 419 420 hyp_vcpu->vcpu.kvm = &hyp_vm->kvm; 421 hyp_vcpu->vcpu.vcpu_id = READ_ONCE(host_vcpu->vcpu_id); 422 hyp_vcpu->vcpu.vcpu_idx = READ_ONCE(host_vcpu->vcpu_idx); 423 424 hyp_vcpu->vcpu.arch.hw_mmu = &hyp_vm->kvm.arch.mmu; 425 hyp_vcpu->vcpu.arch.cflags = READ_ONCE(host_vcpu->arch.cflags); 426 hyp_vcpu->vcpu.arch.mp_state.mp_state = KVM_MP_STATE_STOPPED; 427 428 if (pkvm_hyp_vcpu_is_protected(hyp_vcpu)) 429 kvm_init_pvm_id_regs(&hyp_vcpu->vcpu); 430 431 ret = pkvm_vcpu_init_traps(hyp_vcpu); 432 if (ret) 433 goto done; 434 435 pkvm_vcpu_init_sve(hyp_vcpu, host_vcpu); 436 done: 437 if (ret) 438 unpin_host_vcpu(host_vcpu); 439 return ret; 440 } 441 442 static int find_free_vm_table_entry(struct kvm *host_kvm) 443 { 444 int i; 445 446 for (i = 0; i < KVM_MAX_PVMS; ++i) { 447 if (!vm_table[i]) 448 return i; 449 } 450 451 return -ENOMEM; 452 } 453 454 /* 455 * Allocate a VM table entry and insert a pointer to the new vm. 456 * 457 * Return a unique handle to the protected VM on success, 458 * negative error code on failure. 459 */ 460 static pkvm_handle_t insert_vm_table_entry(struct kvm *host_kvm, 461 struct pkvm_hyp_vm *hyp_vm) 462 { 463 struct kvm_s2_mmu *mmu = &hyp_vm->kvm.arch.mmu; 464 int idx; 465 466 hyp_assert_lock_held(&vm_table_lock); 467 468 /* 469 * Initializing protected state might have failed, yet a malicious 470 * host could trigger this function. Thus, ensure that 'vm_table' 471 * exists. 472 */ 473 if (unlikely(!vm_table)) 474 return -EINVAL; 475 476 idx = find_free_vm_table_entry(host_kvm); 477 if (idx < 0) 478 return idx; 479 480 hyp_vm->kvm.arch.pkvm.handle = idx_to_vm_handle(idx); 481 482 /* VMID 0 is reserved for the host */ 483 atomic64_set(&mmu->vmid.id, idx + 1); 484 485 mmu->arch = &hyp_vm->kvm.arch; 486 mmu->pgt = &hyp_vm->pgt; 487 488 vm_table[idx] = hyp_vm; 489 return hyp_vm->kvm.arch.pkvm.handle; 490 } 491 492 /* 493 * Deallocate and remove the VM table entry corresponding to the handle. 494 */ 495 static void remove_vm_table_entry(pkvm_handle_t handle) 496 { 497 hyp_assert_lock_held(&vm_table_lock); 498 vm_table[vm_handle_to_idx(handle)] = NULL; 499 } 500 501 static size_t pkvm_get_hyp_vm_size(unsigned int nr_vcpus) 502 { 503 return size_add(sizeof(struct pkvm_hyp_vm), 504 size_mul(sizeof(struct pkvm_hyp_vcpu *), nr_vcpus)); 505 } 506 507 static void *map_donated_memory_noclear(unsigned long host_va, size_t size) 508 { 509 void *va = (void *)kern_hyp_va(host_va); 510 511 if (!PAGE_ALIGNED(va)) 512 return NULL; 513 514 if (__pkvm_host_donate_hyp(hyp_virt_to_pfn(va), 515 PAGE_ALIGN(size) >> PAGE_SHIFT)) 516 return NULL; 517 518 return va; 519 } 520 521 static void *map_donated_memory(unsigned long host_va, size_t size) 522 { 523 void *va = map_donated_memory_noclear(host_va, size); 524 525 if (va) 526 memset(va, 0, size); 527 528 return va; 529 } 530 531 static void __unmap_donated_memory(void *va, size_t size) 532 { 533 kvm_flush_dcache_to_poc(va, size); 534 WARN_ON(__pkvm_hyp_donate_host(hyp_virt_to_pfn(va), 535 PAGE_ALIGN(size) >> PAGE_SHIFT)); 536 } 537 538 static void unmap_donated_memory(void *va, size_t size) 539 { 540 if (!va) 541 return; 542 543 memset(va, 0, size); 544 __unmap_donated_memory(va, size); 545 } 546 547 static void unmap_donated_memory_noclear(void *va, size_t size) 548 { 549 if (!va) 550 return; 551 552 __unmap_donated_memory(va, size); 553 } 554 555 /* 556 * Initialize the hypervisor copy of the protected VM state using the 557 * memory donated by the host. 558 * 559 * Unmaps the donated memory from the host at stage 2. 560 * 561 * host_kvm: A pointer to the host's struct kvm. 562 * vm_hva: The host va of the area being donated for the VM state. 563 * Must be page aligned. 564 * pgd_hva: The host va of the area being donated for the stage-2 PGD for 565 * the VM. Must be page aligned. Its size is implied by the VM's 566 * VTCR. 567 * 568 * Return a unique handle to the protected VM on success, 569 * negative error code on failure. 570 */ 571 int __pkvm_init_vm(struct kvm *host_kvm, unsigned long vm_hva, 572 unsigned long pgd_hva) 573 { 574 struct pkvm_hyp_vm *hyp_vm = NULL; 575 size_t vm_size, pgd_size; 576 unsigned int nr_vcpus; 577 void *pgd = NULL; 578 int ret; 579 580 ret = hyp_pin_shared_mem(host_kvm, host_kvm + 1); 581 if (ret) 582 return ret; 583 584 nr_vcpus = READ_ONCE(host_kvm->created_vcpus); 585 if (nr_vcpus < 1) { 586 ret = -EINVAL; 587 goto err_unpin_kvm; 588 } 589 590 vm_size = pkvm_get_hyp_vm_size(nr_vcpus); 591 pgd_size = kvm_pgtable_stage2_pgd_size(host_mmu.arch.mmu.vtcr); 592 593 ret = -ENOMEM; 594 595 hyp_vm = map_donated_memory(vm_hva, vm_size); 596 if (!hyp_vm) 597 goto err_remove_mappings; 598 599 pgd = map_donated_memory_noclear(pgd_hva, pgd_size); 600 if (!pgd) 601 goto err_remove_mappings; 602 603 init_pkvm_hyp_vm(host_kvm, hyp_vm, nr_vcpus); 604 605 hyp_spin_lock(&vm_table_lock); 606 ret = insert_vm_table_entry(host_kvm, hyp_vm); 607 if (ret < 0) 608 goto err_unlock; 609 610 ret = kvm_guest_prepare_stage2(hyp_vm, pgd); 611 if (ret) 612 goto err_remove_vm_table_entry; 613 hyp_spin_unlock(&vm_table_lock); 614 615 return hyp_vm->kvm.arch.pkvm.handle; 616 617 err_remove_vm_table_entry: 618 remove_vm_table_entry(hyp_vm->kvm.arch.pkvm.handle); 619 err_unlock: 620 hyp_spin_unlock(&vm_table_lock); 621 err_remove_mappings: 622 unmap_donated_memory(hyp_vm, vm_size); 623 unmap_donated_memory(pgd, pgd_size); 624 err_unpin_kvm: 625 hyp_unpin_shared_mem(host_kvm, host_kvm + 1); 626 return ret; 627 } 628 629 /* 630 * Initialize the hypervisor copy of the protected vCPU state using the 631 * memory donated by the host. 632 * 633 * handle: The handle for the protected vm. 634 * host_vcpu: A pointer to the corresponding host vcpu. 635 * vcpu_hva: The host va of the area being donated for the vcpu state. 636 * Must be page aligned. The size of the area must be equal to 637 * the page-aligned size of 'struct pkvm_hyp_vcpu'. 638 * Return 0 on success, negative error code on failure. 639 */ 640 int __pkvm_init_vcpu(pkvm_handle_t handle, struct kvm_vcpu *host_vcpu, 641 unsigned long vcpu_hva) 642 { 643 struct pkvm_hyp_vcpu *hyp_vcpu; 644 struct pkvm_hyp_vm *hyp_vm; 645 unsigned int idx; 646 int ret; 647 648 hyp_vcpu = map_donated_memory(vcpu_hva, sizeof(*hyp_vcpu)); 649 if (!hyp_vcpu) 650 return -ENOMEM; 651 652 hyp_spin_lock(&vm_table_lock); 653 654 hyp_vm = get_vm_by_handle(handle); 655 if (!hyp_vm) { 656 ret = -ENOENT; 657 goto unlock; 658 } 659 660 ret = init_pkvm_hyp_vcpu(hyp_vcpu, hyp_vm, host_vcpu); 661 if (ret) 662 goto unlock; 663 664 idx = hyp_vcpu->vcpu.vcpu_idx; 665 if (idx >= hyp_vm->kvm.created_vcpus) { 666 ret = -EINVAL; 667 goto unlock; 668 } 669 670 if (hyp_vm->vcpus[idx]) { 671 ret = -EINVAL; 672 goto unlock; 673 } 674 675 hyp_vm->vcpus[idx] = hyp_vcpu; 676 unlock: 677 hyp_spin_unlock(&vm_table_lock); 678 679 if (ret) 680 unmap_donated_memory(hyp_vcpu, sizeof(*hyp_vcpu)); 681 return ret; 682 } 683 684 static void 685 teardown_donated_memory(struct kvm_hyp_memcache *mc, void *addr, size_t size) 686 { 687 size = PAGE_ALIGN(size); 688 memset(addr, 0, size); 689 690 for (void *start = addr; start < addr + size; start += PAGE_SIZE) 691 push_hyp_memcache(mc, start, hyp_virt_to_phys); 692 693 unmap_donated_memory_noclear(addr, size); 694 } 695 696 int __pkvm_teardown_vm(pkvm_handle_t handle) 697 { 698 struct kvm_hyp_memcache *mc, *stage2_mc; 699 struct pkvm_hyp_vm *hyp_vm; 700 struct kvm *host_kvm; 701 unsigned int idx; 702 size_t vm_size; 703 int err; 704 705 hyp_spin_lock(&vm_table_lock); 706 hyp_vm = get_vm_by_handle(handle); 707 if (!hyp_vm) { 708 err = -ENOENT; 709 goto err_unlock; 710 } 711 712 if (WARN_ON(hyp_page_count(hyp_vm))) { 713 err = -EBUSY; 714 goto err_unlock; 715 } 716 717 host_kvm = hyp_vm->host_kvm; 718 719 /* Ensure the VMID is clean before it can be reallocated */ 720 __kvm_tlb_flush_vmid(&hyp_vm->kvm.arch.mmu); 721 remove_vm_table_entry(handle); 722 hyp_spin_unlock(&vm_table_lock); 723 724 /* Reclaim guest pages (including page-table pages) */ 725 mc = &host_kvm->arch.pkvm.teardown_mc; 726 stage2_mc = &host_kvm->arch.pkvm.stage2_teardown_mc; 727 reclaim_pgtable_pages(hyp_vm, stage2_mc); 728 unpin_host_vcpus(hyp_vm->vcpus, hyp_vm->kvm.created_vcpus); 729 730 /* Push the metadata pages to the teardown memcache */ 731 for (idx = 0; idx < hyp_vm->kvm.created_vcpus; ++idx) { 732 struct pkvm_hyp_vcpu *hyp_vcpu = hyp_vm->vcpus[idx]; 733 struct kvm_hyp_memcache *vcpu_mc; 734 735 if (!hyp_vcpu) 736 continue; 737 738 vcpu_mc = &hyp_vcpu->vcpu.arch.pkvm_memcache; 739 740 while (vcpu_mc->nr_pages) { 741 void *addr = pop_hyp_memcache(vcpu_mc, hyp_phys_to_virt); 742 743 push_hyp_memcache(stage2_mc, addr, hyp_virt_to_phys); 744 unmap_donated_memory_noclear(addr, PAGE_SIZE); 745 } 746 747 teardown_donated_memory(mc, hyp_vcpu, sizeof(*hyp_vcpu)); 748 } 749 750 vm_size = pkvm_get_hyp_vm_size(hyp_vm->kvm.created_vcpus); 751 teardown_donated_memory(mc, hyp_vm, vm_size); 752 hyp_unpin_shared_mem(host_kvm, host_kvm + 1); 753 return 0; 754 755 err_unlock: 756 hyp_spin_unlock(&vm_table_lock); 757 return err; 758 } 759