[PATCH 03/11] KVM: arm64: Make kvm_skip_instr() and co private to HYP
Mark Rutland
mark.rutland at arm.com
Mon Oct 26 10:04:35 EDT 2020
On Mon, Oct 26, 2020 at 01:34:42PM +0000, Marc Zyngier wrote:
> In an effort to remove the vcpu PC manipulations from EL1 on nVHE
> systems, move kvm_skip_instr() to be HYP-specific. EL1's intent
> to increment PC post emulation is now signalled via a flag in the
> vcpu structure.
>
> Signed-off-by: Marc Zyngier <maz at kernel.org>
[...]
> +/*
> + * Adjust the guest PC on entry, depending on flags provided by EL1
> + * for the purpose of emulation (MMIO, sysreg).
> + */
> +static inline void __adjust_pc(struct kvm_vcpu *vcpu)
> +{
> + if (vcpu->arch.flags & KVM_ARM64_INCREMENT_PC) {
> + kvm_skip_instr(vcpu);
> + vcpu->arch.flags &= ~KVM_ARM64_INCREMENT_PC;
> + }
> +}
What's your plan for restricting *when* EL1 can ask for the PC to be
adjusted?
I'm assuming that either:
1. You have EL2 sanity-check all responses from EL1 are permitted for
the current state. e.g. if EL1 asks to increment the PC, EL2 must
check that that was a sane response for the current state.
2. You raise the level of abstraction at the EL2/EL1 boundary, such that
EL2 simply knows. e.g. if emulating a memory access, EL1 can either
provide the response or signal an abort, but doesn't choose to
manipulate the PC as EL2 will infer the right thing to do.
I know that either are tricky in practice, so I'm curious what your view
is. Generally option #2 is easier to fortify, but I guess we might have
to do #1 since we also have to support unprotected VMs?
Thanks,
Mark.
More information about the linux-arm-kernel
mailing list