[PATCH v3 18/18] KVM: arm64: Plumb the pKVM MMU in KVM

Quentin Perret qperret at google.com
Wed Dec 18 04:06:55 PST 2024


On Tuesday 17 Dec 2024 at 15:38:21 (+0000), Marc Zyngier wrote:
> On Tue, 17 Dec 2024 14:31:35 +0000,
> Quentin Perret <qperret at google.com> wrote:
> > 
> > On Tuesday 17 Dec 2024 at 14:03:37 (+0000), Marc Zyngier wrote:
> > > My gripe with this is that it makes it much harder to follow what is
> > > happening by using tags (ctags, etags, whatever). I ended up with the
> > > hack below, which is super ugly, but preserves the tagging
> > > functionality for non-pKVM.
> > 
> > Ack.
> > 
> > > I'll scratch my head to find something more elegant...
> > 
> > I find your proposal pretty reasonable -- I had a few different ideas
> > but they were all really over-engineered, so I figured relying on a
> > naming convention was the simplest. And any divergence will be flagged
> > at compile time, so that shouldn't be too hard to maintain looking
> > forward.
> > 
> > The __S2 name isn't massively descriptive though. Maybe KVM_PGT_CALL()
> > or something? Thinking about it, this abstraction doesn't need to be
> > restricted to stage-2 stuff. We could most likely hide the
> > __pkvm_host_{un}share_hyp() logic behind a pkvm_pgtable_hyp_{un}map()
> > implementation in pkvm.c as well...
> 
> Oh, I'm happy with *any* name. I just changed it to make sure any
> missing occurrence would blow up.
> 
> And yes, if we can make that more uniform, I'm all for that.

I had a go at porting the hyp stage-1 code to the same logic and
ended up with the diff below.

It's not completely obvious it is much better than the existing code
TBH. I ended up resorting to odd things like passing a NULL pgt to the
pkvm_pgtable_hyp_*() functions and such. All the mess comes from the
pKVM boot flow, where Linux originally creates the hyp stage-1
page-table, but then frees it after pKVM has initialized and switches to
using hypercalls.

None of this is needed for this series though, so I won't include that
in v4. I'll post it separately once that series lands, and then we can
decide if it's worth it, or if it should be done differently.

diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
index d116ab4230e8..b35c909f4d0a 100644
--- a/arch/arm64/include/asm/kvm_mmu.h
+++ b/arch/arm64/include/asm/kvm_mmu.h
@@ -152,8 +152,7 @@ static __always_inline unsigned long __kern_hyp_va(unsigned long v)
 #include <asm/kvm_pgtable.h>
 #include <asm/stage2_pgtable.h>
 
-int kvm_share_hyp(void *from, void *to);
-void kvm_unshare_hyp(void *from, void *to);
+void remove_hyp_mappings(void *from, void *to);
 int create_hyp_mappings(void *from, void *to, enum kvm_pgtable_prot prot);
 int __create_hyp_mappings(unsigned long start, unsigned long size,
 			  unsigned long phys, enum kvm_pgtable_prot prot);
diff --git a/arch/arm64/include/asm/kvm_pkvm.h b/arch/arm64/include/asm/kvm_pkvm.h
index 65f988b6fe0d..db7851459ef3 100644
--- a/arch/arm64/include/asm/kvm_pkvm.h
+++ b/arch/arm64/include/asm/kvm_pkvm.h
@@ -143,6 +143,11 @@ struct pkvm_mapping {
 	u64 pfn;
 };
 
+int pkvm_pgtable_hyp_init(struct kvm_pgtable *pgt, u32 va_bits, struct kvm_pgtable_mm_ops *mm_ops);
+void pkvm_pgtable_hyp_destroy(struct kvm_pgtable *pgt);
+int pkvm_pgtable_hyp_map(struct kvm_pgtable *pgt, u64 addr, u64 size, u64 phys,
+			 enum kvm_pgtable_prot prot);
+u64 pkvm_pgtable_hyp_unmap(struct kvm_pgtable *pgt, u64 addr, u64 size);
 int pkvm_pgtable_stage2_init(struct kvm_pgtable *pgt, struct kvm_s2_mmu *mmu,
 			     struct kvm_pgtable_mm_ops *mm_ops);
 void pkvm_pgtable_stage2_destroy(struct kvm_pgtable *pgt);
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 9bcbc7b8ed38..2dada891c199 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -183,7 +183,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
 
 	kvm_init_nested(kvm);
 
-	ret = kvm_share_hyp(kvm, kvm + 1);
+	ret = create_hyp_mappings(kvm, kvm + 1, PAGE_HYP);
 	if (ret)
 		return ret;
 
@@ -217,7 +217,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
 err_free_cpumask:
 	free_cpumask_var(kvm->arch.supported_cpus);
 err_unshare_kvm:
-	kvm_unshare_hyp(kvm, kvm + 1);
+	remove_hyp_mappings(kvm, kvm + 1);
 	return ret;
 }
 
@@ -268,7 +268,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
 	kfree(kvm->arch.sysreg_masks);
 	kvm_destroy_vcpus(kvm);
 
-	kvm_unshare_hyp(kvm, kvm + 1);
+	remove_hyp_mappings(kvm, kvm + 1);
 
 	kvm_arm_teardown_hypercalls(kvm);
 }
@@ -493,7 +493,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
 	if (err)
 		return err;
 
-	return kvm_share_hyp(vcpu, vcpu + 1);
+	return create_hyp_mappings(vcpu, vcpu + 1, PAGE_HYP);
 }
 
 void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
diff --git a/arch/arm64/kvm/fpsimd.c b/arch/arm64/kvm/fpsimd.c
index ea5484ce1f3b..49acdda3f1d0 100644
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -33,7 +33,7 @@ int kvm_arch_vcpu_run_map_fp(struct kvm_vcpu *vcpu)
 		return 0;
 
 	/* Make sure the host task fpsimd state is visible to hyp: */
-	ret = kvm_share_hyp(fpsimd, fpsimd + 1);
+	ret = create_hyp_mappings(fpsimd, fpsimd + 1, PAGE_HYP);
 	if (ret)
 		return ret;
 
diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 4e6cf4a1a6eb..53e584a5e8d7 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -407,44 +407,20 @@ void __init free_hyp_pgds(void)
 {
 	mutex_lock(&kvm_hyp_pgd_mutex);
 	if (hyp_pgtable) {
-		kvm_pgtable_hyp_destroy(hyp_pgtable);
+		KVM_PGT_CALL(kvm_pgtable_hyp_destroy, hyp_pgtable);
 		kfree(hyp_pgtable);
 		hyp_pgtable = NULL;
 	}
 	mutex_unlock(&kvm_hyp_pgd_mutex);
 }
 
-static bool kvm_host_owns_hyp_mappings(void)
-{
-	if (is_kernel_in_hyp_mode())
-		return false;
-
-	if (static_branch_likely(&kvm_protected_mode_initialized))
-		return false;
-
-	/*
-	 * This can happen at boot time when __create_hyp_mappings() is called
-	 * after the hyp protection has been enabled, but the static key has
-	 * not been flipped yet.
-	 */
-	if (!hyp_pgtable && is_protected_kvm_enabled())
-		return false;
-
-	WARN_ON(!hyp_pgtable);
-
-	return true;
-}
-
 int __create_hyp_mappings(unsigned long start, unsigned long size,
 			  unsigned long phys, enum kvm_pgtable_prot prot)
 {
 	int err;
 
-	if (WARN_ON(!kvm_host_owns_hyp_mappings()))
-		return -EINVAL;
-
 	mutex_lock(&kvm_hyp_pgd_mutex);
-	err = kvm_pgtable_hyp_map(hyp_pgtable, start, size, phys, prot);
+	err = KVM_PGT_CALL(kvm_pgtable_hyp_map, hyp_pgtable, start, size, phys, prot);
 	mutex_unlock(&kvm_hyp_pgd_mutex);
 
 	return err;
@@ -461,138 +437,18 @@ static phys_addr_t kvm_kaddr_to_phys(void *kaddr)
 	}
 }
 
-struct hyp_shared_pfn {
-	u64 pfn;
-	int count;
-	struct rb_node node;
-};
-
-static DEFINE_MUTEX(hyp_shared_pfns_lock);
-static struct rb_root hyp_shared_pfns = RB_ROOT;
-
-static struct hyp_shared_pfn *find_shared_pfn(u64 pfn, struct rb_node ***node,
-					      struct rb_node **parent)
-{
-	struct hyp_shared_pfn *this;
-
-	*node = &hyp_shared_pfns.rb_node;
-	*parent = NULL;
-	while (**node) {
-		this = container_of(**node, struct hyp_shared_pfn, node);
-		*parent = **node;
-		if (this->pfn < pfn)
-			*node = &((**node)->rb_left);
-		else if (this->pfn > pfn)
-			*node = &((**node)->rb_right);
-		else
-			return this;
-	}
-
-	return NULL;
-}
-
-static int share_pfn_hyp(u64 pfn)
-{
-	struct rb_node **node, *parent;
-	struct hyp_shared_pfn *this;
-	int ret = 0;
-
-	mutex_lock(&hyp_shared_pfns_lock);
-	this = find_shared_pfn(pfn, &node, &parent);
-	if (this) {
-		this->count++;
-		goto unlock;
-	}
-
-	this = kzalloc(sizeof(*this), GFP_KERNEL);
-	if (!this) {
-		ret = -ENOMEM;
-		goto unlock;
-	}
-
-	this->pfn = pfn;
-	this->count = 1;
-	rb_link_node(&this->node, parent, node);
-	rb_insert_color(&this->node, &hyp_shared_pfns);
-	ret = kvm_call_hyp_nvhe(__pkvm_host_share_hyp, pfn, 1);
-unlock:
-	mutex_unlock(&hyp_shared_pfns_lock);
-
-	return ret;
-}
-
-static int unshare_pfn_hyp(u64 pfn)
-{
-	struct rb_node **node, *parent;
-	struct hyp_shared_pfn *this;
-	int ret = 0;
-
-	mutex_lock(&hyp_shared_pfns_lock);
-	this = find_shared_pfn(pfn, &node, &parent);
-	if (WARN_ON(!this)) {
-		ret = -ENOENT;
-		goto unlock;
-	}
-
-	this->count--;
-	if (this->count)
-		goto unlock;
-
-	rb_erase(&this->node, &hyp_shared_pfns);
-	kfree(this);
-	ret = kvm_call_hyp_nvhe(__pkvm_host_unshare_hyp, pfn, 1);
-unlock:
-	mutex_unlock(&hyp_shared_pfns_lock);
-
-	return ret;
-}
-
-int kvm_share_hyp(void *from, void *to)
-{
-	phys_addr_t start, end, cur;
-	u64 pfn;
-	int ret;
-
-	if (is_kernel_in_hyp_mode())
-		return 0;
-
-	/*
-	 * The share hcall maps things in the 'fixed-offset' region of the hyp
-	 * VA space, so we can only share physically contiguous data-structures
-	 * for now.
-	 */
-	if (is_vmalloc_or_module_addr(from) || is_vmalloc_or_module_addr(to))
-		return -EINVAL;
-
-	if (kvm_host_owns_hyp_mappings())
-		return create_hyp_mappings(from, to, PAGE_HYP);
-
-	start = ALIGN_DOWN(__pa(from), PAGE_SIZE);
-	end = PAGE_ALIGN(__pa(to));
-	for (cur = start; cur < end; cur += PAGE_SIZE) {
-		pfn = __phys_to_pfn(cur);
-		ret = share_pfn_hyp(pfn);
-		if (ret)
-			return ret;
-	}
-
-	return 0;
-}
-
-void kvm_unshare_hyp(void *from, void *to)
+void remove_hyp_mappings(void *from, void *to)
 {
-	phys_addr_t start, end, cur;
-	u64 pfn;
+	unsigned long start = kern_hyp_va((unsigned long)from);
+	unsigned long end = kern_hyp_va((unsigned long)to);
+	unsigned long size = end - start;
 
-	if (is_kernel_in_hyp_mode() || kvm_host_owns_hyp_mappings() || !from)
+	if (!is_protected_kvm_enabled() || !from)
 		return;
 
-	start = ALIGN_DOWN(__pa(from), PAGE_SIZE);
-	end = PAGE_ALIGN(__pa(to));
-	for (cur = start; cur < end; cur += PAGE_SIZE) {
-		pfn = __phys_to_pfn(cur);
-		WARN_ON(unshare_pfn_hyp(pfn));
-	}
+	mutex_lock(&kvm_hyp_pgd_mutex);
+	WARN_ON(KVM_PGT_CALL(kvm_pgtable_hyp_unmap, hyp_pgtable, start, size) != size);
+	mutex_unlock(&kvm_hyp_pgd_mutex);
 }
 
 /**
@@ -615,9 +471,6 @@ int create_hyp_mappings(void *from, void *to, enum kvm_pgtable_prot prot)
 	if (is_kernel_in_hyp_mode())
 		return 0;
 
-	if (!kvm_host_owns_hyp_mappings())
-		return -EPERM;
-
 	start = start & PAGE_MASK;
 	end = PAGE_ALIGN(end);
 
@@ -699,16 +552,6 @@ static int __create_hyp_private_mapping(phys_addr_t phys_addr, size_t size,
 	unsigned long addr;
 	int ret = 0;
 
-	if (!kvm_host_owns_hyp_mappings()) {
-		addr = kvm_call_hyp_nvhe(__pkvm_create_private_mapping,
-					 phys_addr, size, prot);
-		if (IS_ERR_VALUE(addr))
-			return addr;
-		*haddr = addr;
-
-		return 0;
-	}
-
 	size = PAGE_ALIGN(size + offset_in_page(phys_addr));
 	ret = hyp_alloc_private_va_range(size, &addr);
 	if (ret)
@@ -2094,7 +1937,7 @@ int __init kvm_mmu_init(u32 *hyp_va_bits)
 		goto out;
 	}
 
-	err = kvm_pgtable_hyp_init(hyp_pgtable, *hyp_va_bits, &kvm_hyp_mm_ops);
+	err = KVM_PGT_CALL(kvm_pgtable_hyp_init, hyp_pgtable, *hyp_va_bits, &kvm_hyp_mm_ops);
 	if (err)
 		goto out_free_pgtable;
 
@@ -2106,7 +1949,7 @@ int __init kvm_mmu_init(u32 *hyp_va_bits)
 	return 0;
 
 out_destroy_pgtable:
-	kvm_pgtable_hyp_destroy(hyp_pgtable);
+	KVM_PGT_CALL(kvm_pgtable_hyp_destroy, hyp_pgtable);
 out_free_pgtable:
 	kfree(hyp_pgtable);
 	hyp_pgtable = NULL;
diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c
index 64de20e8001d..f5a02b4039b1 100644
--- a/arch/arm64/kvm/pkvm.c
+++ b/arch/arm64/kvm/pkvm.c
@@ -270,6 +270,124 @@ static int __init finalize_pkvm(void)
 }
 device_initcall_sync(finalize_pkvm);
 
+struct hyp_shared_page {
+	struct rb_node node;
+	phys_addr_t phys;
+	void *hyp_va;
+	int count;
+};
+static struct rb_root hyp_shared_pages = RB_ROOT;
+
+static struct hyp_shared_page *find_shared_page(void *hyp_va, struct rb_node ***node,
+					       struct rb_node **parent)
+{
+	struct hyp_shared_page *page;
+
+	*node = &hyp_shared_pages.rb_node;
+	*parent = NULL;
+	while (**node) {
+		page = container_of(**node, struct hyp_shared_page, node);
+		*parent = **node;
+		if (page->hyp_va < hyp_va)
+			*node = &((**node)->rb_left);
+		else if (page->hyp_va > hyp_va)
+			*node = &((**node)->rb_right);
+		else
+			return page;
+	}
+
+	return NULL;
+}
+
+int pkvm_pgtable_hyp_init(struct kvm_pgtable *pgt, u32 va_bits, struct kvm_pgtable_mm_ops *mm_ops)
+{
+	if (pgt)
+		return kvm_pgtable_hyp_init(pgt, va_bits, mm_ops);
+	return 0;
+}
+
+void pkvm_pgtable_hyp_destroy(struct kvm_pgtable *pgt)
+{
+	if (pgt)
+		return kvm_pgtable_hyp_destroy(pgt);
+}
+
+static int share_page_hyp(void *hyp_va, phys_addr_t phys)
+{
+	struct rb_node **node, *parent;
+	struct hyp_shared_page *page;
+
+	page = find_shared_page(hyp_va, &node, &parent);
+	if (page) {
+		page->count++;
+		return 0;
+	}
+
+	page = kzalloc(sizeof(*page), GFP_KERNEL);
+	if (!page)
+		return -ENOMEM;
+	page->hyp_va = hyp_va;
+	page->phys = phys;
+	page->count = 1;
+	rb_link_node(&page->node, parent, node);
+	rb_insert_color(&page->node, &hyp_shared_pages);
+
+	return kvm_call_hyp_nvhe(__pkvm_host_share_hyp, phys >> PAGE_SHIFT, 1);
+}
+
+int pkvm_pgtable_hyp_map(struct kvm_pgtable *pgt, u64 addr, u64 size, u64 phys,
+			 enum kvm_pgtable_prot prot)
+{
+	u64 off;
+	int ret;
+
+	if (pgt)
+		return kvm_pgtable_hyp_map(pgt, addr, size, phys, prot);
+
+	addr = ALIGN_DOWN(addr, PAGE_SIZE);
+	phys = ALIGN_DOWN(phys, PAGE_SIZE);
+	size = PAGE_ALIGN(size);
+	if (addr != (u64)kern_hyp_va(__va(phys)))
+		return -EINVAL;
+	if (prot != PAGE_HYP)
+		return -EPERM;
+
+	for (off = 0; off < size; off += PAGE_SIZE) {
+		ret = share_page_hyp((void *)(addr + off), phys + off);
+		if (ret)
+			return ret;
+	}
+
+	return 0;
+}
+
+u64 pkvm_pgtable_hyp_unmap(struct kvm_pgtable *pgt, u64 addr, u64 size)
+{
+	struct rb_node **node, *parent, *next;
+	struct hyp_shared_page *page;
+	u64 pfn, off = 0;
+
+	if (pgt)
+		return kvm_pgtable_hyp_unmap(pgt, addr, size);
+
+	page = find_shared_page((void *)addr, &node, &parent);
+	while (page && ((u64)page->hyp_va == addr + off) && off < size) {
+		next = rb_next(&page->node);
+		page->count--;
+		if (!page->count) {
+			pfn = page->phys >> PAGE_SHIFT;
+			rb_erase(&page->node, &hyp_shared_pages);
+			kfree(page);
+			if (kvm_call_hyp_nvhe(__pkvm_host_unshare_hyp, pfn, 1))
+				break;
+		}
+		off += PAGE_SIZE;
+		page = next ? container_of(next, struct hyp_shared_page, node) : NULL;
+	}
+
+	return off;
+}
+
 static int cmp_mappings(struct rb_node *node, const struct rb_node *parent)
 {
 	struct pkvm_mapping *a = rb_entry(node, struct pkvm_mapping, node);
diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
index 470524b31951..e8b3d08e26dd 100644
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -115,7 +115,7 @@ static int kvm_vcpu_finalize_sve(struct kvm_vcpu *vcpu)
 	if (!buf)
 		return -ENOMEM;
 
-	ret = kvm_share_hyp(buf, buf + reg_sz);
+	ret = create_hyp_mappings(buf, buf + reg_sz, PAGE_HYP);
 	if (ret) {
 		kfree(buf);
 		return ret;
@@ -154,9 +154,9 @@ void kvm_arm_vcpu_destroy(struct kvm_vcpu *vcpu)
 {
 	void *sve_state = vcpu->arch.sve_state;
 
-	kvm_unshare_hyp(vcpu, vcpu + 1);
+	remove_hyp_mappings(vcpu, vcpu + 1);
 	if (sve_state)
-		kvm_unshare_hyp(sve_state, sve_state + vcpu_sve_state_size(vcpu));
+		remove_hyp_mappings(sve_state, sve_state + vcpu_sve_state_size(vcpu));
 	kfree(sve_state);
 	kfree(vcpu->arch.ccsidr);
 }
-- 
2.47.1.613.gc27f4b7a9f-goog




More information about the linux-arm-kernel mailing list