[RFC] ARM vGIC-ITS tables serialization when running protected VMs

Marc Zyngier maz at kernel.org
Sun Apr 27 09:43:18 PDT 2025


On Tue, 22 Apr 2025 11:47:46 +0100,
David Woodhouse <dwmw2 at infradead.org> wrote:
> 
> On Tue, 2025-04-15 at 10:44 +0100, David Woodhouse wrote:
> >  
> > 
> > > > Another issue is that it's actually hard for the lowvisor to know where these
> > > > tables live without trusting the EL1 host which virtualizes the ITS. It is
> > > > especially hard knowing the locations of the ITTs (compared to
> > > > Collection/Device tables) because that probably means having to parse the ITS
> > > > command queue from EL2 which is complex and undesirable.
> > > > 
> > > > # An alternative: Serializing ITTs into a userspace buffer
> > > 
> > > NAK.
> > > 
> > > Share the page-aligned memory with the rest of the hypervisor, and use
> > > the existing API.
> > 
> > That seems like a bad choice. All this is just using guest memory to
> > store KVM's state.
> > 
> > Yes, the guest provides a buffer which the virtual hardware *may* use
> > if it wants, but with no IOMMU or access control defined in the
> > specification.
> > 
> > It seems like it would be much cleaner just to let KVM pass its state
> > up to userspace for serialization like we do for all *other* KVM state,
> > which is what Ilias is proposing.
> 
> Ping?
> 
> Redefining the GIC specification to implicitly share whole pages with
> the hypervisor in a protected guest, when they happen to have an ITT
> somewhere inside the page, seems like a very bad idea. Did you have
> some proposed wording for the specification update though, if that's
> the approach you're proposing?

That's already a requirement for CCA when used with GICv3/GICv4.

> And *implementing* it by making the lowvisor snoop on the ITS command
> queue is also awful.

Not only the command queue. *ANY* RD and ITS access. If you don't, it
is rather easy for the host to use the GIC to repaint your privileged
code and confidential guest, one bit at a time.

But that has nothing to do with sharing the ITT memory, which is only
manipulated by the KVM emulation.

	M.

-- 
Without deviation from the norm, progress is not possible.
