[PATCH v4 7/8] KVM: arm64: Check whether a VM IOCTL is allowed in pKVM
Oliver Upton
oupton at kernel.org
Wed Nov 12 02:07:30 PST 2025
Hi Fuad,
On Wed, Nov 12, 2025 at 09:20:50AM +0000, Fuad Tabba wrote:
> +/*
> + * Check whether the KVM VM IOCTL is allowed in pKVM.
> + *
> + * Certain features are allowed only for non-protected VMs in pKVM, which is why
> + * this takes the VM (kvm) as a parameter.
> + */
> +static inline bool kvm_pkvm_ioctl_allowed(struct kvm *kvm, unsigned int ioctl)
> +{
> + switch (ioctl) {
> + case KVM_CREATE_IRQCHIP:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_IRQCHIP);
> + case KVM_ARM_SET_DEVICE_ADDR:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_SET_DEVICE_ADDR);
> + case KVM_ARM_MTE_COPY_TAGS:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_MTE);
> + case KVM_ARM_SET_COUNTER_OFFSET:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_COUNTER_OFFSET);
> + case KVM_HAS_DEVICE_ATTR:
> + case KVM_SET_DEVICE_ATTR:
> + case KVM_GET_DEVICE_ATTR:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_DEVICE_CTRL) ||
> + kvm_pkvm_ext_allowed(kvm, KVM_CAP_VM_ATTRIBUTES);
> + case KVM_ARM_GET_REG_WRITABLE_MASKS:
> + return kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_SUPPORTED_REG_MASK_RANGES);
> + default:
> + return true;
> + }
> +}
> +
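Review bot: the `default: return true;` at the end of the switch turns this filter into a denylist, so any VM ioctl not named in the cases, including UAPI added after this patch, is silently permitted for protected VMs. Consider `default: return false;` with an explicit case list for the ioctls that are always acceptable, so the function defaults closed in the same way as kvm_pkvm_ext_allowed(), which it already delegates to for every listed case.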
I was thinking of something a bit more tabular since CCA will impose its
own restrictions + pKVM could share the ioctl <=> KVM_CAP association.
Anyway, ioctl filtering should be an allowlist (default to false) just
like kvm_pkvm_ext_allowed(). The default assumption is that new UAPI is not
supported for pVMs unless explicitly stated otherwise.
Thanks,
Oliver
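One way to realise the table-driven, deny-by-default shape suggested in the reply, as an added example that is not kernel code and not part of the thread: a single ioctl-to-capability table that any hypervisor flavour can consult with its own capability policy. Every constant, struct and policy below is a constructed stand-in (the ioctl and KVM_CAP_* numbers are arbitrary, `struct kvm` is reduced to one flag, and `pkvm_cap_allowed()` is an invented substitute for the real kvm_pkvm_ext_allowed() list), chosen so the file builds and runs offline.

```c
/*
 * Added example, not kernel code.  All names below are stand-ins for
 * <linux/kvm.h> UAPI values and for kvm_pkvm_ext_allowed(); the numbers
 * and the protected-VM capability set are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in ioctl numbers (arbitrary, not the real _IO() encodings). */
enum {
	KVM_CREATE_IRQCHIP = 1,
	KVM_ARM_SET_DEVICE_ADDR,
	KVM_ARM_MTE_COPY_TAGS,
	KVM_ARM_SET_COUNTER_OFFSET,
	KVM_HAS_DEVICE_ATTR,
	KVM_SET_DEVICE_ATTR,
	KVM_GET_DEVICE_ATTR,
	KVM_ARM_GET_REG_WRITABLE_MASKS,
	KVM_HYPOTHETICAL_NEW_IOCTL,	/* future UAPI with no table row */
};

/* Stand-in capability ids. */
enum {
	KVM_CAP_IRQCHIP = 1,
	KVM_CAP_ARM_SET_DEVICE_ADDR,
	KVM_CAP_ARM_MTE,
	KVM_CAP_COUNTER_OFFSET,
	KVM_CAP_DEVICE_CTRL,
	KVM_CAP_VM_ATTRIBUTES,
	KVM_CAP_ARM_SUPPORTED_REG_MASK_RANGES,
};

/* Minimal stand-in for struct kvm: only the protected/non-protected bit. */
struct kvm {
	bool protected_vm;
};

/*
 * One row per ioctl that may ever be allowed; an ioctl without a row is
 * denied, which is what makes this an allowlist.  Any one capability in
 * 'caps' suffices (the DEVICE_CTRL || VM_ATTRIBUTES case); 0 terminates.
 */
#define MAX_CAPS_PER_IOCTL 2

struct ioctl_cap_rule {
	unsigned int ioctl;
	unsigned int caps[MAX_CAPS_PER_IOCTL + 1];
};

static const struct ioctl_cap_rule vm_ioctl_rules[] = {
	{ KVM_CREATE_IRQCHIP,		{ KVM_CAP_IRQCHIP } },
	{ KVM_ARM_SET_DEVICE_ADDR,	{ KVM_CAP_ARM_SET_DEVICE_ADDR } },
	{ KVM_ARM_MTE_COPY_TAGS,	{ KVM_CAP_ARM_MTE } },
	{ KVM_ARM_SET_COUNTER_OFFSET,	{ KVM_CAP_COUNTER_OFFSET } },
	{ KVM_HAS_DEVICE_ATTR,		{ KVM_CAP_DEVICE_CTRL, KVM_CAP_VM_ATTRIBUTES } },
	{ KVM_SET_DEVICE_ATTR,		{ KVM_CAP_DEVICE_CTRL, KVM_CAP_VM_ATTRIBUTES } },
	{ KVM_GET_DEVICE_ATTR,		{ KVM_CAP_DEVICE_CTRL, KVM_CAP_VM_ATTRIBUTES } },
	{ KVM_ARM_GET_REG_WRITABLE_MASKS, { KVM_CAP_ARM_SUPPORTED_REG_MASK_RANGES } },
};

/* A per-flavour capability policy (pKVM here; CCA could supply another). */
typedef bool (*cap_policy_fn)(const struct kvm *kvm, unsigned int cap);

/*
 * Constructed stand-in for kvm_pkvm_ext_allowed(), not the kernel's real
 * list: non-protected VMs get everything, protected VMs an explicit subset.
 */
static bool pkvm_cap_allowed(const struct kvm *kvm, unsigned int cap)
{
	if (!kvm->protected_vm)
		return true;

	switch (cap) {
	case KVM_CAP_DEVICE_CTRL:
	case KVM_CAP_ARM_SUPPORTED_REG_MASK_RANGES:
		return true;
	default:
		return false;
	}
}

/* Shared lookup: an ioctl with no rule, or no usable capability, is denied. */
static bool vm_ioctl_allowed(const struct kvm *kvm, unsigned int ioctl,
			     cap_policy_fn cap_allowed)
{
	size_t i, j;

	for (i = 0; i < sizeof(vm_ioctl_rules) / sizeof(vm_ioctl_rules[0]); i++) {
		const struct ioctl_cap_rule *r = &vm_ioctl_rules[i];

		if (r->ioctl != ioctl)
			continue;
		for (j = 0; j < MAX_CAPS_PER_IOCTL && r->caps[j]; j++)
			if (cap_allowed(kvm, r->caps[j]))
				return true;
		return false;
	}
	return false;	/* no rule: deny by default */
}

/* The pKVM front end, table-driven and closed by default. */
bool kvm_pkvm_ioctl_allowed(const struct kvm *kvm, unsigned int ioctl)
{
	return vm_ioctl_allowed(kvm, ioctl, pkvm_cap_allowed);
}

int main(void)
{
	struct kvm pvm = { .protected_vm = true };
	struct kvm npvm = { .protected_vm = false };

	printf("pVM  KVM_CREATE_IRQCHIP:  %d\n", kvm_pkvm_ioctl_allowed(&pvm, KVM_CREATE_IRQCHIP));
	printf("pVM  KVM_SET_DEVICE_ATTR: %d\n", kvm_pkvm_ioctl_allowed(&pvm, KVM_SET_DEVICE_ATTR));
	printf("pVM  new ioctl:           %d\n", kvm_pkvm_ioctl_allowed(&pvm, KVM_HYPOTHETICAL_NEW_IOCTL));
	printf("npVM KVM_CREATE_IRQCHIP:  %d\n", kvm_pkvm_ioctl_allowed(&npvm, KVM_CREATE_IRQCHIP));
	return 0;
}
```

The point of the shape is the two `return false` paths in vm_ioctl_allowed(): an ioctl that nobody added to the table is refused for every VM type, and a known ioctl is refused unless the flavour's policy grants one of its capabilities. Adding a second flavour means adding a policy function, not a second copy of the ioctl-to-capability mapping.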