[PATCH v3 30/36] KVM: arm64: Allow userspace to create protected VMs when pKVM is enabled
Will Deacon
will at kernel.org
Mon Mar 23 08:00:10 PDT 2026
On Fri, Mar 20, 2026 at 01:22:29PM +0000, Marc Zyngier wrote:
> On Thu, 05 Mar 2026 14:43:43 +0000,
> Will Deacon <will at kernel.org> wrote:
> >
> > Introduce a new VM type for KVM/arm64 to allow userspace to request the
> > creation of a "protected VM" when the host has booted with pKVM enabled.
> >
> > For now, this depends on CONFIG_EXPERT and results in a taint on first
> > use as many aspects of a protected VM are not yet protected!
> >
> > Signed-off-by: Will Deacon <will at kernel.org>
> > ---
> > arch/arm64/include/asm/kvm_pkvm.h | 2 +-
> > arch/arm64/kvm/Kconfig | 10 ++++++++++
> > arch/arm64/kvm/arm.c | 8 +++++++-
> > arch/arm64/kvm/mmu.c | 3 ---
> > arch/arm64/kvm/pkvm.c | 11 ++++++++++-
> > include/uapi/linux/kvm.h | 5 +++++
> > 6 files changed, 33 insertions(+), 6 deletions(-)
> >
> > diff --git a/arch/arm64/include/asm/kvm_pkvm.h b/arch/arm64/include/asm/kvm_pkvm.h
> > index 7041e398fb4c..2954b311128c 100644
> > --- a/arch/arm64/include/asm/kvm_pkvm.h
> > +++ b/arch/arm64/include/asm/kvm_pkvm.h
> > @@ -17,7 +17,7 @@
> >
> > #define HYP_MEMBLOCK_REGIONS 128
> >
> > -int pkvm_init_host_vm(struct kvm *kvm);
> > +int pkvm_init_host_vm(struct kvm *kvm, unsigned long type);
> > int pkvm_create_hyp_vm(struct kvm *kvm);
> > bool pkvm_hyp_vm_is_created(struct kvm *kvm);
> > void pkvm_destroy_hyp_vm(struct kvm *kvm);
> > diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig
> > index 7d1f22fd490b..e71f7fb6e89a 100644
> > --- a/arch/arm64/kvm/Kconfig
> > +++ b/arch/arm64/kvm/Kconfig
> > @@ -82,4 +82,14 @@ config PTDUMP_STAGE2_DEBUGFS
> >
> > If in doubt, say N.
> >
> > +config PROTECTED_VM_UAPI
> > + bool "Expose protected VMs to userspace (experimental)"
> > + depends on KVM && EXPERT
> > + help
> > + Say Y here to enable experimental (i.e. in development)
> > + support for creating protected virtual machines using KVM's
> > + KVM_CREATE_VM ioctl() when booted with pKVM enabled.
> > +
> > + Unless you are a KVM developer, say N.
> > +
>
> Let me once more express my lack of appetite for config options.
> Protected more is already gated by a command-line option, and requires
> active buy-in from the user.
>
> Nested support is in the same "not quite finished" state, and yet
> isn't hidden behind a configuration symbol.
>
> Taint the kernel if you want, but I'd rather we don't add extra config
> options for this. Documenting the "experimental" aspect of upstream
> pKVM should be enough.
Since I _do_ expect the user ABI to evolve (probably becoming stricter)
as we introduce additional protection to parts of the protected VM
state, I just went for the full shebang: CONFIG option, cmdline option
and taint.
I tend to agree that having *all* of that is overkill, so if you're
happy for me to drop the CONFIG option, despite the user ABI not being
stable, then I'm fine with that.
Will
More information about the linux-arm-kernel
mailing list