Commit 9a5788c6 authored by Paul Mackerras's avatar Paul Mackerras
Browse files

KVM: PPC: Book3S HV: Add a capability for enabling secure guests 



At present, on Power systems with Protected Execution Facility
hardware and an ultravisor, a KVM guest can transition to being a
secure guest at will.  Userspace (QEMU) has no way of knowing
whether a host system is capable of running secure guests.  This
will present a problem in future when the ultravisor is capable of
migrating secure guests from one host to another, because
virtualization management software will have no way to ensure that
secure guests only run in domains where all of the hosts can
support secure guests.

This adds a VM capability which has two functions: (a) userspace
can query it to find out whether the host can support secure guests,
and (b) userspace can enable it for a guest, which allows that
guest to become a secure guest.  If userspace does not enable it,
KVM will return an error when the ultravisor does the hypercall
that indicates that the guest is starting to transition to a
secure guest.  The ultravisor will then abort the transition and
the guest will terminate.

Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
Reviewed-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: default avatarRam Pai <linuxram@us.ibm.com>
parent 377f02d4

Documentation/virt/kvm/api.rst

+17 −0
Original line number Diff line number Diff line
@@ -5779,6 +5779,23 @@ it hard or impossible to use it correctly. The availability of 
KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2 signals that those bugs are fixed.

Userspace should not try to use KVM_CAP_MANUAL_DIRTY_LOG_PROTECT.



7.19 KVM_CAP_PPC_SECURE_GUEST

------------------------------



:Architectures: ppc



This capability indicates that KVM is running on a host that has

ultravisor firmware and thus can support a secure guest.  On such a

system, a guest can ask the ultravisor to make it a secure guest,

one whose memory is inaccessible to the host except for pages which

are explicitly requested to be shared with the host.  The ultravisor

notifies KVM when a guest requests to become a secure guest, and KVM

has the opportunity to veto the transition.



If present, this capability can be enabled for a VM, meaning that KVM

will allow the transition to secure guest mode.  Otherwise KVM will

veto the transition.



8. Other capabilities.

======================

arch/powerpc/include/asm/kvm_book3s_uvmem.h

+6 −0
Original line number Diff line number Diff line
@@ -5,6 +5,7 @@ 
#ifdef CONFIG_PPC_UV

int kvmppc_uvmem_init(void);

void kvmppc_uvmem_free(void);

bool kvmppc_uvmem_available(void);

int kvmppc_uvmem_slot_init(struct kvm *kvm, const struct kvm_memory_slot *slot);

void kvmppc_uvmem_slot_free(struct kvm *kvm,

			    const struct kvm_memory_slot *slot);
@@ -30,6 +31,11 @@ static inline int kvmppc_uvmem_init(void) 


static inline void kvmppc_uvmem_free(void) { }



static inline bool kvmppc_uvmem_available(void)

{

	return false;

}



static inline int

kvmppc_uvmem_slot_init(struct kvm *kvm, const struct kvm_memory_slot *slot)

{

arch/powerpc/include/asm/kvm_host.h

+1 −0
Original line number Diff line number Diff line
@@ -303,6 +303,7 @@ struct kvm_arch { 
	u8 radix;

	u8 fwnmi_enabled;

	u8 secure_guest;

	u8 svm_enabled;

	bool threads_indep;

	bool nested_enable;

	pgd_t *pgtable;

arch/powerpc/include/asm/kvm_ppc.h

+1 −0
Original line number Diff line number Diff line
@@ -313,6 +313,7 @@ struct kvmppc_ops { 
			       int size);

	int (*store_to_eaddr)(struct kvm_vcpu *vcpu, ulong *eaddr, void *ptr,

			      int size);

	int (*enable_svm)(struct kvm *kvm);

	int (*svm_off)(struct kvm *kvm);

};

arch/powerpc/kvm/book3s_hv.c

+16 −0
Original line number Diff line number Diff line
@@ -5428,6 +5428,21 @@ static void unpin_vpa_reset(struct kvm *kvm, struct kvmppc_vpa *vpa) 
	vpa->update_pending = 0;

}



/*

 * Enable a guest to become a secure VM, or test whether

 * that could be enabled.

 * Called when the KVM_CAP_PPC_SECURE_GUEST capability is

 * tested (kvm == NULL) or enabled (kvm != NULL).

 */

static int kvmhv_enable_svm(struct kvm *kvm)

{

	if (!kvmppc_uvmem_available())

		return -EINVAL;

	if (kvm)

		kvm->arch.svm_enabled = 1;

	return 0;

}



/*

 *  IOCTL handler to turn off secure mode of guest

 *
@@ -5548,6 +5563,7 @@ static struct kvmppc_ops kvm_ops_hv = { 
	.enable_nested = kvmhv_enable_nested,

	.load_from_eaddr = kvmhv_load_from_eaddr,

	.store_to_eaddr = kvmhv_store_to_eaddr,

	.enable_svm = kvmhv_enable_svm,

	.svm_off = kvmhv_svm_off,

};

CRA Git | Maintained and supported by SUSTech CRA and CCSE