On Wed, Nov 08, 2023, Sean Christopherson wrote:
> On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> > This RFC series introduces the necessary infrastructure to emulate VSM
> > enabled guests. It is a snapshot of the progress we made so far, and its
> > main goal is to gather design feedback.
On Wed, Nov 8, 2023 at 9:27 AM Alexander Graf wrote:
> My point with the comment on this patch was "Don't break AMD (or ancient
> VMX without instruction length decoding [Does that exist? I know SVM has
> old CPUs that don't do it]) please".
VM-exit instruction length is not defined for all VM-e
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> From: Anel Orazgaliyeva
>
> Introduce KVM_CAP_APIC_ID_GROUPS, this capability segments the VM's APIC
> ids into two. The lower bits, the physical APIC id, represent the part
> that's exposed to the guest. The higher bits, which are private to
On 08.11.23 18:20, Sean Christopherson wrote:
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
Save the length of the instruction that triggered an EPT violation in
struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
intercept messages.
This is silly and unnecessarily obf
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> With the upcoming introduction of per-VTL memory protections, make MMU
> roles VTL aware. This will avoid sharing PTEs between vCPUs that belong
> to different VTLs, and that have distinct memory access restrictions.
>
> Four bits are allocated
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> Save the length of the instruction that triggered an EPT violation in
> struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
> intercept messages.
This is silly and unnecessarily obfuscates *why* (as my response regarding SVM
On 08.11.23 17:15, Sean Christopherson wrote:
On Wed, Nov 08, 2023, Alexander Graf wrote:
On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
Save the length of the instruction that triggered an EPT violation in
struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
intercept mes
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> Pass the memory attribute array through struct kvm_mmu_notifier_arg and
> use it in kvm_arch_post_set_memory_attributes() instead of defaulting on
> kvm->mem_attr_array.
>
> Signed-off-by: Nicolas Saenz Julienne
> ---
> arch/x86/kvm/mmu/mmu.c
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
> index 631fd532c97a..4242588e3dfb 100644
> --- a/include/linux/kvm_host.h
> +++ b/include/linux/kvm_host.h
> @@ -2385,9 +2385,10 @@ static inline void
> kvm_prepare_memory_fault_
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> This RFC series introduces the necessary infrastructure to emulate VSM
> enabled guests. It is a snapshot of the progress we made so far, and its
> main goal is to gather design feedback.
Heh, then please provide an overview of the design, and
On Wed, Nov 08, 2023, Alexander Graf wrote:
>
> On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
> > Introduce the following memory attributes:
> > - KVM_MEMORY_ATTRIBUTE_READ
> > - KVM_MEMORY_ATTRIBUTE_WRITE
> > - KVM_MEMORY_ATTRIBUTE_EXECUTE
> > - KVM_MEMORY_ATTRIBUTE_NO_ACCESS
> >
> >
On Wed, Nov 08, 2023, Alexander Graf wrote:
>
> On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
> > Save the length of the instruction that triggered an EPT violation in
> > struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
> > intercept messages.
> >
> > Signed-off-by: Nico
On Wed, Nov 08, 2023, Nicolas Saenz Julienne wrote:
> lapic.h has no dependencies with hyperv.h, so don't include it there.
>
> Additionally, cpuid.c implicitly relied on hyperv.h's inclusion through
> lapic.h, so include it explicitly there.
>
> Signed-off-by: Nicolas Saenz Julienne
> ---
FWIW
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
Update kernel-parameters.txt to reflect new deferred signature
verification.
Enhances boot speed by allowing unsigned modules in initrd after
bootloader check.
Signed-off-by: Alessandro Carminati (Red Hat)
---
Documentation/admin-guide/k
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
This patch sets up a new feature to the Linux kernel to have the ability,
while module signature checking is enabled, to delay the moment where
these signatures are effectively checked. The feature is structured into
two main key points, the
On Wed Nov 8, 2023 at 11:40 AM UTC, Alexander Graf wrote:
> Hey Nicolas,
[...]
> > The series is accompanied by two repositories:
> > - A PoC QEMU implementation of VSM [3].
> > - VSM kvm-unit-tests [4].
> >
> > Note that this isn't a full VSM implementation. For now it only supports
> > 2 VT
On Wed Nov 8, 2023 at 11:53 AM UTC, Alexander Graf wrote:
[...]
> > @@ -285,6 +286,81 @@ static int patch_hypercall_page(struct kvm_vcpu *vcpu,
> > u64 data)
> > /* ret */
> > ((unsigned char *)instructions)[i++] = 0xc3;
> >
> > + /* VTL call/return entries */
> > + if (!kvm_xen_h
On Wed Nov 8, 2023 at 12:21 PM UTC, Alexander Graf wrote:
>
> On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
> > Introduce two helper functions. The first one queries a vCPU's VTL
> > level, the second one, given a struct kvm_vcpu and VTL pair, returns the
> > corresponding 'sibling' struct kvm_v
On Wed Nov 8, 2023 at 12:49 PM UTC, Alexander Graf wrote:
>
> On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
> > Introduce HVCALL_TRANSLATE_VIRTUAL_ADDRESS, the hypercall receives a
> > GVA, generally from a less privileged VTL, and returns the GPA backing
> > it. The GVA -> GPA conversion is don
On Wed Nov 8, 2023 at 12:45 PM UTC, Alexander Graf wrote:
>
> On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
> > Introduce a new request type, KVM_REQ_HV_INJECT_INTERCEPT which allows
> > injecting out-of-band Hyper-V secure intercepts. For now only memory
> > access intercepts are supported. The
On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
Introduce HVCALL_TRANSLATE_VIRTUAL_ADDRESS, the hypercall receives a
GVA, generally from a less privileged VTL, and returns the GPA backing
it. The GVA -> GPA conversion is done by walking the target VTL's vCPU
MMU.
NOTE: The hypercall implementa
On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
Introduce a new request type, KVM_REQ_HV_INJECT_INTERCEPT which allows
injecting out-of-band Hyper-V secure intercepts. For now only memory
access intercepts are supported. These are triggered when accessing a GPA
protected by a higher VTL. The memor
On 08.11.23 12:18, Nicolas Saenz Julienne wrote:
Save the length of the instruction that triggered an EPT violation in
struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
intercept messages.
Signed-off-by: Nicolas Saenz Julienne
In v1, please do this for SVM as well :)
On Mon, Oct 02, 2023 at 11:24:22PM -0700, Xin Li wrote:
> Subject: Re: [PATCH v12 01/37] x86/cpufeatures: Add the cpu feature bit for
> WRMSRNS
For all your text:
s/cpu/CPU/g
> WRMSRNS is an instruction that behaves exactly like WRM
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Introduce the following memory attributes:
- KVM_MEMORY_ATTRIBUTE_READ
- KVM_MEMORY_ATTRIBUTE_WRITE
- KVM_MEMORY_ATTRIBUTE_EXECUTE
- KVM_MEMORY_ATTRIBUTE_NO_ACCESS
Note that NO_ACCESS is necessary in order to make a distinction between
th
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Introduce two helper functions. The first one queries a vCPU's VTL
level, the second one, given a struct kvm_vcpu and VTL pair, returns the
corresponding 'sibling' struct kvm_vcpu at the right VTL.
We keep track of each VTL's state by having a di
On 08.11.23 13:11, Vitaly Kuznetsov wrote:
Alexander Graf writes:
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Prepare infrastructure to be able to return data through the XMM
registers when Hyper-V hypercalls are issued in fast mode. The XMM
registers are exposed to user-space through K
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Let user-space handle HVCALL_GET_VP_REGISTERS and
HVCALL_SET_VP_REGISTERS through the KVM_EXIT_HYPERV_HVCALL exit reason.
Additionally, expose the cpuid bit.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/hyperv.c | 9 +
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
From: Anel Orazgaliyeva
Introduce KVM_CAP_APIC_ID_GROUPS, this capability segments the VM's APIC
ids into two. The lower bits, the physical APIC id, represent the part
that's exposed to the guest. The higher bits, which are private to KVM,
group
Alexander Graf writes:
> On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
>> Prepare infrastructure to be able to return data through the XMM
>> registers when Hyper-V hypercalls are issued in fast mode. The XMM
>> registers are exposed to user-space through KVM_EXIT_HYPERV_HCALL and
>> restored
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
VTL call/return hypercalls have their own entry points in the hypercall
page because they don't follow normal Hyper-V hypercall conventions.
Move the VTL call/return control input into ECX/RAX and set the
hypercall code into EAX/RCX before calling
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Prepare infrastructure to be able to return data through the XMM
registers when Hyper-V hypercalls are issued in fast mode. The XMM
registers are exposed to user-space through KVM_EXIT_HYPERV_HCALL and
restored on successful hypercall completion.
Hey Nicolas,
On 08.11.23 12:17, Nicolas Saenz Julienne wrote:
Hyper-V's Virtual Secure Mode (VSM) is a virtualisation security feature
that leverages the hypervisor to create secure execution environments
within a guest. VSM is documented as part of Microsoft's Hypervisor Top
Level Functional Sp
Introduce "Emulating Hyper-V VSM with KVM", which describes the KVM APIs
made available to a VMM that wants to emulate Hyper-V's VSM.
Signed-off-by: Nicolas Saenz Julienne
---
.../virt/kvm/x86/emulating-hyperv-vsm.rst | 136 ++
1 file changed, 136 insertions(+)
create mode 1
Introduce HVCALL_TRANSLATE_VIRTUAL_ADDRESS, the hypercall receives a
GVA, generally from a less privileged VTL, and returns the GPA backing
it. The GVA -> GPA conversion is done by walking the target VTL's vCPU
MMU.
NOTE: The hypercall implementation is incomplete and only shared for
completion. A
Inject a Hyper-V secure intercept when a VTL tries to access memory that
was protected by a more privileged VTL. The intercept is injected into
the next enabled privileged VTL (for now, this patch takes a shortcut
and assumes it's the one right after).
After injecting the request, the KVM vCPU tha
Introduce a new request type, KVM_REQ_HV_INJECT_INTERCEPT which allows
injecting out-of-band Hyper-V secure intercepts. For now only memory
access intercepts are supported. These are triggered when accessing a GPA
protected by a higher VTL. The memory intercept metadata is filled based
on the GPA prov
Save the length of the instruction that triggered an EPT violation in
struct kvm_vcpu_arch. This will be used to populate Hyper-V VSM memory
intercept messages.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/include/asm/kvm_host.h | 2 ++
arch/x86/kvm/vmx/vmx.c | 1 +
2 files change
Introduce a new step in __kvm_faultin_pfn() that'll validate the
fault against the vCPU's VTL protections and generate a user space exit
when invalid.
Note that kvm_hv_faultin_pfn() has to be run after resolving the fault
against the memslots, since that operation steps over
'fault->map_writable'.
Introduce struct hv_memory_intercept_message, which is used when issuing
memory intercepts to a Hyper-V VSM guest.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/include/asm/hyperv-tlfs.h | 76 ++
1 file changed, 76 insertions(+)
diff --git a/arch/x86/include/asm
Introduce a new KVM device aimed at tracking partition wide VTL state,
it'll be the one responsible for keeping track of VTL's memory
protections. For now its functionality is limited, it only exposes its
VTL level through a device attribute. Additionally, the device type is
only registered if t
Introduce KVM_SET_MEMORY_ATTRIBUTES ioctl support for VTL KVM devices.
The attributes are stored in an xarray private to the VTL device.
The following memory attributes are supported:
- KVM_MEMORY_ATTRIBUTE_READ
- KVM_MEMORY_ATTRIBUTE_WRITE
- KVM_MEMORY_ATTRIBUTE_EXECUTE
- KVM_MEMORY_ATTRIBUTE
Introduce the following memory attributes:
- KVM_MEMORY_ATTRIBUTE_READ
- KVM_MEMORY_ATTRIBUTE_WRITE
- KVM_MEMORY_ATTRIBUTE_EXECUTE
- KVM_MEMORY_ATTRIBUTE_NO_ACCESS
Note that NO_ACCESS is necessary in order to make a distinction between
the lack of attributes for a gfn, which defaults to the me
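Worked example of the per-VTL protection model the series describes (an added example, not code from the RFC or from KVM): a user-space model in which each VTL has its own attribute array, an unset gfn keeps the VTL's default of full access, an explicit NO_ACCESS entry removes it, and a fault is checked against the faulting VTL's protections after memslot resolution, yielding either a narrowed mapping or a user-space exit that carries the read/write/execute status of the access. The ATTR_* bit values, NR_GFNS, NR_VTLS, PAGE_SHIFT, the function names, the exit record layout and the rule that NO_ACCESS may not be combined with R/W/X are assumptions made for the illustration:

```c
/* Added example, not code from the RFC series or from KVM: a user-space model
 * of per-VTL memory protections and the fault check the series describes.
 * ATTR_* values, NR_GFNS, NR_VTLS, PAGE_SHIFT, the function names and the exit
 * record layout are assumptions for the illustration, not KVM UAPI. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_READ      (1u << 0)
#define ATTR_WRITE     (1u << 1)
#define ATTR_EXECUTE   (1u << 2)
#define ATTR_NO_ACCESS (1u << 3)
#define ATTR_RWX       (ATTR_READ | ATTR_WRITE | ATTR_EXECUTE)
#define NR_GFNS    64   /* toy guest of 64 frames */
#define NR_VTLS    16   /* TLFS allows up to 16 VTLs, hence 4 MMU-role bits */
#define PAGE_SHIFT 12

/* One array per VTL standing in for the VTL device's private xarray;
 * a zero entry means "no attribute set" for that gfn. */
static uint32_t vtl_attrs[NR_VTLS][NR_GFNS];

struct page_fault { uint64_t gfn; bool write; bool exec; };
/* What the user-space exit carries: the GPA and the kind of access. */
struct fault_exit { uint64_t gpa; bool read, write, exec; };
enum fault_action { FAULT_MAP, FAULT_EXIT_TO_USER, FAULT_BAD_ARG };

/* Stand-in for KVM_SET_MEMORY_ATTRIBUTES on a VTL device, for [start, end). */
int vtl_set_attrs(unsigned int vtl, uint64_t start, uint64_t end, uint32_t attrs)
{
	if (vtl >= NR_VTLS || start >= end || end > NR_GFNS)
		return -EINVAL;
	if (attrs & ~(ATTR_RWX | ATTR_NO_ACCESS))
		return -EINVAL;
	/* Assumed rule: NO_ACCESS is exclusive, mixing it with R/W/X is rejected. */
	if ((attrs & ATTR_NO_ACCESS) && (attrs & ATTR_RWX))
		return -EINVAL;
	for (uint64_t gfn = start; gfn < end; gfn++)
		vtl_attrs[vtl][gfn] = attrs;
	return 0;
}

/* Effective permissions: an unset gfn keeps the VTL's default of full access,
 * which is why an explicit NO_ACCESS value is needed at all. */
uint32_t vtl_effective_attrs(unsigned int vtl, uint64_t gfn)
{
	uint32_t attrs = vtl_attrs[vtl][gfn];

	if (attrs == 0)
		return ATTR_RWX;
	if (attrs & ATTR_NO_ACCESS)
		return 0;
	return attrs;
}

/* Validate a fault against the faulting VTL's protections. Meant to run after
 * memslot resolution, so *map_writable may already be false (read-only slot)
 * and is only ever narrowed here. On a violation the exit record is filled in
 * and nothing is mapped. */
enum fault_action vtl_check_fault(unsigned int vtl, const struct page_fault *f,
				  bool *map_writable, bool *map_executable,
				  struct fault_exit *out)
{
	uint32_t allowed, needed;

	if (vtl >= NR_VTLS || f->gfn >= NR_GFNS)
		return FAULT_BAD_ARG;
	allowed = vtl_effective_attrs(vtl, f->gfn);
	needed = f->write ? ATTR_WRITE : f->exec ? ATTR_EXECUTE : ATTR_READ;
	if ((allowed & needed) != needed) {
		out->gpa = f->gfn << PAGE_SHIFT;
		out->read = !f->write && !f->exec;
		out->write = f->write;
		out->exec = f->exec;
		return FAULT_EXIT_TO_USER;
	}
	/* Map with the narrowest permissions the VTL allows, not what the fault
	 * asked for, so a later write or fetch to the same gfn still traps. */
	*map_writable = *map_writable && (allowed & ATTR_WRITE);
	*map_executable = (allowed & ATTR_EXECUTE) != 0;
	return FAULT_MAP;
}

int main(void)
{
	/* Constructed scenario: VTL1 makes gfn 5 read-only for VTL0, then VTL0
	 * reads it (mapped read-only) and writes it (exit to user space). */
	struct page_fault rd = { .gfn = 5 }, wr = { .gfn = 5, .write = true };
	struct fault_exit out;
	bool w = true, x = true;

	vtl_set_attrs(0, 5, 6, ATTR_READ);
	printf("read:  %s (writable=%d executable=%d)\n",
	       vtl_check_fault(0, &rd, &w, &x, &out) == FAULT_MAP ? "map" : "exit", w, x);
	printf("write: %s\n",
	       vtl_check_fault(0, &wr, &w, &x, &out) == FAULT_MAP ? "map" : "exit");
	return 0;
}
```

The check only narrows map_writable rather than setting it, which follows the ordering note in the series: the memslot lookup has already decided whether the slot itself is writable, and the VTL check must not widen that decision. Likewise a successful read fault on a gfn that lacks EXECUTE is mapped non-executable, so a later instruction fetch from the same page still produces an exit.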
Expose memory attribute helper functions even when
CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES is disabled. Other KVM features,
like Hyper-V VSM, make use of memory attributes but don't rely on the
KVM ioctl.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 2 +-
include/linux/kvm_
VSM will keep track of each VTL's memory protections in a separate
mem_attr_array. Access to these arrays will happen by issuing
KVM_SET_MEMORY_ATTRIBUTES ioctls to their respective KVM VTL devices
(which is also introduced in subsequent patches). Let the VTL devices
reuse kvm_ioctl_set_mem_attribu
Pass the memory attribute array through struct kvm_mmu_notifier_arg and
use it in kvm_arch_post_set_memory_attributes() instead of defaulting on
kvm->mem_attr_array.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 8
include/linux/kvm_host.h | 5 -
virt/kvm/kvm_
Decouple kvm_range_has_memory_attributes() from struct kvm's
mem_attr_array to allow other memory attribute sources to use the
function.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 3 ++-
include/linux/kvm_host.h | 4 ++--
virt/kvm/kvm_main.c | 9 +
3 files
Decouple hugepage_has_attrs() from struct kvm's mem_attr_array to
allow other memory attribute sources to use the function.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 18 ++
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kvm/mmu/mm
Decouple kvm_get_memory_attributes() from struct kvm's mem_attr_array to
allow other memory attribute sources to use the function.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 5 +++--
include/linux/kvm_host.h | 8 +---
2 files changed, 8 insertions(+), 5 deletions(-)
VSM is also a user of memory attributes, so let it use
kvm_set_mem_attributes().
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index feca077c0210..a1fbb905
Include the fault's read, write and execute status when exiting to
user-space.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/mmu/mmu.c | 4 ++--
include/linux/kvm_host.h | 9 +++--
include/uapi/linux/kvm.h | 6 ++
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a
The upcoming per-VTL memory protections support needs to fault in
non-executable memory. Introduce a new attribute in struct
kvm_page_fault, map_executable, to control whether the gfn range should
be mapped as executable.
No functional change intended.
Signed-off-by: Nicolas Saenz Julienne
---
A number of use cases have surfaced where it'd be beneficial to have a
vCPU stop its execution in user-space, as opposed to having it sleep
in-kernel. Be it in order to make better use of the pCPU's time while
the vCPU is halted, or to implement security features like Hyper-V's
VSM.
A problem with
With the upcoming introduction of per-VTL memory protections, make MMU
roles VTL aware. This will avoid sharing PTEs between vCPUs that belong
to different VTLs, and that have distinct memory access restrictions.
Four bits are allocated to store the VTL number in the MMU role, since
the TLFS state
Let user-space handle all hypercalls that fall under the AccessVsm
partition privilege flag. That is:
- HVCALL_MODIFY_VTL_PROTECTION_MASK:
- HVCALL_ENABLE_PARTITION_VTL:
- HVCALL_ENABLE_VP_VTL:
- HVCALL_VTL_CALL:
- HVCALL_VTL_RETURN:
The hypercalls are processed through the KVM_EXIT_HYPERV_HVC
Let user-space handle HVCALL_GET_VP_REGISTERS and
HVCALL_SET_VP_REGISTERS through the KVM_EXIT_HYPERV_HVCALL exit reason.
Additionally, expose the cpuid bit.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/hyperv.c | 9 +
include/asm-generic/hyperv-tlfs.h | 1 +
2 file
HVCALL_GET_VP_REGISTERS exposes the VTL call hypercall page entry
offsets to the guest. This hypercall is implemented in user-space while
the hypercall page patching happens in-kernel. So expose it as part of
the partition wide VSM state.
NOTE: Alternatively there is the option of sharing this inf
Introduce two helper functions. The first one queries a vCPU's VTL
level, the second one, given a struct kvm_vcpu and VTL pair, returns the
corresponding 'sibling' struct kvm_vcpu at the right VTL.
We keep track of each VTL's state by having a distinct struct kvm_vcpu
for each level. VTL-vCPUs tha
Introduce a new capability to enable Hyper-V Virtual Secure Mode (VSM)
emulation support.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/include/asm/kvm_host.h | 2 ++
arch/x86/kvm/hyperv.h | 5 +
arch/x86/kvm/x86.c | 5 +
include/uapi/linux/kvm.h| 1 +
VSM's VTLs are modeled by using a distinct vCPU per VTL. While one VTL
is running the rest of vCPUs are left idle. This doesn't play well with
the approach of tracking emulated timer expiration by using the VMX
preemption timer. Inactive VTL's timers are still meant to run and
inject interrupts reg
HVCALL_SEND_IPI and HVCALL_SEND_IPI_EX allow targeting a specific
VTL. Honour the requests.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/hyperv.c | 24 +---
arch/x86/kvm/trace.h | 20
include/asm-generic/hyperv-
VTL call/return hypercalls have their own entry points in the hypercall
page because they don't follow normal Hyper-V hypercall conventions.
Move the VTL call/return control input into ECX/RAX and set the
hypercall code into EAX/RCX before calling the hypercall instruction in
order to be able to us
The hypercall page patching is about to grow considerably, move it into
its own function.
No functional change intended.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/hyperv.c | 69 ---
1 file changed, 39 insertions(+), 30 deletions(-)
diff --gi
Prepare infrastructure to be able to return data through the XMM
registers when Hyper-V hypercalls are issued in fast mode. The XMM
registers are exposed to user-space through KVM_EXIT_HYPERV_HCALL and
restored on successful hypercall completion.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x8
lapic.h has no dependencies with hyperv.h, so don't include it there.
Additionally, cpuid.c implicitly relied on hyperv.h's inclusion through
lapic.h, so include it explicitly there.
Signed-off-by: Nicolas Saenz Julienne
---
arch/x86/kvm/cpuid.c | 1 +
arch/x86/kvm/lapic.h | 1 -
2 files change
From: Anel Orazgaliyeva
Introduce KVM_CAP_APIC_ID_GROUPS, this capability segments the VM's APIC
ids into two. The lower bits, the physical APIC id, represent the part
that's exposed to the guest. The higher bits, which are private to KVM,
group APICs together. APICs in different groups are isol
Hyper-V's Virtual Secure Mode (VSM) is a virtualisation security feature
that leverages the hypervisor to create secure execution environments
within a guest. VSM is documented as part of Microsoft's Hypervisor Top
Level Functional Specification [1]. Security features that build upon
VSM, like Wind