[PATCH v4 00/43] arm64: Support for Arm CCA in KVM
From: Steven Price
Date: Wed Aug 21 2024 - 11:39:18 EST
This series adds support for running protected VMs using KVM under the
Arm Confidential Compute Architecture (CCA).
The related guest support was posted[1] earlier this week. As mentioned
there, this version switches to a newer version of the RMM spec
(v1.0-rel0-rc1) which involves some (small) binary breaks to the
interface, so you'll need to upgrade both host and guest kernel (and the
RMM) at the same time.
The focus has been on the guest side, so there's not much in the way of
big changes this time. The changes since v3[3] fit in three categories:
 1. Updates caused by the new RMM spec. In particular the 'num_bps' and
    'num_wps' fields now match the architectural ID_AA64DFR0_EL1
    register which avoids a number of +1 and -1s in the code.
 2. A bunch of tidy ups handling the cases where kvm is NULL in various
    places.
 3. Misc changes due to rebasing (mostly caused by nested virt support).
Major limitations:
 * Only supports 4k host PAGE_SIZE (if PAGE_SIZE != 4k then the realm
   extensions are disabled).
 * No support for huge pages when mapping the guest's pages. There is
   some 'dead' code left over from before guest_mem was supported. This
   is partly a current limitation of guest_memfd.
The ABI to the RMM (the RMI) is based on RMM v1.0-rel0-rc1
specification[2].
This series is based on v6.11-rc1. It is also available as a git
repository:
https://gitlab.arm.com/linux-arm/linux-cca cca-host/v4
Work in progress changes for kvmtool are available from the git
repository below; these changes are based on Fuad Tabba's repository for
pKVM to provide some alignment with the ongoing pKVM work:
https://gitlab.arm.com/linux-arm/kvmtool-cca cca/v2
[1] https://lore.kernel.org/r/20240819131924.372366-1-steven.price%40arm.com
[2] https://developer.arm.com/-/cdn-downloads/permalink/PDF/Architectures/DEN0137_1.0-rel0-rc1_rmm-arch_external.pdf
[3] https://lore.kernel.org/r/20240610134202.54893-1-steven.price%40arm.com
Jean-Philippe Brucker (7):
  arm64: RME: Propagate number of breakpoints and watchpoints to
    userspace
  arm64: RME: Set breakpoint parameters through SET_ONE_REG
  arm64: RME: Initialize PMCR.N with number counter supported by RMM
  arm64: RME: Propagate max SVE vector length from RMM
  arm64: RME: Configure max SVE vector length for a Realm
  arm64: RME: Provide register list for unfinalized RME RECs
  arm64: RME: Provide accurate register list

Joey Gouly (2):
  arm64: rme: allow userspace to inject aborts
  arm64: rme: support RSI_HOST_CALL

Sean Christopherson (1):
  KVM: Prepare for handling only shared mappings in mmu_notifier events

Steven Price (29):
  arm64: RME: Handle Granule Protection Faults (GPFs)
  arm64: RME: Add SMC definitions for calling the RMM
  arm64: RME: Add wrappers for RMI calls
  arm64: RME: Check for RME support at KVM init
  arm64: RME: Define the user ABI
  arm64: RME: ioctls to create and configure realms
  arm64: kvm: Allow passing machine type in KVM creation
  arm64: RME: Keep a spare page delegated to the RMM
  arm64: RME: RTT tear down
  arm64: RME: Allocate/free RECs to match vCPUs
  arm64: RME: Support for the VGIC in realms
  KVM: arm64: Support timers in realm RECs
  arm64: RME: Allow VMM to set RIPAS
  arm64: RME: Handle realm enter/exit
  KVM: arm64: Handle realm MMIO emulation
  arm64: RME: Allow populating initial contents
  arm64: RME: Runtime faulting of memory
  KVM: arm64: Handle realm VCPU load
  KVM: arm64: Validate register access for a Realm VM
  KVM: arm64: Handle Realm PSCI requests
  KVM: arm64: WARN on injected undef exceptions
  arm64: Don't expose stolen time for realm guests
  arm64: RME: Always use 4k pages for realms
  arm64: rme: Prevent Device mappings for Realms
  arm_pmu: Provide a mechanism for disabling the physical IRQ
  arm64: rme: Enable PMU support with a realm guest
  kvm: rme: Hide KVM_CAP_READONLY_MEM for realm guests
  arm64: kvm: Expose support for private memory
  KVM: arm64: Allow activating realms

Suzuki K Poulose (4):
  kvm: arm64: pgtable: Track the number of pages in the entry level
  kvm: arm64: Include kvm_emulate.h in kvm/arm_psci.h
  kvm: arm64: Expose debug HW register numbers for Realm
  arm64: rme: Allow checking SVE on VM instance

Documentation/virt/kvm/api.rst | 3 +
arch/arm64/include/asm/kvm_emulate.h | 34 +
arch/arm64/include/asm/kvm_host.h | 16 +-
arch/arm64/include/asm/kvm_pgtable.h | 2 +
arch/arm64/include/asm/kvm_rme.h | 155 +++
arch/arm64/include/asm/rmi_cmds.h | 508 ++++++++
arch/arm64/include/asm/rmi_smc.h | 253 ++++
arch/arm64/include/asm/virt.h | 1 +
arch/arm64/include/uapi/asm/kvm.h | 49 +
arch/arm64/kvm/Kconfig | 1 +
arch/arm64/kvm/Makefile | 3 +-
arch/arm64/kvm/arch_timer.c | 45 +-
arch/arm64/kvm/arm.c | 166 ++-
arch/arm64/kvm/guest.c | 99 +-
arch/arm64/kvm/hyp/pgtable.c | 5 +-
arch/arm64/kvm/hypercalls.c | 4 +-
arch/arm64/kvm/inject_fault.c | 2 +
arch/arm64/kvm/mmio.c | 10 +-
arch/arm64/kvm/mmu.c | 181 ++-
arch/arm64/kvm/pmu-emul.c | 7 +-
arch/arm64/kvm/psci.c | 29 +
arch/arm64/kvm/reset.c | 23 +-
arch/arm64/kvm/rme-exit.c | 212 ++++
arch/arm64/kvm/rme.c | 1620 ++++++++++++++++++++++++++
arch/arm64/kvm/sys_regs.c | 83 +-
arch/arm64/kvm/vgic/vgic-v3.c | 8 +-
arch/arm64/kvm/vgic/vgic.c | 37 +-
arch/arm64/mm/fault.c | 31 +-
drivers/perf/arm_pmu.c | 15 +
include/kvm/arm_arch_timer.h | 2 +
include/kvm/arm_pmu.h | 4 +
include/kvm/arm_psci.h | 2 +
include/linux/kvm_host.h | 2 +
include/linux/perf/arm_pmu.h | 5 +
include/uapi/linux/kvm.h | 31 +-
virt/kvm/kvm_main.c | 7 +
36 files changed, 3555 insertions(+), 100 deletions(-)
create mode 100644 arch/arm64/include/asm/kvm_rme.h
create mode 100644 arch/arm64/include/asm/rmi_cmds.h
create mode 100644 arch/arm64/include/asm/rmi_smc.h
create mode 100644 arch/arm64/kvm/rme-exit.c
create mode 100644 arch/arm64/kvm/rme.c
--
2.34.1