^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Common Ultravisor functions and initialization
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright IBM Corp. 2019, 2020
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #define KMSG_COMPONENT "prot_virt"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/sizes.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/bitmap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/memblock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/pagemap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/swap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <asm/facility.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <asm/sections.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <asm/uv.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
/* the bootdata_preserved fields come from ones in arch/s390/boot/uv.c */
#ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
/* Guest-side flag; only defined when protected-guest support is configured. */
int __bootdata_preserved(prot_virt_guest);
#endif

/*
 * Ultravisor query data. The code visible in this file only reads it
 * (storage sizes, limits, call lists); nothing here fills it in.
 */
struct uv_info __bootdata_preserved(uv_info);

#if IS_ENABLED(CONFIG_KVM)
/* Host-side flag; setup_uv() resets it to 0 whenever host support cannot be enabled. */
int __bootdata_preserved(prot_virt_host);
/* Both objects are exported to modules. */
EXPORT_SYMBOL(prot_virt_host);
EXPORT_SYMBOL(uv_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
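/*
 * Issue the UVC_CMD_INIT_UV Ultravisor call, describing the base storage
 * region in the control block.
 *
 * @stor_base: origin of the storage region handed to the Ultravisor
 * @stor_len: length of that region
 *
 * Returns 0 on success and -1 if uv_call() reports a failure; in that case
 * the rc and rrc from the control block header are logged.
 */
static int __init uv_init(unsigned long stor_base, unsigned long stor_len)
{
	struct uv_cb_init uvcb = {
		.header.cmd = UVC_CMD_INIT_UV,
		.header.len = sizeof(uvcb),
		.stor_origin = stor_base,
		.stor_len = stor_len,
	};

	if (uv_call(0, (uint64_t)&uvcb)) {
		/*
		 * Print both codes as 0x-prefixed hex. The previous "0%x"
		 * produced a bare leading zero, which made the rrc easy to
		 * misread when triaging a failed initialization.
		 */
		pr_err("Ultravisor init failed with rc: 0x%x rrc: 0x%x\n",
		       uvcb.header.rc, uvcb.header.rrc);
		return -1;
	}
	return 0;
}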
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49)
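/*
 * Set up the host side of protected virtualization during boot: allocate the
 * Ultravisor base storage and hand it over with uv_init().
 *
 * Whenever host support cannot be enabled (running as a protected guest,
 * facility 158 missing, allocation failure, or uv_init() failure),
 * prot_virt_host is reset to 0 so later code sees host support as disabled.
 */
void __init setup_uv(void)
{
	unsigned long uv_stor_base;

	/*
	 * keep these conditions in line with kasan init code has_uv_sec_stor_limit()
	 */
	if (!is_prot_virt_host())
		return;

	if (is_prot_virt_guest()) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not available in protected guests.\n");
		return;
	}

	if (!test_facility(158)) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not supported by the hardware.\n");
		return;
	}

	/* Requested with 1 MiB alignment and SZ_2G as the lower search bound. */
	uv_stor_base = (unsigned long)memblock_alloc_try_nid(
		uv_info.uv_base_stor_len, SZ_1M, SZ_2G,
		MEMBLOCK_ALLOC_ACCESSIBLE, NUMA_NO_NODE);
	if (!uv_stor_base) {
		pr_warn("Failed to reserve %lu bytes for ultravisor base storage\n",
			uv_info.uv_base_stor_len);
		goto fail;
	}

	if (uv_init(uv_stor_base, uv_info.uv_base_stor_len)) {
		/* The Ultravisor did not take the region; give it back. */
		memblock_free(uv_stor_base, uv_info.uv_base_stor_len);
		goto fail;
	}

	pr_info("Reserving %luMB as ultravisor base storage\n",
		uv_info.uv_base_stor_len >> 20);
	return;
fail:
	/*
	 * All messages in this function now end in a newline, matching the
	 * two that already did, so each one is emitted as its own log record.
	 */
	pr_info("Disabling support for protected virtualization\n");
	prot_virt_host = 0;
}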
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
/*
 * Clamp *vmax to the Ultravisor's maximum secure storage address.
 * A limit of 0 in uv_info means "no limit reported" and leaves *vmax alone.
 */
void adjust_to_uv_max(unsigned long *vmax)
{
	if (!uv_info.max_sec_stor_addr)
		return;

	*vmax = min_t(unsigned long, *vmax, uv_info.max_sec_stor_addr);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99)
/*
 * Ask the Ultravisor to pin a page in the shared state. Once pinned, a guest
 * attempt to unshare the page causes an intercept.
 *
 * @paddr: address of the page, passed in the control block's paddr field
 *
 * Returns 0 on success, -EINVAL if the Ultravisor call fails.
 */
static int uv_pin_shared(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header = {
			.cmd = UVC_CMD_PIN_PAGE_SHARED,
			.len = sizeof(uvcb),
		},
		.paddr = paddr,
	};

	return uv_call(0, (u64)&uvcb) ? -EINVAL : 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116)
/*
 * Ask the Ultravisor to destroy a guest page and hand it back to the host.
 * Destroying clears the page contents; nothing is exported.
 *
 * @paddr: Absolute host address of page to be destroyed
 *
 * Returns 0 on success (including the "page was not secure" case described
 * below), -EINVAL on any other Ultravisor failure.
 */
int uv_destroy_page(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header = {
			.cmd = UVC_CMD_DESTR_SEC_STOR,
			.len = sizeof(uvcb),
		},
		.paddr = paddr,
	};

	if (!uv_call(0, (u64)&uvcb))
		return 0;

	/*
	 * Older firmware reports a non-secure page as rc 0x107 / rrc 0xd.
	 * Newer firmware treats that case as a no-op, so do the same here.
	 */
	if (uvcb.header.rc == 0x107 && uvcb.header.rrc == 0xd)
		return 0;

	return -EINVAL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
/*
 * Ask the Ultravisor to export a guest page: the page is encrypted and then
 * made accessible to the host so that it can be paged.
 *
 * @paddr: Absolute host address of page to be exported
 *
 * Returns 0 on success, -EINVAL if the Ultravisor call fails.
 */
int uv_convert_from_secure(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header = {
			.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
			.len = sizeof(uvcb),
		},
		.paddr = paddr,
	};

	return uv_call(0, (u64)&uvcb) ? -EINVAL : 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
/*
 * Compute the reference count a page should have when nobody holds an extra
 * pin on it. Adapted from similar helpers elsewhere in the kernel, simplified
 * by the fact that a secure page can never be a huge page.
 *
 * The result is the map count, plus one for the swap cache or for a page
 * mapping, plus one more if a mapped page also has private data.
 */
static int expected_page_refs(struct page *page)
{
	int refs = page_mapcount(page);

	if (PageSwapCache(page))
		return refs + 1;

	if (!page_mapping(page))
		return refs;

	refs++;
	if (page_has_private(page))
		refs++;
	return refs;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183)
/*
 * Run the Ultravisor call described by @uvcb for the page mapped at @ptep,
 * but only if the PTE still maps @exp_page and the page has no references
 * beyond the expected ones.
 *
 * @ptep: PTE to check; sampled once with READ_ONCE()
 * @addr: not used by this function
 * @exp_page: page the caller expects the PTE to map
 * @uvcb: control block header handed to uv_call()
 *
 * Returns 0 on success; -ENXIO if the PTE is not present or invalid, maps a
 * different page, or the Ultravisor reports rc 0x10a; -EAGAIN if the page is
 * under writeback; -EBUSY if the refcount could not be frozen at the expected
 * value; -EINVAL for any other Ultravisor failure.
 *
 * gmap_make_secure() calls this with the page locked and the PTE lock held.
 */
static int make_secure_pte(pte_t *ptep, unsigned long addr,
			   struct page *exp_page, struct uv_cb_header *uvcb)
{
	pte_t entry = READ_ONCE(*ptep);
	struct page *page;
	int expected, rc = 0;

	if (!pte_present(entry))
		return -ENXIO;
	if (pte_val(entry) & _PAGE_INVALID)
		return -ENXIO;

	/* The mapping may have changed since the caller looked the page up. */
	page = pte_page(entry);
	if (page != exp_page)
		return -ENXIO;
	if (PageWriteback(page))
		return -EAGAIN;
	/*
	 * page_ref_freeze() fails when the count differs from 'expected',
	 * i.e. when there are references this code did not account for.
	 */
	expected = expected_page_refs(page);
	if (!page_ref_freeze(page, expected))
		return -EBUSY;
	/*
	 * Mark the page as possibly secure before the call. The flag is not
	 * cleared here if the call fails, so it can overindicate; see the
	 * PG_arch_1 notes in arch_make_page_accessible().
	 */
	set_bit(PG_arch_1, &page->flags);
	rc = uv_call(0, (u64)uvcb);
	page_ref_unfreeze(page, expected);
	/* Return -ENXIO if the page was not mapped, -EINVAL otherwise */
	if (rc)
		rc = uvcb->rc == 0x10a ? -ENXIO : -EINVAL;
	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212)
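/*
 * Requests the Ultravisor to make a page accessible to a guest.
 * If it's brought in the first time, it will be cleared. If
 * it has been exported before, it will be decrypted and integrity
 * checked.
 *
 * @gmap: guest address space the page belongs to
 * @gaddr: guest address of the page
 * @uvcb: Ultravisor control block to execute; passed through to
 *        make_secure_pte()
 *
 * Returns 0 on success; -EFAULT if @gaddr cannot be translated, has no VMA,
 * lies in a hugetlb VMA, or faulting it in fails; -EAGAIN when the caller
 * should retry (writeback was waited for, a system-wide LRU drain was done,
 * or the page had to be faulted in); -EINVAL if the Ultravisor rejects the
 * request.
 */
int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb)
{
	struct vm_area_struct *vma;
	bool local_drain = false;
	spinlock_t *ptelock;
	unsigned long uaddr;
	struct page *page;
	pte_t *ptep;
	int rc;

again:
	rc = -EFAULT;
	mmap_read_lock(gmap->mm);

	uaddr = __gmap_translate(gmap, gaddr);
	if (IS_ERR_VALUE(uaddr))
		goto out;
	vma = find_vma(gmap->mm, uaddr);
	if (!vma)
		goto out;
	/*
	 * Secure pages cannot be huge and userspace should not combine both.
	 * In case userspace does it anyway this will result in an -EFAULT for
	 * the unpack. The guest is thus never reaching secure mode. If
	 * userspace is playing dirty tricks with mapping huge pages later
	 * on this will result in a segmentation fault.
	 */
	if (is_vm_hugetlb_page(vma))
		goto out;

	rc = -ENXIO;
	page = follow_page(vma, uaddr, FOLL_WRITE);
	if (IS_ERR_OR_NULL(page))
		goto out;

	lock_page(page);
	ptep = get_locked_pte(gmap->mm, uaddr, &ptelock);
	rc = make_secure_pte(ptep, uaddr, page, uvcb);
	/*
	 * -EAGAIN means we sleep on writeback below, after the PTE lock, the
	 * page lock and the mmap lock have all been dropped. follow_page()
	 * was called without FOLL_GET, so nothing would keep the page from
	 * being unmapped and freed while we wait. Take a temporary reference
	 * now, while the PTE lock still guarantees the page is mapped.
	 */
	if (rc == -EAGAIN)
		get_page(page);
	pte_unmap_unlock(ptep, ptelock);
	unlock_page(page);
out:
	mmap_read_unlock(gmap->mm);

	if (rc == -EAGAIN) {
		/* Only make_secure_pte() yields -EAGAIN, so the reference is held. */
		wait_on_page_writeback(page);
		put_page(page);
	} else if (rc == -EBUSY) {
		/*
		 * If we have tried a local drain and the page refcount
		 * still does not match our expected safe value, try with a
		 * system wide drain. This is needed if the pagevecs holding
		 * the page are on a different CPU.
		 */
		if (local_drain) {
			lru_add_drain_all();
			/* We give up here, and let the caller try again */
			return -EAGAIN;
		}
		/*
		 * We are here if the page refcount does not match the
		 * expected safe value. The main culprits are usually
		 * pagevecs. With lru_add_drain() we drain the pagevecs
		 * on the local CPU so that hopefully the refcount will
		 * reach the expected safe value.
		 */
		lru_add_drain();
		local_drain = true;
		/* And now we try again immediately after draining */
		goto again;
	} else if (rc == -ENXIO) {
		/* Page not mapped (any more): fault it in and let the caller retry. */
		if (gmap_fault(gmap, gaddr, FAULT_FLAG_WRITE))
			return -EFAULT;
		return -EAGAIN;
	}
	return rc;
}
EXPORT_SYMBOL_GPL(gmap_make_secure);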
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295)
/*
 * Build a UVC_CMD_CONV_TO_SEC_STOR control block for @gaddr in the guest
 * identified by @gmap->guest_handle and run it through gmap_make_secure().
 *
 * Returns whatever gmap_make_secure() returns.
 */
int gmap_convert_to_secure(struct gmap *gmap, unsigned long gaddr)
{
	struct uv_cb_cts uvcb = {
		.header = {
			.cmd = UVC_CMD_CONV_TO_SEC_STOR,
			.len = sizeof(uvcb),
		},
		.guest_handle = gmap->guest_handle,
		.gaddr = gaddr,
	};

	return gmap_make_secure(gmap, gaddr, &uvcb);
}
EXPORT_SYMBOL_GPL(gmap_convert_to_secure);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308)
/*
 * Make a possibly secure page readable by the host again.
 *
 * Must be called with the page locked or with an extra reference held; that
 * keeps gmap_make_secure from working on the page at the same time. Two
 * concurrent calls of this function are harmless because the UV calls turn
 * into no-ops once the page is already exported.
 *
 * Returns 0 if nothing had to be done or the page is accessible now,
 * otherwise the error from uv_convert_from_secure().
 */
int arch_make_page_accessible(struct page *page)
{
	int rc;

	/* Hugepage cannot be protected, so nothing to do */
	if (PageHuge(page))
		return 0;

	/*
	 * PG_arch_1 has three users:
	 * 1. kernel page tables during early boot
	 * 2. storage keys of huge pages and KVM
	 * 3. a hint that this page might be secure. The hint can
	 *    overindicate, e.g. the bit is set before convert_to_secure
	 *    is called.
	 * Secure pages are never huge, so all three uses can coexist.
	 */
	if (!test_bit(PG_arch_1, &page->flags))
		return 0;

	/* Try pinning as shared first; fall back to an export if that fails. */
	rc = uv_pin_shared(page_to_phys(page));
	if (rc)
		rc = uv_convert_from_secure(page_to_phys(page));

	/* Drop the "might be secure" hint only once one of the calls succeeded. */
	if (!rc)
		clear_bit(PG_arch_1, &page->flags);

	return rc;
}
EXPORT_SYMBOL_GPL(arch_make_page_accessible);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) #if defined(CONFIG_PROTECTED_VIRTUALIZATION_GUEST) || IS_ENABLED(CONFIG_KVM)
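/*
 * sysfs show handler: prints the four words of uv_info.inst_calls_list in
 * hex, one per line.
 *
 * Uses sysfs_emit(), like uv_query_feature_indications() in this file, so
 * the write is bounded to the sysfs page by the helper itself instead of by
 * a hand-passed PAGE_SIZE.
 *
 * Returns the number of bytes written to @page.
 */
static ssize_t uv_query_facilities(struct kobject *kobj,
				   struct kobj_attribute *attr, char *page)
{
	return sysfs_emit(page, "%lx\n%lx\n%lx\n%lx\n",
			  uv_info.inst_calls_list[0],
			  uv_info.inst_calls_list[1],
			  uv_info.inst_calls_list[2],
			  uv_info.inst_calls_list[3]);
}

/* Read-only for everyone (0444); no store handler. */
static struct kobj_attribute uv_query_facilities_attr =
	__ATTR(facilities, 0444, uv_query_facilities, NULL);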
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366)
/*
 * sysfs show handler: prints uv_info.uv_feature_indications in hex.
 * Returns the number of bytes written to @buf.
 */
static ssize_t uv_query_feature_indications(struct kobject *kobj,
					    struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%lx\n", uv_info.uv_feature_indications);
}

/* Read-only for everyone (0444); no store handler. */
static struct kobj_attribute uv_query_feature_indications_attr =
	__ATTR(feature_indications, 0444, uv_query_feature_indications, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375)
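/*
 * sysfs show handler: prints the maximum number of guest CPUs, derived as
 * uv_info.max_guest_cpu_id + 1.
 *
 * Uses sysfs_emit(), like uv_query_feature_indications() in this file, so
 * the write is bounded to the sysfs page by the helper itself.
 *
 * Returns the number of bytes written to @page.
 */
static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return sysfs_emit(page, "%d\n",
			  uv_info.max_guest_cpu_id + 1);
}

/* Read-only for everyone (0444); no store handler. */
static struct kobj_attribute uv_query_max_guest_cpus_attr =
	__ATTR(max_cpus, 0444, uv_query_max_guest_cpus, NULL);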
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385)
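/*
 * sysfs show handler: prints uv_info.max_num_sec_conf, exposed to user space
 * as "max_guests".
 *
 * Uses sysfs_emit(), like uv_query_feature_indications() in this file, so
 * the write is bounded to the sysfs page by the helper itself.
 *
 * Returns the number of bytes written to @page.
 */
static ssize_t uv_query_max_guest_vms(struct kobject *kobj,
				      struct kobj_attribute *attr, char *page)
{
	return sysfs_emit(page, "%d\n",
			  uv_info.max_num_sec_conf);
}

/* Read-only for everyone (0444); no store handler. */
static struct kobj_attribute uv_query_max_guest_vms_attr =
	__ATTR(max_guests, 0444, uv_query_max_guest_vms, NULL);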
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395)
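/*
 * sysfs show handler: prints uv_info.max_sec_stor_addr in hex, exposed to
 * user space as "max_address".
 *
 * Uses sysfs_emit(), like uv_query_feature_indications() in this file, so
 * the write is bounded to the sysfs page by the helper itself.
 *
 * Returns the number of bytes written to @page.
 */
static ssize_t uv_query_max_guest_addr(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return sysfs_emit(page, "%lx\n",
			  uv_info.max_sec_stor_addr);
}

/* Read-only for everyone (0444); no store handler. */
static struct kobj_attribute uv_query_max_guest_addr_attr =
	__ATTR(max_address, 0444, uv_query_max_guest_addr, NULL);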
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405)
/*
 * NULL-terminated list of the query attributes. Every entry is declared
 * 0444 with no store handler, so the group is read-only.
 */
static struct attribute *uv_query_attrs[] = {
	&uv_query_facilities_attr.attr,
	&uv_query_feature_indications_attr.attr,
	&uv_query_max_guest_cpus_attr.attr,
	&uv_query_max_guest_vms_attr.attr,
	&uv_query_max_guest_addr_attr.attr,
	NULL,
};

/* Unnamed group: uv_info_init() creates the files directly in the "query" kset. */
static struct attribute_group uv_query_attr_group = {
	.attrs = uv_query_attrs,
};

/* Both are created by uv_info_init(): "uv" under firmware_kobj, "query" below it. */
static struct kset *uv_query_kset;
static struct kobject *uv_kobj;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421)
/*
 * Publish the Ultravisor query data in sysfs: a "uv" kobject under
 * firmware_kobj, a "query" kset below it, and the read-only query attributes
 * inside that kset. Does nothing when facility 158 is not installed.
 *
 * Returns 0 on success or when there is nothing to publish, -ENOMEM if a
 * kobject/kset cannot be created, or the error from sysfs_create_group().
 * Anything created before a failure is torn down again.
 */
static int __init uv_info_init(void)
{
	int rc;

	if (!test_facility(158))
		return 0;

	uv_kobj = kobject_create_and_add("uv", firmware_kobj);
	if (!uv_kobj)
		return -ENOMEM;

	uv_query_kset = kset_create_and_add("query", NULL, uv_kobj);
	if (!uv_query_kset) {
		rc = -ENOMEM;
		goto out_kobj;
	}

	rc = sysfs_create_group(&uv_query_kset->kobj, &uv_query_attr_group);
	if (rc)
		goto out_kset;

	return 0;

out_kset:
	kset_unregister(uv_query_kset);
out_kobj:
	kobject_del(uv_kobj);
	kobject_put(uv_kobj);
	return rc;
}
device_initcall(uv_info_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) #endif