KVM: arm64: Include VM type when checking VM capabilities in pKVM

Certain features and capabilities are restricted in protected mode. Most
of these features are restricted only for protected VMs, but some
are restricted for ALL VMs in protected mode.

Extend the pKVM capability check to pass the VM (kvm), and use that when
determining supported features.

Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20251211104710.151771-6-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

authored by

Fuad Tabba and committed by
Marc Zyngier
43a21a0f c273feee

+13 -11
+6 -4
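--- a/arch/arm64/include/asm/kvm_pkvm.h
+++ b/arch/arm64/include/asm/kvm_pkvm.h
@@ -23,10 +23,12 @@
 int pkvm_create_hyp_vcpu(struct kvm_vcpu *vcpu);
 
 /*
- * This functions as an allow-list of protected VM capabilities.
- * Features not explicitly allowed by this function are denied.
+ * Check whether the specific capability is allowed in pKVM.
+ *
+ * Certain features are allowed only for non-protected VMs in pKVM, which is why
+ * this takes the VM (kvm) as a parameter.
  */
-static inline bool kvm_pvm_ext_allowed(long ext)
+static inline bool kvm_pkvm_ext_allowed(struct kvm *kvm, long ext)
 {
 	switch (ext) {
 	case KVM_CAP_IRQCHIP:
@@ -45,7 +43,7 @@
 	case KVM_CAP_ARM_PTRAUTH_GENERIC:
 		return true;
 	default:
-		return false;
+		return !kvm || !kvm_vm_is_protected(kvm);
 	}
 }
 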
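Review bot: The new `default:` arm returns allowed whenever kvm is NULL, so a capability that the description says is restricted for ALL VMs in protected mode would still be reported as supported on the system-wide check path unless it gets an explicit `return false;` case ahead of `default`; this hunk adds no such case, so presumably that arrives in a later patch. That contract is worth stating next to the default so the next case added here does not silently fall into the permissive branch, e.g. `/* NULL kvm is the system-wide check; only non-listed caps are denied, and only for protected VMs */`. The inline now also calls `kvm_vm_is_protected()`, which must already be visible at this point in kvm_pkvm.h's include order; the hunk does not show that.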
+2 -2
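--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -87,7 +87,7 @@
 	if (cap->flags)
 		return -EINVAL;
 
-	if (kvm_vm_is_protected(kvm) && !kvm_pvm_ext_allowed(cap->cap))
+	if (is_protected_kvm_enabled() && !kvm_pkvm_ext_allowed(kvm, cap->cap))
 		return -EINVAL;
 
 	switch (cap->cap) {
@@ -303,7 +303,7 @@
 {
 	int r;
 
-	if (kvm && kvm_vm_is_protected(kvm) && !kvm_pvm_ext_allowed(ext))
+	if (is_protected_kvm_enabled() && !kvm_pkvm_ext_allowed(kvm, ext))
 		return 0;
 
 	switch (ext) {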
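Review bot: In the second hunk (line 306) the removed condition carried an explicit `kvm &&` guard, and the replacement relies on `kvm_pkvm_ext_allowed()` tolerating a NULL kvm for the system-wide extension check; that dependency is invisible at the call site. A one-line comment makes the contract explicit: `/* kvm is NULL for the system-wide check; kvm_pkvm_ext_allowed() treats that as unrestricted */`. Both enclosing functions start outside the hunk, so whether kvm can be NULL at line 90 is inferred from the ioctl path rather than visible here.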
+5 -5
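--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -354,23 +354,23 @@
 		return;
 	}
 
-	if (kvm_pvm_ext_allowed(KVM_CAP_ARM_MTE))
+	if (kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_MTE))
 		kvm->arch.flags |= host_arch_flags & BIT(KVM_ARCH_FLAG_MTE_ENABLED);
 
 	bitmap_zero(allowed_features, KVM_VCPU_MAX_FEATURES);
 
 	set_bit(KVM_ARM_VCPU_PSCI_0_2, allowed_features);
 
-	if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PMU_V3))
+	if (kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_PMU_V3))
 		set_bit(KVM_ARM_VCPU_PMU_V3, allowed_features);
 
-	if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PTRAUTH_ADDRESS))
+	if (kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_PTRAUTH_ADDRESS))
 		set_bit(KVM_ARM_VCPU_PTRAUTH_ADDRESS, allowed_features);
 
-	if (kvm_pvm_ext_allowed(KVM_CAP_ARM_PTRAUTH_GENERIC))
+	if (kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_PTRAUTH_GENERIC))
 		set_bit(KVM_ARM_VCPU_PTRAUTH_GENERIC, allowed_features);
 
-	if (kvm_pvm_ext_allowed(KVM_CAP_ARM_SVE)) {
+	if (kvm_pkvm_ext_allowed(kvm, KVM_CAP_ARM_SVE)) {
 		set_bit(KVM_ARM_VCPU_SVE, allowed_features);
 		kvm->arch.flags |= host_arch_flags & BIT(KVM_ARCH_FLAG_GUEST_HAS_SVE);
 	}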
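Review bot: The `allowed_features` bitmap built here is the EL2-side allow-list, and its contents now depend on `kvm_vm_is_protected(kvm)` through every `kvm_pkvm_ext_allowed(kvm, ...)` call at lines 357-373, so the soundness of that decision rests on `kvm` being hyp-owned state rather than a structure the host can still write. The enclosing function starts outside the hunk, so this cannot be confirmed here, but a comment at the first call would record the assumption: `/* kvm is the hyp-owned VM; its protected flag, not the host's, gates the allow-list below */`. The four guarded `set_bit()` calls are also near-identical and could be driven from a small capability/feature table, though that is a style choice rather than a defect.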