Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

KVM: arm64: Check whether a VM IOCTL is allowed in pKVM

Certain VM IOCTLs are tied to specific VM features. Since pKVM does not
support all features, restrict which IOCTLs are allowed depending on
whether the associated feature is supported.

Use the existing VM capability check as the source of truth as to whether
an IOCTL is allowed for a particular VM by mapping the IOCTLs with their
associated capabilities.

Suggested-by: Oliver Upton <oupton@kernel.org>
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20251211104710.151771-9-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

Authored by Fuad Tabba, committed by Marc Zyngier
b12b3b04 8823485a

+23
+20
arch/arm64/include/asm/kvm_pkvm.h
··· 9 9 #include <linux/arm_ffa.h> 10 10 #include <linux/memblock.h> 11 11 #include <linux/scatterlist.h> 12 + #include <asm/kvm_host.h> 12 13 #include <asm/kvm_pgtable.h> 13 14 14 15 /* Maximum number of VMs that can co-exist under pKVM. */ ··· 50 49 default: 51 50 return !kvm || !kvm_vm_is_protected(kvm); 52 51 } 52 + } 53 + 54 + /* 55 + * Check whether the KVM VM IOCTL is allowed in pKVM. 56 + * 57 + * Certain features are allowed only for non-protected VMs in pKVM, which is why 58 + * this takes the VM (kvm) as a parameter. 59 + */ 60 + static inline bool kvm_pkvm_ioctl_allowed(struct kvm *kvm, unsigned int ioctl) 61 + { 62 + long ext; 63 + int r; 64 + 65 + r = kvm_get_cap_for_kvm_ioctl(ioctl, &ext); 66 + 67 + if (WARN_ON_ONCE(r < 0)) 68 + return false; 69 + 70 + return kvm_pkvm_ext_allowed(kvm, ext); 53 71 } 54 72 55 73 extern struct memblock_region kvm_nvhe_sym(hyp_memory)[];
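Review bot: in kvm_pkvm_ioctl_allowed(), `WARN_ON_ONCE(r < 0)` turns a failed `kvm_get_cap_for_kvm_ioctl(ioctl, &ext)` lookup into a kernel warning, and that path is reachable from userspace for any VM ioctl number that has no capability mapping, because the caller in arm.c runs this check ahead of the `switch (ioctl)` for every VM ioctl. With panic_on_warn set that is a userspace-triggerable crash rather than a plain -EINVAL. The contract of kvm_get_cap_for_kvm_ioctl() is not visible here and should be stated in the comment block: whether an ioctl that is simply not tied to any feature yields a "no capability" value that this function then allows, versus only genuinely unknown ioctls returning < 0. The comment should also say that a failed lookup denies the ioctl, since `return false` is taken before kvm_pkvm_ext_allowed() gets a chance to return true for non-protected VMs (its `default:` case), so the behaviour change reaches non-protected VMs as well.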
+3
arch/arm64/kvm/arm.c
··· 1938 1938 void __user *argp = (void __user *)arg; 1939 1939 struct kvm_device_attr attr; 1940 1940 1941 + if (is_protected_kvm_enabled() && !kvm_pkvm_ioctl_allowed(kvm, ioctl)) 1942 + return -EINVAL; 1943 + 1941 1944 switch (ioctl) { 1942 1945 case KVM_CREATE_IRQCHIP: { 1943 1946 int ret;
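Review bot: the new gate sits before the `switch (ioctl)`, so it applies to every VM ioctl that reaches kvm_arch_vm_ioctl(), including each case dispatched below; a one-line comment here should say that kvm_pkvm_ioctl_allowed() must have a capability mapping for every ioctl handled in this switch (the helper in kvm_pkvm.h warns and denies when the lookup fails), otherwise a future `case` added to the switch will silently start warning and failing under pKVM. The condition also only checks is_protected_kvm_enabled(), not whether this particular VM is protected; that is fine because the per-VM filtering happens inside kvm_pkvm_ext_allowed(), but noting it here saves readers a trip to the header. Lastly, consider whether -EINVAL is the right errno for "feature not available under pKVM"; if the handler reports unsupported features elsewhere with a different value, this should match it so userspace can tell the two apart.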