Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

KVM: arm64: Prevent host from managing timer offsets for protected VMs

For protected VMs, the guest's timer offset state should not be
controlled by the host and must always run with a virtual counter offset
of 0. The existing timer logic allowed the host to set and manage the
timer counter offsets for protected VMs in certain cases.

Disable all host-side management of timer offsets for protected VMs by
adding checks in the relevant code paths.

Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20251211104710.151771-10-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

Authored by Fuad Tabba and committed by Marc Zyngier
f7d05ee8 b12b3b04

+13 -5
arch/arm64/kvm/arch_timer.c
··· 1056 1056 1057 1057 ctxt->timer_id = timerid; 1058 1058 1059 - if (timerid == TIMER_VTIMER) 1060 - ctxt->offset.vm_offset = &kvm->arch.timer_data.voffset; 1061 - else 1062 - ctxt->offset.vm_offset = &kvm->arch.timer_data.poffset; 1059 + if (!kvm_vm_is_protected(vcpu->kvm)) { 1060 + if (timerid == TIMER_VTIMER) 1061 + ctxt->offset.vm_offset = &kvm->arch.timer_data.voffset; 1062 + else 1063 + ctxt->offset.vm_offset = &kvm->arch.timer_data.poffset; 1064 + } else { 1065 + ctxt->offset.vm_offset = NULL; 1066 + } 1063 1067 1064 1068 hrtimer_setup(&ctxt->hrtimer, kvm_hrtimer_expire, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_HARD); 1065 1069 ··· 1087 1083 timer_context_init(vcpu, i); 1088 1084 1089 1085 /* Synchronize offsets across timers of a VM if not already provided */ 1090 - if (!test_bit(KVM_ARCH_FLAG_VM_COUNTER_OFFSET, &vcpu->kvm->arch.flags)) { 1086 + if (!vcpu_is_protected(vcpu) && 1087 + !test_bit(KVM_ARCH_FLAG_VM_COUNTER_OFFSET, &vcpu->kvm->arch.flags)) { 1091 1088 timer_set_offset(vcpu_vtimer(vcpu), kvm_phys_timer_read()); 1092 1089 timer_set_offset(vcpu_ptimer(vcpu), 0); 1093 1090 } ··· 1690 1685 int ret = 0; 1691 1686 1692 1687 if (offset->reserved) 1688 + return -EINVAL; 1689 + 1690 + if (kvm_vm_is_protected(kvm)) 1693 1691 return -EINVAL; 1694 1692 1695 1693 mutex_lock(&kvm->lock);
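Review bot: In the first hunk (new line 1059) the condition tests `kvm_vm_is_protected(vcpu->kvm)` while both assignments inside it go through the local `kvm` pointer (`&kvm->arch.timer_data.voffset`); use `kvm_vm_is_protected(kvm)` so the block refers to the VM one way. The else branch now leaves `ctxt->offset.vm_offset` as NULL for protected VMs, and the readers of that pointer are not part of this patch, so please add a one-line comment saying that NULL means the offset is fixed at 0 and not host-managed, and confirm that every consumer of `offset.vm_offset` checks for NULL before dereferencing it.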
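Review bot: The second hunk (new line 1086) gates on `vcpu_is_protected(vcpu)` whereas the first and third hunks use `kvm_vm_is_protected()`; if the two predicates are meant to be equivalent here, pick one across the patch, and if they are not, say in the commit message why the vCPU-level check is the right one at this point. The comment directly above, "Synchronize offsets across timers of a VM if not already provided", also no longer describes the whole condition and should mention that protected VMs are skipped because their offset must stay 0.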
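Review bot: In the third hunk (new lines 1690-1691) the protected-VM rejection returns `-EINVAL`, the same value as the `offset->reserved` check just above it, so userspace cannot tell a malformed argument from a VM type that does not allow the operation. Consider a distinct errno for the protected case, or at least document in the ioctl's description that `-EINVAL` is also returned for protected VMs. The check sits before `mutex_lock(&kvm->lock)`; that is fine if the protected state cannot change after VM creation, which is worth stating in a short comment.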