[RFC,07/34] KVM: gunyah: Pin guest memory

Message ID	20250424141341.841734-8-karim.manaouil@linaro.org
State	New
Headers	show Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 00CE427F74B for <linux-arm-msm@vger.kernel.org>; Thu, 24 Apr 2025 14:13:55 +0000 (UTC) From: Karim Manaouil <karim.manaouil@linaro.org> To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev Cc: Karim Manaouil <karim.manaouil@linaro.org>, Alexander Graf <graf@amazon.com>, Alex Elder <elder@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>, Fuad Tabba <tabba@google.com>, Joey Gouly <joey.gouly@arm.com>, Jonathan Corbet <corbet@lwn.net>, Marc Zyngier <maz@kernel.org>, Mark Brown <broonie@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Oliver Upton <oliver.upton@linux.dev>, Paolo Bonzini <pbonzini@redhat.com>, Prakruthi Deepak Heragu <quic_pheragu@quicinc.com>, Quentin Perret <qperret@google.com>, Rob Herring <robh@kernel.org>, Srinivas Kandagatla <srini@kernel.org>, Srivatsa Vaddagiri <quic_svaddagi@quicinc.com>, Will Deacon <will@kernel.org>, Haripranesh S <haripran@qti.qualcomm.com>, Carl van Schaik <cvanscha@qti.qualcomm.com>, Murali Nalajala <mnalajal@quicinc.com>, Sreenivasulu Chalamcharla <sreeniva@qti.qualcomm.com>, Trilok Soni <tsoni@quicinc.com>, Stefan Schmidt <stefan.schmidt@linaro.org> Subject: [RFC PATCH 07/34] KVM: gunyah: Pin guest memory Date: Thu, 24 Apr 2025 15:13:14 +0100 Message-Id: <20250424141341.841734-8-karim.manaouil@linaro.org> In-Reply-To: <20250424141341.841734-1-karim.manaouil@linaro.org> References: <20250424141341.841734-1-karim.manaouil@linaro.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Running Qualcomm's Gunyah Guests via KVM in EL1 \| expand [RFC,00/34] Running Qualcomm's Gunyah Guests via KVM in EL1 [RFC,01/34] KVM: Allow arch-specific vCPU allocation and freeing [RFC,02/34] KVM: irqfd: Add architecture hooks for irqfd allocation and initialization [RFC,03/34] KVM: irqfd: Allow KVM backends to override IRQ injection via set_irq callback [RFC,04/34] KVM: Add weak stubs for irqchip-related functions for Gunyah builds [RFC,05/34] KVM: Add KVM_SET_DTB_ADDRESS ioctl to pass guest DTB address from userspace [RFC,06/34] KVM: gunyah: Add initial Gunyah backend support [RFC,07/34] KVM: gunyah: Pin guest memory [RFC,08/34] docs: gunyah: Introduce Gunyah Hypervisor [RFC,09/34] dt-bindings: Add binding for gunyah hypervisor [RFC,10/34] gunyah: Common types and error codes for Gunyah hypercalls [RFC,11/34] gunyah: Add hypercalls to identify Gunyah [RFC,12/34] gunyah: Add hypervisor driver [RFC,13/34] gunyah: Add hypercalls to send and receive messages [RFC,14/34] gunyah: Add resource manager RPC core [RFC,15/34] gunyah: Add VM lifecycle RPC [RFC,16/34] gunyah: Add basic VM lifecycle management [RFC,17/34] gunyah: Translate gh_rm_hyp_resource into gunyah_resource [RFC,18/34] gunyah: Add resource tickets [RFC,19/34] gunyah: Add hypercalls for running a vCPU [RFC,20/34] gunyah: add proxy-scheduled vCPUs [RFC,21/34] gunyah: Add hypercalls for demand paging [RFC,22/34] gunyah: Add memory parcel RPC [RFC,23/34] gunyah: Add interfaces to map memory into guest address space [RFC,24/34] gunyah: Add platform ops on mem_lend/mem_reclaim [RFC,25/34] gunyah: Add Qualcomm Gunyah platform ops [RFC,26/34] gunyah: Share memory parcels [RFC,27/34] gunyah: Share guest VM dtb configuration to Gunyah [RFC,28/34] gunyah: Add RPC to enable demand paging [RFC,29/34] gunyah: Enable demand paging [RFC,30/34] gunyah: Add RPC to set VM boot context [RFC,31/34] gunyah: allow userspace to set boot cpu context [RFC,32/34] gunyah: Add hypercalls for sending doorbell [RFC,33/34] KVM: gunyah: Implement irqfd interface [RFC,34/34] KVM: gunyah: enable KVM for Gunyah

Message ID

20250424141341.841734-8-karim.manaouil@linaro.org

State

New

Headers

From: Karim Manaouil <karim.manaouil@linaro.org>
To: linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org,
	linux-arm-msm@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	kvmarm@lists.linux.dev
Cc: Karim Manaouil <karim.manaouil@linaro.org>,
	Alexander Graf <graf@amazon.com>,
	Alex Elder <elder@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Fuad Tabba <tabba@google.com>,
	Joey Gouly <joey.gouly@arm.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Marc Zyngier <maz@kernel.org>,
	Mark Brown <broonie@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Oliver Upton <oliver.upton@linux.dev>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Prakruthi Deepak Heragu <quic_pheragu@quicinc.com>,
	Quentin Perret <qperret@google.com>,
	Rob Herring <robh@kernel.org>,
	Srinivas Kandagatla <srini@kernel.org>,
	Srivatsa Vaddagiri <quic_svaddagi@quicinc.com>,
	Will Deacon <will@kernel.org>,
	Haripranesh S <haripran@qti.qualcomm.com>,
	Carl van Schaik <cvanscha@qti.qualcomm.com>,
	Murali Nalajala <mnalajal@quicinc.com>,
	Sreenivasulu Chalamcharla <sreeniva@qti.qualcomm.com>,
	Trilok Soni <tsoni@quicinc.com>,
	Stefan Schmidt <stefan.schmidt@linaro.org>
Subject: [RFC PATCH 07/34] KVM: gunyah: Pin guest memory
Date: Thu, 24 Apr 2025 15:13:14 +0100
Message-Id: <20250424141341.841734-8-karim.manaouil@linaro.org>
In-Reply-To: <20250424141341.841734-1-karim.manaouil@linaro.org>
References: <20250424141341.841734-1-karim.manaouil@linaro.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Running Qualcomm's Gunyah Guests via KVM in EL1 | expand

Commit Message

Karim Manaouil April 24, 2025, 2:13 p.m. UTC

Qualcomm's Gunyah hypervisor allows to implement protected VMs, in which
private memory given to the guest is no more accessible to the host (an
access violation will be raised if the host tries to read/write that
memory).

In the context of protected VMs (aka confidential computing), the consensus
to manage this memory is via guest_memfd. We would like this port to be
be based on guest_memfd. However, for this RFC, the port allocates
anonymous pages, which are subject to migration and swap out. That will
trigger a violation if the memory is private, which is the case for most
of the guest's main memory.

Since the memory is allocated and given to the guest for possibly an
unbounded amount of time, we longterm pin the pages to prevent the
kernel from touching and possibly swapping or migrating those pages.

In upcoming versions of this port, we intend to move to guest_memfd.

Signed-off-by: Karim Manaouil <karim.manaouil@linaro.org>
---
 arch/arm64/include/asm/kvm_host.h |  3 ++
 arch/arm64/kvm/gunyah.c           | 68 ++++++++++++++++++++++++++++---
 2 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
index efbfe31d262d..9c8e173fc9c1 100644
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -229,6 +229,9 @@  struct kvm_s2_mmu {
 };
 
 struct kvm_arch_memory_slot {
+#ifdef CONFIG_GUNYAH
+	struct page **pages;
+#endif
 };
 
 /**
diff --git a/arch/arm64/kvm/gunyah.c b/arch/arm64/kvm/gunyah.c
index 0095610166ad..9c37ab20d7e2 100644
--- a/arch/arm64/kvm/gunyah.c
+++ b/arch/arm64/kvm/gunyah.c
@@ -660,11 +660,47 @@  void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
 {
 }
 
-void kvm_arch_commit_memory_region(struct kvm *kvm,
-				   struct kvm_memory_slot *old,
-				   const struct kvm_memory_slot *new,
-				   enum kvm_mr_change change)
+static int gunyah_pin_user_memory(struct kvm *kvm, struct kvm_memory_slot *memslot)
 {
+	unsigned int gup_flags = FOLL_WRITE | FOLL_LONGTERM;
+	unsigned long start = memslot->userspace_addr;
+	struct vm_area_struct *vma;
+	struct page **pages;
+	int ret;
+
+	if (!memslot->npages)
+		return 0;
+
+	/* It needs to be a valid VMA-backed region */
+	mmap_read_lock(current->mm);
+	vma = find_vma(current->mm, start);
+	if (!vma || start < vma->vm_start) {
+		mmap_read_unlock(current->mm);
+		return 0;
+	}
+	if (!(vma->vm_flags & VM_READ) || !(vma->vm_flags & VM_WRITE)) {
+		mmap_read_unlock(current->mm);
+		return 0;
+	}
+	mmap_read_unlock(current->mm);
+
+	pages = kvcalloc(memslot->npages, sizeof(*pages), GFP_KERNEL);
+	if (!pages)
+		return -ENOMEM;
+
+	ret = pin_user_pages_fast(start, memslot->npages, gup_flags, pages);
+	if (ret < 0) {
+		goto err;
+	} else if (ret != memslot->npages) {
+		ret = -EIO;
+		goto err;
+	} else {
+		memslot->arch.pages = pages;
+		return 0;
+	}
+err:
+	kvfree(pages);
+	return ret;
 }
 
 int kvm_arch_prepare_memory_region(struct kvm *kvm,
@@ -672,11 +708,33 @@  int kvm_arch_prepare_memory_region(struct kvm *kvm,
 				   struct kvm_memory_slot *new,
 				   enum kvm_mr_change change)
 {
-	return 0;
+	int ret;
+
+	switch (change) {
+	case KVM_MR_CREATE:
+		ret = gunyah_pin_user_memory(kvm, new);
+		break;
+	default:
+		return 0;
+	}
+	return ret;
+}
+
+void kvm_arch_commit_memory_region(struct kvm *kvm,
+				   struct kvm_memory_slot *old,
+				   const struct kvm_memory_slot *new,
+				   enum kvm_mr_change change)
+{
 }
 
 void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *slot)
 {
+	if (!slot->arch.pages)
+		return;
+
+	unpin_user_pages(slot->arch.pages, slot->npages);
+
+	kvfree(slot->arch.pages);
 }
 
 void kvm_arch_memslots_updated(struct kvm *kvm, u64 gen)

[RFC,07/34] KVM: gunyah: Pin guest memory

Commit Message

Patch