| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f5b87486-89b5-4c86-aadb-47204fb39bea@arm.com>
Date: Thu, 18 Apr 2024 14:17:23 +0100
From: Steven Price <steven.price@....com>
To: Suzuki K Poulose <suzuki.poulose@....com>, kvm@...r.kernel.org,
kvmarm@...ts.linux.dev
Cc: Catalin Marinas <catalin.marinas@....com>, Marc Zyngier <maz@...nel.org>,
Will Deacon <will@...nel.org>, James Morse <james.morse@....com>,
Oliver Upton <oliver.upton@...ux.dev>, Zenghui Yu <yuzenghui@...wei.com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Joey Gouly <joey.gouly@....com>, Alexandru Elisei
<alexandru.elisei@....com>, Christoffer Dall <christoffer.dall@....com>,
Fuad Tabba <tabba@...gle.com>, linux-coco@...ts.linux.dev,
Ganapatrao Kulkarni <gankulkarni@...amperecomputing.com>
Subject: Re: [PATCH v2 05/43] arm64: RME: Add SMC definitions for calling the
RMM
On 16/04/2024 13:38, Suzuki K Poulose wrote:
> Hi Steven
>
> On 12/04/2024 09:42, Steven Price wrote:
>> The RMM (Realm Management Monitor) provides functionality that can be
>> accessed by SMC calls from the host.
>>
>> The SMC definitions are based on DEN0137[1] version 1.0-eac5
>>
>> [1] https://developer.arm.com/documentation/den0137/1-0eac5/
>>
>> Signed-off-by: Steven Price <steven.price@....com>
>> ---
>> arch/arm64/include/asm/rmi_smc.h | 250 +++++++++++++++++++++++++++++++
>> 1 file changed, 250 insertions(+)
>> create mode 100644 arch/arm64/include/asm/rmi_smc.h
>>
>> diff --git a/arch/arm64/include/asm/rmi_smc.h
>> b/arch/arm64/include/asm/rmi_smc.h
>> new file mode 100644
>> index 000000000000..c205efdb18d8
>> --- /dev/null
>> +++ b/arch/arm64/include/asm/rmi_smc.h
>> @@ -0,0 +1,250 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +/*
>> + * Copyright (C) 2023 ARM Ltd.
>> + *
>> + * The values and structures in this file are from the Realm
>> Management Monitor
>> + * specification (DEN0137) version A-bet0:
>> + * https://developer.arm.com/documentation/den0137/1-0bet0/
>
> This should now point to eac5 instead.
Typical - I searched through the commit logs, but forgot I'd put a
reference in the code too! Thanks for spotting.
>> + */
>> +
>> +#ifndef __ASM_RME_SMC_H
>> +#define __ASM_RME_SMC_H
>> +
>> +#include <linux/arm-smccc.h>
>> +
>> +#define SMC_RxI_CALL(func) \
>> + ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, \
>> + ARM_SMCCC_SMC_64, \
>> + ARM_SMCCC_OWNER_STANDARD, \
>> + (func))
>> +
>> +#define SMC_RMI_DATA_CREATE SMC_RxI_CALL(0x0153)
>> +#define SMC_RMI_DATA_CREATE_UNKNOWN SMC_RxI_CALL(0x0154)
>> +#define SMC_RMI_DATA_DESTROY SMC_RxI_CALL(0x0155)
>> +#define SMC_RMI_FEATURES SMC_RxI_CALL(0x0165)
>> +#define SMC_RMI_GRANULE_DELEGATE SMC_RxI_CALL(0x0151)
>> +#define SMC_RMI_GRANULE_UNDELEGATE SMC_RxI_CALL(0x0152)
>> +#define SMC_RMI_PSCI_COMPLETE SMC_RxI_CALL(0x0164)
>> +#define SMC_RMI_REALM_ACTIVATE SMC_RxI_CALL(0x0157)
>> +#define SMC_RMI_REALM_CREATE SMC_RxI_CALL(0x0158)
>> +#define SMC_RMI_REALM_DESTROY SMC_RxI_CALL(0x0159)
>> +#define SMC_RMI_REC_AUX_COUNT SMC_RxI_CALL(0x0167)
>> +#define SMC_RMI_REC_CREATE SMC_RxI_CALL(0x015a)
>> +#define SMC_RMI_REC_DESTROY SMC_RxI_CALL(0x015b)
>> +#define SMC_RMI_REC_ENTER SMC_RxI_CALL(0x015c)
>> +#define SMC_RMI_RTT_CREATE SMC_RxI_CALL(0x015d)
>> +#define SMC_RMI_RTT_DESTROY SMC_RxI_CALL(0x015e)
>> +#define SMC_RMI_RTT_FOLD SMC_RxI_CALL(0x0166)
>> +#define SMC_RMI_RTT_INIT_RIPAS SMC_RxI_CALL(0x0168)
>> +#define SMC_RMI_RTT_MAP_UNPROTECTED SMC_RxI_CALL(0x015f)
>> +#define SMC_RMI_RTT_READ_ENTRY SMC_RxI_CALL(0x0161)
>> +#define SMC_RMI_RTT_SET_RIPAS SMC_RxI_CALL(0x0169)
>> +#define SMC_RMI_RTT_UNMAP_UNPROTECTED SMC_RxI_CALL(0x0162)
>> +#define SMC_RMI_VERSION SMC_RxI_CALL(0x0150)
>> +
>> +#define RMI_ABI_MAJOR_VERSION 1
>> +#define RMI_ABI_MINOR_VERSION 0
>> +
>> +#define RMI_UNASSIGNED 0
>> +#define RMI_ASSIGNED 1
>> +#define RMI_TABLE 2
>> +
>> +#define RMI_ABI_VERSION_GET_MAJOR(version) ((version) >> 16)
>> +#define RMI_ABI_VERSION_GET_MINOR(version) ((version) & 0xFFFF)
>> +#define RMI_ABI_VERSION(major, minor) (((major) << 16) | (minor))
>> +
>> +#define RMI_RETURN_STATUS(ret) ((ret) & 0xFF)
>> +#define RMI_RETURN_INDEX(ret) (((ret) >> 8) & 0xFF)
>> +
>> +#define RMI_SUCCESS 0
>> +#define RMI_ERROR_INPUT 1
>> +#define RMI_ERROR_REALM 2
>> +#define RMI_ERROR_REC 3
>> +#define RMI_ERROR_RTT 4
>> +
>> +#define RMI_EMPTY 0
>> +#define RMI_RAM 1
>> +#define RMI_DESTROYED 2
>> +
>> +#define RMI_NO_MEASURE_CONTENT 0
>> +#define RMI_MEASURE_CONTENT 1
>> +
>> +#define RMI_FEATURE_REGISTER_0_S2SZ GENMASK(7, 0)
>> +#define RMI_FEATURE_REGISTER_0_LPA2 BIT(8)
>> +#define RMI_FEATURE_REGISTER_0_SVE_EN BIT(9)
>> +#define RMI_FEATURE_REGISTER_0_SVE_VL GENMASK(13, 10)
>> +#define RMI_FEATURE_REGISTER_0_NUM_BPS GENMASK(17, 14)
>> +#define RMI_FEATURE_REGISTER_0_NUM_WPS GENMASK(21, 18)
>> +#define RMI_FEATURE_REGISTER_0_PMU_EN BIT(22)
>> +#define RMI_FEATURE_REGISTER_0_PMU_NUM_CTRS GENMASK(27, 23)
>> +#define RMI_FEATURE_REGISTER_0_HASH_SHA_256 BIT(28)
>> +#define RMI_FEATURE_REGISTER_0_HASH_SHA_512 BIT(29)
>> +
>> +#define RMI_REALM_PARAM_FLAG_LPA2 BIT(0)
>> +#define RMI_REALM_PARAM_FLAG_SVE BIT(1)
>> +#define RMI_REALM_PARAM_FLAG_PMU BIT(2)
>> +
>> +/*
>> + * Note many of these fields are smaller than u64 but all fields have
>> u64
>> + * alignment, so use u64 to ensure correct alignment.
>> + */
>> +struct realm_params {
>> + union { /* 0x0 */
>> + struct {
>> + u64 flags;
>> + u64 s2sz;
>> + u64 sve_vl;
>> + u64 num_bps;
>> + u64 num_wps;
>> + u64 pmu_num_ctrs;
>> + u64 hash_algo;
>> + };
>> + u8 padding_1[0x400];
>> + };
>> + union { /* 0x400 */
>> + u8 rpv[64];
>> + u8 padding_2[0x400];
>> + };
>> + union { /* 0x800 */
>> + struct {
>> + u64 vmid;
>> + u64 rtt_base;
>> + s64 rtt_level_start;
>> + u64 rtt_num_start;
>> + };
>> + u8 padding_3[0x800];
>> + };
>> +};
>> +
>> +/*
>> + * The number of GPRs (starting from X0) that are
>> + * configured by the host when a REC is created.
>> + */
>> +#define REC_CREATE_NR_GPRS 8
>> +
>> +#define REC_PARAMS_FLAG_RUNNABLE BIT_ULL(0)
>> +
>> +#define REC_PARAMS_AUX_GRANULES 16
>> +
>> +struct rec_params {
>> + union { /* 0x0 */
>> + u64 flags;
>> + u8 padding1[0x100];
>> + };
>> + union { /* 0x100 */
>> + u64 mpidr;
>> + u8 padding2[0x100];
>> + };
>> + union { /* 0x200 */
>> + u64 pc;
>> + u8 padding3[0x100];
>> + };
>> + union { /* 0x300 */
>> + u64 gprs[REC_CREATE_NR_GPRS];
>> + u8 padding4[0x500];
>> + };
>> + union { /* 0x800 */
>> + struct {
>> + u64 num_rec_aux;
>> + u64 aux[REC_PARAMS_AUX_GRANULES];
>> + };
>> + u8 padding5[0x800];
>> + };
>> +};
>> +
>> +#define RMI_EMULATED_MMIO BIT(0)
>> +#define RMI_INJECT_SEA BIT(1)
>> +#define RMI_TRAP_WFI BIT(2)
>> +#define RMI_TRAP_WFE BIT(3)
>
> For completeness, we could add :
>
> #define RMI_RIPAS_RESPONSE BIT(4)
>
> Not sure if we use it later in the series.
Yes, I'll add for completeness. Currently KVM will never reject a RIPAS
change request from the guest. I'm not sure in what situation it would
make sense to do such a thing. The current uABI doesn't allow the VMM to
have a say in it either as the RIPAS change is completed before the exit
to the VMM. The expectation is therefore that the VMM would simply
terminate a Realm guest that attempted a RIPAS change that it disagreed
with.
>> +
>> +#define REC_RUN_GPRS 31
>> +#define REC_GIC_NUM_LRS 16
>> +
>> +struct rec_entry {
While I'm reading this (and the spec) again - I notice that the spec
says "RecEnter" not 'entry' - I'll rename this to be consistent.
>> + union { /* 0x000 */
>> + u64 flags;
>> + u8 padding0[0x200];
>> + };
>> + union { /* 0x200 */
>> + u64 gprs[REC_RUN_GPRS];
>> + u8 padding2[0x100];
>> + };
>> + union { /* 0x300 */
>> + struct {
>> + u64 gicv3_hcr;
>> + u64 gicv3_lrs[REC_GIC_NUM_LRS];
>> + };
>> + u8 padding3[0x100];
>> + };
>> + u8 padding4[0x400];
>> +};
>> +
>> +struct rec_exit {
>> + union { /* 0x000 */
>> + u8 exit_reason;
>> + u8 padding0[0x100];
>> + };
>> + union { /* 0x100 */
>> + struct {
>> + u64 esr;
>> + u64 far;
>> + u64 hpfar;
>> + };
>> + u8 padding1[0x100];
>> + };
>> + union { /* 0x200 */
>> + u64 gprs[REC_RUN_GPRS];
>> + u8 padding2[0x100];
>> + };
>> + union { /* 0x300 */
>> + struct {
>> + u64 gicv3_hcr;
>> + u64 gicv3_lrs[REC_GIC_NUM_LRS];
>> + u64 gicv3_misr;
>> + u64 gicv3_vmcr;
>> + };
>> + u8 padding3[0x100];
>> + };
>> + union { /* 0x400 */
>> + struct {
>> + u64 cntp_ctl;
>> + u64 cntp_cval;
>> + u64 cntv_ctl;
>> + u64 cntv_cval;
>> + };
>> + u8 padding4[0x100];
>> + };
>> + union { /* 0x500 */
>> + struct {
>> + u64 ripas_base;
>> + u64 ripas_top;
>> + u64 ripas_value;
>> + };
>> + u8 padding5[0x100];
>> + };
>> + union { /* 0x600 */
>> + u16 imm;
>> + u8 padding6[0x100];
>> + };
>> + union { /* 0x700 */
>> + struct {
>> + u64 pmu_ovf_status;
>
> This is u8 as per section B4.4.10 RmiPmuOverflowStatus type.
Indeed - I'm not sure where I got u64 from - it was probably to provide
padding in an older version of the spec.
>> + };
>> + u8 padding7[0x100];
>> + };
>> +};
>> +
>> +struct rec_run {
>> + struct rec_entry entry;
>> + struct rec_exit exit;
>> +};
>> +
>> +#define RMI_EXIT_SYNC 0x00
>> +#define RMI_EXIT_IRQ 0x01
>> +#define RMI_EXIT_FIQ 0x02
>> +#define RMI_EXIT_PSCI 0x03
>> +#define RMI_EXIT_RIPAS_CHANGE 0x04
>> +#define RMI_EXIT_HOST_CALL 0x05
>> +#define RMI_EXIT_SERROR 0x06
>
> Minor nit: Like the other definitions, it may be good to keep the
> defintions of the "exit_reason" above the field declaration.
Yes, makes sense - I'll move these.
Thanks for the review!
Steve
>
> Rest looks fine to me.
>
> Suzuki
>> +
>> +#endif
>
Powered by blists - more mailing lists