| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f04bdf46-c752-43ec-88fa-dcd37f29d374@arm.com>
Date: Wed, 17 Dec 2025 14:29:46 +0000
From: Suzuki K Poulose <suzuki.poulose@....com>
To: Steven Price <steven.price@....com>, kvm@...r.kernel.org,
kvmarm@...ts.linux.dev
Cc: Catalin Marinas <catalin.marinas@....com>, Marc Zyngier <maz@...nel.org>,
Will Deacon <will@...nel.org>, James Morse <james.morse@....com>,
Oliver Upton <oliver.upton@...ux.dev>, Zenghui Yu <yuzenghui@...wei.com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Joey Gouly <joey.gouly@....com>, Alexandru Elisei
<alexandru.elisei@....com>, Christoffer Dall <christoffer.dall@....com>,
Fuad Tabba <tabba@...gle.com>, linux-coco@...ts.linux.dev,
Ganapatrao Kulkarni <gankulkarni@...amperecomputing.com>,
Gavin Shan <gshan@...hat.com>, Shanker Donthineni <sdonthineni@...dia.com>,
Alper Gun <alpergun@...gle.com>, "Aneesh Kumar K . V"
<aneesh.kumar@...nel.org>, Emi Kisanuki <fj0570is@...itsu.com>,
Vishal Annapurve <vannapurve@...gle.com>
Subject: Re: [PATCH v12 11/46] arm64: RMI: Activate realm on first VCPU run
On 17/12/2025 10:10, Steven Price wrote:
> When a VCPU migrates to another physical CPU check if this is the first
> time the guest has run, and if so activate the realm.
>
> Before the realm can be activated it must first be created, this is a
> stub in this patch and will be filled in by a later patch.
>
> Signed-off-by: Steven Price <steven.price@....com>
> ---
> New patch for v12
> ---
> arch/arm64/include/asm/kvm_rmi.h | 1 +
> arch/arm64/kvm/arm.c | 6 +++++
> arch/arm64/kvm/rmi.c | 42 ++++++++++++++++++++++++++++++++
> 3 files changed, 49 insertions(+)
>
> diff --git a/arch/arm64/include/asm/kvm_rmi.h b/arch/arm64/include/asm/kvm_rmi.h
> index cb7350f8a01a..e4534af06d96 100644
> --- a/arch/arm64/include/asm/kvm_rmi.h
> +++ b/arch/arm64/include/asm/kvm_rmi.h
> @@ -69,6 +69,7 @@ void kvm_init_rmi(void);
> u32 kvm_realm_ipa_limit(void);
>
> int kvm_init_realm_vm(struct kvm *kvm);
> +int kvm_activate_realm(struct kvm *kvm);
> void kvm_destroy_realm(struct kvm *kvm);
> void kvm_realm_destroy_rtts(struct kvm *kvm);
>
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 941d1bec8e77..542df37b9e82 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -951,6 +951,12 @@ int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu)
> return ret;
> }
>
> + if (kvm_is_realm(vcpu->kvm)) {
> + ret = kvm_activate_realm(kvm);
> + if (ret)
> + return ret;
> + }
> +
> mutex_lock(&kvm->arch.config_lock);
> set_bit(KVM_ARCH_FLAG_HAS_RAN_ONCE, &kvm->arch.flags);
> mutex_unlock(&kvm->arch.config_lock);
> diff --git a/arch/arm64/kvm/rmi.c b/arch/arm64/kvm/rmi.c
> index e57e8b7eafa9..98929382c365 100644
> --- a/arch/arm64/kvm/rmi.c
> +++ b/arch/arm64/kvm/rmi.c
> @@ -223,6 +223,48 @@ void kvm_realm_destroy_rtts(struct kvm *kvm)
> WARN_ON(realm_tear_down_rtt_range(realm, 0, (1UL << ia_bits)));
> }
>
> +static int realm_ensure_created(struct kvm *kvm)
> +{
> + /* Provided in later patch */
> + return -ENXIO;
> +}
> +
> +int kvm_activate_realm(struct kvm *kvm)
> +{
> + struct realm *realm = &kvm->arch.realm;
> + int ret;
> +
> + if (!kvm_is_realm(kvm))
> + return -ENXIO;
> +
> + if (kvm_realm_state(kvm) == REALM_STATE_ACTIVE)
> + return 0;
> +
> + guard(mutex)(&kvm->arch.config_lock);
> + /* Check again with the lock held */
> + if (kvm_realm_state(kvm) == REALM_STATE_ACTIVE)
> + return 0;
> +
> + ret = realm_ensure_created(kvm);
> + if (ret)
> + return ret;
> +
> + /* Mark state as dead in case we fail */
> + WRITE_ONCE(realm->state, REALM_STATE_DEAD);
> +
> + if (!irqchip_in_kernel(kvm)) {
> + /* Userspace irqchip not yet supported with realms */
> + return -EOPNOTSUPP;
> + }
super minor nit: We could do this check before create the realm, within
the config_lock'ed region.
Suzuki
Powered by blists - more mailing lists