Message-ID: <CAC_TJvfzETz53ZXCk89ndqhj0+nuMUxPsB=NNT8kSZP-iwLm7A@mail.gmail.com>
Date: Mon, 26 Jan 2026 13:31:49 -0800
From: Kalesh Singh <kaleshsingh@...gle.com>
To: Vincent Donnefort <vdonnefort@...gle.com>
Cc: rostedt@...dmis.org, mhiramat@...nel.org, mathieu.desnoyers@...icios.com,
linux-trace-kernel@...r.kernel.org, maz@...nel.org, oliver.upton@...ux.dev,
joey.gouly@....com, suzuki.poulose@....com, yuzenghui@...wei.com,
kvmarm@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org,
jstultz@...gle.com, qperret@...gle.com, will@...nel.org,
aneesh.kumar@...nel.org, kernel-team@...roid.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v10 19/30] KVM: arm64: Add PKVM_DISABLE_STAGE2_ON_PANIC
On Mon, Jan 26, 2026 at 2:44 AM Vincent Donnefort <vdonnefort@...gle.com> wrote:
>
> On NVHE_EL2_DEBUG, when using pKVM, the host stage-2 is relaxed to grant
> the kernel access to the stacktrace, hypervisor bug table and text to
> symbolize addresses. This is unsafe for production. In preparation for
> adding more debug options to NVHE_EL2_DEBUG, decouple the stage-2
> relaxation into a separate option.
>
> While at it, rename PROTECTED_NVHE_STACKTRACE into PKVM_STACKTRACE,
> following the same naming scheme as PKVM_DISABLE_STAGE2_ON_PANIC.
>
> Cc: Kalesh Singh <kaleshsingh@...gle.com>
> Signed-off-by: Vincent Donnefort <vdonnefort@...gle.com>
Reviewed-by: Kalesh Singh <kaleshsingh@...gle.com>
Thanks,
Kalesh
>
> diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig
> index 4f803fd1c99a..6498dec00fe9 100644
> --- a/arch/arm64/kvm/Kconfig
> +++ b/arch/arm64/kvm/Kconfig
> @@ -43,9 +43,27 @@ menuconfig KVM
>
> If unsure, say N.
>
> +if KVM
> +
> +config PTDUMP_STAGE2_DEBUGFS
> + bool "Present the stage-2 pagetables to debugfs"
> + depends on DEBUG_KERNEL
> + depends on DEBUG_FS
> + depends on ARCH_HAS_PTDUMP
> + select PTDUMP
> + default n
> + help
> + Say Y here if you want to show the stage-2 kernel pagetables
> + layout in a debugfs file. This information is only useful for kernel developers
> + who are working in architecture specific areas of the kernel.
> + It is probably not a good idea to enable this feature in a production
> + kernel.
> +
> + If in doubt, say N.
> +
> config NVHE_EL2_DEBUG
> bool "Debug mode for non-VHE EL2 object"
> - depends on KVM
> + default n
> help
> Say Y here to enable the debug mode for the non-VHE KVM EL2 object.
> Failure reports will BUG() in the hypervisor. This is intended for
> @@ -53,10 +71,23 @@ config NVHE_EL2_DEBUG
>
> If unsure, say N.
>
> -config PROTECTED_NVHE_STACKTRACE
> - bool "Protected KVM hypervisor stacktraces"
> - depends on NVHE_EL2_DEBUG
> +if NVHE_EL2_DEBUG
> +
> +config PKVM_DISABLE_STAGE2_ON_PANIC
> + bool "Disable the host stage-2 on panic"
> default n
> + help
> + Relax the host stage-2 on hypervisor panic to allow the kernel to
> + unwind and symbolize the hypervisor stacktrace. This however tampers
> + the system security. This is intended for local EL2 hypervisor
> + development.
> +
> + If unsure, say N.
> +
> +config PKVM_STACKTRACE
> + bool "Protected KVM hypervisor stacktraces"
> + depends on PKVM_DISABLE_STAGE2_ON_PANIC
> + default y
> help
> Say Y here to enable pKVM hypervisor stacktraces on hyp_panic()
>
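Review bot: The help text added for PKVM_DISABLE_STAGE2_ON_PANIC says only that the option "tampers the system security", which does not tell someone configuring a kernel what protection is given up. The commit message is clearer (the relaxation is "unsafe for production"), and the help should say the same, for example `After a hypervisor panic the host is no longer restricted by its stage-2, so do not enable this in a production kernel.` Separately, PKVM_STACKTRACE gains `default y` while the help text kept as context in the next hunk still ends with "If unsure, or not using protected nVHE (pKVM), say N."; one of the two should be adjusted so the default and the advice agree.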
> @@ -66,21 +97,6 @@ config PROTECTED_NVHE_STACKTRACE
>
> If unsure, or not using protected nVHE (pKVM), say N.
>
> -config PTDUMP_STAGE2_DEBUGFS
> - bool "Present the stage-2 pagetables to debugfs"
> - depends on KVM
> - depends on DEBUG_KERNEL
> - depends on DEBUG_FS
> - depends on ARCH_HAS_PTDUMP
> - select PTDUMP
> - default n
> - help
> - Say Y here if you want to show the stage-2 kernel pagetables
> - layout in a debugfs file. This information is only useful for kernel developers
> - who are working in architecture specific areas of the kernel.
> - It is probably not a good idea to enable this feature in a production
> - kernel.
> -
> - If in doubt, say N.
> -
> +endif # NVHE_EL2_DEBUG
> +endif # KVM
> endif # VIRTUALIZATION
> diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
> index cc7d5d1709cb..54aedf93c78b 100644
> --- a/arch/arm64/kvm/handle_exit.c
> +++ b/arch/arm64/kvm/handle_exit.c
> @@ -539,7 +539,7 @@ void __noreturn __cold nvhe_hyp_panic_handler(u64 esr, u64 spsr,
>
> /* All hyp bugs, including warnings, are treated as fatal. */
> if (!is_protected_kvm_enabled() ||
> - IS_ENABLED(CONFIG_NVHE_EL2_DEBUG)) {
> + IS_ENABLED(CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC)) {
> struct bug_entry *bug = find_bug(elr_in_kimg);
>
> if (bug)
> diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
> index eef15b374abb..3092befcd97c 100644
> --- a/arch/arm64/kvm/hyp/nvhe/host.S
> +++ b/arch/arm64/kvm/hyp/nvhe/host.S
> @@ -120,7 +120,7 @@ SYM_FUNC_START(__hyp_do_panic)
>
> mov x29, x0
>
> -#ifdef CONFIG_NVHE_EL2_DEBUG
> +#ifdef PKVM_DISABLE_STAGE2_ON_PANIC
> /* Ensure host stage-2 is disabled */
> mrs x0, hcr_el2
> bic x0, x0, #HCR_VM
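Review bot: The new guard `#ifdef PKVM_DISABLE_STAGE2_ON_PANIC` in __hyp_do_panic lacks the `CONFIG_` prefix, so unless something else defines the bare name, the block that clears HCR_VM is compiled out even when the option is selected. The handle_exit.c hunk of the same patch tests `IS_ENABLED(CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC)`, so with the option enabled the host panic handler would presumably try to read the hypervisor bug table and text while the host stage-2 is still enforced. The line should read `#ifdef CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC`. The body of __hyp_do_panic and the matching `#endif` are outside the hunk.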
> diff --git a/arch/arm64/kvm/hyp/nvhe/stacktrace.c b/arch/arm64/kvm/hyp/nvhe/stacktrace.c
> index 5b6eeab1a774..7c832d60d22b 100644
> --- a/arch/arm64/kvm/hyp/nvhe/stacktrace.c
> +++ b/arch/arm64/kvm/hyp/nvhe/stacktrace.c
> @@ -34,7 +34,7 @@ static void hyp_prepare_backtrace(unsigned long fp, unsigned long pc)
> stacktrace_info->pc = pc;
> }
>
> -#ifdef CONFIG_PROTECTED_NVHE_STACKTRACE
> +#ifdef CONFIG_PKVM_STACKTRACE
> #include <asm/stacktrace/nvhe.h>
>
> DEFINE_PER_CPU(unsigned long [NVHE_STACKTRACE_SIZE/sizeof(long)], pkvm_stacktrace);
> @@ -134,11 +134,11 @@ static void pkvm_save_backtrace(unsigned long fp, unsigned long pc)
>
> unwind(&state, pkvm_save_backtrace_entry, &idx);
> }
> -#else /* !CONFIG_PROTECTED_NVHE_STACKTRACE */
> +#else /* !CONFIG_PKVM_STACKTRACE */
> static void pkvm_save_backtrace(unsigned long fp, unsigned long pc)
> {
> }
> -#endif /* CONFIG_PROTECTED_NVHE_STACKTRACE */
> +#endif /* CONFIG_PKVM_STACKTRACE */
>
> /*
> * kvm_nvhe_prepare_backtrace - prepare to dump the nVHE backtrace
> diff --git a/arch/arm64/kvm/stacktrace.c b/arch/arm64/kvm/stacktrace.c
> index af5eec681127..9724c320126b 100644
> --- a/arch/arm64/kvm/stacktrace.c
> +++ b/arch/arm64/kvm/stacktrace.c
> @@ -197,7 +197,7 @@ static void hyp_dump_backtrace(unsigned long hyp_offset)
> kvm_nvhe_dump_backtrace_end();
> }
>
> -#ifdef CONFIG_PROTECTED_NVHE_STACKTRACE
> +#ifdef CONFIG_PKVM_STACKTRACE
> DECLARE_KVM_NVHE_PER_CPU(unsigned long [NVHE_STACKTRACE_SIZE/sizeof(long)],
> pkvm_stacktrace);
>
> @@ -225,12 +225,12 @@ static void pkvm_dump_backtrace(unsigned long hyp_offset)
> kvm_nvhe_dump_backtrace_entry((void *)hyp_offset, stacktrace[i]);
> kvm_nvhe_dump_backtrace_end();
> }
> -#else /* !CONFIG_PROTECTED_NVHE_STACKTRACE */
> +#else /* !CONFIG_PKVM_STACKTRACE */
> static void pkvm_dump_backtrace(unsigned long hyp_offset)
> {
> - kvm_err("Cannot dump pKVM nVHE stacktrace: !CONFIG_PROTECTED_NVHE_STACKTRACE\n");
> + kvm_err("Cannot dump pKVM nVHE stacktrace: !CONFIG_PKVM_STACKTRACE\n");
> }
> -#endif /* CONFIG_PROTECTED_NVHE_STACKTRACE */
> +#endif /* CONFIG_PKVM_STACKTRACE */
>
> /*
> * kvm_nvhe_dump_backtrace - Dump KVM nVHE hypervisor backtrace.
> --
> 2.52.0.457.g6b5491de43-goog
>