ANDROID: KVM: arm64: Add a range to the guest MMIO guard hypercalls

Extend the guest MMIO guard HVCs with a nr_pages argument. Contrary to
the memshare, legacy kernel didn't enforce arg2 and arg3 to 0. We have
then to bring a new set of HVCs. The range version of those HVCs is
advertised in the meminfo HVC.

Bug: 278749606
Bug: 243642516
Change-Id: Ic56aa7f0049dadaa72b5b5e65c00c6bafe5a40b9
Signed-off-by: Vincent Donnefort <[email protected]>

Author: vdonnefort

arch/arm64/kvm/hyp/include/nvhe/mem_protect.h

@@ -54,8 +54,10 @@ int __pkvm_guest_share_host(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
 			    u64 nr_pages, u64 *nr_shared);
 int __pkvm_guest_unshare_host(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
 			      u64 nr_pages, u64 *nr_unshared);
-int __pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa);
-int __pkvm_remove_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa);
+int __pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
+				u64 nr_pages, u64 *nr_guarded);
+int __pkvm_remove_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
+			       u64 nr_pages, u64 *nr_unguarded);
 bool __pkvm_check_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu);
 int __pkvm_guest_relinquish_to_host(struct pkvm_hyp_vcpu *vcpu,
 				    u64 ipa, u64 *ppa);

arch/arm64/kvm/hyp/nvhe/mem_protect.c

@@ -2495,60 +2495,94 @@ static bool __check_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa)
 		pte == KVM_INVALID_PTE_MMIO_NOTE);
 }
 
-int __pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa)
+int __pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
+				u64 nr_pages, u64 *nr_guarded)
 {
+	struct guest_request_walker_data data = GUEST_WALKER_DATA_INIT(PKVM_NOPAGE);
 	struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(hyp_vcpu);
-	kvm_pte_t pte;
-	u32 level;
+	struct kvm_pgtable_walker walker = {
+		.cb     = guest_request_walker,
+		.flags  = KVM_PGTABLE_WALK_LEAF,
+		.arg    = (void *)&data,
+	};
+	u64 size = nr_pages * PAGE_SIZE;
 	int ret;
 
 	if (!test_bit(KVM_ARCH_FLAG_MMIO_GUARD, &vm->kvm.arch.flags))
 		return -EINVAL;
 
-	if (ipa & ~PAGE_MASK)
+	if (!PAGE_ALIGNED(ipa) || !PAGE_ALIGNED(size) || !size)
 		return -EINVAL;
 
 	guest_lock_component(vm);
 
-	ret = kvm_pgtable_get_leaf(&vm->pgt, ipa, &pte, &level);
-	if (ret)
-		goto unlock;
-
-	if (pte && BIT(ARM64_HW_PGTABLE_LEVEL_SHIFT(level)) == PAGE_SIZE) {
-		/*
-		 * Already flagged as MMIO, let's accept it, and fail
-		 * otherwise
-		 */
-		if (pte != KVM_INVALID_PTE_MMIO_NOTE)
-			ret = -EBUSY;
-
+	/* Check we either have NOMAP or NOMAP|MMIO in this range */
+	data.desired_mask = ~PKVM_MMIO;
+	ret = kvm_pgtable_walk(&vm->pgt, ipa, size, &walker);
+	/* Walker reached data.max_ptes */
+	if (ret == -E2BIG)
+		ret = 0;
+	else if (ret)
 		goto unlock;
-	}
 
-	ret = kvm_pgtable_stage2_annotate(&vm->pgt, ipa, PAGE_SIZE,
+	/*
+	 * Intersection between the requested region and what has been verified
+	 */
+	size = min(data.size - (ipa - data.ipa_start), size);
+	ret = kvm_pgtable_stage2_annotate(&vm->pgt, ipa, size,
 					  &hyp_vcpu->vcpu.arch.stage2_mc,
 					  KVM_INVALID_PTE_MMIO_NOTE);
-
+	if (nr_guarded)
+		*nr_guarded = size >> PAGE_SHIFT;
 unlock:
 	guest_unlock_component(vm);
 	return ret;
 }
 
-int __pkvm_remove_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa)
+int __pkvm_remove_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 ipa,
+			       u64 nr_pages, u64 *nr_unguarded)
 {
 	struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(hyp_vcpu);
+	struct guest_request_walker_data data =
+		GUEST_WALKER_DATA_INIT(PKVM_NOPAGE | PKVM_MMIO);
+	struct kvm_pgtable_walker walker = {
+		.cb     = guest_request_walker,
+		.flags  = KVM_PGTABLE_WALK_LEAF,
+		.arg    = (void *)&data,
+	};
+	u64 size = nr_pages * PAGE_SIZE;
+	int ret;
 
 	if (!test_bit(KVM_ARCH_FLAG_MMIO_GUARD, &vm->kvm.arch.flags))
 		return -EINVAL;
 
+	if (!PAGE_ALIGNED(ipa) || !PAGE_ALIGNED(size) || !size)
+		return -EINVAL;
+
 	guest_lock_component(vm);
 
-	if (__check_ioguard_page(hyp_vcpu, ipa))
-		WARN_ON(kvm_pgtable_stage2_unmap(&vm->pgt,
-				ALIGN_DOWN(ipa, PAGE_SIZE), PAGE_SIZE));
+	ret = kvm_pgtable_walk(&vm->pgt, ipa, size, &walker);
+	/* Walker reached data.max_ptes */
+	if (ret == -E2BIG)
+		ret = 0;
+	else if (ret)
+		goto unlock;
+
+	/*
+	 * Ioguard is using annotation which has force_pte on.
+	 * We shouldn't get any block mapping
+	 */
+	WARN_ON(data.ipa_start != ipa);
+	WARN_ON(data.size > size);
+
+	ret = kvm_pgtable_stage2_unmap(&vm->pgt, data.ipa_start, data.size);
 
 	guest_unlock_component(vm);
-	return 0;
+
+	if (nr_unguarded)
+		*nr_unguarded = data.size >> PAGE_SHIFT;
+unlock:
+	return WARN_ON(ret);
 }
 
 bool __pkvm_check_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu)

arch/arm64/kvm/hyp/nvhe/pkvm.c

@@ -1525,20 +1525,57 @@ static bool pkvm_memunshare_call(struct pkvm_hyp_vcpu *hyp_vcpu)
 	return true;
 }
 
-static bool pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu, u64 *exit_code)
+static bool pkvm_install_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu,
+				      u64 *exit_code)
 {
-	u64 retval = SMCCC_RET_SUCCESS;
 	u64 ipa = smccc_get_arg1(&hyp_vcpu->vcpu);
-	int ret;
+	u64 nr_pages = smccc_get_arg2(&hyp_vcpu->vcpu);
+	u32 fn = smccc_get_function(&hyp_vcpu->vcpu);
+	u64 retval = SMCCC_RET_SUCCESS;
+	u64 nr_guarded = 0;
+	int ret = -EINVAL;
+
+	/* Legacy non-range version, arg2|arg3 might be garbage */
+	if (fn == ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID)
+		nr_pages = 1;
+	else if (smccc_get_arg3(&hyp_vcpu->vcpu))
+		goto out_guest_err;
 
-	ret = __pkvm_install_ioguard_page(hyp_vcpu, ipa);
+	ret = __pkvm_install_ioguard_page(hyp_vcpu, ipa, nr_pages, &nr_guarded);
 	if (ret == -ENOMEM && !pkvm_handle_empty_memcache(hyp_vcpu, exit_code))
 		return false;
 
+out_guest_err:
 	if (ret)
 		retval = SMCCC_RET_INVALID_PARAMETER;
 
-	smccc_set_retval(&hyp_vcpu->vcpu, retval, 0, 0, 0);
+	smccc_set_retval(&hyp_vcpu->vcpu, retval, nr_guarded, 0, 0);
+	return true;
+}
+
+static bool pkvm_remove_ioguard_page(struct pkvm_hyp_vcpu *hyp_vcpu,
+				     u64 *exit_code)
+{
+	u64 ipa = smccc_get_arg1(&hyp_vcpu->vcpu);
+	u64 nr_pages = smccc_get_arg2(&hyp_vcpu->vcpu);
+	u32 fn = smccc_get_function(&hyp_vcpu->vcpu);
+	u64 retval = SMCCC_RET_SUCCESS;
+	u64 nr_unguarded = 0;
+	int ret = -EINVAL;
+
+	/* Legacy non-range version, arg2|arg3 might be garbage */
+	if (fn == ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID)
+		nr_pages = 1;
+	else if (smccc_get_arg3(&hyp_vcpu->vcpu))
+		goto out_guest_err;
+
+	ret = __pkvm_remove_ioguard_page(hyp_vcpu, ipa, nr_pages, &nr_unguarded);
+
+out_guest_err:
+	if (ret)
+		retval = SMCCC_RET_INVALID_PARAMETER;
+
+	smccc_set_retval(&hyp_vcpu->vcpu, retval, nr_unguarded, 0, 0);
 	return true;
 }
 
@@ -1653,20 +1690,20 @@ bool kvm_handle_pvm_hvc64(struct kvm_vcpu *vcpu, u64 *exit_code)
 		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL);
 		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP);
 		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP);
+		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_MAP);
+		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_UNMAP);
 		val[0] |= BIT(ARM_SMCCC_KVM_FUNC_MEM_RELINQUISH);
 		break;
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID:
 		set_bit(KVM_ARCH_FLAG_MMIO_GUARD, &vcpu->kvm->arch.flags);
 		val[0] = SMCCC_RET_SUCCESS;
 		break;
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID:
+	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_RGUARD_MAP_FUNC_ID:
 		return pkvm_install_ioguard_page(hyp_vcpu, exit_code);
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID:
-		if (__pkvm_remove_ioguard_page(hyp_vcpu, vcpu_get_reg(vcpu, 1)))
-			val[0] = SMCCC_RET_INVALID_PARAMETER;
-		else
-			val[0] = SMCCC_RET_SUCCESS;
-		break;
+	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_RGUARD_UNMAP_FUNC_ID:
+		return pkvm_remove_ioguard_page(hyp_vcpu, exit_code);
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID:
 	case ARM_SMCCC_VENDOR_HYP_KVM_HYP_MEMINFO_FUNC_ID:
 		return pkvm_meminfo_call(hyp_vcpu);

include/linux/arm-smccc.h

@@ -123,6 +123,8 @@
 #define ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP	7
 #define ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP	8
 #define ARM_SMCCC_KVM_FUNC_MEM_RELINQUISH	9
+#define ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_MAP	10
+#define ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_UNMAP	11
 #define ARM_SMCCC_KVM_FUNC_FEATURES_2		127
 #define ARM_SMCCC_KVM_NUM_FUNCS			128
 
@@ -199,6 +201,18 @@
 			   ARM_SMCCC_OWNER_VENDOR_HYP,			\
 			   ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP)
 
+#define ARM_SMCCC_VENDOR_HYP_KVM_MMIO_RGUARD_MAP_FUNC_ID		\
+	ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL,				\
+			   ARM_SMCCC_SMC_64,				\
+			   ARM_SMCCC_OWNER_VENDOR_HYP,			\
+			   ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_MAP)
+
+#define ARM_SMCCC_VENDOR_HYP_KVM_MMIO_RGUARD_UNMAP_FUNC_ID		\
+	ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL,				\
+			   ARM_SMCCC_SMC_64,				\
+			   ARM_SMCCC_OWNER_VENDOR_HYP,			\
+			   ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_UNMAP)
+
 /* Paravirtualised time calls (defined by ARM DEN0057A) */
 #define ARM_SMCCC_HV_PV_TIME_FEATURES				\
 	ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL,			\