KVM: arm64: Ensure I-cache isolation between vcpus of a same VM

Marc Zyngier · Marc Zyngier · commit 01dc9262ff57 · 2021-03-09T17:58:56.000Z
It recently became apparent that the ARMv8 architecture has interesting rules regarding attributes being used when fetching instructions if the MMU is off at Stage-1. In this situation, the CPU is allowed to fetch from the PoC and allocate into the I-cache (unless the memory is mapped with the XN attribute at Stage-2). If we transpose this to vcpus sharing a single physical CPU, it is possible for a vcpu running with its MMU off to influence another vcpu running with its MMU on, as the latter is expected to fetch from the PoU (and self-patching code doesn't flush below that level). In order to solve this, reuse the vcpu-private TLB invalidation code to apply the same policy to the I-cache, nuking it every time the vcpu runs on a physical CPU that ran another vcpu of the same VM in the past. This involve renaming __kvm_tlb_flush_local_vmid() to __kvm_flush_cpu_context(), and inserting a local i-cache invalidation there. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org> Acked-by: Will Deacon <will@kernel.org> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Link: https://lore.kernel.org/r/20210303164505.68492-1-maz@kernel.org
diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h
@@ -47,7 +47,7 @@
 #define __KVM_HOST_SMCCC_FUNC___kvm_flush_vm_context		2
 #define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid_ipa		3
 #define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid		4
-#define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_local_vmid	5
+#define __KVM_HOST_SMCCC_FUNC___kvm_flush_cpu_context		5
 #define __KVM_HOST_SMCCC_FUNC___kvm_timer_set_cntvoff		6
 #define __KVM_HOST_SMCCC_FUNC___kvm_enable_ssbs			7
 #define __KVM_HOST_SMCCC_FUNC___vgic_v3_get_gic_config		8
@@ -183,10 +183,10 @@ DECLARE_KVM_HYP_SYM(__bp_harden_hyp_vecs);
 #define __bp_harden_hyp_vecs	CHOOSE_HYP_SYM(__bp_harden_hyp_vecs)
 
 extern void __kvm_flush_vm_context(void);
+extern void __kvm_flush_cpu_context(struct kvm_s2_mmu *mmu);
 extern void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu, phys_addr_t ipa,
 				     int level);
 extern void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu);
-extern void __kvm_tlb_flush_local_vmid(struct kvm_s2_mmu *mmu);
 
 extern void __kvm_timer_set_cntvoff(u64 cntvoff);
 
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
@@ -385,11 +385,16 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 	last_ran = this_cpu_ptr(mmu->last_vcpu_ran);
 
 	/*
+	 * We guarantee that both TLBs and I-cache are private to each
+	 * vcpu. If detecting that a vcpu from the same VM has
+	 * previously run on the same physical CPU, call into the
+	 * hypervisor code to nuke the relevant contexts.
+	 *
 	 * We might get preempted before the vCPU actually runs, but
 	 * over-invalidation doesn't affect correctness.
 	 */
 	if (*last_ran != vcpu->vcpu_id) {
-		kvm_call_hyp(__kvm_tlb_flush_local_vmid, mmu);
+		kvm_call_hyp(__kvm_flush_cpu_context, mmu);
 		*last_ran = vcpu->vcpu_id;
 	}
 
diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -46,11 +46,11 @@ static void handle___kvm_tlb_flush_vmid(struct kvm_cpu_context *host_ctxt)
 	__kvm_tlb_flush_vmid(kern_hyp_va(mmu));
 }
 
-static void handle___kvm_tlb_flush_local_vmid(struct kvm_cpu_context *host_ctxt)
+static void handle___kvm_flush_cpu_context(struct kvm_cpu_context *host_ctxt)
 {
 	DECLARE_REG(struct kvm_s2_mmu *, mmu, host_ctxt, 1);
 
-	__kvm_tlb_flush_local_vmid(kern_hyp_va(mmu));
+	__kvm_flush_cpu_context(kern_hyp_va(mmu));
 }
 
 static void handle___kvm_timer_set_cntvoff(struct kvm_cpu_context *host_ctxt)
@@ -115,7 +115,7 @@ static const hcall_t host_hcall[] = {
 	HANDLE_FUNC(__kvm_flush_vm_context),
 	HANDLE_FUNC(__kvm_tlb_flush_vmid_ipa),
 	HANDLE_FUNC(__kvm_tlb_flush_vmid),
-	HANDLE_FUNC(__kvm_tlb_flush_local_vmid),
+	HANDLE_FUNC(__kvm_flush_cpu_context),
 	HANDLE_FUNC(__kvm_timer_set_cntvoff),
 	HANDLE_FUNC(__kvm_enable_ssbs),
 	HANDLE_FUNC(__vgic_v3_get_gic_config),
diff --git a/arch/arm64/kvm/hyp/nvhe/tlb.c b/arch/arm64/kvm/hyp/nvhe/tlb.c
@@ -123,14 +123,15 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
 	__tlb_switch_to_host(&cxt);
 }
 
-void __kvm_tlb_flush_local_vmid(struct kvm_s2_mmu *mmu)
+void __kvm_flush_cpu_context(struct kvm_s2_mmu *mmu)
 {
 	struct tlb_inv_context cxt;
 
 	/* Switch to requested VMID */
 	__tlb_switch_to_guest(mmu, &cxt);
 
 	__tlbi(vmalle1);
+	asm volatile("ic iallu");
 	dsb(nsh);
 	isb();
 
diff --git a/arch/arm64/kvm/hyp/vhe/tlb.c b/arch/arm64/kvm/hyp/vhe/tlb.c
@@ -127,14 +127,15 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
 	__tlb_switch_to_host(&cxt);
 }
 
-void __kvm_tlb_flush_local_vmid(struct kvm_s2_mmu *mmu)
+void __kvm_flush_cpu_context(struct kvm_s2_mmu *mmu)
 {
 	struct tlb_inv_context cxt;
 
 	/* Switch to requested VMID */
 	__tlb_switch_to_guest(mmu, &cxt);
 
 	__tlbi(vmalle1);
+	asm volatile("ic iallu");
 	dsb(nsh);
 	isb();
 

Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,11 @@ static void handle___kvm_tlb_flush_vmid(struct kvm_cpu_context *host_ctxt)`
`46`	`46`	`__kvm_tlb_flush_vmid(kern_hyp_va(mmu));`
`47`	`47`	`}`
`48`	`48`
`49`		`-static void handle___kvm_tlb_flush_local_vmid(struct kvm_cpu_context *host_ctxt)`
	`49`	`+static void handle___kvm_flush_cpu_context(struct kvm_cpu_context *host_ctxt)`
`50`	`50`	`{`
`51`	`51`	`DECLARE_REG(struct kvm_s2_mmu *, mmu, host_ctxt, 1);`
`52`	`52`
`53`		`- __kvm_tlb_flush_local_vmid(kern_hyp_va(mmu));`
	`53`	`+ __kvm_flush_cpu_context(kern_hyp_va(mmu));`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`static void handle___kvm_timer_set_cntvoff(struct kvm_cpu_context *host_ctxt)`
`@@ -115,7 +115,7 @@ static const hcall_t host_hcall[] = {`
`115`	`115`	`HANDLE_FUNC(__kvm_flush_vm_context),`
`116`	`116`	`HANDLE_FUNC(__kvm_tlb_flush_vmid_ipa),`
`117`	`117`	`HANDLE_FUNC(__kvm_tlb_flush_vmid),`
`118`		`- HANDLE_FUNC(__kvm_tlb_flush_local_vmid),`
	`118`	`+ HANDLE_FUNC(__kvm_flush_cpu_context),`
`119`	`119`	`HANDLE_FUNC(__kvm_timer_set_cntvoff),`
`120`	`120`	`HANDLE_FUNC(__kvm_enable_ssbs),`
`121`	`121`	`HANDLE_FUNC(__vgic_v3_get_gic_config),`
Original file line number	Diff line number	Diff line change
`@@ -123,14 +123,15 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)`
`123`	`123`	`__tlb_switch_to_host(&cxt);`
`124`	`124`	`}`
`125`	`125`
`126`		`-void __kvm_tlb_flush_local_vmid(struct kvm_s2_mmu *mmu)`
	`126`	`+void __kvm_flush_cpu_context(struct kvm_s2_mmu *mmu)`
`127`	`127`	`{`
`128`	`128`	`struct tlb_inv_context cxt;`
`129`	`129`
`130`	`130`	`/* Switch to requested VMID */`
`131`	`131`	`__tlb_switch_to_guest(mmu, &cxt);`
`132`	`132`
`133`	`133`	`__tlbi(vmalle1);`
	`134`	`+ asm volatile("ic iallu");`
`134`	`135`	`dsb(nsh);`
`135`	`136`	`isb();`
`136`	`137`
Original file line number	Diff line number	Diff line change
`@@ -127,14 +127,15 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)`
`127`	`127`	`__tlb_switch_to_host(&cxt);`
`128`	`128`	`}`
`129`	`129`
`130`		`-void __kvm_tlb_flush_local_vmid(struct kvm_s2_mmu *mmu)`
	`130`	`+void __kvm_flush_cpu_context(struct kvm_s2_mmu *mmu)`
`131`	`131`	`{`
`132`	`132`	`struct tlb_inv_context cxt;`
`133`	`133`
`134`	`134`	`/* Switch to requested VMID */`
`135`	`135`	`__tlb_switch_to_guest(mmu, &cxt);`
`136`	`136`
`137`	`137`	`__tlbi(vmalle1);`
	`138`	`+ asm volatile("ic iallu");`
`138`	`139`	`dsb(nsh);`
`139`	`140`	`isb();`
`140`	`141`