KVM: arm64: Issue CMOs when tearing down guest s2 pages

Quentin Perret · Marc Zyngier · commit cb16301626c3 · 2024-05-01T16:46:58.000+01:00
On the guest teardown path, pKVM will zero the pages used to back the guest data structures before returning them to the host as they may contain secrets (e.g. in the vCPU registers). However, the zeroing is done using a cacheable alias, and CMOs are missing, hence giving the host a potential opportunity to read the original content of the guest structs from memory. Fix this by issuing CMOs after zeroing the pages. Signed-off-by: Quentin Perret <qperret@google.com> Signed-off-by: Fuad Tabba <tabba@google.com> Acked-by: Oliver Upton <oliver.upton@linux.dev> Link: https://lore.kernel.org/r/20240423150538.2103045-6-tabba@google.com Signed-off-by: Marc Zyngier <maz@kernel.org>
diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -441,6 +441,7 @@ static void *map_donated_memory(unsigned long host_va, size_t size)
 
 static void __unmap_donated_memory(void *va, size_t size)
 {
+	kvm_flush_dcache_to_poc(va, size);
 	WARN_ON(__pkvm_hyp_donate_host(hyp_virt_to_pfn(va),
 				       PAGE_ALIGN(size) >> PAGE_SHIFT));
 }

Original file line number	Diff line number	Diff line change
`@@ -441,6 +441,7 @@ static void *map_donated_memory(unsigned long host_va, size_t size)`
`441`	`441`
`442`	`442`	`static void __unmap_donated_memory(void *va, size_t size)`
`443`	`443`	`{`
	`444`	`+ kvm_flush_dcache_to_poc(va, size);`
`444`	`445`	`WARN_ON(__pkvm_hyp_donate_host(hyp_virt_to_pfn(va),`
`445`	`446`	`PAGE_ALIGN(size) >> PAGE_SHIFT));`
`446`	`447`	`}`