From patchwork Mon Nov 13 02:23:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 1862969 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; secure) header.d=digikod.net header.i=@digikod.net header.a=rsa-sha256 header.s=20191114 header.b=oy65yEMw; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4STCv23xjLz1yRk for ; Mon, 13 Nov 2023 13:25:01 +1100 (AEDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1r2Mcv-0006VT-Dr; Sun, 12 Nov 2023 21:24:37 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1r2Mct-0006VL-M8 for qemu-devel@nongnu.org; Sun, 12 Nov 2023 21:24:35 -0500 Received: from smtp-42af.mail.infomaniak.ch ([2001:1600:3:17::42af]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1r2Mcq-00088y-QY for qemu-devel@nongnu.org; Sun, 12 Nov 2023 21:24:35 -0500 Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4STCtR28lmzMq1pb; Mon, 13 Nov 2023 02:24:31 +0000 (UTC) Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4STCtP6n2FzMpnPd; Mon, 13 Nov 2023 03:24:29 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1699842271; bh=HO3RcULwQ802eeIPFZkXgFQnmnXm7kA4hgpvD90H0yM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oy65yEMwFBZXkzY8/GbCSCY015c7FsKYAOxiyiLLg876EDse7qPjjQ2TawXHbDdpo RqYXUhhMZo8wrcdUoNJcKni3rzSjF0HzYO1MLe/71b+NvJhrkaU1fgwZGfleYIbVsx 7CZiYxZUd35oWxWwZ9c+J67orF3hA2vwNYlS1LAw= From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Ingo Molnar , Kees Cook , Paolo Bonzini , Sean Christopherson , Thomas Gleixner , Vitaly Kuznetsov , Wanpeng Li Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Alexander Graf , Chao Peng , "Edgecombe, Rick P" , Forrest Yuan Yu , James Gowans , James Morris , John Andersen , "Madhavan T . Venkataraman" , Marian Rotariu , =?utf-8?q?Mihai_Don=C8=9Bu?= , =?utf-8?b?TmljdciZ?= =?utf-8?b?b3IgQ8OuyJt1?= , Thara Gopinath , Trilok Soni , Wei Liu , Will Deacon , Yu Zhang , Zahra Tarkhani , =?utf-8?q?=C8=98tefan_=C8=98icler?= =?utf-8?q?u?= , dev@lists.cloudhypervisor.org, kvm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org, x86@kernel.org, xen-devel@lists.xenproject.org Subject: [RFC PATCH v2 10/19] KVM: x86: Implement per-guest-page permissions Date: Sun, 12 Nov 2023 21:23:17 -0500 Message-ID: <20231113022326.24388-11-mic@digikod.net> In-Reply-To: <20231113022326.24388-1-mic@digikod.net> References: <20231113022326.24388-1-mic@digikod.net> MIME-Version: 1.0 X-Infomaniak-Routing: alpha Received-SPF: pass client-ip=2001:1600:3:17::42af; envelope-from=mic@digikod.net; helo=smtp-42af.mail.infomaniak.ch X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Define memory attributes that can be associated with guest physical pages in KVM. To begin with, define permissions as memory attributes (READ, WRITE and EXECUTE), and the IMMUTABLE property. In the future, other attributes could be defined. Use the memory attribute feature to implement the following functions in KVM: - kvm_permissions_set(): Set the permissions for a guest page in the memory attribute XArray. - kvm_permissions_get(): Retrieve the permissions associated with a guest page in same XArray. These functions will be called in a following commit to associate proper permissions with guest pages instead of RWX for all the pages. Add 4 new memory attributes, private to the KVM implementation: - KVM_MEMORY_ATTRIBUTE_HEKI_READ - KVM_MEMORY_ATTRIBUTE_HEKI_WRITE - KVM_MEMORY_ATTRIBUTE_HEKI_EXEC - KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE Cc: Borislav Petkov Cc: Dave Hansen Cc: H. Peter Anvin Cc: Ingo Molnar Cc: Kees Cook Cc: Madhavan T. Venkataraman Cc: Mickaël Salaün Cc: Paolo Bonzini Cc: Sean Christopherson Cc: Thomas Gleixner Cc: Vitaly Kuznetsov Cc: Wanpeng Li Co-developed-by: Madhavan T. Venkataraman Signed-off-by: Madhavan T. Venkataraman Signed-off-by: Mickaël Salaün --- Changes since v1: * New patch replacing the deprecated page tracking mechanism. * Add new files: virt/lib/kvm_permissions.c and include/linux/kvm_mem_attr.h * Add new kvm_permissions_get() and kvm_permissions_set() leveraging the to-be-upstream memory attributes for KVM. * Introduce the KVM_MEMORY_ATTRIBUTE_HEKI_* values. --- arch/x86/kvm/Kconfig | 1 + arch/x86/kvm/Makefile | 4 +- include/linux/kvm_mem_attr.h | 32 +++++++++++ include/uapi/linux/kvm.h | 5 ++ virt/heki/Kconfig | 1 + virt/lib/kvm_permissions.c | 104 +++++++++++++++++++++++++++++++++++ 6 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 include/linux/kvm_mem_attr.h create mode 100644 virt/lib/kvm_permissions.c diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig index 7a3b52b7e456..ea6d73241632 100644 --- a/arch/x86/kvm/Kconfig +++ b/arch/x86/kvm/Kconfig @@ -50,6 +50,7 @@ config KVM select HAVE_KVM_PM_NOTIFIER if PM select KVM_GENERIC_HARDWARE_ENABLING select HYPERVISOR_SUPPORTS_HEKI + select SPARSEMEM help Support hosting fully virtualized guest machines using hardware virtualization extensions. You will need a fairly recent diff --git a/arch/x86/kvm/Makefile b/arch/x86/kvm/Makefile index 80e3fe184d17..aac51a5d2cae 100644 --- a/arch/x86/kvm/Makefile +++ b/arch/x86/kvm/Makefile @@ -9,10 +9,12 @@ endif include $(srctree)/virt/kvm/Makefile.kvm +VIRT_LIB = ../../../virt/lib + kvm-y += x86.o emulate.o i8259.o irq.o lapic.o \ i8254.o ioapic.o irq_comm.o cpuid.o pmu.o mtrr.o \ hyperv.o debugfs.o mmu/mmu.o mmu/page_track.o \ - mmu/spte.o + mmu/spte.o $(VIRT_LIB)/kvm_permissions.o ifdef CONFIG_HYPERV kvm-y += kvm_onhyperv.o diff --git a/include/linux/kvm_mem_attr.h b/include/linux/kvm_mem_attr.h new file mode 100644 index 000000000000..0a755025e553 --- /dev/null +++ b/include/linux/kvm_mem_attr.h @@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * KVM guest page permissions - Definitions. + * + * Copyright © 2023 Microsoft Corporation. + */ +#ifndef __KVM_MEM_ATTR_H__ +#define __KVM_MEM_ATTR_H__ + +#include +#include + +/* clang-format off */ + +#define MEM_ATTR_READ BIT(0) +#define MEM_ATTR_WRITE BIT(1) +#define MEM_ATTR_EXEC BIT(2) +#define MEM_ATTR_IMMUTABLE BIT(3) + +#define MEM_ATTR_PROT ( \ + MEM_ATTR_READ | \ + MEM_ATTR_WRITE | \ + MEM_ATTR_EXEC | \ + MEM_ATTR_IMMUTABLE) + +/* clang-format on */ + +int kvm_permissions_set(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end, + unsigned long heki_attr); +unsigned long kvm_permissions_get(struct kvm *kvm, gfn_t gfn); + +#endif /* __KVM_MEM_ATTR_H__ */ diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h index 2477b4a16126..2b5b90216565 100644 --- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -2319,6 +2319,11 @@ struct kvm_memory_attributes { #define KVM_MEMORY_ATTRIBUTE_PRIVATE (1ULL << 3) +#define KVM_MEMORY_ATTRIBUTE_HEKI_READ (1ULL << 4) +#define KVM_MEMORY_ATTRIBUTE_HEKI_WRITE (1ULL << 5) +#define KVM_MEMORY_ATTRIBUTE_HEKI_EXEC (1ULL << 6) +#define KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE (1ULL << 7) + #define KVM_CREATE_GUEST_MEMFD _IOWR(KVMIO, 0xd4, struct kvm_create_guest_memfd) struct kvm_create_guest_memfd { diff --git a/virt/heki/Kconfig b/virt/heki/Kconfig index 5ea75b595667..75a784653e31 100644 --- a/virt/heki/Kconfig +++ b/virt/heki/Kconfig @@ -5,6 +5,7 @@ config HEKI bool "Hypervisor Enforced Kernel Integrity (Heki)" depends on ARCH_SUPPORTS_HEKI && HYPERVISOR_SUPPORTS_HEKI + select KVM_GENERIC_MEMORY_ATTRIBUTES help This feature enhances guest virtual machine security by taking advantage of security features provided by the hypervisor for guests. diff --git a/virt/lib/kvm_permissions.c b/virt/lib/kvm_permissions.c new file mode 100644 index 000000000000..9f4e8027d21c --- /dev/null +++ b/virt/lib/kvm_permissions.c @@ -0,0 +1,104 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * KVM guest page permissions - functions. + * + * Copyright © 2023 Microsoft Corporation. + */ +#include +#include + +#ifdef pr_fmt +#undef pr_fmt +#endif + +#define pr_fmt(fmt) "kvm: heki: " fmt + +/* clang-format off */ + +static unsigned long kvm_default_permissions = + MEM_ATTR_READ | + MEM_ATTR_WRITE | + MEM_ATTR_EXEC; + +static unsigned long kvm_memory_attributes_heki = + KVM_MEMORY_ATTRIBUTE_HEKI_READ | + KVM_MEMORY_ATTRIBUTE_HEKI_WRITE | + KVM_MEMORY_ATTRIBUTE_HEKI_EXEC | + KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE; + +/* clang-format on */ + +static unsigned long heki_attr_to_kvm_attr(unsigned long heki_attr) +{ + unsigned long kvm_attr = 0; + + if (WARN_ON_ONCE((heki_attr | MEM_ATTR_PROT) != MEM_ATTR_PROT)) + return 0; + + if (heki_attr & MEM_ATTR_READ) + kvm_attr |= KVM_MEMORY_ATTRIBUTE_HEKI_READ; + if (heki_attr & MEM_ATTR_WRITE) + kvm_attr |= KVM_MEMORY_ATTRIBUTE_HEKI_WRITE; + if (heki_attr & MEM_ATTR_EXEC) + kvm_attr |= KVM_MEMORY_ATTRIBUTE_HEKI_EXEC; + if (heki_attr & MEM_ATTR_IMMUTABLE) + kvm_attr |= KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE; + return kvm_attr; +} + +static unsigned long kvm_attr_to_heki_attr(unsigned long kvm_attr) +{ + unsigned long heki_attr = 0; + + if (kvm_attr & KVM_MEMORY_ATTRIBUTE_HEKI_READ) + heki_attr |= MEM_ATTR_READ; + if (kvm_attr & KVM_MEMORY_ATTRIBUTE_HEKI_WRITE) + heki_attr |= MEM_ATTR_WRITE; + if (kvm_attr & KVM_MEMORY_ATTRIBUTE_HEKI_EXEC) + heki_attr |= MEM_ATTR_EXEC; + if (kvm_attr & KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE) + heki_attr |= MEM_ATTR_IMMUTABLE; + return heki_attr; +} + +unsigned long kvm_permissions_get(struct kvm *kvm, gfn_t gfn) +{ + unsigned long kvm_attr = 0; + + /* + * Retrieve the permissions for a guest page. If not present (i.e., no + * attribute), then return default permissions (RWX). This means + * setting permissions to 0 resets them to RWX. We might want to + * revisit that in a future version. + */ + kvm_attr = kvm_get_memory_attributes(kvm, gfn); + if (kvm_attr) + return kvm_attr_to_heki_attr(kvm_attr); + else + return kvm_default_permissions; +} +EXPORT_SYMBOL_GPL(kvm_permissions_get); + +int kvm_permissions_set(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end, + unsigned long heki_attr) +{ + if ((heki_attr | MEM_ATTR_PROT) != MEM_ATTR_PROT) + return -EINVAL; + + if (gfn_end <= gfn_start) + return -EINVAL; + + if (kvm_range_has_memory_attributes(kvm, gfn_start, gfn_end, + KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE, + false)) { + pr_warn_ratelimited( + "Guest tried to change immutable permission for GFNs %llx-%llx\n", + gfn_start, gfn_end); + return -EPERM; + } + + return kvm_vm_set_mem_attributes(kvm, gfn_start, gfn_end, + heki_attr_to_kvm_attr(heki_attr), + kvm_memory_attributes_heki); +} +EXPORT_SYMBOL_GPL(kvm_permissions_set);