ホーム エクスプローラ ヘルプ
サインイン
samsung-sm8650
/
android_kernel_samsung_sm8650_ksu
2
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: 5c86c450e2
ブランチ タグ
android_kernel_...
/
Documentation
/
virt
/
kvm
/
arm
/
pkvm.rst

pkvm.rst 4.1 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 
  1. .. SPDX-License-Identifier: GPL-2.0
    2. 

  2. 

  3. Protected virtual machines (pKVM)
    4. 

  4. =================================
    5. 

  5. 

  6. Introduction
    7. 

  7. ------------
    8. 

  8. 

  9. Protected KVM (pKVM) is a KVM/arm64 extension which uses the two-stage
    10. 

  10. translation capability of the Armv8 MMU to isolate guest memory from the host
    11. 

  11. system. This allows for the creation of a confidential computing environment
    12. 

  12. without relying on whizz-bang features in hardware, but still allowing room for
    13. 

  13. complementary technologies such as memory encryption and hardware-backed
    14. 

  14. attestation.
    15. 

  15. 

  16. The major implementation change brought about by pKVM is that the hypervisor
    17. 

  17. code running at EL2 is now largely independent of (and isolated from) the rest
    18. 

  18. of the host kernel running at EL1 and therefore additional hypercalls are
    19. 

  19. introduced to manage manipulation of guest stage-2 page tables, creation of VM
    20. 

  20. data structures and reclamation of memory on teardown. An immediate consequence
    21. 

  21. of this change is that the host itself runs with an identity mapping enabled
    22. 

  22. at stage-2, providing the hypervisor code with a mechanism to restrict host
    23. 

  23. access to an arbitrary physical page.
    24. 

  24. 

  25. Enabling pKVM
    26. 

  26. -------------
    27. 

  27. 

  28. The pKVM hypervisor is enabled by booting the host kernel at EL2 with
    29. 

  29. "``kvm-arm.mode=protected``" on the command-line. Once enabled, VMs can be spawned
    30. 

  30. in either protected or non-protected state, although the hypervisor is still
    31. 

  31. responsible for managing most of the VM metadata in either case.
    32. 

  32. 

  33. Limitations
    34. 

  34. -----------
    35. 

  35. 

  36. Enabling pKVM places some significant limitations on KVM guests, regardless of
    37. 

  37. whether they are spawned in protected state. It is therefore recommended only
    38. 

  38. to enable pKVM if protected VMs are required, with non-protected state acting
    39. 

  39. primarily as a debug and development aid.
    40. 

  40. 

  41. If you're still keen, then here is an incomplete list of caveats that apply
    42. 

  42. to all VMs running under pKVM:
    43. 

  43. 

  44. - Guest memory cannot be file-backed (with the exception of shmem/memfd) and is
    45. 

  45.   pinned as it is mapped into the guest. This prevents the host from
    46. 

  46.   swapping-out, migrating, merging or generally doing anything useful with the
    47. 

  47.   guest pages. It also requires that the VMM has either ``CAP_IPC_LOCK`` or
    48. 

  48.   sufficient ``RLIMIT_MEMLOCK`` to account for this pinned memory.
    49. 

  49. 

  50. - GICv2 is not supported and therefore GICv3 hardware is required in order
    51. 

  51.   to expose a virtual GICv3 to the guest.
    52. 

  52. 

  53. - Read-only memslots are unsupported and therefore dirty logging cannot be
    54. 

  54.   enabled.
    55. 

  55. 

  56. - Memslot configuration is fixed once a VM has started running, with subsequent
    57. 

  57.   move or deletion requests being rejected with ``-EPERM``.
    58. 

  58. 

  59. - There are probably many others.
    60. 

  60. 

  61. Since the host is unable to tear down the hypervisor when pKVM is enabled,
    62. 

  62. hibernation (``CONFIG_HIBERNATION``) and kexec (``CONFIG_KEXEC``) will fail
    63. 

  63. with ``-EBUSY``.
    64. 

  64. 

  65. If you are not happy with these limitations, then please don't enable pKVM :)
    66. 

  66. 

  67. VM creation
    68. 

  68. -----------
    69. 

  69. 

  70. When pKVM is enabled, protected VMs can be created by specifying the
    71. 

  71. ``KVM_VM_TYPE_ARM_PROTECTED`` flag in the machine type identifier parameter
    72. 

  72. passed to ``KVM_CREATE_VM``.
    73. 

  73. 

  74. Protected VMs are instantiated according to a fixed vCPU configuration
    75. 

  75. described by the ID register definitions in
    76. 

  76. ``arch/arm64/include/asm/kvm_pkvm.h``. Only a subset of the architectural
    77. 

  77. features that may be available to the host are exposed to the guest and the
    78. 

  78. capabilities advertised by ``KVM_CHECK_EXTENSION`` are limited accordingly,
    79. 

  79. with the vCPU registers being initialised to their architecturally-defined
    80. 

  80. values.
    81. 

  81. 

  82. Where not defined by the architecture, the registers of a protected vCPU
    83. 

  83. are reset to zero with the exception of the PC and X0 which can be set
    84. 

  84. either by the ``KVM_SET_ONE_REG`` interface or by a call to PSCI ``CPU_ON``.
    85. 

  85. 

  86. VM runtime
    87. 

  87. ----------
    88. 

  88. 

  89. By default, memory pages mapped into a protected guest are inaccessible to the
    90. 

  90. host and any attempt by the host to access such a page will result in the
    91. 

  91. injection of an abort at EL1 by the hypervisor. For accesses originating from
    92. 

  92. EL0, the host will then terminate the current task with a ``SIGSEGV``.
    93. 

  93. 

  94. pKVM exposes additional hypercalls to protected guests, primarily for the
    95. 

  95. purpose of establishing shared-memory regions with the host for communication
    96. 

  96. and I/O. These hypercalls are documented in hypercalls.rst.
    97.