[linux-2.6-block.git] / arch / arm64 / kvm / hyp / include / nvhe / fixed_config.h

/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Copyright (C) 2021 Google LLC
 * Author: Fuad Tabba <tabba@google.com>
 */

#ifndef __ARM64_KVM_FIXED_CONFIG_H__
#define __ARM64_KVM_FIXED_CONFIG_H__

#include <asm/sysreg.h>

/*
 * This file contains definitions for features to be allowed or restricted for
 * guest virtual machines, depending on the mode KVM is running in and on the
 * type of guest that is running.
 *
 * The ALLOW masks represent a bitmask of feature fields that are allowed
 * without any restrictions as long as they are supported by the system.
 *
 * The RESTRICT_UNSIGNED masks, if present, represent unsigned fields for
 * features that are restricted to support at most the specified feature.
 *
 * If a feature field is not present in either, than it is not supported.
 *
 * The approach taken for protected VMs is to allow features that are:
 * - Needed by common Linux distributions (e.g., floating point)
 * - Trivial to support, e.g., supporting the feature does not introduce or
 * require tracking of additional state in KVM
 * - Cannot be trapped or prevent the guest from using anyway
 */

/*
 * Allow for protected VMs:
 * - Floating-point and Advanced SIMD
 * - Data Independent Timing
 */
#define PVM_ID_AA64PFR0_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64PFR0_FP) | \
	ARM64_FEATURE_MASK(ID_AA64PFR0_ASIMD) | \
	ARM64_FEATURE_MASK(ID_AA64PFR0_DIT) \
	)

/*
 * Restrict to the following *unsigned* features for protected VMs:
 * - AArch64 guests only (no support for AArch32 guests):
 *	AArch32 adds complexity in trap handling, emulation, condition codes,
 *	etc...
 * - RAS (v1)
 *	Supported by KVM
 */
#define PVM_ID_AA64PFR0_RESTRICT_UNSIGNED (\
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL0), ID_AA64PFR0_ELx_64BIT_ONLY) | \
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1), ID_AA64PFR0_ELx_64BIT_ONLY) | \
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL2), ID_AA64PFR0_ELx_64BIT_ONLY) | \
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL3), ID_AA64PFR0_ELx_64BIT_ONLY) | \
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_RAS), ID_AA64PFR0_RAS_V1) \
	)

/*
 * Allow for protected VMs:
 * - Branch Target Identification
 * - Speculative Store Bypassing
 */
#define PVM_ID_AA64PFR1_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64PFR1_BT) | \
	ARM64_FEATURE_MASK(ID_AA64PFR1_SSBS) \
	)

/*
 * Allow for protected VMs:
 * - Mixed-endian
 * - Distinction between Secure and Non-secure Memory
 * - Mixed-endian at EL0 only
 * - Non-context synchronizing exception entry and exit
 */
#define PVM_ID_AA64MMFR0_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64MMFR0_BIGENDEL) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR0_SNSMEM) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR0_BIGENDEL0) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR0_EXS) \
	)

/*
 * Restrict to the following *unsigned* features for protected VMs:
 * - 40-bit IPA
 * - 16-bit ASID
 */
#define PVM_ID_AA64MMFR0_RESTRICT_UNSIGNED (\
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64MMFR0_PARANGE), ID_AA64MMFR0_PARANGE_40) | \
	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64MMFR0_ASID), ID_AA64MMFR0_ASID_16) \
	)

/*
 * Allow for protected VMs:
 * - Hardware translation table updates to Access flag and Dirty state
 * - Number of VMID bits from CPU
 * - Hierarchical Permission Disables
 * - Privileged Access Never
 * - SError interrupt exceptions from speculative reads
 * - Enhanced Translation Synchronization
 */
#define PVM_ID_AA64MMFR1_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64MMFR1_HADBS) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR1_VMIDBITS) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR1_HPD) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR1_PAN) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR1_SPECSEI) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR1_ETS) \
	)

/*
 * Allow for protected VMs:
 * - Common not Private translations
 * - User Access Override
 * - IESB bit in the SCTLR_ELx registers
 * - Unaligned single-copy atomicity and atomic functions
 * - ESR_ELx.EC value on an exception by read access to feature ID space
 * - TTL field in address operations.
 * - Break-before-make sequences when changing translation block size
 * - E0PDx mechanism
 */
#define PVM_ID_AA64MMFR2_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64MMFR2_CNP) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_UAO) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_IESB) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_AT) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_IDS) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_TTL) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_BBM) | \
	ARM64_FEATURE_MASK(ID_AA64MMFR2_E0PD) \
	)

/*
 * No support for Scalable Vectors for protected VMs:
 *	Requires additional support from KVM, e.g., context-switching and
 *	trapping at EL2
 */
#define PVM_ID_AA64ZFR0_ALLOW (0ULL)

/*
 * No support for debug, including breakpoints, and watchpoints for protected
 * VMs:
 *	The Arm architecture mandates support for at least the Armv8 debug
 *	architecture, which would include at least 2 hardware breakpoints and
 *	watchpoints. Providing that support to protected guests adds
 *	considerable state and complexity. Therefore, the reserved value of 0 is
 *	used for debug-related fields.
 */
#define PVM_ID_AA64DFR0_ALLOW (0ULL)
#define PVM_ID_AA64DFR1_ALLOW (0ULL)

/*
 * No support for implementation defined features.
 */
#define PVM_ID_AA64AFR0_ALLOW (0ULL)
#define PVM_ID_AA64AFR1_ALLOW (0ULL)

/*
 * No restrictions on instructions implemented in AArch64.
 */
#define PVM_ID_AA64ISAR0_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_AES) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA1) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA2) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_CRC32) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_ATOMIC) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_RDM) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA3) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SM3) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SM4) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_DP) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_FHM) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_TS) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_TLB) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_RNDR) \
	)

#define PVM_ID_AA64ISAR1_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_DPB) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_APA) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_API) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_JSCVT) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_FCMA) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_LRCPC) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_GPA) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_GPI) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_FRINTTS) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_SB) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_SPECRES) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_BF16) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_DGH) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_I8MM) \
	)

#define PVM_ID_AA64ISAR2_ALLOW (\
	ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_GPA3) | \
	ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_APA3) \
	)

u64 pvm_read_id_reg(const struct kvm_vcpu *vcpu, u32 id);
bool kvm_handle_pvm_sysreg(struct kvm_vcpu *vcpu, u64 *exit_code);
bool kvm_handle_pvm_restricted(struct kvm_vcpu *vcpu, u64 *exit_code);
int kvm_check_pvm_sysreg_table(void);

#endif /* __ARM64_KVM_FIXED_CONFIG_H__ */
Commit	Line	Data
6c30bfb1 FT	1	/* SPDX-License-Identifier: GPL-2.0-only */
	2	/*
	3	* Copyright (C) 2021 Google LLC
	4	* Author: Fuad Tabba <tabba@google.com>
	5	*/
	6
	7	#ifndef __ARM64_KVM_FIXED_CONFIG_H__
	8	#define __ARM64_KVM_FIXED_CONFIG_H__
	9
	10	#include <asm/sysreg.h>
	11
	12	/*
	13	* This file contains definitions for features to be allowed or restricted for
	14	* guest virtual machines, depending on the mode KVM is running in and on the
	15	* type of guest that is running.
	16	*
	17	* The ALLOW masks represent a bitmask of feature fields that are allowed
	18	* without any restrictions as long as they are supported by the system.
	19	*
	20	* The RESTRICT_UNSIGNED masks, if present, represent unsigned fields for
	21	* features that are restricted to support at most the specified feature.
	22	*
	23	* If a feature field is not present in either, than it is not supported.
	24	*
	25	* The approach taken for protected VMs is to allow features that are:
	26	* - Needed by common Linux distributions (e.g., floating point)
	27	* - Trivial to support, e.g., supporting the feature does not introduce or
	28	* require tracking of additional state in KVM
	29	* - Cannot be trapped or prevent the guest from using anyway
	30	*/
	31
	32	/*
	33	* Allow for protected VMs:
	34	* - Floating-point and Advanced SIMD
	35	* - Data Independent Timing
	36	*/
	37	#define PVM_ID_AA64PFR0_ALLOW (\
	38	ARM64_FEATURE_MASK(ID_AA64PFR0_FP) \| \
	39	ARM64_FEATURE_MASK(ID_AA64PFR0_ASIMD) \| \
	40	ARM64_FEATURE_MASK(ID_AA64PFR0_DIT) \
	41	)
	42
	43	/*
	44	* Restrict to the following unsigned features for protected VMs:
	45	* - AArch64 guests only (no support for AArch32 guests):
	46	* AArch32 adds complexity in trap handling, emulation, condition codes,
	47	* etc...
	48	* - RAS (v1)
	49	* Supported by KVM
	50	*/
	51	#define PVM_ID_AA64PFR0_RESTRICT_UNSIGNED (\
	52	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL0), ID_AA64PFR0_ELx_64BIT_ONLY) \| \
	53	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1), ID_AA64PFR0_ELx_64BIT_ONLY) \| \
	54	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL2), ID_AA64PFR0_ELx_64BIT_ONLY) \| \
	55	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL3), ID_AA64PFR0_ELx_64BIT_ONLY) \| \
	56	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_RAS), ID_AA64PFR0_RAS_V1) \
	57	)
	58
	59	/*
	60	* Allow for protected VMs:
	61	* - Branch Target Identification
	62	* - Speculative Store Bypassing
	63	*/
	64	#define PVM_ID_AA64PFR1_ALLOW (\
65	ARM64_FEATURE_MASK(ID_AA64PFR1_BT) \| \
66	ARM64_FEATURE_MASK(ID_AA64PFR1_SSBS) \
67	)
68
69	/*
70	* Allow for protected VMs:
71	* - Mixed-endian
72	* - Distinction between Secure and Non-secure Memory
73	* - Mixed-endian at EL0 only
74	* - Non-context synchronizing exception entry and exit
75	*/
76	#define PVM_ID_AA64MMFR0_ALLOW (\
77	ARM64_FEATURE_MASK(ID_AA64MMFR0_BIGENDEL) \| \
78	ARM64_FEATURE_MASK(ID_AA64MMFR0_SNSMEM) \| \
79	ARM64_FEATURE_MASK(ID_AA64MMFR0_BIGENDEL0) \| \
80	ARM64_FEATURE_MASK(ID_AA64MMFR0_EXS) \
81	)
82
83	/*
84	* Restrict to the following unsigned features for protected VMs:
85	* - 40-bit IPA
86	* - 16-bit ASID
87	*/
88	#define PVM_ID_AA64MMFR0_RESTRICT_UNSIGNED (\
89	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64MMFR0_PARANGE), ID_AA64MMFR0_PARANGE_40) \| \
90	FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64MMFR0_ASID), ID_AA64MMFR0_ASID_16) \
91	)
92
93	/*
94	* Allow for protected VMs:
95	* - Hardware translation table updates to Access flag and Dirty state
96	* - Number of VMID bits from CPU
97	* - Hierarchical Permission Disables
98	* - Privileged Access Never
99	* - SError interrupt exceptions from speculative reads
100	* - Enhanced Translation Synchronization
101	*/
102	#define PVM_ID_AA64MMFR1_ALLOW (\
103	ARM64_FEATURE_MASK(ID_AA64MMFR1_HADBS) \| \
104	ARM64_FEATURE_MASK(ID_AA64MMFR1_VMIDBITS) \| \
105	ARM64_FEATURE_MASK(ID_AA64MMFR1_HPD) \| \
106	ARM64_FEATURE_MASK(ID_AA64MMFR1_PAN) \| \
107	ARM64_FEATURE_MASK(ID_AA64MMFR1_SPECSEI) \| \
108	ARM64_FEATURE_MASK(ID_AA64MMFR1_ETS) \
109	)
110
111	/*
112	* Allow for protected VMs:
113	* - Common not Private translations
114	* - User Access Override
115	* - IESB bit in the SCTLR_ELx registers
116	* - Unaligned single-copy atomicity and atomic functions
117	* - ESR_ELx.EC value on an exception by read access to feature ID space
118	* - TTL field in address operations.
119	* - Break-before-make sequences when changing translation block size
120	* - E0PDx mechanism
121	*/
122	#define PVM_ID_AA64MMFR2_ALLOW (\
123	ARM64_FEATURE_MASK(ID_AA64MMFR2_CNP) \| \
124	ARM64_FEATURE_MASK(ID_AA64MMFR2_UAO) \| \
125	ARM64_FEATURE_MASK(ID_AA64MMFR2_IESB) \| \
126	ARM64_FEATURE_MASK(ID_AA64MMFR2_AT) \| \
127	ARM64_FEATURE_MASK(ID_AA64MMFR2_IDS) \| \
128	ARM64_FEATURE_MASK(ID_AA64MMFR2_TTL) \| \
129	ARM64_FEATURE_MASK(ID_AA64MMFR2_BBM) \| \
130	ARM64_FEATURE_MASK(ID_AA64MMFR2_E0PD) \
131	)
132
133	/*
134	* No support for Scalable Vectors for protected VMs:
135	* Requires additional support from KVM, e.g., context-switching and
136	* trapping at EL2
137	*/
138	#define PVM_ID_AA64ZFR0_ALLOW (0ULL)
139
140	/*
141	* No support for debug, including breakpoints, and watchpoints for protected
142	* VMs:
143	* The Arm architecture mandates support for at least the Armv8 debug
144	* architecture, which would include at least 2 hardware breakpoints and
145	* watchpoints. Providing that support to protected guests adds
146	* considerable state and complexity. Therefore, the reserved value of 0 is
147	* used for debug-related fields.
148	*/
149	#define PVM_ID_AA64DFR0_ALLOW (0ULL)
150	#define PVM_ID_AA64DFR1_ALLOW (0ULL)
151
152	/*
153	* No support for implementation defined features.
154	*/
155	#define PVM_ID_AA64AFR0_ALLOW (0ULL)
156	#define PVM_ID_AA64AFR1_ALLOW (0ULL)
157
158	/*
159	* No restrictions on instructions implemented in AArch64.
160	*/
161	#define PVM_ID_AA64ISAR0_ALLOW (\
0eda2ec4 MB	162	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_AES) \| \
	163	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA1) \| \
	164	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA2) \| \
	165	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_CRC32) \| \
	166	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_ATOMIC) \| \
	167	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_RDM) \| \
	168	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SHA3) \| \
	169	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SM3) \| \
	170	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_SM4) \| \
	171	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_DP) \| \
	172	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_FHM) \| \
	173	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_TS) \| \
	174	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_TLB) \| \
	175	ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_RNDR) \
6c30bfb1 FT	176	)
	177
	178	#define PVM_ID_AA64ISAR1_ALLOW (\
aa50479b MB	179	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_DPB) \| \
	180	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_APA) \| \
	181	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_API) \| \
	182	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_JSCVT) \| \
	183	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_FCMA) \| \
	184	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_LRCPC) \| \
	185	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_GPA) \| \
	186	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_GPI) \| \
	187	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_FRINTTS) \| \
	188	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_SB) \| \
	189	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_SPECRES) \| \
	190	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_BF16) \| \
	191	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_DGH) \| \
	192	ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_I8MM) \
6c30bfb1 FT	193	)
6c30bfb1 FT	194
def8c222	195	#define PVM_ID_AA64ISAR2_ALLOW (\
b2d71f27 MB	196	ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_GPA3) \| \
b2d71f27 MB	197	ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_APA3) \
def8c222 VM	198	)
def8c222 VM	199
3061725d MZ	200	u64 pvm_read_id_reg(const struct kvm_vcpu *vcpu, u32 id);
3061725d MZ	201	bool kvm_handle_pvm_sysreg(struct kvm_vcpu vcpu, u64 exit_code);
746bdead	202	bool kvm_handle_pvm_restricted(struct kvm_vcpu vcpu, u64 exit_code);
3061725d	203	int kvm_check_pvm_sysreg_table(void);
3061725d	204
6c30bfb1	205	#endif /* __ARM64_KVM_FIXED_CONFIG_H__ */