    KVM: Introduce per-page memory attributes · 5a475554
    Chao Peng authored
    In confidential computing usages, whether a page is private or shared is
    necessary information for KVM to perform operations like page fault
    handling, page zapping etc. There are other potential use cases for
    per-page memory attributes, e.g. to make memory read-only (or no-exec,
    or exec-only, etc.) without having to modify memslots.
    
    Introduce the KVM_SET_MEMORY_ATTRIBUTES ioctl, advertised by
    KVM_CAP_MEMORY_ATTRIBUTES, to allow userspace to set the per-page memory
    attributes to a guest memory range.
    
    Use an xarray to store the per-page attributes internally, with a naive,
    not fully optimized implementation, i.e. prioritize correctness over
    performance for the initial implementation.
    
    Use bit 3 for the PRIVATE attribute so that KVM can use bits 0-2 for RWX
    attributes/protections in the future, e.g. to give userspace fine-grained
    control over read, write, and execute protections for guest memory.
    
    Provide arch hooks for handling attribute changes before and after common
    code sets the new attributes, e.g. x86 will use the "pre" hook to zap all
    relevant mappings, and the "post" hook to track whether or not hugepages
    can be used to map the range.
    
    To simplify the implementation wrap the entire sequence with
    kvm_mmu_invalidate_{begin,end}() even though the operation isn't strictly
    guaranteed to be an invalidation.  For the initial use case, x86 *will*
    always invalidate memory, and preventing arch code from creating new
    mappings while the attributes are in flux makes it much easier to reason
    about the correctness of consuming attributes.
    
    It's possible that future usages may not require an invalidation, e.g.
    if KVM ends up supporting RWX protections and userspace grants _more_
    protections, but again opt for simplicity and punt optimizations to
    if/when they are needed.

    Suggested-by: Sean Christopherson <seanjc@google.com>
    Link: https://lore.kernel.org/all/Y2WB48kD0J4VGynX@google.com
    Cc: Fuad Tabba <tabba@google.com>
    Cc: Xu Yilun <yilun.xu@intel.com>
    Cc: Mickaël Salaün <mic@digikod.net>
    Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
    Co-developed-by: Sean Christopherson <seanjc@google.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20231027182217.3615211-14-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
api.rst 301 KB
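
The following is an added userspace model of the per-page attribute store the commit message describes; it is not code from the commit or from KVM. It shows the argument checks a range-based attribute interface needs before touching per-page state, and the range-uniformity query that decisions such as hugepage eligibility depend on. Assumptions: 4 KiB pages, a flat array in place of the xarray, and the hypothetical names model_set_attributes and model_range_has_attrs; only the use of bit 3 for PRIVATE comes from the commit message.

```c
#include <errno.h>
#include <stdint.h>

#define PAGE_SHIFT     12                   /* assumption: 4 KiB pages */
#define PAGE_SIZE      (1ULL << PAGE_SHIFT)
#define ATTR_PRIVATE   (1ULL << 3)          /* bit 3, per the commit message */
#define ATTR_SUPPORTED ATTR_PRIVATE         /* bits 0-2 (RWX) kept for future use */
#define MODEL_PAGES    64                   /* constructed: tiny guest for the model */

/* Stand-in for the xarray: one attribute word per guest frame number. */
static uint64_t page_attrs[MODEL_PAGES];

/* Hypothetical model: validate the request, then update every page in range. */
int model_set_attributes(uint64_t addr, uint64_t size, uint64_t attrs, uint64_t flags)
{
    if (flags)                              /* no flags defined: reject unknown input */
        return -EINVAL;
    if (attrs & ~ATTR_SUPPORTED)            /* reserved bits must not be settable yet */
        return -EINVAL;
    if (!size || addr + size < addr)        /* empty range or 64-bit wraparound */
        return -EINVAL;
    if ((addr | size) & (PAGE_SIZE - 1))    /* attributes are tracked per page */
        return -EINVAL;

    uint64_t start = addr >> PAGE_SHIFT, end = (addr + size) >> PAGE_SHIFT;
    if (end > MODEL_PAGES)                  /* bound of this model only */
        return -EINVAL;
    for (uint64_t gfn = start; gfn < end; gfn++)
        page_attrs[gfn] = attrs;
    return 0;
}

/* Returns 1 only if every page in [start, end) carries exactly `attrs`. */
int model_range_has_attrs(uint64_t start, uint64_t end, uint64_t attrs)
{
    for (uint64_t gfn = start; gfn < end; gfn++)
        if (gfn >= MODEL_PAGES || page_attrs[gfn] != attrs)
            return 0;
    return 1;
}

int main(void)
{
    /* Mark guest pages 4..6 private, then confirm the range is uniform. */
    int rc = model_set_attributes(0x4000, 0x3000, ATTR_PRIVATE, 0);
    return rc || !model_range_has_attrs(4, 7, ATTR_PRIVATE);
}
```

A range that mixes private and shared pages fails the uniformity query, which is the condition under which a single large mapping could not cover it.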