ANDROID: KVM: arm64: Deprecate late pKVM module loading

Previously it was possible to load a pKVM module after the userspace has started, leaving on the modules the task of disabling the feature (__pkvm_close_module_registration HVC). Depreacte this way of loading modules in favor of the pre-userspace loading via the cmdline kvm-arm.protected_modules=<module1>,<module2>. Bug: 254835242 Change-Id: I38eef46b1482ff03af610b3b5d21b3ebfadda59b Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
2026-06-07 03:15:31 +09:00 · 2023-02-21 16:51:43 +00:00
parent 0fbbb18ab0
commit aacbded3ac
6 changed files with 8 additions and 64 deletions
--- a/arch/arm64/include/asm/kvm_asm.h
+++ b/arch/arm64/include/asm/kvm_asm.h
@@ -63,17 +63,11 @@ enum __kvm_host_smccc_func {
 	__KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid_ipa,
 	__KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid,
 	__KVM_HOST_SMCCC_FUNC___kvm_flush_cpu_context,
 	/*
 	 * __pkvm_alloc_module_va may temporarily serve as the privileged hcall
 	 * limit when module loading is enabled, see early_pkvm_enable_modules().
 	 */
 	__KVM_HOST_SMCCC_FUNC___pkvm_alloc_module_va,
 	__KVM_HOST_SMCCC_FUNC___pkvm_map_module_page,
 	__KVM_HOST_SMCCC_FUNC___pkvm_unmap_module_page,
 	__KVM_HOST_SMCCC_FUNC___pkvm_init_module,
 	__KVM_HOST_SMCCC_FUNC___pkvm_register_hcall,
 	__KVM_HOST_SMCCC_FUNC___pkvm_close_module_registration,
 	__KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize,
 	/* Hypercalls available after pKVM finalisation */
--- a/arch/arm64/kvm/hyp/include/nvhe/modules.h
+++ b/arch/arm64/kvm/hyp/include/nvhe/modules.h
@@ -11,13 +11,10 @@ int __pkvm_register_hyp_panic_notifier(void (*cb)(struct kvm_cpu_context *));
 enum pkvm_psci_notification;
 int __pkvm_register_psci_notifier(void (*cb)(enum pkvm_psci_notification, struct kvm_cpu_context *));
 int reset_pkvm_priv_hcall_limit(void);
 #ifdef CONFIG_MODULES
 int __pkvm_init_module(void *module_init);
 int __pkvm_register_hcall(unsigned long hfn_hyp_va);
 int handle_host_dynamic_hcall(struct kvm_cpu_context *host_ctxt);
 int __pkvm_close_late_module_registration(void);
 void __pkvm_close_module_registration(void);
 #else
 static inline int __pkvm_init_module(void *module_init) { return -EOPNOTSUPP; }
@@ -27,6 +24,5 @@ static inline int handle_host_dynamic_hcall(struct kvm_cpu_context *host_ctxt)
 {
 	return HCALL_UNHANDLED;
 }
 static inline int __pkvm_close_late_module_registration(void) { return -EOPNOTSUPP; }
 static inline void __pkvm_close_module_registration(void) { }
 #endif
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -1212,12 +1212,6 @@ static void handle___pkvm_register_hcall(struct kvm_cpu_context *host_ctxt)
 	cpu_reg(host_ctxt, 1) = __pkvm_register_hcall(hfn_hyp_va);
 }
 static void
 handle___pkvm_close_module_registration(struct kvm_cpu_context *host_ctxt)
 {
 	cpu_reg(host_ctxt, 1) = __pkvm_close_late_module_registration();
 }
 static void handle___pkvm_load_tracing(struct kvm_cpu_context *host_ctxt)
 {
 	 DECLARE_REG(unsigned long, pack_hva, host_ctxt, 1);
@@ -1290,13 +1284,11 @@ static const hcall_t host_hcall[] = {
 	HANDLE_FUNC(__kvm_tlb_flush_vmid_ipa),
 	HANDLE_FUNC(__kvm_tlb_flush_vmid),
 	HANDLE_FUNC(__kvm_flush_cpu_context),
 	HANDLE_FUNC(__pkvm_alloc_module_va),
 	HANDLE_FUNC(__pkvm_map_module_page),
 	HANDLE_FUNC(__pkvm_unmap_module_page),
 	HANDLE_FUNC(__pkvm_init_module),
 	HANDLE_FUNC(__pkvm_register_hcall),
 	HANDLE_FUNC(__pkvm_close_module_registration),
 	HANDLE_FUNC(__pkvm_prot_finalize),
 	HANDLE_FUNC(__pkvm_host_share_hyp),
@@ -1330,22 +1322,6 @@ static const hcall_t host_hcall[] = {
 #endif
 };
 unsigned long pkvm_priv_hcall_limit __ro_after_init = __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize;
 int reset_pkvm_priv_hcall_limit(void)
 {
 	unsigned long *addr;
 	if (pkvm_priv_hcall_limit == __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize)
 		return -EACCES;
 	addr = hyp_fixmap_map(__hyp_pa(&pkvm_priv_hcall_limit));
 	*addr = __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize;
 	hyp_fixmap_unmap();
 	return 0;
 }
 static void handle_host_hcall(struct kvm_cpu_context *host_ctxt)
 {
 	DECLARE_REG(unsigned long, id, host_ctxt, 0);
@@ -1365,7 +1341,7 @@ static void handle_host_hcall(struct kvm_cpu_context *host_ctxt)
 	 * returns -EPERM after the first call for a given CPU.
 	 */
 	if (static_branch_unlikely(&kvm_protected_mode_initialized))
-		hcall_min = pkvm_priv_hcall_limit;
+		hcall_min = __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize;
 	id -= KVM_HOST_SMCCC_ID(0);
--- a/arch/arm64/kvm/hyp/nvhe/iommu.c
+++ b/arch/arm64/kvm/hyp/nvhe/iommu.c
@@ -470,8 +470,6 @@ int __pkvm_iommu_finalize(int err)
 	if (!ret && err)
 		pkvm_handle_system_misconfiguration(NO_DMA_ISOLATION);
 	__pkvm_close_late_module_registration();
 	return ret;
 }
--- a/arch/arm64/kvm/hyp/nvhe/modules.c
+++ b/arch/arm64/kvm/hyp/nvhe/modules.c
@@ -77,15 +77,6 @@ void __pkvm_close_module_registration(void)
 	 */
 }
 int __pkvm_close_late_module_registration(void)
 {
 	__pkvm_close_module_registration();
 	return reset_pkvm_priv_hcall_limit();
 	/* The fuse is blown! No way back until reset */
 }
 const struct pkvm_module_ops module_ops = {
 	.create_private_mapping = __pkvm_create_private_mapping,
 	.alloc_module_va = __pkvm_alloc_module_va,
--- a/arch/arm64/kvm/pkvm.c
+++ b/arch/arm64/kvm/pkvm.c
@@ -578,26 +578,14 @@ int pkvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap)
 #ifdef CONFIG_MODULES
 static char early_pkvm_modules[COMMAND_LINE_SIZE] __initdata;
 static int __init pkvm_enable_module_late_loading(void)
 {
 	extern unsigned long kvm_nvhe_sym(pkvm_priv_hcall_limit);
 	WARN(1, "Loading pKVM modules with kvm-arm.protected_modules is deprecated\n"
 	     "Use kvm-arm.protected_modules=<module1>,<module2>");
 	/*
 	 * Move the limit to allow module loading HVCs. It will be moved back to
 	 * its original position in __pkvm_close_module_registration().
 	 */
 	kvm_nvhe_sym(pkvm_priv_hcall_limit) = __KVM_HOST_SMCCC_FUNC___pkvm_alloc_module_va;
 	return 0;
 }
 static int __init early_pkvm_modules_cfg(char *arg)
 {
 	/*
 	 * Loading pKVM modules with kvm-arm.protected_modules is deprecated
 	 * Use kvm-arm.protected_modules=<module1>,<module2>
 	 */
 	if (!arg)
-		return pkvm_enable_module_late_loading();
+		return -EINVAL;
 	strscpy(early_pkvm_modules, arg, COMMAND_LINE_SIZE);
@@ -800,7 +788,8 @@ int __pkvm_load_el2_module(struct module *this, unsigned long *token)
 	int ret, i, secs_first;
 	size_t offset, size;
-	if (!is_protected_kvm_enabled())
+	/* The pKVM hyp only allows loading before it is fully initialized */
 	if (!is_protected_kvm_enabled() || is_pkvm_initialized())
 		return -EOPNOTSUPP;
 	for (i = 0; i < ARRAY_SIZE(secs_map); i++) {