ANDROID: KVM: arm64: Create EL2 copy of __icache_flags for pKVM instead of alias

Using an alias of the host's `__icache_flags` variable at EL2 for pKVM
is risky, as it provides the host with a mechanism to elide cache
maintenance of guest pages by causing functions such as icache_is_vpipt()
to erroneously return false.

Create a private copy of the __icache_flags variable at EL2 and
initialise it using the host's version during pKVM init.

Signed-off-by: Will Deacon <will@kernel.org>
Bug: 209580772
Change-Id: I595f11d1e336dadae0eb82222e4da79a1069012a
Signed-off-by: Will Deacon <willdeacon@google.com>

arch/arm64/include/asm/kvm_hyp.h

@@ -123,4 +123,5 @@ extern u64 kvm_nvhe_sym(id_aa64mmfr0_el1_sys_val);
 extern u64 kvm_nvhe_sym(id_aa64mmfr1_el1_sys_val);
 extern u64 kvm_nvhe_sym(id_aa64mmfr2_el1_sys_val);
 
+extern unsigned long kvm_nvhe_sym(__icache_flags);
 #endif /* __ARM64_KVM_HYP_H__ */

arch/arm64/kernel/image-vars.h

@@ -76,9 +76,6 @@ KVM_NVHE_ALIAS(nvhe_hyp_panic_handler);
 /* Vectors installed by hyp-init on reset HVC. */
 KVM_NVHE_ALIAS(__hyp_stub_vectors);
 
-/* Kernel symbol used by icache_is_vpipt(). */
-KVM_NVHE_ALIAS(__icache_flags);
-
 /* Kernel symbols needed for cpus_have_final/const_caps checks. */
 KVM_NVHE_ALIAS(arm64_const_caps_ready);
 KVM_NVHE_ALIAS(cpu_hwcap_keys);

arch/arm64/kvm/arm.c

@@ -2007,6 +2007,7 @@ static int kvm_hyp_init_protection(u32 hyp_va_bits)
 	kvm_nvhe_sym(id_aa64mmfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1);
 	kvm_nvhe_sym(id_aa64mmfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1);
 	kvm_nvhe_sym(id_aa64mmfr2_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR2_EL1);
+	kvm_nvhe_sym(__icache_flags) = __icache_flags;
 
 	ret = create_hyp_mappings(addr, addr + hyp_mem_size, PAGE_HYP);
 	if (ret)

arch/arm64/kvm/hyp/nvhe/pkvm.c

@@ -21,6 +21,9 @@
 #include <nvhe/pkvm.h>
 #include <nvhe/trap_handler.h>
 
+/* Used by icache_is_vpipt(). */
+unsigned long __icache_flags;
+
 /*
  * Set trap register values based on features in ID_AA64PFR0.
  */