LXR linux/arch/x86/kvm/mmu.h

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef __KVM_X86_MMU_H
   3#define __KVM_X86_MMU_H
   4
   5#include <linux/kvm_host.h>
   6#include "kvm_cache_regs.h"
   7#include "cpuid.h"
   8
   9#define PT64_PT_BITS 9
  10#define PT64_ENT_PER_PAGE (1 << PT64_PT_BITS)
  11#define PT32_PT_BITS 10
  12#define PT32_ENT_PER_PAGE (1 << PT32_PT_BITS)
  13
  14#define PT_WRITABLE_SHIFT 1
  15#define PT_USER_SHIFT 2
  16
  17#define PT_PRESENT_MASK (1ULL << 0)
  18#define PT_WRITABLE_MASK (1ULL << PT_WRITABLE_SHIFT)
  19#define PT_USER_MASK (1ULL << PT_USER_SHIFT)
  20#define PT_PWT_MASK (1ULL << 3)
  21#define PT_PCD_MASK (1ULL << 4)
  22#define PT_ACCESSED_SHIFT 5
  23#define PT_ACCESSED_MASK (1ULL << PT_ACCESSED_SHIFT)
  24#define PT_DIRTY_SHIFT 6
  25#define PT_DIRTY_MASK (1ULL << PT_DIRTY_SHIFT)
  26#define PT_PAGE_SIZE_SHIFT 7
  27#define PT_PAGE_SIZE_MASK (1ULL << PT_PAGE_SIZE_SHIFT)
  28#define PT_PAT_MASK (1ULL << 7)
  29#define PT_GLOBAL_MASK (1ULL << 8)
  30#define PT64_NX_SHIFT 63
  31#define PT64_NX_MASK (1ULL << PT64_NX_SHIFT)
  32
  33#define PT_PAT_SHIFT 7
  34#define PT_DIR_PAT_SHIFT 12
  35#define PT_DIR_PAT_MASK (1ULL << PT_DIR_PAT_SHIFT)
  36
  37#define PT32_DIR_PSE36_SIZE 4
  38#define PT32_DIR_PSE36_SHIFT 13
  39#define PT32_DIR_PSE36_MASK \
  40        (((1ULL << PT32_DIR_PSE36_SIZE) - 1) << PT32_DIR_PSE36_SHIFT)
  41
  42#define PT64_ROOT_5LEVEL 5
  43#define PT64_ROOT_4LEVEL 4
  44#define PT32_ROOT_LEVEL 2
  45#define PT32E_ROOT_LEVEL 3
  46
  47static inline u64 rsvd_bits(int s, int e)
  48{
  49        if (e < s)
  50                return 0;
  51
  52        return ((1ULL << (e - s + 1)) - 1) << s;
  53}
  54
  55void kvm_mmu_set_mmio_spte_mask(u64 mmio_value, u64 access_mask);
  56
  57void
  58reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
  59
  60void kvm_init_mmu(struct kvm_vcpu *vcpu, bool reset_roots);
  61void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, u32 cr0, u32 cr4, u32 efer,
  62                             gpa_t nested_cr3);
  63void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
  64                             bool accessed_dirty, gpa_t new_eptp);
  65bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
  66int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
  67                                u64 fault_address, char *insn, int insn_len);
  68
  69static inline int kvm_mmu_reload(struct kvm_vcpu *vcpu)
  70{
  71        if (likely(vcpu->arch.mmu->root_hpa != INVALID_PAGE))
  72                return 0;
  73
  74        return kvm_mmu_load(vcpu);
  75}
  76
  77static inline unsigned long kvm_get_pcid(struct kvm_vcpu *vcpu, gpa_t cr3)
  78{
  79        BUILD_BUG_ON((X86_CR3_PCID_MASK & PAGE_MASK) != 0);
  80
  81        return kvm_read_cr4_bits(vcpu, X86_CR4_PCIDE)
  82               ? cr3 & X86_CR3_PCID_MASK
  83               : 0;
  84}
  85
  86static inline unsigned long kvm_get_active_pcid(struct kvm_vcpu *vcpu)
  87{
  88        return kvm_get_pcid(vcpu, kvm_read_cr3(vcpu));
  89}
  90
  91static inline void kvm_mmu_load_pgd(struct kvm_vcpu *vcpu)
  92{
  93        u64 root_hpa = vcpu->arch.mmu->root_hpa;
  94
  95        if (!VALID_PAGE(root_hpa))
  96                return;
  97
  98        kvm_x86_ops.load_mmu_pgd(vcpu, root_hpa | kvm_get_active_pcid(vcpu),
  99                                 vcpu->arch.mmu->shadow_root_level);
 100}
 101
 102int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
 103                       bool prefault);
 104
 105static inline int kvm_mmu_do_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
 106                                        u32 err, bool prefault)
 107{
 108#ifdef CONFIG_RETPOLINE
 109        if (likely(vcpu->arch.mmu->page_fault == kvm_tdp_page_fault))
 110                return kvm_tdp_page_fault(vcpu, cr2_or_gpa, err, prefault);
 111#endif
 112        return vcpu->arch.mmu->page_fault(vcpu, cr2_or_gpa, err, prefault);
 113}
 114
 115/*
 116 * Currently, we have two sorts of write-protection, a) the first one
 117 * write-protects guest page to sync the guest modification, b) another one is
 118 * used to sync dirty bitmap when we do KVM_GET_DIRTY_LOG. The differences
 119 * between these two sorts are:
 120 * 1) the first case clears SPTE_MMU_WRITEABLE bit.
 121 * 2) the first case requires flushing tlb immediately avoiding corrupting
 122 *    shadow page table between all vcpus so it should be in the protection of
 123 *    mmu-lock. And the another case does not need to flush tlb until returning
 124 *    the dirty bitmap to userspace since it only write-protects the page
 125 *    logged in the bitmap, that means the page in the dirty bitmap is not
 126 *    missed, so it can flush tlb out of mmu-lock.
 127 *
 128 * So, there is the problem: the first case can meet the corrupted tlb caused
 129 * by another case which write-protects pages but without flush tlb
 130 * immediately. In order to making the first case be aware this problem we let
 131 * it flush tlb if we try to write-protect a spte whose SPTE_MMU_WRITEABLE bit
 132 * is set, it works since another case never touches SPTE_MMU_WRITEABLE bit.
 133 *
 134 * Anyway, whenever a spte is updated (only permission and status bits are
 135 * changed) we need to check whether the spte with SPTE_MMU_WRITEABLE becomes
 136 * readonly, if that happens, we need to flush tlb. Fortunately,
 137 * mmu_spte_update() has already handled it perfectly.
 138 *
 139 * The rules to use SPTE_MMU_WRITEABLE and PT_WRITABLE_MASK:
 140 * - if we want to see if it has writable tlb entry or if the spte can be
 141 *   writable on the mmu mapping, check SPTE_MMU_WRITEABLE, this is the most
 142 *   case, otherwise
 143 * - if we fix page fault on the spte or do write-protection by dirty logging,
 144 *   check PT_WRITABLE_MASK.
 145 *
 146 * TODO: introduce APIs to split these two cases.
 147 */
 148static inline int is_writable_pte(unsigned long pte)
 149{
 150        return pte & PT_WRITABLE_MASK;
 151}
 152
 153static inline bool is_write_protection(struct kvm_vcpu *vcpu)
 154{
 155        return kvm_read_cr0_bits(vcpu, X86_CR0_WP);
 156}
 157
 158static inline bool kvm_mmu_is_illegal_gpa(struct kvm_vcpu *vcpu, gpa_t gpa)
 159{
 160        return (gpa >= BIT_ULL(cpuid_maxphyaddr(vcpu)));
 161}
 162
 163/*
 164 * Check if a given access (described through the I/D, W/R and U/S bits of a
 165 * page fault error code pfec) causes a permission fault with the given PTE
 166 * access rights (in ACC_* format).
 167 *
 168 * Return zero if the access does not fault; return the page fault error code
 169 * if the access faults.
 170 */
 171static inline u8 permission_fault(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
 172                                  unsigned pte_access, unsigned pte_pkey,
 173                                  unsigned pfec)
 174{
 175        int cpl = kvm_x86_ops.get_cpl(vcpu);
 176        unsigned long rflags = kvm_x86_ops.get_rflags(vcpu);
 177
 178        /*
 179         * If CPL < 3, SMAP prevention are disabled if EFLAGS.AC = 1.
 180         *
 181         * If CPL = 3, SMAP applies to all supervisor-mode data accesses
 182         * (these are implicit supervisor accesses) regardless of the value
 183         * of EFLAGS.AC.
 184         *
 185         * This computes (cpl < 3) && (rflags & X86_EFLAGS_AC), leaving
 186         * the result in X86_EFLAGS_AC. We then insert it in place of
 187         * the PFERR_RSVD_MASK bit; this bit will always be zero in pfec,
 188         * but it will be one in index if SMAP checks are being overridden.
 189         * It is important to keep this branchless.
 190         */
 191        unsigned long smap = (cpl - 3) & (rflags & X86_EFLAGS_AC);
 192        int index = (pfec >> 1) +
 193                    (smap >> (X86_EFLAGS_AC_BIT - PFERR_RSVD_BIT + 1));
 194        bool fault = (mmu->permissions[index] >> pte_access) & 1;
 195        u32 errcode = PFERR_PRESENT_MASK;
 196
 197        WARN_ON(pfec & (PFERR_PK_MASK | PFERR_RSVD_MASK));
 198        if (unlikely(mmu->pkru_mask)) {
 199                u32 pkru_bits, offset;
 200
 201                /*
 202                * PKRU defines 32 bits, there are 16 domains and 2
 203                * attribute bits per domain in pkru.  pte_pkey is the
 204                * index of the protection domain, so pte_pkey * 2 is
 205                * is the index of the first bit for the domain.
 206                */
 207                pkru_bits = (vcpu->arch.pkru >> (pte_pkey * 2)) & 3;
 208
 209                /* clear present bit, replace PFEC.RSVD with ACC_USER_MASK. */
 210                offset = (pfec & ~1) +
 211                        ((pte_access & PT_USER_MASK) << (PFERR_RSVD_BIT - PT_USER_SHIFT));
 212
 213                pkru_bits &= mmu->pkru_mask >> offset;
 214                errcode |= -pkru_bits & PFERR_PK_MASK;
 215                fault |= (pkru_bits != 0);
 216        }
 217
 218        return -(u32)fault & errcode;
 219}
 220
 221void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end);
 222
 223int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu);
 224
 225int kvm_mmu_post_init_vm(struct kvm *kvm);
 226void kvm_mmu_pre_destroy_vm(struct kvm *kvm);
 227
 228#endif
 229