.. SPDX-License-Identifier: GPL-2.0

==============
KVM MMIO guard
==============

KVM implements device emulation by handling translation faults to any
IPA range that is not contained in a memory slot. Such a translation
fault is in most cases passed on to userspace (or in rare cases to the
host kernel) with the address, size and possibly data of the access
for emulation.

Should the guest exit with an address that is not one that corresponds
to an emulatable device, userspace may take measures that are not the
most graceful as far as the guest is concerned (such as terminating it
or delivering a fatal exception).

There is also an element of trust: by forwarding the request to
userspace, the kernel assumes that the guest trusts userspace to do
the right thing.

The KVM MMIO guard offers a way to mitigate this last point: a guest
can request that only certain regions of the IPA space are valid as
MMIO. Only these regions will be handled as an MMIO, and any other
will result in an exception being delivered to the guest.

This relies on a set of hypercalls defined in the KVM-specific range,
using the HVC64 calling convention.

When operating on a range of contiguous IPA space, it is recommended
to use ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_MAP. This HVC takes a number of
granules as an argument. See ``KVM_FUNC_HAS_RANGE`` in hypercalls.rst
for a complete description.

Both ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP and
ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_UNMAP are only declared for legacy guests,
that is, older than 6.12.

* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_INFO

    ==============    ========    ================================
    Function ID:      (uint32)    0xC6000005
    Arguments:        r1-r3       Reserved / Must be zero
    Return Values:    (int64)     NOT_SUPPORTED(-1) on error, or
                      (uint64)    Protection Granule (PG) size in
                                  bytes (r0). KVM_FUNC_HAS_RANGE(1)
                                  is set (r1) if RGUARD_MAP and
                                  RGUARD_UNMAP HVCs are available.
    ==============    ========    ================================

* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL

    ==============    ========    ==============================
    Function ID:      (uint32)    0xC6000006
    Arguments:                    none
    Return Values:    (int64)     NOT_SUPPORTED(-1) on error, or
                                  RET_SUCCESS(0) (r0)
    ==============    ========    ==============================

* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP

    ==============    ========    ====================================
    Function ID:      (uint32)    0xC6000007
    Arguments:        (uint64)    The base of the PG-sized IPA range
                                  that is allowed to be accessed as
                                  MMIO. Must be aligned to the PG size
                                  (r1)
                      (uint64)    Index in the MAIR_EL1 register
                                  providing the memory attribute that
                                  is used by the guest (r2)
    Return Values:    (int64)     NOT_SUPPORTED(-1) on error, or
                                  RET_SUCCESS(0) (r0)
    ==============    ========    ====================================

* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP

    ==============    ========    ======================================
    Function ID:      (uint32)    0xC6000008
    ==============    ========    ======================================

* ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_MAP

    ==============    ========    ====================================
    Function ID:      (uint32)    0xC600000A
    Arguments:        (uint64)    The base of the PG-sized IPA range
                                  that is allowed to be accessed as
                                  MMIO. Must be aligned to the PG size
                                  (r1)
                      (uint64)    Number of granules to guard (r2). See
                                  ``KVM_FUNC_HAS_RANGE`` in
                                  hypercalls.rst for more details
    Return Values:    (int64)     NOT_SUPPORTED(-1) on error, or
                                  RET_SUCCESS(0) (r0)
                      (uint64)    Number of shared granules (r1)
    ==============    ========    ====================================

* ARM_SMCCC_KVM_FUNC_MMIO_RGUARD_UNMAP

    ==============    ========    ======================================
    Function ID:      (uint32)    0xC600000B
    ==============    ========    ======================================
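
The call sequence these tables imply for a guest, written here as an added C example rather than code from the kernel: query the PG size, enroll, then guard every granule an MMIO region touches, using RGUARD_MAP when INFO advertises it. The order of the calls, the ``hvc_fn`` hook, the stub host, treating ``KVM_FUNC_HAS_RANGE`` as a flag bit in r1, and repeating RGUARD_MAP for the granules not covered by the returned count are assumptions; a real guest would run INFO and ENROLL once, not per region.

```c
#include <stdint.h>

/* Function IDs as listed in the tables above. */
#define GUARD_INFO   0xC6000005u
#define GUARD_ENROLL 0xC6000006u
#define GUARD_MAP    0xC6000007u
#define RGUARD_MAP   0xC600000Au
#define HAS_RANGE    1u /* KVM_FUNC_HAS_RANGE(1); assumed to be a flag bit in r1 */

struct hvc_res { int64_t r0; uint64_t r1; };
/* Hypothetical hook standing in for the guest's HVC64 call. */
typedef struct hvc_res (*hvc_fn)(uint32_t id, uint64_t r1, uint64_t r2);

/* Enroll, then guard each granule overlapping [base, base + len); count or -1. */
int64_t guard_mmio_region(hvc_fn hvc, uint64_t base, uint64_t len, uint64_t mair_idx)
{
    struct hvc_res info = hvc(GUARD_INFO, 0, 0);
    uint64_t pg = (uint64_t)info.r0;
    int range = (info.r1 & HAS_RANGE) != 0;
    if (info.r0 <= 0 || (pg & (pg - 1)) || !len || base + len < base ||
        hvc(GUARD_ENROLL, 0, 0).r0 != 0)
        return -1;
    uint64_t ipa = base & ~(pg - 1); /* MAP calls take a PG-aligned base */
    uint64_t total = (((base + len - 1) & ~(pg - 1)) - ipa) / pg + 1, left = total;
    while (left) {
        struct hvc_res r = range ? hvc(RGUARD_MAP, ipa, left)     /* r2: granules */
                                 : hvc(GUARD_MAP, ipa, mair_idx); /* r2: MAIR index */
        uint64_t done = range ? r.r1 : 1; /* assumed: r1 = granules processed */
        if (r.r0 != 0 || done == 0 || done > left)
            return -1; /* fail closed: do not touch a partly guarded device */
        ipa += done * pg;
        left -= done;
    }
    return (int64_t)total;
}

/* Constructed stand-in for the host: 4 KiB PG, at most 2 granules per call. */
static struct hvc_res stub(uint32_t id, uint64_t r1, uint64_t r2, unsigned flags)
{
    struct hvc_res r = { 0, 0 };
    if (id == GUARD_INFO) { r.r0 = 4096; r.r1 = flags; }
    else if (r1 & 4095) r.r0 = -1; /* unaligned base */
    else if (id == RGUARD_MAP) r.r1 = r2 > 2 ? 2 : r2;
    else if (id != GUARD_MAP && id != GUARD_ENROLL) r.r0 = -1;
    return r;
}
struct hvc_res host_range(uint32_t id, uint64_t a, uint64_t b) { return stub(id, a, b, HAS_RANGE); }
struct hvc_res host_norange(uint32_t id, uint64_t a, uint64_t b) { return stub(id, a, b, 0); }

int main(void) { return guard_mmio_region(host_range, 0x09000800, 0x2000, 0) == 3 ? 0 : 1; }
```

A region that starts or ends inside a granule is rounded out to whole granules, so a device that shares a granule with another device exposes both to userspace emulation.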