On 17 October 2018 at 19:21, Christoffer Dall <[email protected]> wrote:
> This commit adds a paranoid check when entering the guest to make sure
> we don't attempt running guest code in an equally or more privileged mode
> than the hypervisor. We also catch other accidental programming of the
> SPSR_EL2 which results in an illegal exception return and report this
> safely back to the user.
>
> Signed-off-by: Christoffer Dall <[email protected]>
> ---
> diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c
> index 9ce223944983..d7ac15412c97 100644
> --- a/arch/arm64/kvm/hyp/sysreg-sr.c
> +++ b/arch/arm64/kvm/hyp/sysreg-sr.c
> @@ -152,8 +152,25 @@ static void __hyp_text __sysreg_restore_el1_state(struct
> kvm_cpu_context *ctxt)
> static void __hyp_text
> __sysreg_restore_el2_return_state(struct kvm_cpu_context *ctxt)
> {
> + u64 pstate = ctxt->gp_regs.regs.pstate;
> + u64 mode = pstate & PSR_AA32_MODE_MASK;
> +
> + /*
> + * Safety check to ensure we're setting the CPU up to enter the guest
> + * in a less privileged mode.
> + *
> + * If we are attempting a return to EL2 or higher in AArch64 state,
> + * program SPSR_EL2 with M=EL2h and the IL bit set which ensures that
> + * we'll take an illegal exception return exception immediately after
This should read "illegal exception state exception", I think
(for the 64-bit case we don't do an illegal exception return,
we do a legal exception return that sets PSTATE.IL to 1.)
> + * the ERET to the guest. Attempts to return to AArch32 Hyp will
> + * result in an illegal exception return because EL2's execution state
> + * is determined by SCR_EL3.RW.
> + */
> + if (!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t)
> + pstate = PSR_MODE_EL2h | PSR_IL_BIT;
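Review bot: the sanitised value at `pstate = PSR_MODE_EL2h | PSR_IL_BIT;` is a local copy of `ctxt->gp_regs.regs.pstate`, and the hunk ends before any write of it, so it is not visible here that the SPSR_EL2 restore below uses `pstate` rather than re-reading `ctxt->gp_regs.regs.pstate`; if it does not, the check is a no-op and the guest still enters at EL2. Also worth noting in the comment or commit message that the visible condition `!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t` only covers AArch64 EL2 and above, and that the AArch32 Hyp case is deliberately left to the hardware (SCR_EL3.RW) rather than being rewritten in software.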
thanks
-- PMM
_______________________________________________
kvmarm mailing list
[email protected]
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm