[ based on kvm/next ]

Unmapping virtual machine guest memory from the host kernel's direct map is a successful mitigation against Spectre-style transient execution issues: if the kernel page tables do not contain entries pointing to guest memory, then any attempted speculative read through the direct map will necessarily be blocked by the MMU before any observable microarchitectural side-effects happen. This means that Spectre-gadgets and similar cannot be used to target virtual machine memory. Roughly 60% of speculative execution issues fall into this category [1, Table 1].
This patch series extends guest_memfd with the ability to remove its memory from the host kernel's direct map, to be able to attain the above protection for KVM guests running inside guest_memfd. Additionally, a Firecracker branch with support for these VMs can be found on GitHub [2]. For more details, please refer to the v5 cover letter. No substantial changes in design have taken place since. See also related write() syscall support in guest_memfd [3] where the interoperation between the two features is described.

Changes since v9:
- Huacai/Ackerley: formatting and error handling fixes
- Heiko: remove TLB flushing from folio_zap_direct_map() on s390
- Willy: set_direct_map_valid_noflush() to take const void * instead of struct page *page
- Ackerley: remove reject_file_backed variable in gup_fast_folio_allowed()
- Ackerley: avoid referencing memfd_secret in doc
- Ackerley: make calls to kvm_gmem_folio_zap_direct_map() conditional to GUEST_MEMFD_FLAG_NO_DIRECT_MAP
- Rick: Exclude TDX from direct map removal
- Rick: Add a comment about current impossibility of zapping at non-base page granularity.
v9: https://lore.kernel.org/kvm/[email protected]
v8: https://lore.kernel.org/kvm/[email protected]
v7: https://lore.kernel.org/kvm/[email protected]
v6: https://lore.kernel.org/kvm/[email protected]
v5: https://lore.kernel.org/kvm/[email protected]
v4: https://lore.kernel.org/kvm/[email protected]
RFCv3: https://lore.kernel.org/kvm/[email protected]
RFCv2: https://lore.kernel.org/kvm/[email protected]
RFCv1: https://lore.kernel.org/kvm/[email protected]

[1] https://download.vusec.net/papers/quarantine_raid23.pdf
[2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding
[3] https://lore.kernel.org/kvm/[email protected]

Nikita Kalyazin (3):
  set_memory: set_direct_map_* to take address
  set_memory: add folio_{zap,restore}_direct_map helpers
  mm/gup: drop local variable in gup_fast_folio_allowed

Patrick Roy (12):
  mm/gup: drop secretmem optimization from gup_fast_folio_allowed
  mm: introduce AS_NO_DIRECT_MAP
  KVM: guest_memfd: Add stub for kvm_arch_gmem_invalidate
  KVM: x86: define kvm_arch_gmem_supports_no_direct_map()
  KVM: arm64: define kvm_arch_gmem_supports_no_direct_map()
  KVM: guest_memfd: Add flag to remove from direct map
  KVM: selftests: load elf via bounce buffer
  KVM: selftests: set KVM_MEM_GUEST_MEMFD in vm_mem_add() if guest_memfd != -1
  KVM: selftests: Add guest_memfd based vm_mem_backing_src_types
  KVM: selftests: cover GUEST_MEMFD_FLAG_NO_DIRECT_MAP in existing selftests
  KVM: selftests: stuff vm_mem_backing_src_type into vm_shape
  KVM: selftests: Test guest execution from direct map removed gmem

 Documentation/virt/kvm/api.rst                     | 21 +++--
 arch/arm64/include/asm/kvm_host.h                  | 13 +++
 arch/arm64/include/asm/set_memory.h                |  9 +-
 arch/arm64/mm/pageattr.c                           | 31 ++++---
 arch/loongarch/include/asm/set_memory.h            |  9 +-
 arch/loongarch/mm/pageattr.c                       | 37 +++++---
 arch/riscv/include/asm/set_memory.h                |  9 +-
 arch/riscv/mm/pageattr.c                           | 29 +++++--
 arch/s390/include/asm/set_memory.h                 |  9 +-
 arch/s390/mm/pageattr.c                            | 25 ++++--
 arch/x86/include/asm/kvm_host.h                    |  6 ++
 arch/x86/include/asm/set_memory.h                  |  9 +-
 arch/x86/kvm/x86.c                                 |  5 ++
 arch/x86/mm/pat/set_memory.c                       | 43 +++++++---
 include/linux/kvm_host.h                           | 14 ++++
 include/linux/pagemap.h                            | 16 ++++
 include/linux/secretmem.h                          | 18 ----
 include/linux/set_memory.h                         | 19 ++++-
 include/uapi/linux/kvm.h                           |  1 +
 kernel/power/snapshot.c                            |  4 +-
 lib/buildid.c                                      |  4 +-
 mm/execmem.c                                       |  6 +-
 mm/gup.c                                           | 37 +++----
 mm/mlock.c                                         |  2 +-
 mm/secretmem.c                                     | 14 ++--
 mm/vmalloc.c                                       | 11 ++-
 .../testing/selftests/kvm/guest_memfd_test.c       | 17 +++-
 .../testing/selftests/kvm/include/kvm_util.h       | 37 ++++++--
 .../testing/selftests/kvm/include/test_util.h      |  8 ++
 tools/testing/selftests/kvm/lib/elf.c              |  8 +-
 tools/testing/selftests/kvm/lib/io.c               | 23 +++++
 tools/testing/selftests/kvm/lib/kvm_util.c         | 59 +++++++------
 tools/testing/selftests/kvm/lib/test_util.c        |  8 ++
 tools/testing/selftests/kvm/lib/x86/sev.c          |  1 +
 .../selftests/kvm/pre_fault_memory_test.c          |  1 +
 .../selftests/kvm/set_memory_region_test.c         | 52 +++++++++++-
 .../kvm/x86/private_mem_conversions_test.c         |  7 +-
 virt/kvm/guest_memfd.c                             | 84 +++++++++++++++++--
 38 files changed, 511 insertions(+), 195 deletions(-)

base-commit: 0499add8efd72456514c6218c062911ccc922a99
-- 
2.50.1
