From: Sukadev Bhattiprolu
Protected Execution Facility (PEF) is an architectural change for
POWER 9 that enables Secure Virtual Machines (SVMs). When enabled,
PEF adds a new higher privileged mode, called Ultravisor mode, to POWER
architecture. Along with the new mode there is new firmware called the
Protected Execution Ultravisor (or Ultravisor for short).
POWER 9 DD2.3 chips (PVR=0x004e1203) or greater will be PEF-capable.
Attached documentation provides an overview of PEF and defines the API
for various interfaces that must be implemented in the Ultravisor
firmware as well as in the KVM Hypervisor.
Based on input from Mike Anderson, Thiago Bauermann, Claudio Carvalho,
Ben Herrenschmidt, Guerney Hunt, Paul Mackerras.
Signed-off-by: Sukadev Bhattiprolu
Signed-off-by: Ram Pai
Signed-off-by: Guerney Hunt
Reviewed-by: Claudio Carvalho
Reviewed-by: Michael Anderson
Reviewed-by: Thiago Bauermann
Signed-off-by: Claudio Carvalho
---
Documentation/powerpc/ultravisor.rst | 1057 ++
1 file changed, 1057 insertions(+)
create mode 100644 Documentation/powerpc/ultravisor.rst
diff --git a/Documentation/powerpc/ultravisor.rst
b/Documentation/powerpc/ultravisor.rst
new file mode 100644
index ..94a149f34ec3
--- /dev/null
+++ b/Documentation/powerpc/ultravisor.rst
@@ -0,0 +1,1057 @@
+.. SPDX-License-Identifier: GPL-2.0
+.. _ultravisor:
+
+
+Protected Execution Facility
+
+
+.. contents::
+:depth: 3
+
+.. sectnum::
+:depth: 3
+
+Protected Execution Facility
+
+
+Protected Execution Facility (PEF) is an architectural change for
+POWER 9 that enables Secure Virtual Machines (SVMs). DD2.3 chips
+(PVR=0x004e1203) or greater will be PEF-capable. A new ISA release
+will include the PEF RFC02487 changes.
+
+When enabled, PEF adds a new higher privileged mode, called Ultravisor
+mode, to POWER architecture. Along with the new mode there is new
+firmware called the Protected Execution Ultravisor (or Ultravisor
+for short). Ultravisor mode is the highest privileged mode in POWER
+architecture.
+
+ +--+
+ | Privilege States |
+ +==+
+ | Problem |
+ +--+
+ | Supervisor |
+ +--+
+ | Hypervisor |
+ +--+
+ | Ultravisor |
+ +--+
+
+PEF protects SVMs from the hypervisor, privileged users, and other
+VMs in the system. SVMs are protected while at rest and can only be
+executed by an authorized machine. All virtual machines utilize
+hypervisor services. The Ultravisor filters calls between the SVMs
+and the hypervisor to assure that information does not accidentally
+leak. All hypercalls except H_RANDOM are reflected to the hypervisor.
+H_RANDOM is not reflected to prevent the hypervisor from influencing
+random values in the SVM.
+
+To support this there is a refactoring of the ownership of resources
+in the CPU. Some of the resources which were previously hypervisor
+privileged are now ultravisor privileged.
+
+Hardware
+
+
+The hardware changes include the following:
+
+* There is a new bit in the MSR that determines whether the current
+ process is running in secure mode, MSR(S) bit 41. MSR(S)=1, process
+ is in secure mode, MSR(s)=0 process is in normal mode.
+
+* The MSR(S) bit can only be set by the Ultravisor.
+
+* HRFID cannot be used to set the MSR(S) bit. If the hypervisor needs
+ to return to a SVM it must use an ultracall. It can determine if
+ the VM it is returning to is secure.
+
+* There is a new Ultravisor privileged register, SMFCTRL, which has an
+ enable/disable bit SMFCTRL(E).
+
+* The privilege of a process is now determined by three MSR bits,
+ MSR(S, HV, PR). In each of the tables below the modes are listed
+ from least privilege to highest privilege. The higher privilege
+ modes can access all the resources of the lower privilege modes.
+
+ **Secure Mode MSR Settings**
+
+ +---+---+---+---+
+ | S | HV| PR|Privilege |
+ +===+===+===+===+
+ | 1 | 0 | 1 | Problem |
+ +---+---+---+---+
+ | 1 | 0 | 0 | Privileged(OS)|
+ +---+---+---+---+
+ | 1 | 1 | 0 | Ultravisor|
+ +---+---+---+---+
+ | 1 | 1 | 1 | Reserved |
+ +---+---+---+---+
+
+ **Normal Mode MSR Settings**
+
+ +---+---+---+---+
+ | S | HV| PR|Privilege |
+ +===+===+===+===+
+ | 0 | 0 | 1 | Problem |
+ +---+---+---+---+
+ | 0 | 0 | 0 | Privileged(OS)|
+ +---+---+---+---+
+ | 0 | 1 | 0 | Hypervisor|
+
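Review bot: the hypercall paragraph in the introductory section reads as self-contradictory: it first says the Ultravisor "filters calls between the SVMs and the hypervisor to assure that information does not accidentally leak", and two sentences later that "All hypercalls except H_RANDOM are reflected to the hypervisor." If every hypercall but one is passed through, the document should say what "filters" means in practice (for example, what state the Ultravisor sanitizes on the way into and out of a reflected call), otherwise a reader will take "filters" to mean that calls are blocked. Smaller points in the Hardware list: "MSR(s)=0" should be "MSR(S)=0" to match the bit name used everywhere else; "return to a SVM" should be "return to an SVM"; and "It can determine if the VM it is returning to is secure" names no mechanism, so either say how the hypervisor determines this or drop the sentence, since as written it adds nothing to the preceding requirement that the return must go through an ultracall.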