1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Test TEST PROTECTION emulation.
4 *
5 * Copyright IBM Corp. 2021
6 */
7
8 #include <sys/mman.h>
9 #include "test_util.h"
10 #include "kvm_util.h"
11
12 #define PAGE_SHIFT 12
13 #define PAGE_SIZE (1 << PAGE_SHIFT)
14 #define CR0_FETCH_PROTECTION_OVERRIDE (1UL << (63 - 38))
15 #define CR0_STORAGE_PROTECTION_OVERRIDE (1UL << (63 - 39))
16
17 #define VCPU_ID 1
18
19 static __aligned(PAGE_SIZE) uint8_t pages[2][PAGE_SIZE];
20 static uint8_t *const page_store_prot = pages[0];
21 static uint8_t *const page_fetch_prot = pages[1];
22
23 /* Nonzero return value indicates that address not mapped */
set_storage_key(void * addr,uint8_t key)24 static int set_storage_key(void *addr, uint8_t key)
25 {
26 int not_mapped = 0;
27
28 asm volatile (
29 "lra %[addr], 0(0,%[addr])\n"
30 " jz 0f\n"
31 " llill %[not_mapped],1\n"
32 " j 1f\n"
33 "0: sske %[key], %[addr]\n"
34 "1:"
35 : [addr] "+&a" (addr), [not_mapped] "+r" (not_mapped)
36 : [key] "r" (key)
37 : "cc"
38 );
39 return -not_mapped;
40 }
41
42 enum permission {
43 READ_WRITE = 0,
44 READ = 1,
45 RW_PROTECTED = 2,
46 TRANSL_UNAVAIL = 3,
47 };
48
test_protection(void * addr,uint8_t key)49 static enum permission test_protection(void *addr, uint8_t key)
50 {
51 uint64_t mask;
52
53 asm volatile (
54 "tprot %[addr], 0(%[key])\n"
55 " ipm %[mask]\n"
56 : [mask] "=r" (mask)
57 : [addr] "Q" (*(char *)addr),
58 [key] "a" (key)
59 : "cc"
60 );
61
62 return (enum permission)(mask >> 28);
63 }
64
65 enum stage {
66 STAGE_END,
67 STAGE_INIT_SIMPLE,
68 TEST_SIMPLE,
69 STAGE_INIT_FETCH_PROT_OVERRIDE,
70 TEST_FETCH_PROT_OVERRIDE,
71 TEST_STORAGE_PROT_OVERRIDE,
72 };
73
74 struct test {
75 enum stage stage;
76 void *addr;
77 uint8_t key;
78 enum permission expected;
79 } tests[] = {
80 /*
81 * We perform each test in the array by executing TEST PROTECTION on
82 * the specified addr with the specified key and checking if the returned
83 * permissions match the expected value.
84 * Both guest and host cooperate to set up the required test conditions.
85 * A central condition is that the page targeted by addr has to be DAT
86 * protected in the host mappings, in order for KVM to emulate the
87 * TEST PROTECTION instruction.
88 * Since the page tables are shared, the host uses mprotect to achieve
89 * this.
90 *
91 * Test resulting in RW_PROTECTED/TRANSL_UNAVAIL will be interpreted
92 * by SIE, not KVM, but there is no harm in testing them also.
93 * See Enhanced Suppression-on-Protection Facilities in the
94 * Interpretive-Execution Mode
95 */
96 /*
97 * guest: set storage key of page_store_prot to 1
98 * storage key of page_fetch_prot to 9 and enable
99 * protection for it
100 * STAGE_INIT_SIMPLE
101 * host: write protect both via mprotect
102 */
103 /* access key 0 matches any storage key -> RW */
104 { TEST_SIMPLE, page_store_prot, 0x00, READ_WRITE },
105 /* access key matches storage key -> RW */
106 { TEST_SIMPLE, page_store_prot, 0x10, READ_WRITE },
107 /* mismatched keys, but no fetch protection -> RO */
108 { TEST_SIMPLE, page_store_prot, 0x20, READ },
109 /* access key 0 matches any storage key -> RW */
110 { TEST_SIMPLE, page_fetch_prot, 0x00, READ_WRITE },
111 /* access key matches storage key -> RW */
112 { TEST_SIMPLE, page_fetch_prot, 0x90, READ_WRITE },
113 /* mismatched keys, fetch protection -> inaccessible */
114 { TEST_SIMPLE, page_fetch_prot, 0x10, RW_PROTECTED },
115 /* page 0 not mapped yet -> translation not available */
116 { TEST_SIMPLE, (void *)0x00, 0x10, TRANSL_UNAVAIL },
117 /*
118 * host: try to map page 0
119 * guest: set storage key of page 0 to 9 and enable fetch protection
120 * STAGE_INIT_FETCH_PROT_OVERRIDE
121 * host: write protect page 0
122 * enable fetch protection override
123 */
124 /* mismatched keys, fetch protection, but override applies -> RO */
125 { TEST_FETCH_PROT_OVERRIDE, (void *)0x00, 0x10, READ },
126 /* mismatched keys, fetch protection, override applies to 0-2048 only -> inaccessible */
127 { TEST_FETCH_PROT_OVERRIDE, (void *)2049, 0x10, RW_PROTECTED },
128 /*
129 * host: enable storage protection override
130 */
131 /* mismatched keys, but override applies (storage key 9) -> RW */
132 { TEST_STORAGE_PROT_OVERRIDE, page_fetch_prot, 0x10, READ_WRITE },
133 /* mismatched keys, no fetch protection, override doesn't apply -> RO */
134 { TEST_STORAGE_PROT_OVERRIDE, page_store_prot, 0x20, READ },
135 /* mismatched keys, but override applies (storage key 9) -> RW */
136 { TEST_STORAGE_PROT_OVERRIDE, (void *)2049, 0x10, READ_WRITE },
137 /* end marker */
138 { STAGE_END, 0, 0, 0 },
139 };
140
perform_next_stage(int * i,bool mapped_0)141 static enum stage perform_next_stage(int *i, bool mapped_0)
142 {
143 enum stage stage = tests[*i].stage;
144 enum permission result;
145 bool skip;
146
147 for (; tests[*i].stage == stage; (*i)++) {
148 /*
149 * Some fetch protection override tests require that page 0
150 * be mapped, however, when the hosts tries to map that page via
151 * vm_vaddr_alloc, it may happen that some other page gets mapped
152 * instead.
153 * In order to skip these tests we detect this inside the guest
154 */
155 skip = tests[*i].addr < (void *)4096 &&
156 tests[*i].expected != TRANSL_UNAVAIL &&
157 !mapped_0;
158 if (!skip) {
159 result = test_protection(tests[*i].addr, tests[*i].key);
160 GUEST_ASSERT_2(result == tests[*i].expected, *i, result);
161 }
162 }
163 return stage;
164 }
165
guest_code(void)166 static void guest_code(void)
167 {
168 bool mapped_0;
169 int i = 0;
170
171 GUEST_ASSERT_EQ(set_storage_key(page_store_prot, 0x10), 0);
172 GUEST_ASSERT_EQ(set_storage_key(page_fetch_prot, 0x98), 0);
173 GUEST_SYNC(STAGE_INIT_SIMPLE);
174 GUEST_SYNC(perform_next_stage(&i, false));
175
176 /* Fetch-protection override */
177 mapped_0 = !set_storage_key((void *)0, 0x98);
178 GUEST_SYNC(STAGE_INIT_FETCH_PROT_OVERRIDE);
179 GUEST_SYNC(perform_next_stage(&i, mapped_0));
180
181 /* Storage-protection override */
182 GUEST_SYNC(perform_next_stage(&i, mapped_0));
183 }
184
185 #define HOST_SYNC(vmp, stage) \
186 ({ \
187 struct kvm_vm *__vm = (vmp); \
188 struct ucall uc; \
189 int __stage = (stage); \
190 \
191 vcpu_run(__vm, VCPU_ID); \
192 get_ucall(__vm, VCPU_ID, &uc); \
193 if (uc.cmd == UCALL_ABORT) { \
194 TEST_FAIL("line %lu: %s, hints: %lu, %lu", uc.args[1], \
195 (const char *)uc.args[0], uc.args[2], uc.args[3]); \
196 } \
197 ASSERT_EQ(uc.cmd, UCALL_SYNC); \
198 ASSERT_EQ(uc.args[1], __stage); \
199 })
200
main(int argc,char * argv[])201 int main(int argc, char *argv[])
202 {
203 struct kvm_vm *vm;
204 struct kvm_run *run;
205 vm_vaddr_t guest_0_page;
206
207 vm = vm_create_default(VCPU_ID, 0, guest_code);
208 run = vcpu_state(vm, VCPU_ID);
209
210 HOST_SYNC(vm, STAGE_INIT_SIMPLE);
211 mprotect(addr_gva2hva(vm, (vm_vaddr_t)pages), PAGE_SIZE * 2, PROT_READ);
212 HOST_SYNC(vm, TEST_SIMPLE);
213
214 guest_0_page = vm_vaddr_alloc(vm, PAGE_SIZE, 0);
215 if (guest_0_page != 0)
216 print_skip("Did not allocate page at 0 for fetch protection override tests");
217 HOST_SYNC(vm, STAGE_INIT_FETCH_PROT_OVERRIDE);
218 if (guest_0_page == 0)
219 mprotect(addr_gva2hva(vm, (vm_vaddr_t)0), PAGE_SIZE, PROT_READ);
220 run->s.regs.crs[0] |= CR0_FETCH_PROTECTION_OVERRIDE;
221 run->kvm_dirty_regs = KVM_SYNC_CRS;
222 HOST_SYNC(vm, TEST_FETCH_PROT_OVERRIDE);
223
224 run->s.regs.crs[0] |= CR0_STORAGE_PROTECTION_OVERRIDE;
225 run->kvm_dirty_regs = KVM_SYNC_CRS;
226 HOST_SYNC(vm, TEST_STORAGE_PROT_OVERRIDE);
227 }
228