Lines Matching +full:hardware +full:- +full:protected
1 // SPDX-License-Identifier: GPL-2.0-only
13 * in hardware. E.g. MMIO SPTEs are not considered present. Use bit 11, as it
22 * be restricted to using write-protection (for L2 when CPU dirty logging, i.e.
28 * is guaranteed to have A/D bits and write-protection is forced only for
29 * TDP with CPU dirty logging (PML). If NPT ever gains PML-like support, it
30 * must be restricted to 64-bit KVM.
40 #define SPTE_BASE_ADDR_MASK (physical_mask & ~(u64)(PAGE_SIZE-1))
42 #define SPTE_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
64 * as not-present for access tracking purposes. We do not save the W bit as the
78 * SPTE is write-protected. See is_writable_pte() for details.
81 /* Bits 9 and 10 are ignored by all non-EPT PTEs. */
87 * to not overlap the A/D type mask or the saved access bits of access-tracked
105 * Bits 0-7 of the MMIO generation are propagated to spte bits 3-10
106 * Bits 8-18 of the MMIO generation are propagated to spte bits 52-62
131 * MMU-present bit. The generation obviously co-exists with the magic MMIO
132 * mask/value, and MMIO SPTEs are considered !MMU-present.
134 * The SPTE MMIO mask is allowed to use hardware "present" bits (i.e. all EPT
136 * and so they're off-limits for generation; additional checks ensure the mask
143 #define MMIO_SPTE_GEN_LOW_BITS (MMIO_SPTE_GEN_LOW_END - MMIO_SPTE_GEN_LOW_START + 1)
144 #define MMIO_SPTE_GEN_HIGH_BITS (MMIO_SPTE_GEN_HIGH_END - MMIO_SPTE_GEN_HIGH_START + 1)
149 #define MMIO_SPTE_GEN_LOW_SHIFT (MMIO_SPTE_GEN_LOW_START - 0)
150 #define MMIO_SPTE_GEN_HIGH_SHIFT (MMIO_SPTE_GEN_HIGH_START - MMIO_SPTE_GEN_LOW_BITS)
152 #define MMIO_SPTE_GEN_MASK GENMASK_ULL(MMIO_SPTE_GEN_LOW_BITS + MMIO_SPTE_GEN_HIGH_BITS - 1, 0)
155 * Non-present SPTE value needs to set bit 63 for TDX, in order to suppress
156 * #VE and get EPT violations on non-present PTEs. We can use the
159 * For SVM NPT, for non-present spte (bit 0 = 0), other bits are ignored.
172 * True if A/D bits are supported in hardware and are enabled by KVM. When
173 * enabled, KVM uses A/D bits for all non-nested MMUs. Because L1 can disable
196 * shadow_acc_track_mask is the set of bits to be cleared in non-accessed
202 * This mask must be set on all non-zero Non-Present or Reserved SPTEs in order
208 * The number of high-order 1 bits to use in the mask above.
214 * multi-part operation on an SPTE, it can set the SPTE to FROZEN_SPTE as a
215 * non-present intermediate value. Other threads which encounter this value
218 * Use a semi-arbitrary value that doesn't set RWX bits, i.e. is not-present on
237 return ((unsigned long)sptep / sizeof(*sptep)) & (SPTE_ENT_PER_PAGE - 1); in spte_index()
241 * In some cases, we need to preserve the GFN of a non-present or reserved
274 * SPTE to ensure any non-PA bits are dropped. in root_to_sp()
286 return (spte & shadow_mmio_mask) == kvm->arch.shadow_mmio_value && in is_mmio_spte()
304 return sp->role.ad_disabled; in sp_ad_disabled()
317 * This is benign for non-TDP SPTEs as SPTE_TDP_AD_ENABLED is '0', in spte_ad_need_write_protect()
318 * and non-TDP SPTEs will never set these bits. Optimize for 64-bit in spte_ad_need_write_protect()
359 return rsvd_check->rsvd_bits_mask[bit7][level-1]; in get_rsvd_bits()
371 return rsvd_check->bad_mt_xwr & BIT_ULL(pte & 0x3f); in __is_bad_mt_xwr()
382 * A shadow-present leaf SPTE may be non-writable for 4 possible reasons:
384 * 1. To intercept writes for dirty logging. KVM write-protects huge pages
387 * write-protects 4KiB pages so that writes can be recorded in the dirty log
388 * (e.g. if not using PML). SPTEs are write-protected for dirty logging
389 * during the VM-iotcls that enable dirty logging.
396 * 3. To prevent guest writes to read-only memory, such as for memory in a
397 * read-only memslot or guest memory backed by a read-only VMA. Writes to
401 * case, the SPTE is access-protected, not just write-protected!
405 * To differentiate #1 and #4 from #2 and #3, KVM uses two software-only bits
408 * shadow_mmu_writable_mask, aka MMU-writable -
409 * Cleared on SPTEs that KVM is currently write-protecting for shadow paging
412 * shadow_host_writable_mask, aka Host-writable -
413 * Cleared on SPTEs that are not host-writable (case 3 above)
421 * ------------------------- | ------------------------ | ----------------
430 * Clearing the MMU-writable bit is always done under the MMU lock and always
432 * shadow page tables between vCPUs. Write-protecting an SPTE for dirty logging
433 * (which does not clear the MMU-writable bit), does not flush TLBs before
435 * dirty bitmap. Similarly, making the SPTE inaccessible (and non-writable) for
436 * access-tracking via the clear_young() MMU notifier also does not flush TLBs.
438 * So, there is the problem: clearing the MMU-writable bit can encounter a
439 * write-protected SPTE while CPUs still have writable mappings for that SPTE
441 * write-protecting SPTEs if the MMU-writable bit is set on the old SPTE.
443 * The Host-writable bit is not modified on present SPTEs, it is only set or
444 * cleared when an SPTE is first faulted in from non-present and then remains
452 /* Note: spte must be a shadow-present leaf SPTE. */
457 KBUILD_MODNAME ": MMU-writable SPTE is not Host-writable: %llx", in check_spte_writable_invariants()
461 KBUILD_MODNAME ": Writable SPTE is not MMU-writable: %llx", spte); in check_spte_writable_invariants()
472 * SPTE is a shadow-present, leaf SPTE (either before or after).
476 if (fault->exec) in is_access_allowed()
479 if (fault->write) in is_access_allowed()
487 * If the MMU-writable flag is cleared, i.e. the SPTE is write-protected for
488 * write-tracking, remote TLBs must be flushed, even if the SPTE was read-only,
491 * not whether or not SPTEs were modified, i.e. only the write-tracking case
503 * Note, this logic only applies to shadow-present leaf SPTEs. The caller is
504 * responsible for checking that the old SPTE is shadow-present, and is also
506 * modifying a shadow-present non-leaf SPTE.
536 /* Restore an acc-track PTE back to a regular PTE */