From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A629DC83F09
	for <linux-mm@archiver.kernel.org>; Wed,  9 Jul 2025 10:59:53 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 268566B00A1; Wed,  9 Jul 2025 06:59:53 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 23FD06B00C2; Wed,  9 Jul 2025 06:59:53 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 155E36B00C4; Wed,  9 Jul 2025 06:59:53 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id ED63E6B00A1
	for <linux-mm@kvack.org>; Wed,  9 Jul 2025 06:59:52 -0400 (EDT)
Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id 57EAC140407
	for <linux-mm@kvack.org>; Wed,  9 Jul 2025 10:59:52 +0000 (UTC)
X-FDA: 83644431024.24.2A4E650
Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73])
	by imf23.hostedemail.com (Postfix) with ESMTP id 8C9C6140013
	for <linux-mm@kvack.org>; Wed,  9 Jul 2025 10:59:50 +0000 (UTC)
Authentication-Results: imf23.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b=e74RSoeT;
	spf=pass (imf23.hostedemail.com: domain of 3pEtuaAUKCD8ubccbhpphmf.dpnmjovy-nnlwbdl.psh@flex--tabba.bounces.google.com designates 209.85.128.73 as permitted sender) smtp.mailfrom=3pEtuaAUKCD8ubccbhpphmf.dpnmjovy-nnlwbdl.psh@flex--tabba.bounces.google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1752058790;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:in-reply-to:
	 references:dkim-signature; bh=dnO+KloSGnsCSQpQy5155dfzAZ7oAybktNY4973okqU=;
	b=fq6wWz+uB7cJSeqq2IdftJ2Gzq+Vz84lAMkaDhcECCoBRtLbjPa0Pxgey5ks0s7FPuaWLm
	c0Q7D9MO7KeyheZZlyfWPp3h9RUE0JIpeBa4hklpIJWrTX0GejjLTqkTwOnIq63Y7TkLEn
	nEfsMqhdWTslliAnw/rf1G7XgsDQ3X8=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1752058790; a=rsa-sha256;
	cv=none;
	b=UuNUgJM9BV3Yu1YRAr1bm4l4mQa6ESXoc8meX5PFa7JasA7bIaQJp7hPoyf88vxG1driYE
	VVN/Dj2xoTlq59mEA8XYT1PpZtnDWSTkrK4Lr+YC0jyJXVD3OcN4gxOhFtStsue8EIgdOz
	foHgpjTtpDX6VPM8NrS5tHhAeUSWwPA=
ARC-Authentication-Results: i=1;
	imf23.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b=e74RSoeT;
	spf=pass (imf23.hostedemail.com: domain of 3pEtuaAUKCD8ubccbhpphmf.dpnmjovy-nnlwbdl.psh@flex--tabba.bounces.google.com designates 209.85.128.73 as permitted sender) smtp.mailfrom=3pEtuaAUKCD8ubccbhpphmf.dpnmjovy-nnlwbdl.psh@flex--tabba.bounces.google.com;
	dmarc=pass (policy=reject) header.from=google.com
Received: by mail-wm1-f73.google.com with SMTP id 5b1f17b1804b1-451deff247cso4126605e9.1
        for <linux-mm@kvack.org>; Wed, 09 Jul 2025 03:59:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1752058789; x=1752663589; darn=kvack.org;
        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=dnO+KloSGnsCSQpQy5155dfzAZ7oAybktNY4973okqU=;
        b=e74RSoeTkdnaVX+FqTeZblzKOuql8COlFa4TveE4GEkTH04mP4fgN67u+31R1p41f0
         UtyJBrZ8q4fAZbJ+OCHmIWomN1IReAPIfuEbxoUBE9h2tOjI3Cc+2Brd1ZLCKEBjue7P
         tNqgYIKqSMXHgjoih3VM6prRCI7qnR14cbGB0iHy7UvDGxFJfCEHkpPF5YvQNsBPos06
         /ADg65KXA0dqAPiiyma9j0NZOh7wxgnmQrxXxG4j5ORxapwj0cjZ9YPFOhv1lwhqOcas
         JuE3jGtykYUsQaJ62J2VJxvMy6HQQTL40dra3IOcTiLpbfAd03Ze9nfBbjKQGj6T1M1R
         bmWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752058789; x=1752663589;
        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=dnO+KloSGnsCSQpQy5155dfzAZ7oAybktNY4973okqU=;
        b=VdVHccVB+t4qnyJWY7SXpDPWoza30M5xKIF8GkTzs3nf4nvHr5ZxQz3T+W7ylXSmwM
         a6R6bexFIdoOJ+7kyWAbtHiVFzkW/BZBUv6DVJttbK0ckyIarJmdW0wM7IKJrFkvju+u
         283NmGyZlQgF5SvnTgmxP+aWF/uk4sSDtMWFQZizxzS5FTYtIMNf781Zt+NwpAdnP17P
         6SJhRmDeGH75q1XbUxwnc+Tj1pHWIyEA7QN49COrJ1VUft0uuPOgy0dfKvFpLD17qdqu
         0HCyXNIFXWFtyLjDaeShOnKTl5u4bXMwY3v/4kvpKz9EhRz+rjVnmTU9V9G2pBRgXXLU
         4UBg==
X-Forwarded-Encrypted: i=1; AJvYcCWeAAHzbaFxLwrgGK9ukSkrUT31+0qBQC2/CAyz4MrjPh9jYrGDBnVKKhtKZS0duQCnWmhDHq6gXQ==@kvack.org
X-Gm-Message-State: AOJu0YxZEGh89UihOZLKnzNYO/wyxyhpVzFobWjNWtf4bU/FLMpSVChw
	dw6J5off60LTowwS8rCofUQGlANnJDOX/Tm27moLPI3w8DGIztFaVv0I1Dn5obOoydpNWPZAqy8
	7fw==
X-Google-Smtp-Source: AGHT+IH97vlc2PwP5kjBWi2BuUgBLehVgDMNHnMBRqDSahyj4kB6WdLKy5MfyYEnD1QG3au218TPdoT90g==
X-Received: from wmbes22.prod.google.com ([2002:a05:600c:8116:b0:440:5d62:5112])
 (user=tabba job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:3b0f:b0:453:aca:4d08
 with SMTP id 5b1f17b1804b1-454d545fc59mr18960475e9.1.1752058788528; Wed, 09
 Jul 2025 03:59:48 -0700 (PDT)
Date: Wed,  9 Jul 2025 11:59:26 +0100
Mime-Version: 1.0
X-Mailer: git-send-email 2.50.0.727.gbf7dc18ff4-goog
Message-ID: <20250709105946.4009897-1-tabba@google.com>
Subject: [PATCH v13 00/20] KVM: Enable host userspace mapping for
 guest_memfd-backed memory for non-CoCo VMs
From: Fuad Tabba <tabba@google.com>
To: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, 
	kvmarm@lists.linux.dev
Cc: pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, 
	anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, 
	aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, 
	brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, 
	xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, 
	jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, 
	isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, 
	vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, 
	david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, 
	liam.merwick@oracle.com, isaku.yamahata@gmail.com, 
	kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, 
	quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, 
	quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, 
	quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, 
	james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, 
	maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, 
	roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, 
	rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, 
	jthoughton@google.com, peterx@redhat.com, pankaj.gupta@amd.com, 
	ira.weiny@intel.com, tabba@google.com
Content-Type: text/plain; charset="UTF-8"
X-Rspam-User: 
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 8C9C6140013
X-Stat-Signature: 6upawtrra73iimremoh94t9dohpaxxca
X-HE-Tag: 1752058790-271895
X-HE-Meta: U2FsdGVkX18WEXvpXm42oq7nXdU/ltJxIzLt8zHVv8jl+4GP4L/GS93YOoA5gHRGzB8lJaT5ulLefSE+SAa71vG0oasOsRmkpNFLyRYFUstMlQaBei+FxIvbKCFy905X7dIYZ0zGUATWPoN+UnpLKJNE/gmPIuHu00KkT7Ya8+wmsV4bCEA6qhg5hBEBVdzn9TX5P2xwYNCnJMBRfI+twPCcNP7ZlnrvljGxgMM9HsfHLG97FB83RZNVSpjJG/eJ+1Bz9tLQe1qmuakpxXpH++g4Twy2SW0U7D6SCpCjPPnTLCxSanCrrXwvGayJJIlN+62ZuBxaqnBjzA2aZPanWAUJYW+cc3Dl2TM/rEaJNBnx8O9fGjQqLYh6OgNs/qyJ+A8wXxnnxeD0y8RJau9kJHxJGmexlb48Dt3yobPsbwg32v22xTyX/gG4ogasbQHDOiJY8yVlWHy3qkWIAta+gZMQbcyVqqu88QHFanBiGAvvOnLg6y4QS7U4ZZ0oHcmGtU8EFJEXV+Q7vrsFgCmjNOmgtZyTW4VJDXJ1QAQo+kFoft6pZtjcQiN2mhIiS3yPVAB/LDEDd+BiHbwXhb+tv5n1icQjuWRxYcxOurh6f4gqSYMkyWyHxm1pT6h966qIUMiPymEKW8oP7DLyF7rgPfdalaZplBQAbQfsL6xNkb1TjBDkpsQ4huVisxxeTPdiGahePLLEZd3xzxNvTHgWdGfMLz/1QIKRfm/2mNZW2Edh3mbbONBZR08xN3Lxttl9kzmqRRj1meIsUUtYlbY9HIk2Dz4gUhuMnDVRkZo5Z7/WpC2xKVrcmAJcY3n6+GnSHzWSi0kRQpiKs4m2f70hnln8G6zF3Qp7d4clXiZ5AW6OnR32+COtjb2PKHxJykLVRF6UFADWyIgixZoI5Mh7NnRe6OCfydR51hKOy1KfhQHgEBc4mx1Fq1LYDDhB4F7UeBf0Wl2FP6ZS25/2Xgo
 ksPUYUeE
 nVCday45UGmtLCqslciDyzoc8TDhE8szGS3QlqN99xqDl2l0hikAbHnNwq6tlcpvIPGlFsOnthgfcx8ZDpbcq+cCwcdAWf96/NIJhaIRLSiPgJd2XdIusWJrdRhyDUXz0yem5guB5UmVRI3Eh18ULntCE1Ilmo4HGw++j0Cc96mCMNaDj7pJm0D6FkTEUjGLU57exrejTQ0yUlhdjBpkuX3h0/RJNLl4x/L/EXDYU5igHA0k0MiZOrI4wj7gyVlgE40l79ez+j+kByQgVKTxXc3tchoon35LY1/KSDwShQS7nMx25AF/Ih/Uw48jBh8LNw4fCjgPTXpSkeXgK7qTDJZUDJQKxp0BFcdqirB9d/0ttIs25PE8FhIG7f3R+jajAz8EHDPPwRtJBaNQk5v2JdZllcIm/4hjXQnyu7OFQ+w8UlRjtAx716d3/BNZjrrvYANdZBn3uEiS78CWJxgmd8hKAoljIZteeJU3LTme0oTZxa+SGuK6A4ssHWgA2jiySVOaQF+dbCw4Q02NSGu0iaN0tf11dQzDEUg/TFvzpg4y5pZOiB8u9HmNc7Z3iC/U/UlhnhNorOJlrMUVLuv0Uwjjfsy3fMSHFqB4jJxvRT7m9MroiC6T3h7eaGm1+/hbiQjdYEujcUQjyp2dyAq0fWLhzIMH8iPl1WgTGfb6hPYui41KZBNV7KFyw6Ww1fVIt8DyUPsk2nu6RePCgREfKmdf52Thxu1ERskyKFz8dXX8f5HfOX1whNdc2yjzIgb7sFS3nPC6oz3yeOr2VFdVEuzlGdw==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Main changes since v12 [1]:
* Rename various functions and variables
* Expand and clarify commit messages
* Rebase on Linux 6.16-rc5

This patch series enables host userspace mapping of guest_memfd-backed
memory for non-CoCo VMs. This is required for several evolving KVM use
cases:

* Allows VMMs like Firecracker to run guests entirely backed by
  guest_memfd [2]. This provides a unified memory management model for
  both confidential and non-confidential guests, simplifying VMM design.

* Enhanced Security via direct map removal: When combined with Patrick's
  series for direct map removal [3], this provides additional hardening
  against Spectre-like transient execution attacks by eliminating the
  need for host kernel direct maps of guest memory.

* Lays the groundwork for *restricted* mmap() support for
  guest_memfd-backed memory on CoCo platforms [4] that permit in-place
  sharing of guest memory with the host.

Patch breakdown:

Patches 1-7: Primarily infrastructure refactorings and renames to decouple
guest_memfd from the concept of "private" memory.

Patches 8-9: Add support for the host to map guest_memfd backed memory
for non-CoCo VMs, which includes support for mmap() and fault handling.
This is gated by a new configuration option, toggled by a new flag, and
advertised to userspace by a new capability (introduced in patch 18).

Patches 10-14: Implement x86 guest_memfd mmap support.

Patches 15-17: Implement arm64 guest_memfd mmap support.

Patch 18: Introduce the new capability to advertise this support and
update the documentation.

Patches 19-20: Update and expand selftests for guest_memfd to include
mmap functionality and improve portability.

To test this patch series and boot a guest utilizing the new features,
please refer to the instructions in v8 of the series [5]. Note that
kvmtool for Linux 6.16 (available at [6]) is required, as the
KVM_CAP_GMEM_MMAP capability number has changed, additionally, drop the
--sw_protected kvmtool parameter to test with the default VM type.

Cheers,
/fuad

[1] https://lore.kernel.org/all/20250611133330.1514028-3-tabba@google.com/T/
[2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding
[3] https://lore.kernel.org/all/20250221160728.1584559-1-roypat@amazon.co.uk/
[4] https://lore.kernel.org/all/20250328153133.3504118-1-tabba@google.com/
[5] https://lore.kernel.org/all/20250430165655.605595-1-tabba@google.com/
[6] https://android-kvm.googlesource.com/kvmtool/+/refs/heads/tabba/guestmem-basic-6.16

Ackerley Tng (4):
  KVM: x86/mmu: Generalize private_max_mapping_level x86 op to
    max_mapping_level
  KVM: x86/mmu: Allow NULL-able fault in kvm_max_private_mapping_level
  KVM: x86/mmu: Consult guest_memfd when computing max_mapping_level
  KVM: x86/mmu: Handle guest page faults for guest_memfd with shared
    memory

Fuad Tabba (16):
  KVM: Rename CONFIG_KVM_PRIVATE_MEM to CONFIG_KVM_GMEM
  KVM: Rename CONFIG_KVM_GENERIC_PRIVATE_MEM to
    CONFIG_KVM_GENERIC_GMEM_POPULATE
  KVM: Introduce kvm_arch_supports_gmem()
  KVM: x86: Introduce kvm->arch.supports_gmem
  KVM: Rename kvm_slot_can_be_private() to kvm_slot_has_gmem()
  KVM: Fix comments that refer to slots_lock
  KVM: Fix comment that refers to kvm uapi header path
  KVM: guest_memfd: Allow host to map guest_memfd pages
  KVM: guest_memfd: Track guest_memfd mmap support in memslot
  KVM: x86: Enable guest_memfd mmap for default VM type
  KVM: arm64: Refactor user_mem_abort()
  KVM: arm64: Handle guest_memfd-backed guest page faults
  KVM: arm64: Enable host mapping of shared guest_memfd memory
  KVM: Introduce the KVM capability KVM_CAP_GMEM_MMAP
  KVM: selftests: Do not use hardcoded page sizes in guest_memfd test
  KVM: selftests: guest_memfd mmap() test when mmap is supported

 Documentation/virt/kvm/api.rst                |   9 +
 arch/arm64/include/asm/kvm_host.h             |   4 +
 arch/arm64/kvm/Kconfig                        |   1 +
 arch/arm64/kvm/mmu.c                          | 190 ++++++++++++----
 arch/x86/include/asm/kvm-x86-ops.h            |   2 +-
 arch/x86/include/asm/kvm_host.h               |  18 +-
 arch/x86/kvm/Kconfig                          |   7 +-
 arch/x86/kvm/mmu/mmu.c                        | 115 ++++++----
 arch/x86/kvm/svm/sev.c                        |  12 +-
 arch/x86/kvm/svm/svm.c                        |   3 +-
 arch/x86/kvm/svm/svm.h                        |   4 +-
 arch/x86/kvm/vmx/main.c                       |   6 +-
 arch/x86/kvm/vmx/tdx.c                        |   6 +-
 arch/x86/kvm/vmx/x86_ops.h                    |   2 +-
 arch/x86/kvm/x86.c                            |   5 +-
 include/linux/kvm_host.h                      |  64 +++++-
 include/uapi/linux/kvm.h                      |   2 +
 tools/testing/selftests/kvm/Makefile.kvm      |   1 +
 .../testing/selftests/kvm/guest_memfd_test.c  | 208 +++++++++++++++---
 virt/kvm/Kconfig                              |  14 +-
 virt/kvm/Makefile.kvm                         |   2 +-
 virt/kvm/guest_memfd.c                        |  96 +++++++-
 virt/kvm/kvm_main.c                           |  14 +-
 virt/kvm/kvm_mm.h                             |   4 +-
 24 files changed, 622 insertions(+), 167 deletions(-)


base-commit: d7b8f8e20813f0179d8ef519541a3527e7661d3a
-- 
2.50.0.727.gbf7dc18ff4-goog