From b64488ab95b4c1517ea1d8e6c124ce4828cb879d Mon Sep 17 00:00:00 2001 From: Wojciech Ozga Date: Thu, 20 Jun 2024 17:12:31 +0200 Subject: [PATCH] Described how interrupts are injected on platforms without AIA support Signed-off-by: Wojciech Ozga --- src/sbi_cove.adoc | 5 +++-- src/swlifecycle.adoc | 26 ++++++++++++++++++-------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/src/sbi_cove.adoc b/src/sbi_cove.adoc index 8800a06..95ed6d9 100644 --- a/src/sbi_cove.adoc +++ b/src/sbi_cove.adoc @@ -404,8 +404,9 @@ NACL shared memory region. ===== Management of secure interrupts The host can use the TEE Interrupt Extension (EXT_COVI) to manage secure TVM -interrupts on -platforms with AIA support. +interrupts on platforms with AIA support, or present these interrupts via HVIP +when resuming the vCPU execution via `sbi_covh_run_tvm_vcpu()` on platforms +without AIA support. ===== TVM teardown The host can teardown a TVM by calling `sbi_covh_destroy_tvm()`. This diff --git a/src/swlifecycle.adoc b/src/swlifecycle.adoc index f25e079..f93e351 100644 --- a/src/swlifecycle.adoc +++ b/src/swlifecycle.adoc @@ -527,6 +527,12 @@ when resuming. ==== TVM external interrupts +Platforms that do not support hardware-accelerated interrupt-controller +virtualization must rely on the OS/VMM for management of external interrupts. +The OS/VMM presents the external interrupt to the TVM via the HVIP register +when resuming the vCPU execution. The TSM must filter presented interrupts to +enforce that it injects only interrupts allow-listed by the TVM. + Hardware-accelerated interrupt-controller virtualization is possible for TVMs on platform supporting the Advanced Interrupt Architecture [AIA] and an implementation-defined method of isolating IMSIC guest interrupt files between 
@@ -689,17 +695,21 @@ triggered. *sbi_covg_allow_external_interrupt* -Registers an interrupt ID that the OS/VMM is allowed to trigger. Passing an -interrupt ID of -1 allows the injection of all external interrupts. TVM vCPUs -are started with all external interrupts completely denied by default. Generates -a TVM exit to notify the OS/VMM of the interrupt vector. +TVM can register an interrupt ID that the OS/VMM is allowed to trigger. Passing an +interrupt ID of the maximum value of unsigned long (`2^64-1`) allows the injection +of all external interrupts. TVM vCPUs are started with all external interrupts +denied by default. This call results in a TVM exit to notify the OS/VMM of the +interrupt vector. *sbi_covi_inject_tvm_cpu* -Injects a previously allow-listed interrupt into a TVM. The TSM updates the -interrupt state of the targeted virtual hart. The TSM may also enforce -rate-limiting on the injection of interrupts in order to prevent single-step -attacks by the OS/VMM. +The OS/VMM can use this ABI to inject an interrupt into a TVM's vCPU on systems +supporting AIA. On systems that do not support AIA, it should present the interrupts +via HVIP when resuming the vCPU execution via `sbi_covh_run_tvm_vcpu()`. +In both cases, the TSM updates the interrupt state of the targeted virtual hart after +filtering triggered interrupts using the TVM's allow-list. The TSM may also enforce +rate-limiting on the injection of interrupts in order to prevent single-step attacks +by the OS/VMM. === TVM shutdown
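Review bot: In the src/sbi_cove.adoc hunk ("Management of secure interrupts"), the new non-AIA clause says the host presents interrupts via HVIP but leaves out that the TSM filters them against the TVM's allow-list, which the src/swlifecycle.adoc changes in this same patch state as a requirement. Someone reading this section on its own could take the HVIP path as unfiltered. Suggest adding a short clause or cross-reference, for example "the TSM injects only interrupts allow-listed by the TVM", and rewording the sentence to avoid the doubled "via HVIP ... via `sbi_covh_run_tvm_vcpu()`".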
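Review bot: In the first src/swlifecycle.adoc hunk ("TVM external interrupts"), the added paragraph requires the TSM to filter presented interrupts but does not say what happens to a presented interrupt that is not allow-listed: whether it is silently dropped or the resume fails with an error visible to the OS/VMM. It also does not say how the TSM relates what the OS/VMM presents in the HVIP register to the interrupt IDs the TVM registered through `sbi_covg_allow_external_interrupt`. Since the filtering is stated as a "must", suggest specifying both behaviours here.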
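Review bot: In the second src/swlifecycle.adoc hunk, under *sbi_covg_allow_external_interrupt*, "the maximum value of unsigned long (`2^64-1`)" is only correct where unsigned long is 64 bits wide, whereas the replaced wording (-1) did not depend on the width. Suggest a width-independent phrasing such as "an interrupt ID with all bits set", or stating the width assumption explicitly. Under *sbi_covi_inject_tvm_cpu*, "it should present the interrupts" has an ambiguous "it" (the OS/VMM is presumably meant), and the rate-limiting sentence does not say whether the limit also applies to interrupts presented via HVIP on `sbi_covh_run_tvm_vcpu()`. Minor: "TVM can register" reads better as "The TVM can register".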