| Message ID | 20240625130042.259175-3-maz@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | KVM: arm64: Fix handling of TCR2_EL1 | expand |
On Tue, Jun 25, 2024 at 02:00:38PM +0100, Marc Zyngier wrote: > HCRX_GUEST_FLAGS gives random KVM hackers the impression that > they can stuff bits in this macro and unconditionally enable > features in the guest. > > In general, this is wrong (we have been there with FEAT_MOPS, > and again with FEAT_TCRX). > > Document that HCRX_EL2.SMPME is an exception rather than the rule, > and get rid of HCRX_GUEST_FLAGS. > > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- > arch/arm64/include/asm/kvm_arm.h | 1 - > arch/arm64/kvm/sys_regs.c | 8 +++++++- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h > index e6682a3ace5af..d81cc746e0ebd 100644 > --- a/arch/arm64/include/asm/kvm_arm.h > +++ b/arch/arm64/include/asm/kvm_arm.h > @@ -102,7 +102,6 @@ > #define HCR_HOST_NVHE_PROTECTED_FLAGS (HCR_HOST_NVHE_FLAGS | HCR_TSC) > #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) > > -#define HCRX_GUEST_FLAGS (HCRX_EL2_SMPME) > #define HCRX_HOST_FLAGS (HCRX_EL2_MSCEn | HCRX_EL2_TCR2En | HCRX_EL2_EnFPM) > > /* TCR_EL2 Registers bits */ > diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c > index 71996d36f3751..8e22232c4b0f4 100644 > --- a/arch/arm64/kvm/sys_regs.c > +++ b/arch/arm64/kvm/sys_regs.c > @@ -4062,7 +4062,13 @@ void kvm_init_sysreg(struct kvm_vcpu *vcpu) > vcpu->arch.hcr_el2 |= HCR_TTLBOS; > > if (cpus_have_final_cap(ARM64_HAS_HCX)) { > - vcpu->arch.hcrx_el2 = HCRX_GUEST_FLAGS; > + /* > + * In general, all HCRX_EL2 bits are gated by a feature. > + * The only reason we can set SMPME without checking any > + * feature is that its effects are not directly observable > + * from the guest. > + */ > + vcpu->arch.hcrx_el2 = HCRX_EL2_SMPME; > > if (kvm_has_feat(kvm, ID_AA64ISAR2_EL1, MOPS, IMP)) > vcpu->arch.hcrx_el2 |= (HCRX_EL2_MSCEn | HCRX_EL2_MCE2); Reviewed-by: Joey Gouly <joey.gouly@arm.com>
diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index e6682a3ace5af..d81cc746e0ebd 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -102,7 +102,6 @@ #define HCR_HOST_NVHE_PROTECTED_FLAGS (HCR_HOST_NVHE_FLAGS | HCR_TSC) #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) -#define HCRX_GUEST_FLAGS (HCRX_EL2_SMPME) #define HCRX_HOST_FLAGS (HCRX_EL2_MSCEn | HCRX_EL2_TCR2En | HCRX_EL2_EnFPM) /* TCR_EL2 Registers bits */ diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 71996d36f3751..8e22232c4b0f4 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -4062,7 +4062,13 @@ void kvm_init_sysreg(struct kvm_vcpu *vcpu) vcpu->arch.hcr_el2 |= HCR_TTLBOS; if (cpus_have_final_cap(ARM64_HAS_HCX)) { - vcpu->arch.hcrx_el2 = HCRX_GUEST_FLAGS; + /* + * In general, all HCRX_EL2 bits are gated by a feature. + * The only reason we can set SMPME without checking any + * feature is that its effects are not directly observable + * from the guest. + */ + vcpu->arch.hcrx_el2 = HCRX_EL2_SMPME; if (kvm_has_feat(kvm, ID_AA64ISAR2_EL1, MOPS, IMP)) vcpu->arch.hcrx_el2 |= (HCRX_EL2_MSCEn | HCRX_EL2_MCE2);
HCRX_GUEST_FLAGS gives random KVM hackers the impression that they can stuff bits in this macro and unconditionally enable features in the guest. In general, this is wrong (we have been there with FEAT_MOPS, and again with FEAT_TCRX). Document that HCRX_EL2.SMPME is an exception rather than the rule, and get rid of HCRX_GUEST_FLAGS. Signed-off-by: Marc Zyngier <maz@kernel.org> --- arch/arm64/include/asm/kvm_arm.h | 1 - arch/arm64/kvm/sys_regs.c | 8 +++++++- 2 files changed, 7 insertions(+), 2 deletions(-)