[XEN,v4,1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option

Message ID 20240131121049.225044-2-ayan.kumar.halder@amd.com (mailing list archive)
State Superseded
Series: xen/arm: Add emulation of Debug Data Transfer Registers

Commit Message

Ayan Kumar Halder Jan. 31, 2024, 12:10 p.m. UTC
There can be situations when the registers cannot be emulated to their full
functionality. This can be due to the complexity involved. In such cases, one
can emulate those registers as RAZ/WI, for example. We call this partial
emulation.

Some registers are non-optional and as such there is nothing preventing an OS
from accessing them.
Instead of injecting an undefined exception (thus crashing the guest), one may
prefer a partial emulation to let the guest run (in some cases accepting
the fact that it might result in unwanted behavior).

A suitable example of this (as seen in subsequent patches) is the emulation of
DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT (on Arm32). These non-optional
registers can be emulated as RAZ/WI and they can be enclosed within
CONFIG_PARTIAL_EMULATION.

Further, the "partial-emulation" command line option allows us to
enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
enables support for partial emulation at compile time (i.e. adds code for
partial emulation), this option may be enabled or disabled by Yocto or other
build systems. However, if the build system turns this option on, users
can use scripts like Imagebuilder to generate a u-boot script which will append
"partial-emulation=false" to the Xen command line to turn off the partial
emulation. Thus, it helps to avoid rebuilding Xen.

By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
This is done so that Xen supports partial emulation. However, customers are
fully aware when they enable partial emulation. It's important to note that
enabling such support might result in unwanted/non-spec compliant behavior.

Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
---
Changes from v1 :-
1. New patch introduced in v2.

v2 :-
1. Reordered the patches so that the config and command line option is
introduced in the first patch.

v3 :-
1. Defined a macro 'partial_emulation' to reduce ifdefs.
2. Fixed style issues.

 docs/misc/xen-command-line.pandoc | 11 +++++++++++
 xen/arch/arm/Kconfig              |  9 +++++++++
 xen/arch/arm/include/asm/traps.h  |  6 ++++++
 xen/arch/arm/traps.c              |  9 +++++++++
 4 files changed, 35 insertions(+)

Comments

Michal Orzel Jan. 31, 2024, 12:43 p.m. UTC | #1
Hi Ayan,

On 31/01/2024 13:10, Ayan Kumar Halder wrote:
> There can be situations when the registers cannot be emulated to their full
> functionality. This can be due to the complexity involved. In such cases, one
> can emulate those registers as RAZ/WI for example. We call them as partial
> emulation.
> 
> Some registers are non-optional and as such there is nothing preventing an OS
> from accessing them.
> Instead of injecting undefined exception (thus crashing a guest), one may want
> to prefer a partial emulation to let the guest running (in some cases accepting
> the fact that it might result in unwanted behavior).
> 
> A suitable example of this (as seen in subsequent patches) is emulation of
> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
> registers can be emulated as RAZ/WI and they can be enclosed within
> CONFIG_PARTIAL_EMULATION.
> 
> Further, "partial-emulation" command line option allows us to
> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
> enables support for partial emulation at compile time (i.e. adds code for
> partial emulation), this option may be enabled or disabled by Yocto or other
> build systems. However if the build system turns this option on, users
> can use scripts like Imagebuilder to generate uboot-script which will append
> "partial-emulation=false" to xen command line to turn off the partial
NIT: given that the option is false by default, it would make more sense to give example
with setting it to true to enable it.

> emulation. Thus, it helps to avoid rebuilding xen.
> 
> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
> This is done so that Xen supports partial emulation. However, customers are
> fully aware when they enable partial emulation. It's important to note that
> enabling such support might result in unwanted/non-spec compliant behavior.
> 
> Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
> ---
> Changes from v1 :-
> 1. New patch introduced in v2.
> 
> v2 :-
> 1. Reordered the patches so that the config and command line option is
> introduced in the first patch.
> 
> v3 :-
> 1. Defined a macro 'partial_emulation' to reduce if-defs.
> 2. Fixed style issues.
> 
>  docs/misc/xen-command-line.pandoc | 11 +++++++++++
>  xen/arch/arm/Kconfig              |  9 +++++++++
>  xen/arch/arm/include/asm/traps.h  |  6 ++++++
>  xen/arch/arm/traps.c              |  9 +++++++++
>  4 files changed, 35 insertions(+)
> 
> diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
> index 8e65f8bd18..22c0d7c9f6 100644
> --- a/docs/misc/xen-command-line.pandoc
> +++ b/docs/misc/xen-command-line.pandoc
> @@ -1949,6 +1949,17 @@ This option is ignored in **pv-shim** mode.
>  
>  > Default: `on`
>  
> +### partial-emulation (arm)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Flag to enable or disable partial emulation of system/coprocessor registers.
> +Only effective if CONFIG_PARTIAL_EMULATION is enabled.
> +
> +**WARNING: Enabling this option might result in unwanted/non-spec compliant
> +behavior.**
> +
>  ### pci
>      = List of [ serr=<bool>, perr=<bool> ]
>  
> diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
> index 50e9bfae1a..8d8f668e7f 100644
> --- a/xen/arch/arm/Kconfig
> +++ b/xen/arch/arm/Kconfig
> @@ -225,6 +225,15 @@ config STATIC_EVTCHN
>  	  This option enables establishing static event channel communication
>  	  between domains on a dom0less system (domU-domU as well as domU-dom0).
>  
> +config PARTIAL_EMULATION
> +	bool "Enable partial emulation of system/coprocessor registers"
> +	default y
> +	help
> +	  This option enables partial emulation of registers to prevent guests
> +	  crashing when accessing registers which are not optional but have not been
> +	  emulated to its complete functionality. Enabling this might result in
NIT: s/its/their

Other than that:
Reviewed-by: Michal Orzel <michal.orzel@amd.com>

~Michal
Julien Grall Feb. 6, 2024, 6:49 p.m. UTC | #2
Hi Ayan,

On 31/01/2024 12:10, Ayan Kumar Halder wrote:
> There can be situations when the registers cannot be emulated to their full
> functionality. This can be due to the complexity involved. In such cases, one
> can emulate those registers as RAZ/WI for example. We call them as partial
> emulation.
> 
> Some registers are non-optional and as such there is nothing preventing an OS
> from accessing them.
> Instead of injecting undefined exception (thus crashing a guest), one may want
> to prefer a partial emulation to let the guest running (in some cases accepting
> the fact that it might result in unwanted behavior).
> 
> A suitable example of this (as seen in subsequent patches) is emulation of
> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
> registers can be emulated as RAZ/WI and they can be enclosed within
> CONFIG_PARTIAL_EMULATION.
> 
> Further, "partial-emulation" command line option allows us to
> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
> enables support for partial emulation at compile time (i.e. adds code for
> partial emulation), this option may be enabled or disabled by Yocto or other
> build systems. However if the build system turns this option on, users
> can use scripts like Imagebuilder to generate uboot-script which will append
> "partial-emulation=false" to xen command line to turn off the partial
> emulation. Thus, it helps to avoid rebuilding xen.
> 
> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
> This is done so that Xen supports partial emulation. However, customers are
> fully aware when they enable partial emulation. It's important to note that
> enabling such support might result in unwanted/non-spec compliant behavior.

Can you remind me why this is built by default? In particular...

> 
> Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
> ---
> Changes from v1 :-
> 1. New patch introduced in v2.
> 
> v2 :-
> 1. Reordered the patches so that the config and command line option is
> introduced in the first patch.
> 
> v3 :-
> 1. Defined a macro 'partial_emulation' to reduce if-defs.
> 2. Fixed style issues.
> 
>   docs/misc/xen-command-line.pandoc | 11 +++++++++++
>   xen/arch/arm/Kconfig              |  9 +++++++++
>   xen/arch/arm/include/asm/traps.h  |  6 ++++++
>   xen/arch/arm/traps.c              |  9 +++++++++
>   4 files changed, 35 insertions(+)
> 
> diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
> index 8e65f8bd18..22c0d7c9f6 100644
> --- a/docs/misc/xen-command-line.pandoc
> +++ b/docs/misc/xen-command-line.pandoc
> @@ -1949,6 +1949,17 @@ This option is ignored in **pv-shim** mode.
>   
>   > Default: `on`
>   
> +### partial-emulation (arm)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Flag to enable or disable partial emulation of system/coprocessor registers.
> +Only effective if CONFIG_PARTIAL_EMULATION is enabled.
> +
> +**WARNING: Enabling this option might result in unwanted/non-spec compliant
> +behavior.**

... leads me to think that the default config should have it off. Still 
letting the integrator optionally opt-in.

It also wants some explanation about the security support statement. Is 
the goal to support any security issue that may arise from someone 
adding 'partial-emulation=true'?

> +
>   ### pci
>       = List of [ serr=<bool>, perr=<bool> ]
>   
> diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
> index 50e9bfae1a..8d8f668e7f 100644
> --- a/xen/arch/arm/Kconfig
> +++ b/xen/arch/arm/Kconfig
> @@ -225,6 +225,15 @@ config STATIC_EVTCHN
>   	  This option enables establishing static event channel communication
>   	  between domains on a dom0less system (domU-domU as well as domU-dom0).
>   
> +config PARTIAL_EMULATION
> +	bool "Enable partial emulation of system/coprocessor registers"
> +	default y
> +	help
> +	  This option enables partial emulation of registers to prevent guests
> +	  crashing when accessing registers which are not optional but have not been

I think we need to list somewhere (possibly in the command line 
documentation) which registers are partially implemented. This will help 
the admin to quickly figure out whether this option makes sense for them.

> +	  emulated to its complete functionality. Enabling this might result in
> +	  unwanted/non-spec compliant behavior.

The description leads me to think that if this is selected, then Xen will do 
the partial emulation. However, this does not match the code.

Selecting this option doesn't result in unwanted/non-spec compliant 
behavior. What triggers the unwanted behavior is the command line option.

So I would suggest to reword the Kconfig to:

"Partial emulation support"

"Some of the required registers are not properly emulated by Xen. This 
option will allow the admin to select at runtime (via the command line 
option 'partial-emulation') whether the registers are unimplemented (i.e. a 
fault will be injected on access) or they will be partially emulated.

Partial emulation could be useful if a guest is trying to access any of 
the registers (see XXX for the list).

> +
>   endmenu
>   
>   menu "ARM errata workaround via the alternative framework"
> diff --git a/xen/arch/arm/include/asm/traps.h b/xen/arch/arm/include/asm/traps.h
> index 883dae368e..9a60dbf70e 100644
> --- a/xen/arch/arm/include/asm/traps.h
> +++ b/xen/arch/arm/include/asm/traps.h
> @@ -10,6 +10,12 @@
>   # include <asm/arm64/traps.h>
>   #endif
>   
> +#ifdef CONFIG_PARTIAL_EMULATION
> +extern bool partial_emulation;
> +#else
> +#define partial_emulation false
> +#endif
> +
>   /*
>    * GUEST_BUG_ON is intended for checking that the guest state has not been
>    * corrupted in hardware and/or that the hardware behaves as we
> diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
> index 9c10e8f78c..d1c7a6c516 100644
> --- a/xen/arch/arm/traps.c
> +++ b/xen/arch/arm/traps.c
> @@ -42,6 +42,15 @@
>   #include <asm/vgic.h>
>   #include <asm/vtimer.h>
>   
> +/*
> + * partial_emulation: If true, partial emulation for system/coprocessor
> + * registers will be enabled.
> + */
> +#ifdef CONFIG_PARTIAL_EMULATION
> +bool __ro_after_init partial_emulation = false;
> +boolean_param("partial-emulation", partial_emulation);
> +#endif

I think we should use warning_add() to print a message indicating the 
admin has enabled a configuration that is potentially unsafe for the guest.

> +
>   /* The base of the stack must always be double-word aligned, which means
>    * that both the kernel half of struct cpu_user_regs (which is pushed in
>    * entry.S) and struct cpu_info (which lives at the bottom of a Xen

Cheers,
Michal Orzel Feb. 7, 2024, 7:45 a.m. UTC | #3
Hi Julien,

On 06/02/2024 19:49, Julien Grall wrote:
> 
> 
> Hi Ayan,
> 
> On 31/01/2024 12:10, Ayan Kumar Halder wrote:
>> There can be situations when the registers cannot be emulated to their full
>> functionality. This can be due to the complexity involved. In such cases, one
>> can emulate those registers as RAZ/WI for example. We call them as partial
>> emulation.
>>
>> Some registers are non-optional and as such there is nothing preventing an OS
>> from accessing them.
>> Instead of injecting undefined exception (thus crashing a guest), one may want
>> to prefer a partial emulation to let the guest running (in some cases accepting
>> the fact that it might result in unwanted behavior).
>>
>> A suitable example of this (as seen in subsequent patches) is emulation of
>> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
>> registers can be emulated as RAZ/WI and they can be enclosed within
>> CONFIG_PARTIAL_EMULATION.
>>
>> Further, "partial-emulation" command line option allows us to
>> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
>> enables support for partial emulation at compile time (i.e. adds code for
>> partial emulation), this option may be enabled or disabled by Yocto or other
>> build systems. However if the build system turns this option on, users
>> can use scripts like Imagebuilder to generate uboot-script which will append
>> "partial-emulation=false" to xen command line to turn off the partial
>> emulation. Thus, it helps to avoid rebuilding xen.
>>
>> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
>> This is done so that Xen supports partial emulation. However, customers are
>> fully aware when they enable partial emulation. It's important to note that
>> enabling such support might result in unwanted/non-spec compliant behavior.
> 
> Can you remind me why this is built by default? In particular...
This is the result of the RFC discussion we had, where both Bertrand and Stefano agreed on having
the Kconfig enabled by default to improve user experience:
Bertrand:
https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@arm.com/
Stefano:
https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/

~Michal
Julien Grall Feb. 7, 2024, 10:06 a.m. UTC | #4
Hi Michal,

On 07/02/2024 07:45, Michal Orzel wrote:
> On 06/02/2024 19:49, Julien Grall wrote:
>> On 31/01/2024 12:10, Ayan Kumar Halder wrote:
>>> There can be situations when the registers cannot be emulated to their full
>>> functionality. This can be due to the complexity involved. In such cases, one
>>> can emulate those registers as RAZ/WI for example. We call them as partial
>>> emulation.
>>>
>>> Some registers are non-optional and as such there is nothing preventing an OS
>>> from accessing them.
>>> Instead of injecting undefined exception (thus crashing a guest), one may want
>>> to prefer a partial emulation to let the guest running (in some cases accepting
>>> the fact that it might result in unwanted behavior).
>>>
>>> A suitable example of this (as seen in subsequent patches) is emulation of
>>> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
>>> registers can be emulated as RAZ/WI and they can be enclosed within
>>> CONFIG_PARTIAL_EMULATION.
>>>
>>> Further, "partial-emulation" command line option allows us to
>>> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
>>> enables support for partial emulation at compile time (i.e. adds code for
>>> partial emulation), this option may be enabled or disabled by Yocto or other
>>> build systems. However if the build system turns this option on, users
>>> can use scripts like Imagebuilder to generate uboot-script which will append
>>> "partial-emulation=false" to xen command line to turn off the partial
>>> emulation. Thus, it helps to avoid rebuilding xen.
>>>
>>> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
>>> This is done so that Xen supports partial emulation. However, customers are
>>> fully aware when they enable partial emulation. It's important to note that
>>> enabling such support might result in unwanted/non-spec compliant behavior.
>>
>> Can you remind me why this is built by default? In particular...
> This is the result of RFC discussion we had, where both Bertrand and Stefano agreed on having
> the Kconfig enabled by default to improve user experience:
> Bertrand:
> https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@arm.com/
> Stefano:
> https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/

Thanks for the pointer. I thought a bit more and per se the default of 
the Kconfig doesn't really matter too much. So I am fine to keep it on 
by default.

That said, I think we need to detail the security support for the 
command line in SUPPORT.md. I think we want to consider not security 
supporting any issue that would allow the userland to attack the guest OS 
due to a bug in the partial emulation.

I would be fine with security supporting any issue that would 
DoS/compromise Xen.

Cheers,
Michal Orzel Feb. 7, 2024, 11:52 a.m. UTC | #5
On 07/02/2024 11:06, Julien Grall wrote:
> 
> 
> Hi Michal,
> 
> On 07/02/2024 07:45, Michal Orzel wrote:
>> On 06/02/2024 19:49, Julien Grall wrote:
>>> On 31/01/2024 12:10, Ayan Kumar Halder wrote:
>>>> There can be situations when the registers cannot be emulated to their full
>>>> functionality. This can be due to the complexity involved. In such cases, one
>>>> can emulate those registers as RAZ/WI for example. We call them as partial
>>>> emulation.
>>>>
>>>> Some registers are non-optional and as such there is nothing preventing an OS
>>>> from accessing them.
>>>> Instead of injecting undefined exception (thus crashing a guest), one may want
>>>> to prefer a partial emulation to let the guest running (in some cases accepting
>>>> the fact that it might result in unwanted behavior).
>>>>
>>>> A suitable example of this (as seen in subsequent patches) is emulation of
>>>> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
>>>> registers can be emulated as RAZ/WI and they can be enclosed within
>>>> CONFIG_PARTIAL_EMULATION.
>>>>
>>>> Further, "partial-emulation" command line option allows us to
>>>> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
>>>> enables support for partial emulation at compile time (i.e. adds code for
>>>> partial emulation), this option may be enabled or disabled by Yocto or other
>>>> build systems. However if the build system turns this option on, users
>>>> can use scripts like Imagebuilder to generate uboot-script which will append
>>>> "partial-emulation=false" to xen command line to turn off the partial
>>>> emulation. Thus, it helps to avoid rebuilding xen.
>>>>
>>>> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
>>>> This is done so that Xen supports partial emulation. However, customers are
>>>> fully aware when they enable partial emulation. It's important to note that
>>>> enabling such support might result in unwanted/non-spec compliant behavior.
>>>
>>> Can you remind me why this is built by default? In particular...
>> This is the result of RFC discussion we had, where both Bertrand and Stefano agreed on having
>> the Kconfig enabled by default to improve user experience:
>> Bertrand:
>> https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@arm.com/
>> Stefano:
>> https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/
> 
> Thanks for the pointer. I thought a bit more and per-se the default of
> the Kconfig doesn't really matter too much. So I am fine to keep it on
> by default.
> 
> That said, I think we need to detail the security support for the
> command line in SUPPORT.md. I think we want to consider to not security
> support any issue that would allow the userland to attack the guest OS
> due to a bug in the partial emulation.
> 
> I would be fine with security supporting any issue that would
> DoS/compromise Xen.
Sounds good to me. Something like:
### ARM/Partial emulation

Enable partial emulation of registers, otherwise considered unimplemented,
that would normally trigger a fault injection.

    Status: Supported, with caveats

Bugs allowing the userspace to attack the guest OS will not be considered
security vulnerabilities.

Bugs that could compromise Xen will be considered security vulnerabilities.

~Michal
Julien Grall Feb. 7, 2024, 12:07 p.m. UTC | #6
Hi Michal,

On 07/02/2024 11:52, Michal Orzel wrote:
> 
> 
> On 07/02/2024 11:06, Julien Grall wrote:
>>
>>
>> Hi Michal,
>>
>> On 07/02/2024 07:45, Michal Orzel wrote:
>>> On 06/02/2024 19:49, Julien Grall wrote:
>>>> On 31/01/2024 12:10, Ayan Kumar Halder wrote:
>>>>> There can be situations when the registers cannot be emulated to their full
>>>>> functionality. This can be due to the complexity involved. In such cases, one
>>>>> can emulate those registers as RAZ/WI for example. We call them as partial
>>>>> emulation.
>>>>>
>>>>> Some registers are non-optional and as such there is nothing preventing an OS
>>>>> from accessing them.
>>>>> Instead of injecting undefined exception (thus crashing a guest), one may want
>>>>> to prefer a partial emulation to let the guest running (in some cases accepting
>>>>> the fact that it might result in unwanted behavior).
>>>>>
>>>>> A suitable example of this (as seen in subsequent patches) is emulation of
>>>>> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
>>>>> registers can be emulated as RAZ/WI and they can be enclosed within
>>>>> CONFIG_PARTIAL_EMULATION.
>>>>>
>>>>> Further, "partial-emulation" command line option allows us to
>>>>> enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
>>>>> enables support for partial emulation at compile time (i.e. adds code for
>>>>> partial emulation), this option may be enabled or disabled by Yocto or other
>>>>> build systems. However if the build system turns this option on, users
>>>>> can use scripts like Imagebuilder to generate uboot-script which will append
>>>>> "partial-emulation=false" to xen command line to turn off the partial
>>>>> emulation. Thus, it helps to avoid rebuilding xen.
>>>>>
>>>>> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
>>>>> This is done so that Xen supports partial emulation. However, customers are
>>>>> fully aware when they enable partial emulation. It's important to note that
>>>>> enabling such support might result in unwanted/non-spec compliant behavior.
>>>>
>>>> Can you remind me why this is built by default? In particular...
>>> This is the result of RFC discussion we had, where both Bertrand and Stefano agreed on having
>>> the Kconfig enabled by default to improve user experience:
>>> Bertrand:
>>> https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@arm.com/
>>> Stefano:
>>> https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/
>>
>> Thanks for the pointer. I thought a bit more and per-se the default of
>> the Kconfig doesn't really matter too much. So I am fine to keep it on
>> by default.
>>
>> That said, I think we need to detail the security support for the
>> command line in SUPPORT.md. I think we want to consider to not security
>> support any issue that would allow the userland to attack the guest OS
>> due to a bug in the partial emulation.
>>
>> I would be fine with security supporting any issue that would
>> DoS/compromise Xen.
> Sounds good to me. Something like:
> ### ARM/Partial emulation
> 
> Enable partial emulation of registers, otherwise considered unimplemented,
> that would normally trigger a fault injection.
> 
>      Status: Supported, with caveats
> 
> Bugs allowing the userspace to attack the guest OS will not be considered
> security vulnerabilities.
> 
> Bugs that could compromise Xen will be considered security vulnerabilities.

LGTM.

Cheers,

Patch

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 8e65f8bd18..22c0d7c9f6 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1949,6 +1949,17 @@  This option is ignored in **pv-shim** mode.
 
 > Default: `on`
 
+### partial-emulation (arm)
+> `= <boolean>`
+
+> Default: `false`
+
+Flag to enable or disable partial emulation of system/coprocessor registers.
+Only effective if CONFIG_PARTIAL_EMULATION is enabled.
+
+**WARNING: Enabling this option might result in unwanted/non-spec compliant
+behavior.**
+
 ### pci
     = List of [ serr=<bool>, perr=<bool> ]
 
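Review bot: the new `partial-emulation` entry never says which registers it affects, so an admin cannot tell from the documentation alone whether the option is relevant to them; the cover text names DBGDTRTX_EL0 (Arm64) and DBGDTRTXINT (Arm32) as the registers emulated RAZ/WI, so list them (and keep the list current as registers are added) right after `Only effective if CONFIG_PARTIAL_EMULATION is enabled.`. The `**WARNING**` also says nothing about the security support boundary; a pointer to the SUPPORT.md entry drafted in the thread (bugs letting guest userspace attack the guest OS not security supported, bugs that could DoS or compromise Xen supported) belongs here too.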
diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 50e9bfae1a..8d8f668e7f 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -225,6 +225,15 @@  config STATIC_EVTCHN
 	  This option enables establishing static event channel communication
 	  between domains on a dom0less system (domU-domU as well as domU-dom0).
 
+config PARTIAL_EMULATION
+	bool "Enable partial emulation of system/coprocessor registers"
+	default y
+	help
+	  This option enables partial emulation of registers to prevent guests
+	  crashing when accessing registers which are not optional but have not been
+	  emulated to its complete functionality. Enabling this might result in
+	  unwanted/non-spec compliant behavior.
+
 endmenu
 
 menu "ARM errata workaround via the alternative framework"
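Review bot: the help text reads as if selecting the Kconfig alone turns partial emulation on (`This option enables partial emulation of registers to prevent guests` ... `Enabling this might result in unwanted/non-spec compliant behavior.`), but with `default y` and the variable initialised to `false`, building it only adds the code; behaviour changes only when `partial-emulation` is passed on the command line. Reword it as compile-time support that the admin opts into at runtime via `partial-emulation`, so that `default y` does not look like an unsafe default, and fix `emulated to its complete functionality` to `their`.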
diff --git a/xen/arch/arm/include/asm/traps.h b/xen/arch/arm/include/asm/traps.h
index 883dae368e..9a60dbf70e 100644
--- a/xen/arch/arm/include/asm/traps.h
+++ b/xen/arch/arm/include/asm/traps.h
@@ -10,6 +10,12 @@ 
 # include <asm/arm64/traps.h>
 #endif
 
+#ifdef CONFIG_PARTIAL_EMULATION
+extern bool partial_emulation;
+#else
+#define partial_emulation false
+#endif
+
 /*
  * GUEST_BUG_ON is intended for checking that the guest state has not been
  * corrupted in hardware and/or that the hardware behaves as we
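Review bot: defining `partial_emulation` as the macro `false` in the `#else` branch keeps call sites as a plain `if ( partial_emulation )` without `#ifdef` clutter and lets the compiler discard the emulation paths entirely in a build without CONFIG_PARTIAL_EMULATION; a one-line comment stating that intent, and that the symbol is never written outside the command-line parser (it is `__ro_after_init` in traps.c), would save the next reader from wondering why a lowercase variable name is also a macro.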
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 9c10e8f78c..d1c7a6c516 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -42,6 +42,15 @@ 
 #include <asm/vgic.h>
 #include <asm/vtimer.h>
 
+/*
+ * partial_emulation: If true, partial emulation for system/coprocessor
+ * registers will be enabled.
+ */
+#ifdef CONFIG_PARTIAL_EMULATION
+bool __ro_after_init partial_emulation = false;
+boolean_param("partial-emulation", partial_emulation);
+#endif
+
 /* The base of the stack must always be double-word aligned, which means
  * that both the kernel half of struct cpu_user_regs (which is pushed in
  * entry.S) and struct cpu_info (which lives at the bottom of a Xen
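Review bot: nothing is logged when the admin passes `partial-emulation`, so there is no boot-time record that guests are running with RAZ/WI registers instead of fault injection; as suggested in the thread, emit a `warning_add()` once after command-line parsing stating that partial emulation is enabled and potentially unsafe for the guest, so the state is visible in the Xen console log. `__ro_after_init` is right here since `boolean_param()` is the only writer; the comment above the variable could also say that it only exists under CONFIG_PARTIAL_EMULATION and that `traps.h` substitutes a constant `false` otherwise.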