From: Mark Brown
To: Catalin Marinas, Will Deacon, Marc Zyngier
Cc: Peter Maydell, Richard Henderson, Vincent Donnefort, James Morse, Alexandru Elisei, Suzuki K Poulose, Oliver Upton, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, Mark Brown
Subject: [PATCH v1 2/2] KVM: arm: Refuse to enable KVM on systems with FEAT_SME but not FEAT_FGT
Date: Thu, 27 Oct 2022 21:52:46 +0100
Message-Id: <20221027205246.812586-3-broonie@kernel.org>
In-Reply-To: <20221027205246.812586-1-broonie@kernel.org>
References: <20221027205246.812586-1-broonie@kernel.org>

The architecture requires that any system which implements SME also has
fine grained traps since SME is a v9.2 feature, meaning that v8.7 must be
implemented, and FGT is mandatory from v8.6.

Virtualisation support for SME relies on fine grained traps to control
access to SMPRI_EL1 and in nVHE mode to TPIDR2_EL0, without traps
SMPRI_EL1.Priority and TPIDR2_EL0 can be used as side channels even if
SME support is not exposed to the guest.

Reported-by: Vincent Donnefort
Signed-off-by: Mark Brown --- arch/arm64/kvm/arm.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index 94d33e296e10..4662407ee789 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c 
@@ -2183,6 +2183,21 @@ int kvm_arch_init(void *opaque) return -ENODEV; } + /* + * SME without fine grained traps is an architecturally + * invalid configuration since SME is a v9.2 feature and FGT + * is required from v8.6 but virtual platforms have been + * encountered which don't respect this. Without FGT we can't + * trap access to TPIDR2_EL0 in nVHE mode or SMPRI_EL1 in any + * mode, making this conditional in the code would lead to + * side channels on these out of spec systems. + */ + if (cpus_have_final_cap(ARM64_SME) && + !cpus_have_final_cap(ARM64_HAS_FGT)) { + kvm_err("KVM disabled since system has SME without FGT\n"); + return -ENODEV; + } + if (kvm_get_mode() == KVM_MODE_NONE) { kvm_info("KVM disabled from command line\n"); return -ENODEV; -- 2.30.2
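
Review bot: the new SME-without-FGT check in kvm_arch_init() sits ahead of the existing kvm_get_mode() == KVM_MODE_NONE test, so on an affected system where KVM was already disabled from the command line the log gets the error-level "KVM disabled since system has SME without FGT" rather than the informational "KVM disabled from command line". Consider moving the block below the KVM_MODE_NONE test so that kvm_err() only fires when KVM would otherwise have been enabled. The message text could also say that the platform is out of spec, as the comment above it does, so that whoever reads the log knows the fix belongs in the platform or emulator configuration and not in the kernel. It would help as well for the comment to state explicitly that KVM is refused in every mode because SMPRI_EL1 cannot be trapped in any mode, since the TPIDR2_EL0 half of the sentence only applies to nVHE and a reader may otherwise expect the check to be mode-dependent.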