From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
oliver.upton@linux.dev, joey.gouly@arm.com,
suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org
Subject: Re: [PATCH v2 2/5] arm64: Clear HCR_EL2.ATA when MTE is not supported or disabled
Date: Tue, 20 Jan 2026 15:11:44 +0000 [thread overview]
Message-ID: <863440co9b.wl-maz@kernel.org> (raw)
In-Reply-To: <20251211113828.370370-3-tabba@google.com>
On Thu, 11 Dec 2025 11:38:25 +0000,
Fuad Tabba <tabba@google.com> wrote:
>
> If MTE is not supported by the hardware, or is disabled in the kernel
> configuration (CONFIG_ARM64_MTE=n) or command line (arm64.nomte), the
> kernel stops advertising MTE to userspace and avoids using MTE
> instructions. However, this is a software-level disable only.
>
> When MTE hardware is present and enabled by EL3 firmware, leaving
> HCR_EL2.ATA set allows the host to execute MTE instructions (STG, LDG,
> etc.) and access allocation tags in physical memory. This creates a
> security risk where a malicious or buggy host could lead to system
> crashes, undefined behavior, or compromise guests.
>
> Prevent this by clearing HCR_EL2.ATA when MTE is disabled. Remove it
> from the HCR_HOST_NVHE_FLAGS default, and conditionally set it in
> cpu_prepare_hyp_mode() only when system_supports_mte() returns true.
> This causes MTE instructions to trap to EL2 when HCR_EL2.ATA is cleared.
>
> Early boot code in head.S temporarily keeps HCR_ATA set to avoid
> special-casing initialization paths. This is safe because this code
> executes before untrusted code runs and will clear HCR_ATA if MTE is
> disabled.
>
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> arch/arm64/include/asm/kvm_arm.h | 2 +-
> arch/arm64/kernel/head.S | 2 +-
> arch/arm64/kvm/arm.c | 4 ++++
> 3 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
> index 1da290aeedce..a41e3087e00a 100644
> --- a/arch/arm64/include/asm/kvm_arm.h
> +++ b/arch/arm64/include/asm/kvm_arm.h
> @@ -101,7 +101,7 @@
> HCR_BSU_IS | HCR_FB | HCR_TACR | \
> HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_TLOR | \
> HCR_FMO | HCR_IMO | HCR_PTW | HCR_TID3 | HCR_TID1)
> -#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK | HCR_ATA)
> +#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK)
> #define HCR_HOST_NVHE_PROTECTED_FLAGS (HCR_HOST_NVHE_FLAGS | HCR_TSC)
> #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H | HCR_AMO | HCR_IMO | HCR_FMO)
>
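Review bot: with HCR_ATA dropped from HCR_HOST_NVHE_FLAGS, the derived HCR_HOST_NVHE_PROTECTED_FLAGS on the following line silently loses it as well, and nothing in this header says the bit is now set per-CPU elsewhere; a one-line comment above the define (e.g. `/* HCR_ATA is added in cpu_prepare_hyp_mode() only when system_supports_mte() */`) would make the omission read as deliberate rather than as a regression to someone reading the header alone.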
> diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
> index ca04b338cb0d..87a822e5c4ca 100644
> --- a/arch/arm64/kernel/head.S
> +++ b/arch/arm64/kernel/head.S
> @@ -299,7 +299,7 @@ SYM_INNER_LABEL(init_el2, SYM_L_LOCAL)
> isb
> 0:
>
> - init_el2_hcr HCR_HOST_NVHE_FLAGS
> + init_el2_hcr HCR_HOST_NVHE_FLAGS | HCR_ATA
> init_el2_state
>
> /* Hypervisor stub */
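Review bot: the reason `init_el2_hcr HCR_HOST_NVHE_FLAGS | HCR_ATA` deliberately diverges from the kvm_arm.h default exists only in the commit message; please add a short comment on this line stating that early boot keeps HCR_ATA set until MTE support is known and that it is cleared later when MTE is disabled, otherwise the next person to touch init_el2 will see an apparent inconsistency with HCR_HOST_NVHE_FLAGS and may "fix" it.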
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 052bf0d4d0b0..c03006b1c5bc 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -2030,6 +2030,10 @@ static void __init cpu_prepare_hyp_mode(int cpu, u32 hyp_va_bits)
> params->hcr_el2 = HCR_HOST_NVHE_PROTECTED_FLAGS;
> else
> params->hcr_el2 = HCR_HOST_NVHE_FLAGS;
> +
> + if (system_supports_mte())
> + params->hcr_el2 |= HCR_ATA;
> +
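Review bot: this conditional only covers the nVHE/pKVM path that cpu_prepare_hyp_mode() serves, while the commit message says head.S keeps HCR_ATA set and relies on it being cleared later if MTE is disabled; please state in the commit message (or a comment on the `if`) which code performs that clearing on the other boot paths, since HCR_HOST_VHE_FLAGS in the first hunk is untouched and nothing else in this patch rewrites hcr_el2. A comment here tying the `system_supports_mte()` check to the removal of HCR_ATA from HCR_HOST_NVHE_FLAGS would also help readers of this function.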
How about TID5? If you really want to hide MTE, you also need to catch
accesses to GMID_EL1.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.