From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Joey Gouly <joey.gouly@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oupton@kernel.org>,
Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH 1/9] arm64: Add logic to fully remove features from sanitised id registers
Date: Mon, 23 Feb 2026 09:48:24 +0000 [thread overview]
Message-ID: <86pl5vaizb.wl-maz@kernel.org> (raw)
In-Reply-To: <CA+EHjTyiHALTEgA7tuqQZ2ZLW3_vFdTU=vUb7+vn1T4OoMjgsw@mail.gmail.com>
Hi Fuad,
On Fri, 20 Feb 2026 15:36:37 +0000,
Fuad Tabba <tabba@google.com> wrote:
>
> > I think we must prevent this downgrade the same way, meaning that
> > ALL_HIDDEN and FTR_HIGHER are mutually exclusive.
> >
> > How about that:
> >
> > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> > index d58931e63a0b6..2cae00b4b0c5f 100644
> > --- a/arch/arm64/kernel/cpufeature.c
> > +++ b/arch/arm64/kernel/cpufeature.c
> > @@ -1067,7 +1067,14 @@ static void init_cpu_ftr_reg(u32 sys_reg, u64 new)
> > user_mask |= ftr_mask;
> > break;
> > case FTR_ALL_HIDDEN:
> > - val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val);
> > + /*
> > + * ALL_HIDDEN and HIGHER_SAFE are incompatible.
> > + * Only hide from userspace, and log the oddity.
> > + */
> > + if (WARN_ON(ftrp->type == FTR_HIGHER_SAFE))
> > + val = arm64_ftr_set_value(ftrp, val, ftr_new);
> > + else
> > + val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val);
> > reg->user_val = arm64_ftr_set_value(ftrp,
> > reg->user_val,
> > ftrp->safe_val);
> >
>
> Yes, I think WARN_ON() here is the right call.
>
> That said, I still think you should explicitly short-circuit
> update_cpu_ftr_reg() for FTR_ALL_HIDDEN features, in addition to the
> WARN_ON(). Relying on arm64_ftr_safe_value() to naturally preserve the
> safe_val during secondary CPU boot seems mathematically fragile.
>
> Take MTE_frac as an example. It uses S_ARM64_FTR_BITS and
> FTR_LOWER_SAFE with a safe_val of 0. If it were marked FTR_ALL_HIDDEN,
> init_cpu_ftr_reg() would prime sys_val with 0. But if a secondary CPU
> boots and reports -1 (NI), arm64_ftr_safe_value() will execute min(-1,
> 0) and return -1. update_cpu_ftr_reg() will then overwrite the primed
> safe_val (0) with -1. The "hidden" state established by the boot CPU
> is gone, and the feature's hardware state is now exposed globally.
>
> Note that MTE is currently ALL_HIDDEN when configured out, so it's not
> totally inconceivable that someone decides to make MTE_frac ALL_HIDDEN
> as well. Explicitly short-circuiting for FTR_ALL_HIDDEN features in
> update_cpu_ftr_reg() seems to be the safer bet here.
Right, the signed feature is a pretty compelling argument. And we
should do the same thing for overrides, probably as a preliminary
patch.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2026-02-23 9:48 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-19 19:55 [PATCH 0/9] arm64: Fully disable configured-out features Marc Zyngier
2026-02-19 19:55 ` [PATCH 1/9] arm64: Add logic to fully remove features from sanitised id registers Marc Zyngier
2026-02-20 8:36 ` Fuad Tabba
2026-02-20 10:09 ` Marc Zyngier
2026-02-20 11:06 ` Fuad Tabba
2026-02-20 14:52 ` Marc Zyngier
2026-02-20 15:36 ` Fuad Tabba
2026-02-23 9:48 ` Marc Zyngier [this message]
2026-02-23 18:18 ` Suzuki K Poulose
2026-02-19 19:55 ` [PATCH 2/9] arm64: Convert CONFIG_ARM64_PTR_AUTH to FTR_CONFIG() Marc Zyngier
2026-02-19 19:55 ` [PATCH 3/9] arm64: Convert CONFIG_ARM64_SVE " Marc Zyngier
2026-02-19 19:55 ` [PATCH 4/9] arm64: Convert CONFIG_ARM64_SME " Marc Zyngier
2026-02-19 19:55 ` [PATCH 5/9] arm64: Convert CONFIG_ARM64_GCS " Marc Zyngier
2026-02-19 19:55 ` [PATCH 6/9] arm64: Convert CONFIG_ARM64_MTE " Marc Zyngier
2026-02-19 19:55 ` [PATCH 7/9] arm64: Convert CONFIG_ARM64_POE " Marc Zyngier
2026-02-19 19:55 ` [PATCH 8/9] arm64: Convert CONFIG_ARM64_BTI " Marc Zyngier
2026-02-19 19:55 ` [PATCH 9/9] arm64: Remove FTR_VISIBLE_IF_IS_ENABLED() Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86pl5vaizb.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=oupton@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.