[PATCH] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs

[PATCH] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs

[Oliver Upton]

KVM advertises the stage-2 TGRAN fields as writable to userspace but
prevents any modification for NV-enabled VMs. Update the special-cased
sanitization to permit de-featuring a particular TGRAN without allowing
the legacy value which refers to the stage-1 field for support.

Cc: Itaru Kitayama <itaru.kitayama@linux.dev>
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
---
 arch/arm64/kvm/sys_regs.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index b29f72478a50..83ecfdb46704 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -2148,16 +2148,29 @@ static int set_id_aa64pfr1_el1(struct kvm_vcpu *vcpu,
 	return set_id_reg(vcpu, rd, user_val);
 }
 
+/*
+ * Allow userspace to de-feature a stage-2 translation granule but prevent it
+ * from claiming the impossible.
+ */
+#define tgran2_val_allowed(tg, safe, user)			\
+({								\
+	u8 __s = SYS_FIELD_GET(ID_AA64MMFR0_EL1, tg, safe);	\
+	u8 __u = SYS_FIELD_GET(ID_AA64MMFR0_EL1, tg, user);	\
+								\
+	__s == __u || __u == ID_AA64MMFR0_EL1_##tg##_NI;	\
+})
+
 static int set_id_aa64mmfr0_el1(struct kvm_vcpu *vcpu,
 				const struct sys_reg_desc *rd, u64 user_val)
 {
 	u64 sanitized_val = kvm_read_sanitised_id_reg(vcpu, rd);
-	u64 tgran2_mask = ID_AA64MMFR0_EL1_TGRAN4_2_MASK |
-			  ID_AA64MMFR0_EL1_TGRAN16_2_MASK |
-			  ID_AA64MMFR0_EL1_TGRAN64_2_MASK;
 
-	if (vcpu_has_nv(vcpu) &&
-	    ((sanitized_val & tgran2_mask) != (user_val & tgran2_mask)))
+	if (!vcpu_has_nv(vcpu))
+		return set_id_reg(vcpu, rd, user_val);
+
+	if (!tgran2_val_allowed(TGRAN4_2, sanitized_val, user_val) ||
+	    !tgran2_val_allowed(TGRAN16_2, sanitized_val, user_val) ||
+	    !tgran2_val_allowed(TGRAN64_2, sanitized_val, user_val))
 		return -EINVAL;
 
 	return set_id_reg(vcpu, rd, user_val);

base-commit: b320789d6883cc00ac78ce83bccbfe7ed58afcf0
-- 
2.47.3

Re: [PATCH] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs

[Oliver Upton]

On Thu, Sep 18, 2025 at 09:55:05AM -0700, Oliver Upton wrote:
> KVM advertises the stage-2 TGRAN fields as writable to userspace but
> prevents any modification for NV-enabled VMs. Update the special-cased
> sanitization to permit de-featuring a particular TGRAN without allowing
> the legacy value which refers to the stage-1 field for support.
> 
> Cc: Itaru Kitayama <itaru.kitayama@linux.dev>
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>

Marc, if you wind up taking this as-is can you please change
s/Cc/Reported-by/ ?

Itaru found this and I just forgot to add the right footer.

Thanks,
Oliver

Re: [PATCH] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs

[Suzuki K Poulose]

On 18/09/2025 17:55, Oliver Upton wrote:
> KVM advertises the stage-2 TGRAN fields as writable to userspace but
> prevents any modification for NV-enabled VMs. Update the special-cased
> sanitization to permit de-featuring a particular TGRAN without allowing
> the legacy value which refers to the stage-1 field for support.
> 
> Cc: Itaru Kitayama <itaru.kitayama@linux.dev>
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
> ---
>   arch/arm64/kvm/sys_regs.c | 23 ++++++++++++++++++-----
>   1 file changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index b29f72478a50..83ecfdb46704 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -2148,16 +2148,29 @@ static int set_id_aa64pfr1_el1(struct kvm_vcpu *vcpu,
>   	return set_id_reg(vcpu, rd, user_val);
>   }
>   
> +/*
> + * Allow userspace to de-feature a stage-2 translation granule but prevent it
> + * from claiming the impossible.
> + */

super minor nit: May be we could call it "nv_tgran2_val_allowed()", to 
explicitly indicate this is for "NV" case.
Feel free to ignore.

> +#define tgran2_val_allowed(tg, safe, user)			\
> +({								\
> +	u8 __s = SYS_FIELD_GET(ID_AA64MMFR0_EL1, tg, safe);	\
> +	u8 __u = SYS_FIELD_GET(ID_AA64MMFR0_EL1, tg, user);	\
> +								\
> +	__s == __u || __u == ID_AA64MMFR0_EL1_##tg##_NI;	\
> +})
> +

Looks correct to me, we allow user to specify TGRANx_2_NI (== 0b01)
advertising lack of Stage2 support.

>   static int set_id_aa64mmfr0_el1(struct kvm_vcpu *vcpu,
>   				const struct sys_reg_desc *rd, u64 user_val)
>   {
>   	u64 sanitized_val = kvm_read_sanitised_id_reg(vcpu, rd);
> -	u64 tgran2_mask = ID_AA64MMFR0_EL1_TGRAN4_2_MASK |
> -			  ID_AA64MMFR0_EL1_TGRAN16_2_MASK |
> -			  ID_AA64MMFR0_EL1_TGRAN64_2_MASK;
>   
> -	if (vcpu_has_nv(vcpu) &&
> -	    ((sanitized_val & tgran2_mask) != (user_val & tgran2_mask)))
> +	if (!vcpu_has_nv(vcpu))
> +		return set_id_reg(vcpu, rd, user_val);
> +
> +	if (!tgran2_val_allowed(TGRAN4_2, sanitized_val, user_val) ||
> +	    !tgran2_val_allowed(TGRAN16_2, sanitized_val, user_val) ||
> +	    !tgran2_val_allowed(TGRAN64_2, sanitized_val, user_val))
>   		return -EINVAL;
>   
>   	return set_id_reg(vcpu, rd, user_val);

Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>

Re: [PATCH] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs

[Marc Zyngier]

On Thu, 18 Sep 2025 09:55:05 -0700, Oliver Upton wrote:
> KVM advertises the stage-2 TGRAN fields as writable to userspace but
> prevents any modification for NV-enabled VMs. Update the special-cased
> sanitization to permit de-featuring a particular TGRAN without allowing
> the legacy value which refers to the stage-1 field for support.
> 
> 

Applied to next, thanks!

[1/1] KVM: arm64: nv: Allow userspace to de-feature stage-2 TGRANs
      commit: 5aea4096380f5b14e3c0345bdafc291e9ae6d8d1

Cheers,

	M.
-- 
Without deviation from the norm, progress is not possible.