Re: [PATCH v3] KVM: arm64: Prevent the host from using an smc with imm16 != 0

[Vincent Donnefort <vdonnefort@google.com>]

On Mon, Mar 30, 2026 at 10:54:41AM +0000, Sebastian Ene wrote:
> The ARM Service Calling Convention (SMCCC) specifies that the function
> identifier and parameters should be passed in registers, leaving the
> 16-bit immediate field un-handled in pKVM when an SMC instruction is
> trapped.
> Since the HVC is a private interface between EL2 and the host,
> enforce the host kernel running under pKVM to use an immediate value
> of 0 only when using SMCs to make it clear for non-compliant software
> talking to Trustzone that we only use SMCCC.
> 
> Signed-off-by: Sebastian Ene <sebastianene@google.com>

Reviewed-by: Vincent Donnefort <vdonnefort@google.com>

> ---
> v2 -> current:
>  - move the ESR decoding of the imm16 in the handle_host_smc where it
>    was supposed to be
>  - updated the commit message to include the reason behind while we are
>    not doing for HVCs as well
>  - updated the commit message to clarify that pKVM is not handling the
>    imm16
> 
> v1 -> v2:
>  - Dropped injecting an UNDEF and return an error instead
>    (SMCCC_RET_NOT_SUPPORTED)
>  - Used the mask ESR_ELx_xVC_IMM_MASK instead of masking with U16_MAX
>  - Updated the title of the commit message from:
>    "[PATCH] KVM: arm64: Inject UNDEF when host is executing an
>     smc with imm16 != 0"
> 
> Link to v2:
> https://lore.kernel.org/all/20260325113138.4171430-1-sebastianene@google.com/
> Link to v1:
> https://lore.kernel.org/all/20260324135728.3532400-1-sebastianene@google.com/
> 
> ---
>  arch/arm64/kvm/hyp/nvhe/hyp-main.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> index e7790097db93..461cf5cb5ac7 100644
> --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> @@ -676,8 +676,14 @@ static void default_host_smc_handler(struct kvm_cpu_context *host_ctxt)
>  static void handle_host_smc(struct kvm_cpu_context *host_ctxt)
>  {
>  	DECLARE_REG(u64, func_id, host_ctxt, 0);
> +	u64 esr = read_sysreg_el2(SYS_ESR);
>  	bool handled;
>  
> +	if (esr & ESR_ELx_xVC_IMM_MASK) {
> +		cpu_reg(host_ctxt, 0) = SMCCC_RET_NOT_SUPPORTED;
> +		goto exit_skip_instr;
> +	}
> +
>  	func_id &= ~ARM_SMCCC_CALL_HINTS;
>  
>  	handled = kvm_host_psci_handler(host_ctxt, func_id);
> @@ -686,6 +692,7 @@ static void handle_host_smc(struct kvm_cpu_context *host_ctxt)
>  	if (!handled)
>  		default_host_smc_handler(host_ctxt);
>  
> +exit_skip_instr:
>  	/* SMC was trapped, move ELR past the current PC. */
>  	kvm_skip_host_instr();
>  }
> -- 
> 2.53.0.1018.g2bb0e51243-goog
>