From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 058F7286415
	for <kvmarm@lists.linux.dev>; Fri, 20 Feb 2026 14:52:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1771599131; cv=none; b=EQH0kh4fuTxKlH3IKzYjt+FNWS1lqcVjAf/1o3ozoolUrofEbjM71ZUWTvWj7teoA8wmjA2o6muhMtfhzIJ4E053SgaTRhqMnMSLA2Ky8a2En3HgZk+Rnu4isCwkwdNh5MbdsLVoivY19JS1DpJzj5ry2ZC50eZpW1D478/qnZY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1771599131; c=relaxed/simple;
	bh=cKD/AWPnjjeWq0pI84Atiws6ljOTReoU+0PYJxYItcs=;
	h=Date:Message-ID:From:To:Cc:Subject:In-Reply-To:References:
	 MIME-Version:Content-Type; b=gbPWNoAMN+4MpD+k/rnbVy7zZgftjP9b7V9OH4rlBDSQavgyNtL6Pii9iAM5eEw1u69WMBgP1qJMZZ25LLK721I1MgK2nUImqw1Tp5Xcfb6XQjoh+JiUW6CF5yrl1biSvShT3KPH4nTUNevZW5gdjlmGkzmhyJRM4tCnuBcCTA4=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TV+Vj8GD; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TV+Vj8GD"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 77C0DC116D0;
	Fri, 20 Feb 2026 14:52:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1771599130;
	bh=cKD/AWPnjjeWq0pI84Atiws6ljOTReoU+0PYJxYItcs=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=TV+Vj8GDWrGz2HdGQNgaKRORsnNRsJ4TtkD1IWFOG1VBtyPjCxEutL4SqXgJTYtT8
	 425NFcgTEigPlV4wtZ5jugVbc64BHY+fEk7kNG5FbPJjN5NDIHXh4OWm6VJI7LeROn
	 dyBWBaNYljwszaSMy2pR4kw9WjdTj7iHUS4Y8FoSoCHM0hS9TduFUD8YdxXweJDySq
	 TIAdq5rlyH7DJReZefkFWpqzCCz89zj8z9lr9g0499nqSS5ld8tdVCYqZPCTz4J7c4
	 sxRm9LOWJ756ZZjI/PJYWbBDtBsFFEJSOdZDe/2T8Zi+dcHc4Fpt+r1C4yJDcZhUqQ
	 QGnSqGj56XncA==
Received: from sofa.misterjones.org ([185.219.108.64] helo=goblin-girl.misterjones.org)
	by disco-boy.misterjones.org with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <maz@kernel.org>)
	id 1vtRrU-0000000CSW5-1neS;
	Fri, 20 Feb 2026 14:52:08 +0000
Date: Fri, 20 Feb 2026 14:52:07 +0000
Message-ID: <86tsvba2nc.wl-maz@kernel.org>
From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: linux-arm-kernel@lists.infradead.org,
	kvmarm@lists.linux.dev,
	Will Deacon <will@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Joey Gouly <joey.gouly@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Oliver Upton <oupton@kernel.org>,
	Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH 1/9] arm64: Add logic to fully remove features from sanitised id registers
In-Reply-To: <CA+EHjTzj9wEm7oBKBXF8sYpK60FYeLOJwEapxDiO1HxK5e6Y6g@mail.gmail.com>
References: <20260219195533.2455736-1-maz@kernel.org>
	<20260219195533.2455736-2-maz@kernel.org>
	<CA+EHjTzVRq3r-7UR-MJYvv-Aw4kHQDHEmwtqY9is-fRDm-J06A@mail.gmail.com>
	<86v7frafpx.wl-maz@kernel.org>
	<CA+EHjTzj9wEm7oBKBXF8sYpK60FYeLOJwEapxDiO1HxK5e6Y6g@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/30.1
 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO)
Precedence: bulk
X-Mailing-List: kvmarm@lists.linux.dev
List-Id: <kvmarm.lists.linux.dev>
List-Subscribe: <mailto:kvmarm+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:kvmarm+unsubscribe@lists.linux.dev>
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 185.219.108.64
X-SA-Exim-Rcpt-To: tabba@google.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, will@kernel.org, catalin.marinas@arm.com, mark.rutland@arm.com, joey.gouly@arm.com, suzuki.poulose@arm.com, oupton@kernel.org, yuzenghui@huawei.com
X-SA-Exim-Mail-From: maz@kernel.org
X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false

On Fri, 20 Feb 2026 11:06:03 +0000,
Fuad Tabba <tabba@google.com> wrote:
> 
> > > > +               switch (ftrp->visibility) {
> > > > +               case FTR_VISIBLE:
> > > > +                       val = arm64_ftr_set_value(ftrp, val, ftr_new);
> > > >                         user_mask |= ftr_mask;
> > > > -               else
> > > > +                       break;
> > > > +               case FTR_ALL_HIDDEN:
> > > > +                       val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val);
> > > > +                       reg->user_val = arm64_ftr_set_value(ftrp,
> > > > +                                                           reg->user_val,
> > > > +                                                           ftrp->safe_val);
> > >
> > > Should we also take the safe value in update_cpu_ftr_reg() for FTR_ALL_HIDDEN?
> >
> > I would expect arm64_ftr_safe_value() to do the right thing at that
> > stage, given that we have primed the boot CPU with the safe value, and
> > that we rely on that bootstrap to make the registers converge towards
> > something safe. This is also what happens for the command-line override.
> >
> > Or have you spotted a case where this go wrong?
> 
> I think so... What if a future FTR_ALL_HIDDEN feature is defined as
> FTR_HIGHER_SAFE? Wouldn't that cause problems on secondary CPUs?
> init_cpu_ftr_reg() primes sys_val with safe_val on the boot CPU,
> update_cpu_ftr_reg() on secondary CPUs compares the hardware value
> (ftr_new) against safe_val (ftr_cur). For FTR_HIGHER_SAFE,
> arm64_ftr_safe_value() returns max(ftr_new, safe_val). Since the
> hardware value is higher, update_cpu_ftr_reg() overwrites sys_val with
> the hardware value, resurrecting the hidden feature globally.

Huh, that's an interesting observation.

SpecSEI is the only case we currently deal with that is
HIGHER_SAFE. But look at what this feature describes: bloody
speculative SErrors! Not taking this into account could be really
deadly, and the kernel really ought to know about it.

>
> The features in this patch are FTR_LOWER_SAFE or FTR_EXACT (which
> happen to sink to safe_val), which is why it's not a problem with
> these current features.

My conclusion is that it is simply not safe to make such feature
conditional in any way. Note that's also the case of for an override:
look at how we will refuse to downgrade a value in init_cpu_ftr_reg():

		if ((ftr_mask & reg->override->mask) == ftr_mask) {
			s64 tmp = arm64_ftr_safe_value(ftrp, ftr_ovr, ftr_new);
			char *str = NULL;

			if (ftr_ovr != tmp) {
				/* Unsafe, remove the override */
				reg->override->mask &= ~ftr_mask;
				reg->override->val &= ~ftr_mask;
				tmp = ftr_ovr;
				str = "ignoring override";
		[...]

I think we must prevent this downgrade the same way, meaning that
ALL_HIDDEN and FTR_HIGHER are mutually exclusive.

How about that:

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index d58931e63a0b6..2cae00b4b0c5f 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1067,7 +1067,14 @@ static void init_cpu_ftr_reg(u32 sys_reg, u64 new)
 			user_mask |= ftr_mask;
 			break;
 		case FTR_ALL_HIDDEN:
-			val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val);
+			/*
+			 * ALL_HIDDEN and HIGHER_SAFE are incompatible.
+			 * Only hide from userspace, and log the oddity.
+			 */
+			if (WARN_ON(ftrp->type == FTR_HIGHER_SAFE))
+				val = arm64_ftr_set_value(ftrp, val, ftr_new);
+			else
+				val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val);
 			reg->user_val = arm64_ftr_set_value(ftrp,
 							    reg->user_val,
 							    ftrp->safe_val);

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.