public inbox for linux-arm-kernel@lists.infradead.org
From: Fuad Tabba <tabba@google.com>
To: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oliver.upton@linux.dev, joey.gouly@arm.com,
	suzuki.poulose@arm.com, yuzenghui@huawei.com,
	catalin.marinas@arm.com, will@kernel.org, tabba@google.com
Subject: [PATCH v3 0/4] KVM: arm64: Enforce MTE disablement at EL2
Date: Thu, 22 Jan 2026 11:22:14 +0000
Message-ID: <20260122112218.531948-1-tabba@google.com>

Changes since v2 [1]:
- Trap accesses to GMID_EL1 by setting `HCR_EL2.TID5` when MTE is
  disabled (Marc)
- Dropped patch refactoring `enter_exception64()` in favor of open-coded
  logic in `inject_undef64()` in patch 3/4 (Marc)
- Based on Linux 6.19-rc6

pKVM never exposes MTE to protected guests (pVM), but we must also
ensure that a malicious host cannot use MTE to attack the hypervisor or
a protected VM.

If MTE is supported by the hardware (and is enabled at EL3), it remains
available to lower exception levels by default. Disabling it in the host
kernel (e.g., via 'arm64.nomte') only stops the kernel from advertising
the feature; it does not physically disable MTE in the hardware.

The ability to disable MTE in the host kernel is used by some systems,
such as Android, so that the physical memory otherwise used as tag
storage can be used for other things (i.e. treated just like the rest of
memory). In this scenario, a malicious host could still access tags in
pages donated to a guest using MTE instructions (e.g., STG and LDG),
bypassing the kernel's configuration.

To prevent this, explicitly disable MTE at EL2 (by clearing
`HCR_EL2.ATA` and setting `HCR_EL2.TID5`) when the host has MTE
disabled. This causes MTE instructions to trap to the hypervisor.

Cheers,
/fuad

[1] https://lore.kernel.org/all/20251211113828.370370-1-tabba@google.com/

Fuad Tabba (4):
  KVM: arm64: Remove dead code resetting HCR_EL2 for pKVM
  KVM: arm64: Trap MTE access and discovery when MTE is disabled
  KVM: arm64: Inject UNDEF when accessing MTE sysregs with MTE disabled
  KVM: arm64: Use kvm_has_mte() in pKVM trap initialization

 arch/arm64/include/asm/kvm_arm.h   |  2 +-
 arch/arm64/kernel/head.S           |  2 +-
 arch/arm64/kvm/arm.c               |  6 +++
 arch/arm64/kvm/hyp/nvhe/hyp-init.S |  5 ---
 arch/arm64/kvm/hyp/nvhe/hyp-main.c | 67 ++++++++++++++++++++++++++++++
 arch/arm64/kvm/hyp/nvhe/pkvm.c     |  2 +-
 6 files changed, 76 insertions(+), 8 deletions(-)


base-commit: 24d479d26b25bce5faea3ddd9fa8f3a6c3129ea7
-- 
2.52.0.457.g6b5491de43-goog
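The cover letter describes the mechanism in two sentences: with the host's MTE disabled, clear `HCR_EL2.ATA` and set `HCR_EL2.TID5` so that tag accesses and `GMID_EL1` reads trap to EL2, where the hypervisor makes them look UNDEFINED (patch 3/4). The following C model, added here as an illustration and not code from the series or from the kernel, shows that policy as a function on the `HCR_EL2` value together with the trap-or-not decision and the hypervisor's response. The bit positions (`ATA` = bit 56, `TID5` = bit 58) follow the Arm architecture and match the kernel's `HCR_ATA`/`HCR_TID5` definitions; the access classes, the `hyp_action` enum and the function names are constructed for this example, and the trap model follows the cover letter's description rather than reproducing every architectural rule.

```c
#include <stdbool.h>
#include <stdint.h>

/* HCR_EL2 control bits used by the series. Bit positions follow the Arm
 * architecture and match the kernel's HCR_ATA / HCR_TID5 definitions. */
#define HCR_ATA   (UINT64_C(1) << 56)   /* Allocation Tag Access at EL1/EL0 */
#define HCR_TID5  (UINT64_C(1) << 58)   /* Trap ID group 5, i.e. GMID_EL1   */

/* Classes of EL1/EL0 access the model distinguishes (constructed here). */
enum mte_access {
	MTE_TAG_INSN,       /* tag-manipulating instruction such as STG/LDG   */
	MTE_GMID_EL1_READ,  /* MRS of GMID_EL1: feature discovery             */
	MTE_CTRL_SYSREG,    /* MTE control registers, e.g. GCR_EL1 / TFSR_EL1 */
};

/* What the hypervisor does once an access reaches EL2 (constructed here). */
enum hyp_action {
	HYP_NO_TRAP,       /* access completed in hardware, EL2 not involved      */
	HYP_INJECT_UNDEF,  /* EL2 injects UNDEF so the access appears UNDEFINED   */
};

/*
 * Policy from the cover letter: when the host runs with MTE disabled
 * (e.g. arm64.nomte), clear ATA and set TID5 so that tag accesses and
 * GMID_EL1 reads trap to EL2 instead of silently working. When MTE is
 * enabled, leave the feature usable at EL1/EL0.
 */
uint64_t hcr_apply_mte_policy(uint64_t hcr, bool host_has_mte)
{
	if (host_has_mte) {
		hcr |= HCR_ATA;
		hcr &= ~HCR_TID5;
	} else {
		hcr &= ~HCR_ATA;
		hcr |= HCR_TID5;
	}
	return hcr;
}

/* Does this access trap to EL2 under the given HCR_EL2 value?
 * Tag instructions and MTE control sysregs trap when ATA is clear;
 * GMID_EL1 reads trap when TID5 is set. */
bool mte_access_traps_to_el2(uint64_t hcr, enum mte_access a)
{
	switch (a) {
	case MTE_TAG_INSN:
	case MTE_CTRL_SYSREG:
		return (hcr & HCR_ATA) == 0;
	case MTE_GMID_EL1_READ:
		return (hcr & HCR_TID5) != 0;
	}
	return false;
}

/* Hypervisor side: an access that trapped because MTE is disabled gets an
 * UNDEF injected (patch 3/4's behaviour); anything else never reached EL2. */
enum hyp_action hyp_handle_mte_access(uint64_t hcr, enum mte_access a)
{
	return mte_access_traps_to_el2(hcr, a) ? HYP_INJECT_UNDEF : HYP_NO_TRAP;
}

/* Consistency check: with MTE disabled every access class ends in UNDEF,
 * with MTE enabled none of them traps. */
bool mte_policy_self_check(void)
{
	uint64_t off = hcr_apply_mte_policy(0, false);
	uint64_t on  = hcr_apply_mte_policy(HCR_ATA | HCR_TID5, true);

	for (int a = MTE_TAG_INSN; a <= MTE_CTRL_SYSREG; a++) {
		if (hyp_handle_mte_access(off, (enum mte_access)a) != HYP_INJECT_UNDEF)
			return false;
		if (hyp_handle_mte_access(on, (enum mte_access)a) != HYP_NO_TRAP)
			return false;
	}
	return true;
}
```

The point the model makes explicit is the one the cover letter relies on: `arm64.nomte` alone changes what the kernel advertises, so only the `HCR_EL2` bits, which the hypervisor controls, decide whether a tag-accessing instruction on a donated page completes or traps. A pKVM build can keep a check like `mte_policy_self_check()` next to its trap-initialisation code to catch a future change that re-enables one of the two bits by accident.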



Thread overview: 6+ messages
2026-01-22 11:22 Fuad Tabba [this message]
2026-01-22 11:22 ` [PATCH v3 1/4] KVM: arm64: Remove dead code resetting HCR_EL2 for pKVM Fuad Tabba
2026-01-22 11:22 ` [PATCH v3 2/4] KVM: arm64: Trap MTE access and discovery when MTE is disabled Fuad Tabba
2026-01-22 11:22 ` [PATCH v3 3/4] KVM: arm64: Inject UNDEF when accessing MTE sysregs with MTE disabled Fuad Tabba
2026-01-22 11:22 ` [PATCH v3 4/4] KVM: arm64: Use kvm_has_mte() in pKVM trap initialization Fuad Tabba
2026-01-23 11:47 ` [PATCH v3 0/4] KVM: arm64: Enforce MTE disablement at EL2 Marc Zyngier
