From: Marc Zyngier <maz@kernel.org>
To: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev
Cc: Fuad Tabba <tabba@google.com>, Will Deacon <will@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Joey Gouly <joey.gouly@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Oliver Upton <oupton@kernel.org>,
	Zenghui Yu <yuzenghui@huawei.com>
Subject: [PATCH v2 03/11] arm64: Add logic to fully remove features from sanitised id registers
Date: Mon,  2 Mar 2026 11:56:44 +0000	[thread overview]
Message-ID: <20260302115653.1517326-4-maz@kernel.org> (raw)
In-Reply-To: <20260302115653.1517326-1-maz@kernel.org>

We currently make support for some features such as Pointer Auth,
SVE or S1POE a compile time decision.

However, while we hide that feature from userspace when such support
is disabled, we still leave the value provided by the HW visible to
the rest of the kernel, including KVM.

This has the potential to result in ugly state leakage, as half of
the kernel knows about the feature, and the other doesn't.

Short of completely banning such compilation options and restoring
universal knowledge, introduce the possibility to fully remove such
knowledge from the sanitised id registers.

This has more or less the same effect as the idreg override that
a user can pass on the command-line, only defined at build-time.

For that purpose, we provide a new macro (FTR_CONFIG()) that defines
the behaviour of a feature, both when enabled and disabled.

At this stage, nothing is making use of this anti-feature.

Signed-off-by: Marc Zyngier <maz@kernel.org>
---
 arch/arm64/include/asm/cpufeature.h | 17 +++++++++------
 arch/arm64/kernel/cpufeature.c      | 32 ++++++++++++++++++++++-------
 2 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
index 4de51f8d92cba..e853a0ac7db38 100644
--- a/arch/arm64/include/asm/cpufeature.h
+++ b/arch/arm64/include/asm/cpufeature.h
@@ -53,17 +53,22 @@ enum ftr_type {
 #define FTR_SIGNED	true	/* Value should be treated as signed */
 #define FTR_UNSIGNED	false	/* Value should be treated as unsigned */
 
-#define FTR_VISIBLE	true	/* Feature visible to the user space */
-#define FTR_HIDDEN	false	/* Feature is hidden from the user */
+enum ftr_visibility {
+	FTR_HIDDEN,		/* Feature hidden from the user */
+	FTR_ALL_HIDDEN,		/* Feature hidden from kernel, user and KVM */
+	FTR_VISIBLE,		/* Feature visible to all observers */
+};
+
+#define FTR_CONFIG(c, e, d)				\
+	(IS_ENABLED(c) ? FTR_ ## e : FTR_ ## d)
 
-#define FTR_VISIBLE_IF_IS_ENABLED(config)		\
-	(IS_ENABLED(config) ? FTR_VISIBLE : FTR_HIDDEN)
+#define FTR_VISIBLE_IF_IS_ENABLED(c)	FTR_CONFIG(c, VISIBLE, HIDDEN)
 
 struct arm64_ftr_bits {
 	bool		sign;	/* Value is signed ? */
-	bool		visible;
+	enum ftr_visibility visibility:8;
 	bool		strict;	/* CPU Sanity check: strict matching required ? */
-	enum ftr_type	type;
+	enum ftr_type	type:8;
 	u8		shift;
 	u8		width;
 	s64		safe_val; /* safe value for FTR_EXACT features */
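Review bot: The new enumerator order gives `FTR_ALL_HIDDEN` the value 1, which is what `true` meant while this field was a bool, so any ftr_bits entry that still passes a boolean expression as the visibility argument would compile cleanly and silently become hidden from the kernel and KVM as well. Whether such entries exist is not visible in this hunk, but ordering the enum as `FTR_HIDDEN, FTR_VISIBLE, FTR_ALL_HIDDEN` would keep the old 0/1 encoding and still leave zero-initialised entries hidden. `FTR_CONFIG()` would also benefit from a short comment stating that `e` and `d` are enumerator suffixes pasted after `FTR_`, giving the visibility when the option is enabled and when it is disabled. The struct definition continues past the end of this hunk.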
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 102c5bac4d502..965dd2acf0640 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -192,7 +192,7 @@ void dump_cpu_features(void)
 #define __ARM64_FTR_BITS(SIGNED, VISIBLE, STRICT, TYPE, SHIFT, WIDTH, SAFE_VAL) \
 	{						\
 		.sign = SIGNED,				\
-		.visible = VISIBLE,			\
+		.visibility = VISIBLE,			\
 		.strict = STRICT,			\
 		.type = TYPE,				\
 		.shift = SHIFT,				\
@@ -1063,16 +1063,33 @@ static void init_cpu_ftr_reg(u32 sys_reg, u64 new)
 				ftrp->shift);
 		}
 
-		val = arm64_ftr_set_value(ftrp, val, ftr_new);
-
 		valid_mask |= ftr_mask;
 		if (!ftrp->strict)
 			strict_mask &= ~ftr_mask;
-		if (ftrp->visible)
+
+		switch (ftrp->visibility) {
+		case FTR_VISIBLE:
+			val = arm64_ftr_set_value(ftrp, val, ftr_new);
 			user_mask |= ftr_mask;
-		else
+			break;
+		case FTR_ALL_HIDDEN:
+			/*
+			 * ALL_HIDDEN and HIGHER_SAFE are incompatible.
+			 * Only hide from userspace, and log the oddity.
+			 */
+			if (WARN_ON(ftrp->type == FTR_HIGHER_SAFE))
+				val = arm64_ftr_set_value(ftrp, val, ftr_new);
+			else
+				val = arm64_ftr_set_safe_value(ftrp, val);
 			reg->user_val = arm64_ftr_set_safe_value(ftrp,
 								 reg->user_val);
+			break;
+		case FTR_HIDDEN:
+			val = arm64_ftr_set_value(ftrp, val, ftr_new);
+			reg->user_val = arm64_ftr_set_safe_value(ftrp,
+								 reg->user_val);
+			break;
+		}
 	}
 
 	val &= valid_mask;
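Review bot: The `switch (ftrp->visibility)` has no `default` arm, so a value outside the three enumerators (the field is an 8-bit bitfield) would leave the field neither copied from the hardware value nor reset to its safe value, and `reg->user_val` would not be sanitised for it, with no diagnostic. Adding `default: WARN_ON(1); fallthrough;` directly above `case FTR_HIDDEN:` would keep such an entry hidden from userspace and make the table error visible at boot. The trade-off is that a `default` arm silences the compiler's missing-enumerator warning if the enum grows later. The loop and the function both start before this hunk.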
@@ -1230,9 +1247,10 @@ static void update_cpu_ftr_reg(struct arm64_ftr_reg *reg, u64 new)
 
 		/*
 		 * Don't alter the initial value that has been forced
-		 * by an override.
+		 * by an override or a disabled feature.
 		 */
-		if ((reg->override->mask & arm64_ftr_mask(ftrp)) == arm64_ftr_mask(ftrp))
+		if (ftrp->visibility == FTR_ALL_HIDDEN ||
+		    (reg->override->mask & arm64_ftr_mask(ftrp)) == arm64_ftr_mask(ftrp))
 			continue;
 
 		if (ftr_cur == ftr_new)
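Review bot: The added `ftrp->visibility == FTR_ALL_HIDDEN` test skips every such field, including the `FTR_HIGHER_SAFE` ones for which init_cpu_ftr_reg() deliberately keeps the hardware value after its `WARN_ON`. For those fields the value taken at init would then never be reconciled with a differing value from a later CPU; this is presumably what the code below this hunk does, but it is not visible here. Narrowing the first operand to `(ftrp->visibility == FTR_ALL_HIDDEN && ftrp->type != FTR_HIGHER_SAFE) ||` would keep the two functions consistent for that fallback. The comment above the test could then say that only fields actually forced to their safe value are skipped.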
-- 
2.47.3


