From: Sascha Bischoff <Sascha.Bischoff@arm.com>
To: "maz@kernel.org" <maz@kernel.org>
Cc: "yuzenghui@huawei.com" <yuzenghui@huawei.com>,
Timothy Hayes <Timothy.Hayes@arm.com>,
Suzuki Poulose <Suzuki.Poulose@arm.com>, nd <nd@arm.com>,
"peter.maydell@linaro.org" <peter.maydell@linaro.org>,
"kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
"jonathan.cameron@huawei.com" <jonathan.cameron@huawei.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
Joey Gouly <Joey.Gouly@arm.com>,
"lpieralisi@kernel.org" <lpieralisi@kernel.org>,
"oliver.upton@linux.dev" <oliver.upton@linux.dev>
Subject: Re: [PATCH v4 11/36] KVM: arm64: gic-v5: Sanitize ID_AA64PFR2_EL1.GCIE
Date: Fri, 30 Jan 2026 17:13:18 +0000
Message-ID: <6a45dd02fdd2e70e0722dc5b3087ecfb18f01e98.camel@arm.com>
In-Reply-To: <861pj7baav.wl-maz@kernel.org>
On Fri, 2026-01-30 at 11:38 +0000, Marc Zyngier wrote:
> On Wed, 28 Jan 2026 18:02:09 +0000,
> Sascha Bischoff <Sascha.Bischoff@arm.com> wrote:
> >
> > Set the guest's view of the GCIE field to IMP when running a GICv5
> > VM,
> > NI otherwise. Reject any writes to the register that try to do
> > anything but set GCIE to IMP when running a GICv5 VM.
> >
> > As part of this change, we're also required to extend
> > vgic_is_v3_compat() to check for the actual vgic_model. This has
> > one
> > potential issue - if any of the vgic_is_v*() checks are used prior
> > to
> > setting the vgic_model (that is, before kvm_vgic_create) then
> > vgic_model will be set to 0, which can result in a false-positive.
> >
> > Co-authored-by: Timothy Hayes <timothy.hayes@arm.com>
> > Signed-off-by: Timothy Hayes <timothy.hayes@arm.com>
> > Signed-off-by: Sascha Bischoff <sascha.bischoff@arm.com>
> > Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> > ---
> > arch/arm64/kvm/sys_regs.c | 42 ++++++++++++++++++++++++++++++----
> > ----
> > arch/arm64/kvm/vgic/vgic.h | 10 ++++++++-
> > 2 files changed, 43 insertions(+), 9 deletions(-)
> >
> > diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> > index 88a57ca36d96..73dd2bd85c4f 100644
> > --- a/arch/arm64/kvm/sys_regs.c
> > +++ b/arch/arm64/kvm/sys_regs.c
> > @@ -1758,6 +1758,7 @@ static u8 pmuver_to_perfmon(u8 pmuver)
> >
> > static u64 sanitise_id_aa64pfr0_el1(const struct kvm_vcpu *vcpu,
> > u64 val);
> > static u64 sanitise_id_aa64pfr1_el1(const struct kvm_vcpu *vcpu,
> > u64 val);
> > +static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu,
> > u64 val);
> > static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu,
> > u64 val);
> >
> > /* Read a sanitised cpufeature ID register by sys_reg_desc */
> > @@ -1783,10 +1784,7 @@ static u64 __kvm_read_sanitised_id_reg(const
> > struct kvm_vcpu *vcpu,
> > val = sanitise_id_aa64pfr1_el1(vcpu, val);
> > break;
> > case SYS_ID_AA64PFR2_EL1:
> > - val &= ID_AA64PFR2_EL1_FPMR |
> > - (kvm_has_mte(vcpu->kvm) ?
> > - ID_AA64PFR2_EL1_MTEFAR |
> > ID_AA64PFR2_EL1_MTESTOREONLY :
> > - 0);
> > + val = sanitise_id_aa64pfr2_el1(vcpu, val);
> > break;
> > case SYS_ID_AA64ISAR1_EL1:
> > if (!vcpu_has_ptrauth(vcpu))
> > @@ -2024,6 +2022,23 @@ static u64 sanitise_id_aa64pfr1_el1(const
> > struct kvm_vcpu *vcpu, u64 val)
> > return val;
> > }
> >
> > +static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu,
> > u64 val)
> > +{
> > + val &= ID_AA64PFR2_EL1_FPMR |
> > + ID_AA64PFR2_EL1_MTEFAR |
> > + ID_AA64PFR2_EL1_MTESTOREONLY;
> > +
> > + if (!kvm_has_mte(vcpu->kvm)) {
> > + val &= ~ID_AA64PFR2_EL1_MTEFAR;
> > + val &= ~ID_AA64PFR2_EL1_MTESTOREONLY;
> > + }
> > +
> > + if (vgic_is_v5(vcpu->kvm))
> > + val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR2_EL1, GCIE,
> > IMP);
>
> You probably want to clear the field before or'ing something in, or
> you may be promising more than we'd expect.
The GCIE field should already be zeroed at this point as it is filtered
out to begin with. If we have GICv5 (so FEAT_GCIE) we're explicitly
setting this field to IMP, else NI.
>
> > +
> > + return val;
> > +}
> > +
> > static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu,
> > u64 val)
> > {
> > val = ID_REG_LIMIT_FIELD_ENUM(val, ID_AA64DFR0_EL1,
> > DebugVer, V8P8);
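Review bot: the OR of GCIE=IMP in sanitise_id_aa64pfr2_el1() is only correct because the `val &= ID_AA64PFR2_EL1_FPMR | ID_AA64PFR2_EL1_MTEFAR | ID_AA64PFR2_EL1_MTESTOREONLY;` at the top of the function has already dropped the GCIE field, and nothing in the function says so; anyone later adding a field to that mask can silently change what a GICv5 VM is promised. A one-line comment above `if (vgic_is_v5(vcpu->kvm))` stating that GCIE is known to be clear at that point (or an explicit `val &= ~ID_AA64PFR2_EL1_GCIE;` before the OR, which costs nothing) would make the invariant visible. Minor: the `if (!kvm_has_mte(vcpu->kvm))` block re-implements the `kvm_has_mte(vcpu->kvm) ? ... : 0` conditional the removed code folded into the mask; either form works, but the two-step version reads as if MTEFAR/MTESTOREONLY were kept first and then taken away.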
> > @@ -2221,6 +2236,16 @@ static int set_id_aa64pfr1_el1(struct
> > kvm_vcpu *vcpu,
> > return set_id_reg(vcpu, rd, user_val);
> > }
> >
> > +static int set_id_aa64pfr2_el1(struct kvm_vcpu *vcpu,
> > + const struct sys_reg_desc *rd, u64
> > user_val)
> > +{
> > + if (vgic_is_v5(vcpu->kvm) &&
> > + FIELD_GET(ID_AA64PFR2_EL1_GCIE_MASK, user_val) !=
> > ID_AA64PFR2_EL1_GCIE_IMP)
> > + return -EINVAL;
> > +
> > + return set_id_reg(vcpu, rd, user_val);
> > +}
> > +
> > /*
> > * Allow userspace to de-feature a stage-2 translation granule but
> > prevent it
> > * from claiming the impossible.
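Review bot: set_id_aa64pfr2_el1() only constrains GCIE for a GICv5 VM; on the non-v5 path, which per the commit message includes any write that lands before kvm_vgic_create() has set vgic_model, a user value with GCIE=IMP is passed straight to set_id_reg() and is rejected only if the generic comparison against the sanitised value catches it. If that is the intent, a comment here saying the non-v5 case is left to set_id_reg() (and that the irqchip must exist before ID registers are written) would spell out the reliance; otherwise a symmetric `!vgic_is_v5(vcpu->kvm) && FIELD_GET(...) != ID_AA64PFR2_EL1_GCIE_NI` reject would close the window explicitly.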
> > @@ -3202,10 +3227,11 @@ static const struct sys_reg_desc
> > sys_reg_descs[] = {
> > ID_AA64PFR1_EL1_RES0 |
> > ID_AA64PFR1_EL1_MPAM_frac |
> > ID_AA64PFR1_EL1_MTE)),
> > - ID_WRITABLE(ID_AA64PFR2_EL1,
> > - ID_AA64PFR2_EL1_FPMR |
> > - ID_AA64PFR2_EL1_MTEFAR |
> > - ID_AA64PFR2_EL1_MTESTOREONLY),
> > + ID_FILTERED(ID_AA64PFR2_EL1, id_aa64pfr2_el1,
> > + ~(ID_AA64PFR2_EL1_FPMR |
> > + ID_AA64PFR2_EL1_MTEFAR |
> > + ID_AA64PFR2_EL1_MTESTOREONLY |
> > + ID_AA64PFR2_EL1_GCIE)),
> > ID_UNALLOCATED(4,3),
> > ID_WRITABLE(ID_AA64ZFR0_EL1, ~ID_AA64ZFR0_EL1_RES0),
> > ID_HIDDEN(ID_AA64SMFR0_EL1),
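Review bot: the mask handed to ID_FILTERED() is the complement of the set the removed ID_WRITABLE() listed: the old entry named `ID_AA64PFR2_EL1_FPMR | ID_AA64PFR2_EL1_MTEFAR | ID_AA64PFR2_EL1_MTESTOREONLY` as the writable fields, while the new `~(... | ID_AA64PFR2_EL1_GCIE)` treats those as the fields userspace may not touch and makes every other bit of the register writable. The tail of the ID_AA64PFR1_EL1 entry in the context lines lists ID_AA64PFR1_EL1_RES0, which only makes sense as a list of non-writable fields, so the two conventions are being mixed here. If the intent is to keep FPMR/MTEFAR/MTESTOREONLY writable and add GCIE, drop the `~`; if the intent is the complement convention, the listed fields should be the ones that are not writable. Either way, please state in the commit message which fields are meant to be writable, since the explicit GCIE check in set_id_aa64pfr2_el1() suggests GCIE is among them.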
>
> Don't you also need something in kvm_finalize_sys_regs() to hide
> GICv5
> altogether if no irqchip has been instantiated?
Ah, I think you're right. I'll make sure we hide GICv5 there if we
don't have an in-kernel irqchip!
> It'd be worth
> extending the "no-vgic-v3" test to also cover GICv5.
OK, I'm looking into that.
Thanks,
Sascha
>
> Thanks,
>
> M.
>
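The exchange above turns on two details that are easy to check by hand but easier with a runnable model: whether GCIE can ever be non-zero before the OR in sanitise_id_aa64pfr2_el1(), and what a write through set_id_aa64pfr2_el1() is accepted or rejected on. The C below is an added, self-contained model written for this page; it is not KVM code and does not use the kernel's macros. It mirrors the shape of the two functions in the patch, with per-VM state standing in for kvm_has_mte() and vgic_is_v5(). Two things are assumptions and are marked as such in the code: the field bit positions (taken from the ID_AA64PFR2_EL1 layout as I understand it) and the rule that bits outside a descriptor's writable mask must equal the sanitised value, which is how I read what set_id_reg() does with the descriptor mask; the model lets you pass either mask polarity to see the effect.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Field masks for the model. ASSUMPTION: bit positions follow the
 * ID_AA64PFR2_EL1 layout as I understand it (MTESTOREONLY [7:4],
 * MTEFAR [11:8], FPMR [35:32], GCIE [39:36]); check
 * arch/arm64/tools/sysreg before relying on them for anything else.
 */
#define PFR2_MTESTOREONLY  (0xfULL << 4)
#define PFR2_MTEFAR        (0xfULL << 8)
#define PFR2_FPMR          (0xfULL << 32)
#define PFR2_GCIE_SHIFT    36
#define PFR2_GCIE          (0xfULL << PFR2_GCIE_SHIFT)
#define PFR2_GCIE_NI       0ULL
#define PFR2_GCIE_IMP      1ULL

/* The three fields the patch keeps unconditionally. */
#define PFR2_KEEP3         (PFR2_FPMR | PFR2_MTEFAR | PFR2_MTESTOREONLY)
/* Constructed host value: every modelled field at its maximum, GCIE included. */
#define PFR2_HW_MAX        (PFR2_KEEP3 | PFR2_GCIE)

/* Per-VM state standing in for kvm_has_mte() and vgic_is_v5(). */
struct vm_model {
	bool has_mte;
	bool vgic_is_v5;
};

static const struct vm_model model_gicv3_mte   = { .has_mte = true,  .vgic_is_v5 = false };
static const struct vm_model model_gicv3_nomte = { .has_mte = false, .vgic_is_v5 = false };
static const struct vm_model model_gicv5_mte   = { .has_mte = true,  .vgic_is_v5 = true  };

/*
 * Guest view of ID_AA64PFR2_EL1, following the shape of the patch's
 * sanitise_id_aa64pfr2_el1(). The first mask is what removes GCIE (and
 * every other field not listed) before IMP is OR'd in for a GICv5 VM.
 */
static uint64_t model_sanitise_pfr2(const struct vm_model *vm, uint64_t hw_val)
{
	uint64_t val = hw_val;

	val &= PFR2_KEEP3;

	if (!vm->has_mte)
		val &= ~(PFR2_MTEFAR | PFR2_MTESTOREONLY);

	if (vm->vgic_is_v5)
		val |= PFR2_GCIE_IMP << PFR2_GCIE_SHIFT;

	return val;
}

/*
 * Userspace write check. The GCIE rule is the patch's own. The second
 * rule is an ASSUMPTION about the generic path: bits outside the
 * descriptor's writable mask must equal the sanitised value. Returns 0
 * when the write would be accepted and -1 when it would be rejected.
 */
static int model_set_pfr2(const struct vm_model *vm, uint64_t hw_val,
			  uint64_t writable_mask, uint64_t user_val)
{
	uint64_t limit = model_sanitise_pfr2(vm, hw_val);
	uint64_t gcie = (user_val & PFR2_GCIE) >> PFR2_GCIE_SHIFT;

	if (vm->vgic_is_v5 && gcie != PFR2_GCIE_IMP)
		return -1;

	if ((user_val & ~writable_mask) != (limit & ~writable_mask))
		return -1;

	return 0;
}

int main(void)
{
	const uint64_t user_imp = PFR2_KEEP3 | (PFR2_GCIE_IMP << PFR2_GCIE_SHIFT);

	printf("GICv3 guest view:         %#llx\n",
	       (unsigned long long)model_sanitise_pfr2(&model_gicv3_mte, PFR2_HW_MAX));
	printf("GICv5 guest view:         %#llx\n",
	       (unsigned long long)model_sanitise_pfr2(&model_gicv5_mte, PFR2_HW_MAX));
	printf("GICv5, user GCIE=NI:      %d\n",
	       model_set_pfr2(&model_gicv5_mte, PFR2_HW_MAX, PFR2_KEEP3 | PFR2_GCIE, PFR2_KEEP3));
	printf("GICv5, user GCIE=IMP:     %d\n",
	       model_set_pfr2(&model_gicv5_mte, PFR2_HW_MAX, PFR2_KEEP3 | PFR2_GCIE, user_imp));
	printf("GICv3, complement mask, user clears FPMR: %d\n",
	       model_set_pfr2(&model_gicv3_mte, PFR2_HW_MAX, ~(PFR2_KEEP3 | PFR2_GCIE), 0));
	return 0;
}
```

Feeding a host value whose GCIE field is all ones shows the guest view coming out as exactly IMP for a GICv5 VM and NI otherwise, because the first mask discards the field before anything is OR'd in. The last two calls in main() pass the two mask polarities: with `PFR2_KEEP3 | PFR2_GCIE` as the writable set a GICv3 VM can clear FPMR, with the complement it cannot, while a stray bit above the modelled fields is accepted under the complement and rejected under the plain mask.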