From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id DF0ADC56204 for ; Fri, 20 Feb 2026 14:52:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:MIME-Version: References:In-Reply-To:Subject:Cc:To:From:Message-ID:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=sTdG8btimHKwmZNKKennypN5GyP/pfImU2mZiCz0IvA=; b=z31pS3KXqn4lKhmwQ649z7TQSV mSkEjcbAj5Lca4YS8qQ5WCltD0jzWh4uuvF3O0BtqgsdgJpHbry0ijR8kHVqNGJbgfyuOo3kLKFak 4JMatc1kXqvMtgZkQuods9DBlSQCv9Y/S9jfN7vqqn2bErEIxP0PZDTVK4cUZbW6nQwLL6Whf3SO/ gfHWY8Bhe3lmBV5KP6yXYIL/T/f7xfMgVqpZlvGFupBm33aOBOFVZUg1Y0mCzIjlqdl1hXSjOaMN1 IsAmD7nIezHcA2LaqebBChBdQpVkV/UeEFhWzGi9PI2GzXS0lT0JfKSm7WrI5y07UTBBkSwgrKBsp In4puG/Q==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1vtRra-0000000EtrY-0HrU; Fri, 20 Feb 2026 14:52:14 +0000 Received: from tor.source.kernel.org ([2600:3c04:e001:324:0:1991:8:25]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1vtRrY-0000000EtrJ-15kc for linux-arm-kernel@lists.infradead.org; Fri, 20 Feb 2026 14:52:12 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by tor.source.kernel.org (Postfix) with ESMTP id C79DD6185F; Fri, 20 Feb 2026 14:52:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 77C0DC116D0; Fri, 20 Feb 2026 14:52:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1771599130; bh=cKD/AWPnjjeWq0pI84Atiws6ljOTReoU+0PYJxYItcs=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=TV+Vj8GDWrGz2HdGQNgaKRORsnNRsJ4TtkD1IWFOG1VBtyPjCxEutL4SqXgJTYtT8 425NFcgTEigPlV4wtZ5jugVbc64BHY+fEk7kNG5FbPJjN5NDIHXh4OWm6VJI7LeROn dyBWBaNYljwszaSMy2pR4kw9WjdTj7iHUS4Y8FoSoCHM0hS9TduFUD8YdxXweJDySq TIAdq5rlyH7DJReZefkFWpqzCCz89zj8z9lr9g0499nqSS5ld8tdVCYqZPCTz4J7c4 sxRm9LOWJ756ZZjI/PJYWbBDtBsFFEJSOdZDe/2T8Zi+dcHc4Fpt+r1C4yJDcZhUqQ QGnSqGj56XncA== Received: from sofa.misterjones.org ([185.219.108.64] helo=goblin-girl.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vtRrU-0000000CSW5-1neS; Fri, 20 Feb 2026 14:52:08 +0000 Date: Fri, 20 Feb 2026 14:52:07 +0000 Message-ID: <86tsvba2nc.wl-maz@kernel.org> From: Marc Zyngier To: Fuad Tabba Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, Will Deacon , Catalin Marinas , Mark Rutland , Joey Gouly , Suzuki K Poulose , Oliver Upton , Zenghui Yu Subject: Re: [PATCH 1/9] arm64: Add logic to fully remove features from sanitised id registers In-Reply-To: References: <20260219195533.2455736-1-maz@kernel.org> <20260219195533.2455736-2-maz@kernel.org> <86v7frafpx.wl-maz@kernel.org> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/30.1 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: tabba@google.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, will@kernel.org, catalin.marinas@arm.com, mark.rutland@arm.com, joey.gouly@arm.com, suzuki.poulose@arm.com, oupton@kernel.org, yuzenghui@huawei.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, 20 Feb 2026 11:06:03 +0000, Fuad Tabba wrote: > > > > > + switch (ftrp->visibility) { > > > > + case FTR_VISIBLE: > > > > + val = arm64_ftr_set_value(ftrp, val, ftr_new); > > > > user_mask |= ftr_mask; > > > > - else > > > > + break; > > > > + case FTR_ALL_HIDDEN: > > > > + val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val); > > > > + reg->user_val = arm64_ftr_set_value(ftrp, > > > > + reg->user_val, > > > > + ftrp->safe_val); > > > > > > Should we also take the safe value in update_cpu_ftr_reg() for FTR_ALL_HIDDEN? > > > > I would expect arm64_ftr_safe_value() to do the right thing at that > > stage, given that we have primed the boot CPU with the safe value, and > > that we rely on that bootstrap to make the registers converge towards > > something safe. This is also what happens for the command-line override. > > > > Or have you spotted a case where this go wrong? > > I think so... What if a future FTR_ALL_HIDDEN feature is defined as > FTR_HIGHER_SAFE? Wouldn't that cause problems on secondary CPUs? > init_cpu_ftr_reg() primes sys_val with safe_val on the boot CPU, > update_cpu_ftr_reg() on secondary CPUs compares the hardware value > (ftr_new) against safe_val (ftr_cur). For FTR_HIGHER_SAFE, > arm64_ftr_safe_value() returns max(ftr_new, safe_val). Since the > hardware value is higher, update_cpu_ftr_reg() overwrites sys_val with > the hardware value, resurrecting the hidden feature globally. Huh, that's an interesting observation. SpecSEI is the only case we currently deal with that is HIGHER_SAFE. But look at what this feature describes: bloody speculative SErrors! Not taking this into account could be really deadly, and the kernel really ought to know about it. > > The features in this patch are FTR_LOWER_SAFE or FTR_EXACT (which > happen to sink to safe_val), which is why it's not a problem with > these current features. My conclusion is that it is simply not safe to make such feature conditional in any way. Note that's also the case of for an override: look at how we will refuse to downgrade a value in init_cpu_ftr_reg(): if ((ftr_mask & reg->override->mask) == ftr_mask) { s64 tmp = arm64_ftr_safe_value(ftrp, ftr_ovr, ftr_new); char *str = NULL; if (ftr_ovr != tmp) { /* Unsafe, remove the override */ reg->override->mask &= ~ftr_mask; reg->override->val &= ~ftr_mask; tmp = ftr_ovr; str = "ignoring override"; [...] I think we must prevent this downgrade the same way, meaning that ALL_HIDDEN and FTR_HIGHER are mutually exclusive. How about that: diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index d58931e63a0b6..2cae00b4b0c5f 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1067,7 +1067,14 @@ static void init_cpu_ftr_reg(u32 sys_reg, u64 new) user_mask |= ftr_mask; break; case FTR_ALL_HIDDEN: - val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val); + /* + * ALL_HIDDEN and HIGHER_SAFE are incompatible. + * Only hide from userspace, and log the oddity. + */ + if (WARN_ON(ftrp->type == FTR_HIGHER_SAFE)) + val = arm64_ftr_set_value(ftrp, val, ftr_new); + else + val = arm64_ftr_set_value(ftrp, val, ftrp->safe_val); reg->user_val = arm64_ftr_set_value(ftrp, reg->user_val, ftrp->safe_val); Thanks, M. -- Without deviation from the norm, progress is not possible.