Re: [PATCH v1 0/5] KVM: arm64: Enforce MTE disablement at EL2

linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed

From: Oliver Upton <oupton@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	maz@kernel.org, oliver.upton@linux.dev, joey.gouly@arm.com,
	suzuki.poulose@arm.com, yuzenghui@huawei.com,
	catalin.marinas@arm.com, will@kernel.org
Subject: Re: [PATCH v1 0/5] KVM: arm64: Enforce MTE disablement at EL2
Date: Tue, 2 Dec 2025 14:43:36 -0800	[thread overview]
Message-ID: <aS9rmMgNna7I5g4F@kernel.org> (raw)
In-Reply-To: <20251127122210.4111702-1-tabba@google.com>

Hi Fuad,

On Thu, Nov 27, 2025 at 12:22:05PM +0000, Fuad Tabba wrote:
> pKVM never exposes MTE to protected guests (pVM), but we must also
> ensure a malicious host cannot use MTE to attack the hypervisor or a
> pVM.
> 
> If MTE is supported by the hardware (and is enabled at EL3), it remains
> available to lower exception levels by default. Disabling it in the host
> kernel (e.g., via 'arm64.nomte') only stops the kernel from advertising
> the feature; it does not physically disable MTE in the hardware.
> 
> In this scenario, a malicious host could still access tags in pages
> donated to a guest using MTE instructions (e.g., STG and LDG), bypassing
> the kernel's configuration.
> 
> To prevent this, explicitly disable MTE at EL2 (by clearing HCR_EL2.ATA)
> when the host has MTE disabled. This causes any MTE instruction usage to
> generate a Data Abort (trap) to the hypervisor.
> 
> Additionally, to faithfully mimic hardware that does not support MTE,
> trap accesses to MTE system registers (e.g., GCR_EL1) and inject an
> Undefined Instruction exception back to the host.
> 
> This logic is applied in all non-VHE modes. For non-protected modes,
> this remains beneficial as it prevents unpredictable behavior caused by
> accessing allocation tags when the system considers them disabled.
> 
> Note that this ties into my other outgoing patch series [1], which also
> has some MTE-related fixes, but is not dependent on it.

To be honest, I've actually been having a bit of a hard time
rationalizing some of these targeted fixes for pKVM. It has been in a
half working state upstream for O(years) and we haven't made forward
progress on enabling pVMs.

Fully aware that guest_memfd has been one of the long poles here, but
I'm becoming less interested in fixes addressing "pKVM policy is XYZ"
without having the full picture of the feature.

What are the upstream plans on enabling some basic implementation of
protected VMs?

Thanks,
Oliver

next prev parent reply	other threads:[~2025-12-02 22:43 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-27 12:22 [PATCH v1 0/5] KVM: arm64: Enforce MTE disablement at EL2 Fuad Tabba
2025-11-27 12:22 ` [PATCH v1 1/5] arm64: Remove dead code resetting HCR_EL2 for pKVM Fuad Tabba
2025-11-27 12:22 ` [PATCH v1 2/5] arm64: Clear HCR_EL2.ATA when MTE is not supported or disabled Fuad Tabba
2025-11-27 12:22 ` [PATCH v1 3/5] KVM: arm64: Refactor enter_exception64() Fuad Tabba
2025-11-27 12:22 ` [PATCH v1 4/5] arm64: Inject UNDEF when accessing MTE sysregs with MTE disabled Fuad Tabba
2025-11-27 14:17   ` Marc Zyngier
2025-11-27 14:41     ` Fuad Tabba
2025-11-28  8:43       ` Marc Zyngier
2025-11-28  8:53         ` Fuad Tabba
2025-11-28 12:10         ` Will Deacon
2025-11-27 12:22 ` [PATCH v1 5/5] KVM: arm64: Use kvm_has_mte() in pKVM trap initialization Fuad Tabba
2025-12-02 22:43 ` Oliver Upton [this message]
2025-12-05 17:00   ` [PATCH v1 0/5] KVM: arm64: Enforce MTE disablement at EL2 Will Deacon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aS9rmMgNna7I5g4F@kernel.org \
    --to=oupton@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=joey.gouly@arm.com \
    --cc=kvmarm@lists.linux.dev \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=maz@kernel.org \
    --cc=oliver.upton@linux.dev \
    --cc=suzuki.poulose@arm.com \
    --cc=tabba@google.com \
    --cc=will@kernel.org \
    --cc=yuzenghui@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).