From: Alexandru Elisei <alexandru.elisei@arm.com>
To: Marc Zyngier <maz@kernel.org>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
kvm@vger.kernel.org, Joey Gouly <joey.gouly@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oupton@kernel.org>,
Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH 4/4] KVM: arm64: Convert VTCR_EL2 to config-driven sanitisation
Date: Wed, 3 Dec 2025 14:03:51 +0000 [thread overview]
Message-ID: <aTBDRx1oeGDs2SFl@raptor> (raw)
In-Reply-To: <86ikenpvna.wl-maz@kernel.org>
Hi Marc,
On Wed, Dec 03, 2025 at 01:00:57PM +0000, Marc Zyngier wrote:
> On Wed, 03 Dec 2025 11:44:14 +0000,
> Alexandru Elisei <alexandru.elisei@arm.com> wrote:
> >
> > Hi Marc,
> >
> > On Sat, Nov 29, 2025 at 02:45:25PM +0000, Marc Zyngier wrote:
> > > Describe all the VTCR_EL2 fields and their respective configurations,
> > > making sure that we correctly ignore the bits that are not defined
> > > for a given guest configuration.
> > >
> > > Signed-off-by: Marc Zyngier <maz@kernel.org>
> > > ---
> > > arch/arm64/kvm/config.c | 69 +++++++++++++++++++++++++++++++++++++++++
> > > arch/arm64/kvm/nested.c | 3 +-
> > > 2 files changed, 70 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/arch/arm64/kvm/config.c b/arch/arm64/kvm/config.c
> > > index a02c28d6a61c9..c36e133c51912 100644
> > > --- a/arch/arm64/kvm/config.c
> > > +++ b/arch/arm64/kvm/config.c
> > > @@ -141,6 +141,7 @@ struct reg_feat_map_desc {
> > > #define FEAT_AA64EL1 ID_AA64PFR0_EL1, EL1, IMP
> > > #define FEAT_AA64EL2 ID_AA64PFR0_EL1, EL2, IMP
> > > #define FEAT_AA64EL3 ID_AA64PFR0_EL1, EL3, IMP
> > > +#define FEAT_SEL2 ID_AA64PFR0_EL1, SEL2, IMP
> > > #define FEAT_AIE ID_AA64MMFR3_EL1, AIE, IMP
> > > #define FEAT_S2POE ID_AA64MMFR3_EL1, S2POE, IMP
> > > #define FEAT_S1POE ID_AA64MMFR3_EL1, S1POE, IMP
> > > @@ -202,6 +203,8 @@ struct reg_feat_map_desc {
> > > #define FEAT_ASID2 ID_AA64MMFR4_EL1, ASID2, IMP
> > > #define FEAT_MEC ID_AA64MMFR3_EL1, MEC, IMP
> > > #define FEAT_HAFT ID_AA64MMFR1_EL1, HAFDBS, HAFT
> > > +#define FEAT_HDBSS ID_AA64MMFR1_EL1, HAFDBS, HDBSS
> > > +#define FEAT_HPDS2 ID_AA64MMFR1_EL1, HPDS, HPDS2
> > > #define FEAT_BTI ID_AA64PFR1_EL1, BT, IMP
> > > #define FEAT_ExS ID_AA64MMFR0_EL1, EXS, IMP
> > > #define FEAT_IESB ID_AA64MMFR2_EL1, IESB, IMP
> > > @@ -219,6 +222,7 @@ struct reg_feat_map_desc {
> > > #define FEAT_FGT2 ID_AA64MMFR0_EL1, FGT, FGT2
> > > #define FEAT_MTPMU ID_AA64DFR0_EL1, MTPMU, IMP
> > > #define FEAT_HCX ID_AA64MMFR1_EL1, HCX, IMP
> > > +#define FEAT_S2PIE ID_AA64MMFR3_EL1, S2PIE, IMP
> > >
> > > static bool not_feat_aa64el3(struct kvm *kvm)
> > > {
> > > @@ -362,6 +366,28 @@ static bool feat_pmuv3p9(struct kvm *kvm)
> > > return check_pmu_revision(kvm, V3P9);
> > > }
> > >
> > > +#define has_feat_s2tgran(k, s) \
> > > + ((kvm_has_feat_enum(kvm, ID_AA64MMFR0_EL1, TGRAN##s##_2, TGRAN##s) && \
> > > + !kvm_has_feat_enum(kvm, ID_AA64MMFR0_EL1, TGRAN##s, NI)) || \
> >
> > Wouldn't that read better as kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN##s, IMP)?
> > I think that would also be correct.
>
> Sure, I don't mind either way,
>
> >
> > > + kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN##s##_2, IMP))
> >
> > A bit unexpected to treat the same field first as an enum, then as an integer,
> > but it saves one line.
>
> It potentially saves more if the encoding grows over time. I don't
> think it matters.
Doesn't, was just aestethics and saves someone having to check the values to
make sure it wasn't an error.
>
> >
> > > +
> > > +static bool feat_lpa2(struct kvm *kvm)
> > > +{
> > > + return ((kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN4, 52_BIT) ||
> > > + !kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN4, IMP)) &&
> > > + (kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN16, 52_BIT) ||
> > > + !kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN16, IMP)) &&
> > > + (kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN4_2, 52_BIT) ||
> > > + !has_feat_s2tgran(kvm, 4)) &&
> > > + (kvm_has_feat(kvm, ID_AA64MMFR0_EL1, TGRAN16_2, 52_BIT) ||
> > > + !has_feat_s2tgran(kvm, 16)));
> > > +}
> >
> > That was a doozy, but looks correct to me if the intention was to have the check
> > as relaxed as possible - i.e, a VM can advertise 52 bit support for one granule,
> > but not the other (same for stage 1 and stage 2).
>
> Not quite. The intent is that, for all the possible granules, at all
> the possible stages, either the granule size isn't implemented at all,
> or it supports 52 bits. I think this covers it, but as you said, this
> is a bit of a bran fsck.
Hm... this sounds like something that should be sanitised in
set_id_aa64mmfr0_el1(). Sorry, but I just can't tell if TGran{4,16,64} are
writable by userspace.
>
> This is essentially a transliteration of the MRS:
>
> (FEAT_LPA2 && FEAT_S2TGran4K) <=> (UInt(ID_AA64MMFR0_EL1.TGran4_2) >= 3))
> (FEAT_LPA2 && FEAT_S2TGran16K) <=> (UInt(ID_AA64MMFR0_EL1.TGran16_2) >= 3))
> (FEAT_LPA2 && FEAT_TGran4K) <=> (SInt(ID_AA64MMFR0_EL1.TGran4) >= 1))
> (FEAT_LPA2 && FEAT_TGran16K) <=> (UInt(ID_AA64MMFR0_EL1.TGran16) >= 2))
> FEAT_S2TGran4K <=> (((UInt(ID_AA64MMFR0_EL1.TGran4_2) == 0) && FEAT_TGran4K) || (UInt(ID_AA64MMFR0_EL1.TGran4_2) >= 2))
> FEAT_S2TGran16K <=> (((UInt(ID_AA64MMFR0_EL1.TGran16_2) == 0) && FEAT_TGran16K) || (UInt(ID_AA64MMFR0_EL1.TGran16_2) >= 2))
> FEAT_TGran4K <=> (SInt(ID_AA64MMFR0_EL1.TGran4) >= 0)
> FEAT_TGran16K <=> (UInt(ID_AA64MMFR0_EL1.TGran16) >= 1)
How about (untested):
static bool feat_lpas2(struct kvm *kvm)
{
if (kvm_has_feat_exact(kvm, ID_AA64MMFR0_EL1, TGRAN4, IMP) ||
kvm_has_feat_exact(kvm, ID_AA64MMFR0_EL1, TGRAN16, IMP) ||
kvm_has_feat_exact(kvm, ID_AA64MMFR0_EL1, TGRAN4_2, IMP) ||
kvm_has_feat_exact(kvm, ID_AA64MMFR0_EL1, TGRAN16_2, IMP))
return false;
return true;
}
where, in case there's not something similar already and I just don't know about
it:
#define kvm_has_feat_exact(kvm, id, fld, val) \
kvm_cmp_feat(kvm, id, fld, =, val)
The idea being that if one of the granules does not support 52 bit, then it's
not supported by any of the other granules.
Thanks,
Alex
next prev parent reply other threads:[~2025-12-03 14:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-29 14:45 [PATCH 0/4] KVM: arm64: VTCR_EL2 conversion to feature dependency framework Marc Zyngier
2025-11-29 14:45 ` [PATCH 1/4] arm64: Convert ID_AA64MMFR0_EL1.TGRAN{4,16,64}_2 to UnsignedEnum Marc Zyngier
2025-11-29 14:45 ` [PATCH 2/4] arm64: Convert VTCR_EL2 to sysreg infratructure Marc Zyngier
2025-12-03 11:43 ` Alexandru Elisei
2025-11-29 14:45 ` [PATCH 3/4] KVM: arm64: Account for RES1 bits in DECLARE_FEAT_MAP() Marc Zyngier
2025-11-29 14:45 ` [PATCH 4/4] KVM: arm64: Convert VTCR_EL2 to config-driven sanitisation Marc Zyngier
2025-12-03 11:44 ` Alexandru Elisei
2025-12-03 13:00 ` Marc Zyngier
2025-12-03 14:03 ` Alexandru Elisei [this message]
2025-12-03 14:58 ` Marc Zyngier
2025-12-03 15:20 ` Alexandru Elisei
2025-12-03 16:17 ` Joey Gouly
2025-12-03 16:43 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aTBDRx1oeGDs2SFl@raptor \
--to=alexandru.elisei@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).