[PATCH 59/89] KVM: arm64: Do not support MTE for protected VMs

Fuad Tabba tabba at google.com
Fri May 27 00:55:42 PDT 2022


Hi Peter,

On Thu, May 26, 2022 at 9:08 PM Peter Collingbourne <pcc at google.com> wrote:
>
> On Thu, May 19, 2022 at 7:40 AM Will Deacon <will at kernel.org> wrote:
> >
> > From: Fuad Tabba <tabba at google.com>
> >
> > Return an error (-EINVAL) if trying to enable MTE on a protected
> > vm.
>
> I think this commit message needs more explanation as to why MTE is
> not currently supported in protected VMs.

Yes, we need to explain this more. Basically this is an extension of
restricting features for protected VMs done earlier [*].

Various VM feature configurations are allowed in KVM/arm64, each requiring
specific handling logic to deal with traps, context-switching and potentially
emulation. Achieving feature parity in pKVM therefore requires either elevating
this logic to EL2 (and substantially increasing the TCB) or continuing to trust
the host handlers at EL1. Since neither of these options is especially
appealing, pKVM instead limits the CPU features exposed to a guest to a fixed
configuration based on the underlying hardware and which can mostly be provided
straightforwardly by EL2.

This of course can change in the future and we can support more
features for protected VMs as needed. We'll expand on this commit
message when we respin.

Also note that this only applies to protected VMs. Non-protected VMs
in protected mode support MTE.

Cheers,
/fuad

[*] https://lore.kernel.org/kvmarm/20210827101609.2808181-1-tabba@google.com/
>
> Peter



More information about the linux-arm-kernel mailing list