[PATCH v1 08/26] KVM: arm64: Split up feature sysreg sanitisation

Steffen Eiden seiden at linux.ibm.com
Fri May 29 08:55:41 PDT 2026


Split ID register sanitisation into distinct stages:

1) static KVM limits (kvm_max_possible_guest_ftr_reg)
2) host-specific (kvm_sanitised_host_ftr_reg)
3) per-vcpu configuration (kvm_sanitise_vcpu_ftr_reg)

This refactoring improves code organization by separating concerns.
Static limits apply regardless of host or guest configuration. Host
capability checks handle features like GIC, GCIE, and Spectre
mitigations. Per-vcpu feature configuration manages SVE, MTE, PMU, and
similar guest-specific features. Additionally, this enables other
architectures to add different host-implementation-based sanitisation in
the future.

Remove the helper functions sanitise_id_aa64{pfr0,pfr1,pfr2,dfr0}_el1;
their logic now lives in the three stage functions above.

Co-developed-by: Nina Schoetterl-Glausch <nsg at linux.ibm.com>
Signed-off-by: Nina Schoetterl-Glausch <nsg at linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden at linux.ibm.com>
---
 arch/arm64/kvm/sys_regs.c | 291 ++++++++++++++++++++------------------
 1 file changed, 153 insertions(+), 138 deletions(-)

diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index 2434bcc2d50d..b9aa892616ab 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -1841,54 +1841,86 @@ static u8 pmuver_to_perfmon(u8 pmuver)
 	}
 }
 
-static u64 sanitise_id_aa64pfr0_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64pfr1_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu, u64 val);
-
-/* Read a sanitised cpufeature ID register by sys_reg_desc */
-static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
-				       const struct sys_reg_desc *r)
+/*
+ * Sanitise based on the host implementation.
+ */
+static u64 kvm_sanitised_host_ftr_reg(u32 id)
 {
-	u32 id = reg_to_encoding(r);
-	u64 val;
-
-	if (sysreg_visible_as_raz(vcpu, r))
-		return 0;
-
-	val = read_sanitised_ftr_reg(id);
+	u64 val = read_sanitised_ftr_reg(id);
 
 	switch (id) {
-	case SYS_ID_AA64DFR0_EL1:
-		val = sanitise_id_aa64dfr0_el1(vcpu, val);
+	case SYS_ID_AA64ISAR2_EL1:
+		if (!cpus_have_final_cap(ARM64_HAS_WFXT) ||
+		    has_broken_cntvoff())
+			val &= ~ID_AA64ISAR2_EL1_WFxT;
 		break;
 	case SYS_ID_AA64PFR0_EL1:
-		val = sanitise_id_aa64pfr0_el1(vcpu, val);
+		/*
+		 * The default is to expose CSV2 == 1 if the HW isn't affected.
+		 * Although this is a per-CPU feature, we make it global because
+		 * asymmetric systems are just a nuisance.
+		 *
+		 * Userspace can override this as long as it doesn't promise
+		 * the impossible.
+		 */
+		if (arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED) {
+			val &= ~ID_AA64PFR0_EL1_CSV2_MASK;
+			val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV2, IMP);
+		}
+		if (arm64_get_meltdown_state() == SPECTRE_UNAFFECTED) {
+			val &= ~ID_AA64PFR0_EL1_CSV3_MASK;
+			val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV3, IMP);
+		}
+		if (vgic_host_has_gicv3()) {
+			val &= ~ID_AA64PFR0_EL1_GIC_MASK;
+			val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
+		}
 		break;
-	case SYS_ID_AA64PFR1_EL1:
-		val = sanitise_id_aa64pfr1_el1(vcpu, val);
+	case SYS_ID_AA64PFR1_EL1: {
+		u64 pfr0_host = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
+
+		if (!(cpus_have_final_cap(ARM64_HAS_RASV1P1_EXTN) &&
+		      SYS_FIELD_GET(ID_AA64PFR0_EL1, RAS, pfr0_host) == ID_AA64PFR0_EL1_RAS_IMP))
+			val &= ~ID_AA64PFR1_EL1_RAS_frac;
 		break;
+	}
 	case SYS_ID_AA64PFR2_EL1:
-		val = sanitise_id_aa64pfr2_el1(vcpu, val);
+		if (vgic_host_has_gicv5())
+			val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR2_EL1, GCIE, IMP);
 		break;
-	case SYS_ID_AA64ISAR1_EL1:
-		if (!vcpu_has_ptrauth(vcpu))
-			val &= ~(ID_AA64ISAR1_EL1_APA |
-				 ID_AA64ISAR1_EL1_API |
-				 ID_AA64ISAR1_EL1_GPA |
-				 ID_AA64ISAR1_EL1_GPI);
+	case SYS_ID_AA64MMFR3_EL1:
+		if (!system_supports_poe())
+			val &= ~ID_AA64MMFR3_EL1_S1POE;
+		break;
+	}
+
+	return val;
+}
+
+/*
+ * Statically sanitise the host's feature register, independent of the guest's
+ * configuration and host implementation.
+ */
+static u64 kvm_max_possible_guest_ftr_reg(u32 id, u64 val)
+{
+	switch (id) {
+	case SYS_ID_AA64DFR0_EL1:
+		val = ID_REG_LIMIT_FIELD_ENUM(val, ID_AA64DFR0_EL1, DebugVer, V8P8);
+
+		/* Hide SPE from guests */
+		val &= ~ID_AA64DFR0_EL1_PMSVer_MASK;
+
+		/* Hide BRBE from guests */
+		val &= ~ID_AA64DFR0_EL1_BRBE_MASK;
 		break;
 	case SYS_ID_AA64ISAR2_EL1:
-		if (!vcpu_has_ptrauth(vcpu))
-			val &= ~(ID_AA64ISAR2_EL1_APA3 |
-				 ID_AA64ISAR2_EL1_GPA3);
-		if (!cpus_have_final_cap(ARM64_HAS_WFXT) ||
-		    has_broken_cntvoff())
+		/* Mask WFxT field unless *both* WFET & WFIT are present. */
+		if (!id_has_feat(val, ID_AA64ISAR2_EL1, WFxT, IMP))
 			val &= ~ID_AA64ISAR2_EL1_WFxT;
 		break;
 	case SYS_ID_AA64ISAR3_EL1:
 		val &= ID_AA64ISAR3_EL1_FPRCVT | ID_AA64ISAR3_EL1_LSFE |
-			ID_AA64ISAR3_EL1_FAMINMAX | ID_AA64ISAR3_EL1_LSUI;
+		       ID_AA64ISAR3_EL1_FAMINMAX | ID_AA64ISAR3_EL1_LSUI;
 		break;
 	case SYS_ID_AA64MMFR2_EL1:
 		val &= ~ID_AA64MMFR2_EL1_CCIDX_MASK;
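Review bot: The SYS_ID_AA64PFR2_EL1 case in kvm_sanitised_host_ftr_reg only ORs in GCIE when vgic_host_has_gicv5() is true and never clears the hardware's GCIE field otherwise, whereas the removed sanitise_id_aa64pfr2_el1 masked the register before setting it; as written this stage silently relies on a later allow-list to hide GCIE from guests on a host without vGICv5. Since the comment describes this function as the host-implementation view, make it self-contained the way the GIC handling in the PFR0 case already is: add `val &= ~ID_AA64PFR2_EL1_GCIE_MASK;` before the existing `if (vgic_host_has_gicv5())`, assuming the generated mask macro for the GCIE field follows the same naming as ID_AA64PFR0_EL1_GIC_MASK. Note also that the PFR0 case leaves the raw GIC field untouched when vgic_host_has_gicv3() is false, which is behaviour carried over from the deleted helper rather than something this patch introduces. kvm_max_possible_guest_ftr_reg continues past the end of the hunk.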
@@ -1899,13 +1931,81 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
 		       ID_AA64MMFR3_EL1_SCTLRX |
 		       ID_AA64MMFR3_EL1_S1POE |
 		       ID_AA64MMFR3_EL1_S1PIE;
-
-		if (!system_supports_poe())
-			val &= ~ID_AA64MMFR3_EL1_S1POE;
 		break;
 	case SYS_ID_MMFR4_EL1:
 		val &= ~ID_MMFR4_EL1_CCIDX;
 		break;
+	case SYS_ID_AA64PFR0_EL1:
+		val &= ~ID_AA64PFR0_EL1_AMU_MASK;
+		/*
+		 * MPAM is disabled by default as KVM also needs a set of PARTID to
+		 * program the MPAMVPMx_EL2 PARTID remapping registers with. But some
+		 * older kernels let the guest see the ID bit.
+		 */
+		val &= ~ID_AA64PFR0_EL1_MPAM_MASK;
+		break;
+	case SYS_ID_AA64PFR1_EL1:
+		val &= ~ID_AA64PFR1_EL1_SME;
+		val &= ~ID_AA64PFR1_EL1_RNDR_trap;
+		val &= ~ID_AA64PFR1_EL1_NMI;
+		val &= ~ID_AA64PFR1_EL1_GCS;
+		val &= ~ID_AA64PFR1_EL1_THE;
+		val &= ~ID_AA64PFR1_EL1_MTEX;
+		val &= ~ID_AA64PFR1_EL1_PFAR;
+		val &= ~ID_AA64PFR1_EL1_MPAM_frac;
+		break;
+	case SYS_ID_AA64PFR2_EL1:
+		val &= ID_AA64PFR2_EL1_FPMR |
+		       ID_AA64PFR2_EL1_MTEFAR |
+		       ID_AA64PFR2_EL1_MTESTOREONLY;
+		break;
+	}
+
+	return val;
+}
+
+/*
+ * Sanitise based on vCPU configuration.
+ */
+static u64 kvm_sanitise_vcpu_ftr_reg(const struct kvm_vcpu *vcpu, u32 id, u64 val)
+{
+	switch (id) {
+	case SYS_ID_AA64DFR0_EL1:
+		/*
+		 * Only initialize the PMU version if the vCPU was configured with one.
+		 */
+		val &= ~ID_AA64DFR0_EL1_PMUVer_MASK;
+		if (kvm_vcpu_has_pmu(vcpu))
+			val |= SYS_FIELD_PREP(ID_AA64DFR0_EL1, PMUVer,
+					      kvm_arm_pmu_get_pmuver_limit());
+		break;
+	case SYS_ID_AA64PFR0_EL1:
+		if (!vcpu_has_sve(vcpu))
+			val &= ~ID_AA64PFR0_EL1_SVE_MASK;
+		break;
+	case SYS_ID_AA64PFR1_EL1:
+		if (!kvm_has_mte(vcpu->kvm)) {
+			val &= ~ID_AA64PFR1_EL1_MTE;
+			val &= ~ID_AA64PFR1_EL1_MTE_frac;
+		}
+		break;
+	case SYS_ID_AA64PFR2_EL1:
+		if (!kvm_has_mte(vcpu->kvm)) {
+			val &= ~ID_AA64PFR2_EL1_MTEFAR;
+			val &= ~ID_AA64PFR2_EL1_MTESTOREONLY;
+		}
+		break;
+	case SYS_ID_AA64ISAR1_EL1:
+		if (!vcpu_has_ptrauth(vcpu))
+			val &= ~(ID_AA64ISAR1_EL1_APA |
+				 ID_AA64ISAR1_EL1_API |
+				 ID_AA64ISAR1_EL1_GPA |
+				 ID_AA64ISAR1_EL1_GPI);
+		break;
+	case SYS_ID_AA64ISAR2_EL1:
+		if (!vcpu_has_ptrauth(vcpu))
+			val &= ~(ID_AA64ISAR2_EL1_APA3 |
+				 ID_AA64ISAR2_EL1_GPA3);
 	}
 
 	if (vcpu_has_nv(vcpu))
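Review bot: kvm_max_possible_guest_ftr_reg mixes two idioms without saying so: most cases clear individual fields, but the ISAR3, MMFR3 and PFR2 cases are allow-lists that discard every field not named, which also discards anything a preceding stage deliberately set (the GCIE field that kvm_sanitised_host_ftr_reg sets is one such field in the PFR2 case). The function comment should state that contract, e.g. `/* ISAR3, MMFR3 and PFR2 are allow-lists: any field a guest may ever see must be named there, including fields set by another stage. */`. Separately, the final `case SYS_ID_AA64ISAR2_EL1:` in kvm_sanitise_vcpu_ftr_reg has no trailing `break;` before the switch's closing brace, unlike every other case in the three stage functions; add it so that a case appended later does not fall through unnoticed. kvm_max_possible_guest_ftr_reg starts before this hunk and kvm_sanitise_vcpu_ftr_reg continues past its end.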
@@ -1914,6 +2014,23 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
 	return val;
 }
 
+/* Read a sanitised cpufeature ID register by sys_reg_desc */
+static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
+				       const struct sys_reg_desc *r)
+{
+	u32 id = reg_to_encoding(r);
+	u64 val;
+
+	if (sysreg_visible_as_raz(vcpu, r))
+		return 0;
+
+	val = kvm_sanitised_host_ftr_reg(id);
+	val = kvm_max_possible_guest_ftr_reg(id, val);
+	val = kvm_sanitise_vcpu_ftr_reg(vcpu, id, val);
+
+	return val;
+}
+
 static u64 kvm_read_sanitised_id_reg(struct kvm_vcpu *vcpu,
 				     const struct sys_reg_desc *r)
 {
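Review bot: The stage order in __kvm_read_sanitised_id_reg — kvm_sanitised_host_ftr_reg first, kvm_max_possible_guest_ftr_reg second — regresses ID_AA64PFR2_EL1.GCIE: the host stage sets GCIE=IMP when vgic_host_has_gicv5(), and the static stage then applies `val &= FPMR | MTEFAR | MTESTOREONLY`, clearing it again, so a guest on a vGICv5 host never sees GCIE even though the removed sanitise_id_aa64pfr2_el1 masked first and set GCIE afterwards. The order also contradicts the cover letter, which lists the static KVM limits as stage 1 and the host checks as stage 2. Fix it by letting the host stage take the value instead of reading it, `static u64 kvm_sanitised_host_ftr_reg(u32 id, u64 val)`, and calling the stages as `val = kvm_max_possible_guest_ftr_reg(id, read_sanitised_ftr_reg(id)); val = kvm_sanitised_host_ftr_reg(id, val); val = kvm_sanitise_vcpu_ftr_reg(vcpu, id, val);`, which keeps GCIE hidden on hosts without vGICv5 exactly as before; every other register's host and static checks touch disjoint fields, so swapping the two stages changes nothing else. kvm_read_sanitised_id_reg continues past the end of the hunk.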
@@ -2046,108 +2163,6 @@ static unsigned int fp8_visibility(const struct kvm_vcpu *vcpu,
 	return REG_HIDDEN;
 }
 
-static u64 sanitise_id_aa64pfr0_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
-	if (!vcpu_has_sve(vcpu))
-		val &= ~ID_AA64PFR0_EL1_SVE_MASK;
-
-	/*
-	 * The default is to expose CSV2 == 1 if the HW isn't affected.
-	 * Although this is a per-CPU feature, we make it global because
-	 * asymmetric systems are just a nuisance.
-	 *
-	 * Userspace can override this as long as it doesn't promise
-	 * the impossible.
-	 */
-	if (arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED) {
-		val &= ~ID_AA64PFR0_EL1_CSV2_MASK;
-		val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV2, IMP);
-	}
-	if (arm64_get_meltdown_state() == SPECTRE_UNAFFECTED) {
-		val &= ~ID_AA64PFR0_EL1_CSV3_MASK;
-		val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV3, IMP);
-	}
-
-	if (vgic_host_has_gicv3()) {
-		val &= ~ID_AA64PFR0_EL1_GIC_MASK;
-		val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
-	}
-
-	val &= ~ID_AA64PFR0_EL1_AMU_MASK;
-
-	/*
-	 * MPAM is disabled by default as KVM also needs a set of PARTID to
-	 * program the MPAMVPMx_EL2 PARTID remapping registers with. But some
-	 * older kernels let the guest see the ID bit.
-	 */
-	val &= ~ID_AA64PFR0_EL1_MPAM_MASK;
-
-	return val;
-}
-
-static u64 sanitise_id_aa64pfr1_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
-	u64 pfr0 = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
-
-	if (!kvm_has_mte(vcpu->kvm)) {
-		val &= ~ID_AA64PFR1_EL1_MTE;
-		val &= ~ID_AA64PFR1_EL1_MTE_frac;
-	}
-
-	if (!(cpus_have_final_cap(ARM64_HAS_RASV1P1_EXTN) &&
-	      SYS_FIELD_GET(ID_AA64PFR0_EL1, RAS, pfr0) == ID_AA64PFR0_EL1_RAS_IMP))
-		val &= ~ID_AA64PFR1_EL1_RAS_frac;
-
-	val &= ~ID_AA64PFR1_EL1_SME;
-	val &= ~ID_AA64PFR1_EL1_RNDR_trap;
-	val &= ~ID_AA64PFR1_EL1_NMI;
-	val &= ~ID_AA64PFR1_EL1_GCS;
-	val &= ~ID_AA64PFR1_EL1_THE;
-	val &= ~ID_AA64PFR1_EL1_MTEX;
-	val &= ~ID_AA64PFR1_EL1_PFAR;
-	val &= ~ID_AA64PFR1_EL1_MPAM_frac;
-
-	return val;
-}
-
-static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
-	val &= ID_AA64PFR2_EL1_FPMR |
-	       ID_AA64PFR2_EL1_MTEFAR |
-	       ID_AA64PFR2_EL1_MTESTOREONLY;
-
-	if (!kvm_has_mte(vcpu->kvm)) {
-		val &= ~ID_AA64PFR2_EL1_MTEFAR;
-		val &= ~ID_AA64PFR2_EL1_MTESTOREONLY;
-	}
-
-	if (vgic_host_has_gicv5())
-		val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR2_EL1, GCIE, IMP);
-
-	return val;
-}
-
-static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
-	val = ID_REG_LIMIT_FIELD_ENUM(val, ID_AA64DFR0_EL1, DebugVer, V8P8);
-
-	/*
-	 * Only initialize the PMU version if the vCPU was configured with one.
-	 */
-	val &= ~ID_AA64DFR0_EL1_PMUVer_MASK;
-	if (kvm_vcpu_has_pmu(vcpu))
-		val |= SYS_FIELD_PREP(ID_AA64DFR0_EL1, PMUVer,
-				      kvm_arm_pmu_get_pmuver_limit());
-
-	/* Hide SPE from guests */
-	val &= ~ID_AA64DFR0_EL1_PMSVer_MASK;
-
-	/* Hide BRBE from guests */
-	val &= ~ID_AA64DFR0_EL1_BRBE_MASK;
-
-	return val;
-}
-
 /*
  * Older versions of KVM erroneously claim support for FEAT_DoubleLock with
  * NV-enabled VMs on unsupporting hardware. Silently ignore the incorrect
-- 
2.53.0



