KVM: arm64: Prevent userspace from disabling AArch64 support at any virtualisable EL
authorMarc Zyngier <maz@kernel.org>
Tue, 29 Apr 2025 11:41:16 +0000 (12:41 +0100)
committerOliver Upton <oliver.upton@linux.dev>
Mon, 5 May 2025 19:19:45 +0000 (12:19 -0700)
A sorry excuse for a selftest is trying to disable AArch64 support.
And yes, this goes as well as you can imagine.

Let's forbid this sort of thing. Normal userspace shouldn't get
caught doing that.

Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>
Link: https://lore.kernel.org/r/20250429114117.3618800-2-maz@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
arch/arm64/kvm/sys_regs.c

index 005ad28f7306810201df9d093f7bbb6d936d6c2b..5dde9285afc80924fda8b2469004e75f0a4e9d9b 100644 (file)
@@ -1945,6 +1945,12 @@ static int set_id_aa64pfr0_el1(struct kvm_vcpu *vcpu,
        if ((hw_val & mpam_mask) == (user_val & mpam_mask))
                user_val &= ~ID_AA64PFR0_EL1_MPAM_MASK;
 
+       /* Fail the guest's request to disable the AA64 ISA at EL{0,1,2} */
+       if (!FIELD_GET(ID_AA64PFR0_EL1_EL0, user_val) ||
+           !FIELD_GET(ID_AA64PFR0_EL1_EL1, user_val) ||
+           (vcpu_has_nv(vcpu) && !FIELD_GET(ID_AA64PFR0_EL1_EL2, user_val)))
+               return -EINVAL;
+
        return set_id_reg(vcpu, rd, user_val);
 }
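Review bot: The comment on the new check says it fails "the guest's request", but set_id_aa64pfr0_el1() is a userspace setter for this ID register (the commit title itself says "userspace"), so the comment mislabels which side of the trust boundary is being refused. I would reword it to `/* Reject userspace writes that remove AArch64 support at EL0, EL1 or (with NV) EL2 */`. The comment could also state that only the zero encoding of each field is rejected here, and that validation of the remaining encodings is presumably left to set_id_reg(), which is not visible in this hunk. The function body starts outside the hunk.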