git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Fuad Tabba <tabba@google.com>
	Thu, 22 Jan 2026 11:22:16 +0000 (11:22 +0000)
committer	Marc Zyngier <maz@kernel.org>
	Fri, 23 Jan 2026 11:28:48 +0000 (11:28 +0000)
commit	f35abcbb8a084db4c24b66ccc8db0405c08e2f61
tree	c9553349a7e4143dc841c644ba8b1888f7dd4215	tree
parent	c103c2dfe4975da31b67a0fcb95761359f30992d	commit \| diff

KVM: arm64: Trap MTE access and discovery when MTE is disabled

If MTE is not supported by the hardware, or is disabled in the kernel
configuration (`CONFIG_ARM64_MTE=n`) or command line (`arm64.nomte`),
the kernel stops advertising MTE to userspace and avoids using MTE
instructions. However, this is a software-level disable only.

When MTE hardware is present and enabled by EL3 firmware, leaving
`HCR_EL2.ATA` set allows the host to execute MTE instructions (STG, LDG,
etc.) and access allocation tags in physical memory.

Prevent this by clearing `HCR_EL2.ATA` when MTE is disabled. Remove it
from the `HCR_HOST_NVHE_FLAGS` default, and conditionally set it in
`cpu_prepare_hyp_mode()` only when `system_supports_mte()` returns true.
This causes MTE instructions to trap to EL2 when `HCR_EL2.ATA` is
cleared.

Additionally, set `HCR_EL2.TID5` when MTE is disabled. This traps reads
of `GMID_EL1` (Multiple tag transfer ID register) to EL2, preventing the
discovery of MTE parameters (such as tag block size) when the feature is
suppressed.

Early boot code in `head.S` temporarily keeps `HCR_ATA` set to avoid
special-casing initialization paths. This is safe because this code
executes before untrusted code runs and will clear `HCR_ATA` if MTE is
disabled.

Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260122112218.531948-3-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

arch/arm64/include/asm/kvm_arm.h		diff \| blob \| blame \| history
arch/arm64/kernel/head.S		diff \| blob \| blame \| history
arch/arm64/kvm/arm.c		diff \| blob \| blame \| history