[PATCH v1 08/26] KVM: arm64: Split up feature sysreg sanitisation
From: Steffen Eiden
Date: Fri May 29 2026 - 12:16:07 EST
Split ID register sanitisation into distinct stages:
1) static KVM limits (kvm_max_possible_guest_ftr_reg)
2) host-specific (kvm_sanitised_host_ftr_reg)
3) per-vcpu configuration (kvm_sanitise_vcpu_ftr_reg)
This refactoring improves code organization by separating concerns.
Static limits apply regardless of host or guest configuration. Host
capability checks handle features like GIC, GCIE, and Spectre
mitigations. Per-vcpu feature configuration manages SVE, MTE, PMU, and
similar guest-specific features. Additionally, this enables other
architectures to add different host-implementation-based sanitisation in
the future.
Remove the helper functions sanitise_id_aa64{pfr0,pfr1,dfr0}_el1; their
logic now lives in the three stage functions above.
Co-developed-by: Nina Schoetterl-Glausch <nsg@xxxxxxxxxxxxx>
Signed-off-by: Nina Schoetterl-Glausch <nsg@xxxxxxxxxxxxx>
Signed-off-by: Steffen Eiden <seiden@xxxxxxxxxxxxx>
---
arch/arm64/kvm/sys_regs.c | 291 ++++++++++++++++++++------------------
1 file changed, 153 insertions(+), 138 deletions(-)
diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index 2434bcc2d50d..b9aa892616ab 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -1841,54 +1841,86 @@ static u8 pmuver_to_perfmon(u8 pmuver)
}
}
-static u64 sanitise_id_aa64pfr0_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64pfr1_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu, u64 val);
-static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu, u64 val);
-
-/* Read a sanitised cpufeature ID register by sys_reg_desc */
-static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
- const struct sys_reg_desc *r)
+/*
+ * Sanitise based on the host implementation.
+ */
+static u64 kvm_sanitised_host_ftr_reg(u32 id)
{
- u32 id = reg_to_encoding(r);
- u64 val;
-
- if (sysreg_visible_as_raz(vcpu, r))
- return 0;
-
- val = read_sanitised_ftr_reg(id);
+ u64 val = read_sanitised_ftr_reg(id);
switch (id) {
- case SYS_ID_AA64DFR0_EL1:
- val = sanitise_id_aa64dfr0_el1(vcpu, val);
+ case SYS_ID_AA64ISAR2_EL1:
+ if (!cpus_have_final_cap(ARM64_HAS_WFXT) ||
+ has_broken_cntvoff())
+ val &= ~ID_AA64ISAR2_EL1_WFxT;
break;
case SYS_ID_AA64PFR0_EL1:
- val = sanitise_id_aa64pfr0_el1(vcpu, val);
+ /*
+ * The default is to expose CSV2 == 1 if the HW isn't affected.
+ * Although this is a per-CPU feature, we make it global because
+ * asymmetric systems are just a nuisance.
+ *
+ * Userspace can override this as long as it doesn't promise
+ * the impossible.
+ */
+ if (arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED) {
+ val &= ~ID_AA64PFR0_EL1_CSV2_MASK;
+ val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV2, IMP);
+ }
+ if (arm64_get_meltdown_state() == SPECTRE_UNAFFECTED) {
+ val &= ~ID_AA64PFR0_EL1_CSV3_MASK;
+ val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV3, IMP);
+ }
+ if (vgic_host_has_gicv3()) {
+ val &= ~ID_AA64PFR0_EL1_GIC_MASK;
+ val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
+ }
break;
- case SYS_ID_AA64PFR1_EL1:
- val = sanitise_id_aa64pfr1_el1(vcpu, val);
+ case SYS_ID_AA64PFR1_EL1: {
+ u64 pfr0_host = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
+
+ if (!(cpus_have_final_cap(ARM64_HAS_RASV1P1_EXTN) &&
+ SYS_FIELD_GET(ID_AA64PFR0_EL1, RAS, pfr0_host) == ID_AA64PFR0_EL1_RAS_IMP))
+ val &= ~ID_AA64PFR1_EL1_RAS_frac;
break;
+ }
case SYS_ID_AA64PFR2_EL1:
- val = sanitise_id_aa64pfr2_el1(vcpu, val);
+ if (vgic_host_has_gicv5())
+ val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR2_EL1, GCIE, IMP);
break;
- case SYS_ID_AA64ISAR1_EL1:
- if (!vcpu_has_ptrauth(vcpu))
- val &= ~(ID_AA64ISAR1_EL1_APA |
- ID_AA64ISAR1_EL1_API |
- ID_AA64ISAR1_EL1_GPA |
- ID_AA64ISAR1_EL1_GPI);
+ case SYS_ID_AA64MMFR3_EL1:
+ if (!system_supports_poe())
+ val &= ~ID_AA64MMFR3_EL1_S1POE;
+ break;
+ }
+
+ return val;
+}
+
+/*
+ * Statically sanitise the host's feature register, independent of the guest's
+ * configuration and host implementation.
+ */
+static u64 kvm_max_possible_guest_ftr_reg(u32 id, u64 val)
+{
+ switch (id) {
+ case SYS_ID_AA64DFR0_EL1:
+ val = ID_REG_LIMIT_FIELD_ENUM(val, ID_AA64DFR0_EL1, DebugVer, V8P8);
+
+ /* Hide SPE from guests */
+ val &= ~ID_AA64DFR0_EL1_PMSVer_MASK;
+
+ /* Hide BRBE from guests */
+ val &= ~ID_AA64DFR0_EL1_BRBE_MASK;
break;
case SYS_ID_AA64ISAR2_EL1:
- if (!vcpu_has_ptrauth(vcpu))
- val &= ~(ID_AA64ISAR2_EL1_APA3 |
- ID_AA64ISAR2_EL1_GPA3);
- if (!cpus_have_final_cap(ARM64_HAS_WFXT) ||
- has_broken_cntvoff())
+ /* Mask WFxT field unless *both* WFET & WFIT are present. */
+ if (!id_has_feat(val, ID_AA64ISAR2_EL1, WFxT, IMP))
val &= ~ID_AA64ISAR2_EL1_WFxT;
break;
case SYS_ID_AA64ISAR3_EL1:
val &= ID_AA64ISAR3_EL1_FPRCVT | ID_AA64ISAR3_EL1_LSFE |
- ID_AA64ISAR3_EL1_FAMINMAX | ID_AA64ISAR3_EL1_LSUI;
+ ID_AA64ISAR3_EL1_FAMINMAX | ID_AA64ISAR3_EL1_LSUI;
break;
case SYS_ID_AA64MMFR2_EL1:
val &= ~ID_AA64MMFR2_EL1_CCIDX_MASK;
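Review bot: The ISAR2 case of kvm_max_possible_guest_ftr_reg adds `if (!id_has_feat(val, ID_AA64ISAR2_EL1, WFxT, IMP)) val &= ~ID_AA64ISAR2_EL1_WFxT;`, a check that does not appear in the removed lines of this hunk, where WFxT was cleared only on the `ARM64_HAS_WFXT` / `has_broken_cntvoff()` host test (now kept in kvm_sanitised_host_ftr_reg). For a commit described as a split with no functional change, that is a behaviour change and should either be dropped or stated in the message. As far as the hunk shows, it only bites when the sanitised field holds a value other than NI or IMP, so the practical effect is probably small, but a reader diffing the old and new paths will not find it on the old side. kvm_max_possible_guest_ftr_reg continues past the end of this hunk.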
@@ -1899,13 +1931,81 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
ID_AA64MMFR3_EL1_SCTLRX |
ID_AA64MMFR3_EL1_S1POE |
ID_AA64MMFR3_EL1_S1PIE;
-
- if (!system_supports_poe())
- val &= ~ID_AA64MMFR3_EL1_S1POE;
break;
case SYS_ID_MMFR4_EL1:
val &= ~ID_MMFR4_EL1_CCIDX;
break;
+ case SYS_ID_AA64PFR0_EL1:
+ val &= ~ID_AA64PFR0_EL1_AMU_MASK;
+ /*
+ * MPAM is disabled by default as KVM also needs a set of PARTID to
+ * program the MPAMVPMx_EL2 PARTID remapping registers with. But some
+ * older kernels let the guest see the ID bit.
+ */
+ val &= ~ID_AA64PFR0_EL1_MPAM_MASK;
+ break;
+ case SYS_ID_AA64PFR1_EL1:
+ val &= ~ID_AA64PFR1_EL1_SME;
+ val &= ~ID_AA64PFR1_EL1_RNDR_trap;
+ val &= ~ID_AA64PFR1_EL1_NMI;
+ val &= ~ID_AA64PFR1_EL1_GCS;
+ val &= ~ID_AA64PFR1_EL1_THE;
+ val &= ~ID_AA64PFR1_EL1_MTEX;
+ val &= ~ID_AA64PFR1_EL1_PFAR;
+ val &= ~ID_AA64PFR1_EL1_MPAM_frac;
+ break;
+ case SYS_ID_AA64PFR2_EL1:
+ val &= ID_AA64PFR2_EL1_FPMR |
+ ID_AA64PFR2_EL1_MTEFAR |
+ ID_AA64PFR2_EL1_MTESTOREONLY;
+ break;
+ }
+
+ return val;
+}
+
+/*
+ * Sanitise based on vCPU configuration.
+ */
+static u64 kvm_sanitise_vcpu_ftr_reg(const struct kvm_vcpu *vcpu, u32 id, u64 val)
+{
+ switch (id) {
+ case SYS_ID_AA64DFR0_EL1:
+ /*
+ * Only initialize the PMU version if the vCPU was configured with one.
+ */
+ val &= ~ID_AA64DFR0_EL1_PMUVer_MASK;
+ if (kvm_vcpu_has_pmu(vcpu))
+ val |= SYS_FIELD_PREP(ID_AA64DFR0_EL1, PMUVer,
+ kvm_arm_pmu_get_pmuver_limit());
+ break;
+ case SYS_ID_AA64PFR0_EL1:
+ if (!vcpu_has_sve(vcpu))
+ val &= ~ID_AA64PFR0_EL1_SVE_MASK;
+ break;
+ case SYS_ID_AA64PFR1_EL1:
+ if (!kvm_has_mte(vcpu->kvm)) {
+ val &= ~ID_AA64PFR1_EL1_MTE;
+ val &= ~ID_AA64PFR1_EL1_MTE_frac;
+ }
+ break;
+ case SYS_ID_AA64PFR2_EL1:
+ if (!kvm_has_mte(vcpu->kvm)) {
+ val &= ~ID_AA64PFR2_EL1_MTEFAR;
+ val &= ~ID_AA64PFR2_EL1_MTESTOREONLY;
+ }
+ break;
+ case SYS_ID_AA64ISAR1_EL1:
+ if (!vcpu_has_ptrauth(vcpu))
+ val &= ~(ID_AA64ISAR1_EL1_APA |
+ ID_AA64ISAR1_EL1_API |
+ ID_AA64ISAR1_EL1_GPA |
+ ID_AA64ISAR1_EL1_GPI);
+ break;
+ case SYS_ID_AA64ISAR2_EL1:
+ if (!vcpu_has_ptrauth(vcpu))
+ val &= ~(ID_AA64ISAR2_EL1_APA3 |
+ ID_AA64ISAR2_EL1_GPA3);
}
if (vcpu_has_nv(vcpu))
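Review bot: The PFR2 allow-mask `val &= ID_AA64PFR2_EL1_FPMR | ID_AA64PFR2_EL1_MTEFAR | ID_AA64PFR2_EL1_MTESTOREONLY;` in kvm_max_possible_guest_ftr_reg now runs after kvm_sanitised_host_ftr_reg has ORed in GCIE for a GICv5 host (the `vgic_host_has_gicv5()` branch in the previous hunk), so the GCIE field is cleared before the vCPU stage ever sees it; the removed sanitise_id_aa64pfr2_el1 applied the mask first and set GCIE last. Either widen the static mask, e.g. `ID_AA64PFR2_EL1_MTESTOREONLY | ID_AA64PFR2_EL1_GCIE_MASK;`, or set GCIE in a stage that runs after the mask. The host→static→vcpu order in __kvm_read_sanitised_id_reg (next hunk) likewise passes the host-set GIC, CSV2 and CSV3 fields of PFR0 through the static PFR0 case; that case only clears AMU and MPAM today, so they survive, but a comment on the caller stating that the static stage must never mask a field the host stage sets would make the dependency explicit. kvm_sanitise_vcpu_ftr_reg continues past the end of this hunk.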
@@ -1914,6 +2014,23 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
return val;
}
+/* Read a sanitised cpufeature ID register by sys_reg_desc */
+static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
+ const struct sys_reg_desc *r)
+{
+ u32 id = reg_to_encoding(r);
+ u64 val;
+
+ if (sysreg_visible_as_raz(vcpu, r))
+ return 0;
+
+ val = kvm_sanitised_host_ftr_reg(id);
+ val = kvm_max_possible_guest_ftr_reg(id, val);
+ val = kvm_sanitise_vcpu_ftr_reg(vcpu, id, val);
+
+ return val;
+}
+
static u64 kvm_read_sanitised_id_reg(struct kvm_vcpu *vcpu,
const struct sys_reg_desc *r)
{
@@ -2046,108 +2163,6 @@ static unsigned int fp8_visibility(const struct kvm_vcpu *vcpu,
return REG_HIDDEN;
}
-static u64 sanitise_id_aa64pfr0_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
- if (!vcpu_has_sve(vcpu))
- val &= ~ID_AA64PFR0_EL1_SVE_MASK;
-
- /*
- * The default is to expose CSV2 == 1 if the HW isn't affected.
- * Although this is a per-CPU feature, we make it global because
- * asymmetric systems are just a nuisance.
- *
- * Userspace can override this as long as it doesn't promise
- * the impossible.
- */
- if (arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED) {
- val &= ~ID_AA64PFR0_EL1_CSV2_MASK;
- val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV2, IMP);
- }
- if (arm64_get_meltdown_state() == SPECTRE_UNAFFECTED) {
- val &= ~ID_AA64PFR0_EL1_CSV3_MASK;
- val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, CSV3, IMP);
- }
-
- if (vgic_host_has_gicv3()) {
- val &= ~ID_AA64PFR0_EL1_GIC_MASK;
- val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
- }
-
- val &= ~ID_AA64PFR0_EL1_AMU_MASK;
-
- /*
- * MPAM is disabled by default as KVM also needs a set of PARTID to
- * program the MPAMVPMx_EL2 PARTID remapping registers with. But some
- * older kernels let the guest see the ID bit.
- */
- val &= ~ID_AA64PFR0_EL1_MPAM_MASK;
-
- return val;
-}
-
-static u64 sanitise_id_aa64pfr1_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
- u64 pfr0 = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
-
- if (!kvm_has_mte(vcpu->kvm)) {
- val &= ~ID_AA64PFR1_EL1_MTE;
- val &= ~ID_AA64PFR1_EL1_MTE_frac;
- }
-
- if (!(cpus_have_final_cap(ARM64_HAS_RASV1P1_EXTN) &&
- SYS_FIELD_GET(ID_AA64PFR0_EL1, RAS, pfr0) == ID_AA64PFR0_EL1_RAS_IMP))
- val &= ~ID_AA64PFR1_EL1_RAS_frac;
-
- val &= ~ID_AA64PFR1_EL1_SME;
- val &= ~ID_AA64PFR1_EL1_RNDR_trap;
- val &= ~ID_AA64PFR1_EL1_NMI;
- val &= ~ID_AA64PFR1_EL1_GCS;
- val &= ~ID_AA64PFR1_EL1_THE;
- val &= ~ID_AA64PFR1_EL1_MTEX;
- val &= ~ID_AA64PFR1_EL1_PFAR;
- val &= ~ID_AA64PFR1_EL1_MPAM_frac;
-
- return val;
-}
-
-static u64 sanitise_id_aa64pfr2_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
- val &= ID_AA64PFR2_EL1_FPMR |
- ID_AA64PFR2_EL1_MTEFAR |
- ID_AA64PFR2_EL1_MTESTOREONLY;
-
- if (!kvm_has_mte(vcpu->kvm)) {
- val &= ~ID_AA64PFR2_EL1_MTEFAR;
- val &= ~ID_AA64PFR2_EL1_MTESTOREONLY;
- }
-
- if (vgic_host_has_gicv5())
- val |= SYS_FIELD_PREP_ENUM(ID_AA64PFR2_EL1, GCIE, IMP);
-
- return val;
-}
-
-static u64 sanitise_id_aa64dfr0_el1(const struct kvm_vcpu *vcpu, u64 val)
-{
- val = ID_REG_LIMIT_FIELD_ENUM(val, ID_AA64DFR0_EL1, DebugVer, V8P8);
-
- /*
- * Only initialize the PMU version if the vCPU was configured with one.
- */
- val &= ~ID_AA64DFR0_EL1_PMUVer_MASK;
- if (kvm_vcpu_has_pmu(vcpu))
- val |= SYS_FIELD_PREP(ID_AA64DFR0_EL1, PMUVer,
- kvm_arm_pmu_get_pmuver_limit());
-
- /* Hide SPE from guests */
- val &= ~ID_AA64DFR0_EL1_PMSVer_MASK;
-
- /* Hide BRBE from guests */
- val &= ~ID_AA64DFR0_EL1_BRBE_MASK;
-
- return val;
-}
-
/*
* Older versions of KVM erroneously claim support for FEAT_DoubleLock with
* NV-enabled VMs on unsupporting hardware. Silently ignore the incorrect
--
2.53.0