KVM: arm64: Fix which features are marked as allowed for protected VMs
authorFuad Tabba <tabba@google.com>
Thu, 14 Dec 2023 10:01:55 +0000 (10:01 +0000)
committerMarc Zyngier <maz@kernel.org>
Mon, 18 Dec 2023 11:25:51 +0000 (11:25 +0000)
Cache maintenance operations are not trapped for protected VMs,
and shouldn't be. Mark them as allowed.

Moreover, features advertised by ID_AA64PFR2 and ID_AA64MMFR3 are
(already) not allowed, mark them as such.

Signed-off-by: Fuad Tabba <tabba@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20231214100158.2305400-16-tabba@google.com
arch/arm64/kvm/hyp/include/nvhe/fixed_config.h

index e91922daa8ca8e61b5f8e85763580ecae2400dde..8d97dff4bb7b199fe2b89b9cac471a991305646f 100644 (file)
@@ -69,6 +69,8 @@
        ARM64_FEATURE_MASK(ID_AA64PFR1_EL1_SSBS) \
        )
 
+#define PVM_ID_AA64PFR2_ALLOW 0ULL
+
 /*
  * Allow for protected VMs:
  * - Mixed-endian
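Review bot: `PVM_ID_AA64PFR2_ALLOW` is added without the explanatory comment its neighbouring masks carry, and it is spelled `0ULL` while the matching `PVM_ID_AA64MMFR3_ALLOW` added further down in this commit is `(0ULL)`. These masks list the ID-register features a protected VM is allowed to see, so an empty one is worth stating as deliberate: put `/* No ID_AA64PFR2_EL1 features are exposed to protected VMs. */` above the define and write it as `#define PVM_ID_AA64PFR2_ALLOW (0ULL)`, with the equivalent comment for ID_AA64MMFR3_EL1. Only the definitions are visible on this page, so it should be confirmed that the code handling protected-VM ID-register reads actually applies both masks. The comment opened in the last lines of this hunk continues outside it.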
  * - Privileged Access Never
  * - SError interrupt exceptions from speculative reads
  * - Enhanced Translation Synchronization
+ * - Control for cache maintenance permission
  */
 #define PVM_ID_AA64MMFR1_ALLOW (\
        ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_HAFDBS) | \
        ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_HPDS) | \
        ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_PAN) | \
        ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_SpecSEI) | \
-       ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_ETS) \
+       ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_ETS) | \
+       ARM64_FEATURE_MASK(ID_AA64MMFR1_EL1_CMOW) \
        )
 
 /*
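Review bot: The new bullet `- Control for cache maintenance permission` names the CMOW field but not why it is safe to expose, and that reason exists only in the commit message. Every entry in `PVM_ID_AA64MMFR1_ALLOW` widens what a protected VM can discover and use, so I would carry the rationale into the comment, e.g. `* - Control for cache maintenance permission (cache maintenance is not trapped for protected VMs)`. The comment block starts above this hunk, whose `@@` header is not shown on this page, so the bullets for the HAFDBS and HPDS entries could not be checked against the mask.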
        ARM64_FEATURE_MASK(ID_AA64MMFR2_EL1_E0PD) \
        )
 
+#define PVM_ID_AA64MMFR3_ALLOW (0ULL)
+
 /*
  * No support for Scalable Vectors for protected VMs:
  *     Requires additional support from KVM, e.g., context-switching and