On 17 October 2018 at 19:21, Christoffer Dall <christoffer.dall@xxxxxxx> wrote:
> This commit adds a paranoid check when entering the guest to make sure
> we don't attempt running guest code in an equally or more privileged mode
> than the hypervisor. We also catch other accidental programming of the
> SPSR_EL2 which results in an illegal exception return and report this
> safely back to the user.
>
> Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxx>
> ---
> diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c
> index 9ce223944983..d7ac15412c97 100644
> --- a/arch/arm64/kvm/hyp/sysreg-sr.c
> +++ b/arch/arm64/kvm/hyp/sysreg-sr.c
> @@ -152,8 +152,25 @@ static void __hyp_text __sysreg_restore_el1_state(struct kvm_cpu_context *ctxt)
> static void __hyp_text
> __sysreg_restore_el2_return_state(struct kvm_cpu_context *ctxt)
> {
> + u64 pstate = ctxt->gp_regs.regs.pstate;
> + u64 mode = pstate & PSR_AA32_MODE_MASK;
> +
> + /*
> + * Safety check to ensure we're setting the CPU up to enter the guest
> + * in a less privileged mode.
> + *
> + * If we are attempting a return to EL2 or higher in AArch64 state,
> + * program SPSR_EL2 with M=EL2h and the IL bit set which ensures that
> + * we'll take an illegal exception return exception immediately after

This should read "illegal exception state exception", I think (for the
64-bit case we don't do an illegal exception return, we do a legal
exception return that sets PSTATE.IL to 1.)

> + * the ERET to the guest. Attempts to return to AArch32 Hyp will
> + * result in an illegal exception return because EL2's execution state
> + * is determined by SCR_EL3.RW.
> + */
> + if (!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t)
> + pstate = PSR_MODE_EL2h | PSR_IL_BIT;

thanks
-- PMM
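Review bot: the replacement value in `pstate = PSR_MODE_EL2h | PSR_IL_BIT;` keeps only the mode and IL bits, so the SPSR_EL2 that the ERET loads has PSR_D_BIT, PSR_A_BIT, PSR_I_BIT and PSR_F_BIT all clear; consider ORing those in as well so that no asynchronous exception can be taken at EL2 under a PSTATE the hypervisor never chose before the PSTATE.IL exception is delivered, or state in the comment why that is harmless. Smaller point on `u64 mode = pstate & PSR_AA32_MODE_MASK;`: the comparison `mode >= PSR_MODE_EL2t` is an AArch64 one, and the AArch32 mask only works here because it also covers PSR_MODE32_BIT, which the `!(mode & PSR_MODE32_BIT)` test depends on; spelling that as `PSR_MODE_MASK | PSR_MODE32_BIT`, or a one-line comment, would make the intent clear to the next reader.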
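As an added example, not taken from the patch or from anyone in this thread: the mode test from the hunk above lifted into a stand-alone C program that walks a few constructed SPSR_EL2 values through it and reports which ones the check rewrites, which it passes through as less privileged, and which it leaves to the hardware. The PSR_* values are numerically the arm64 kernel's encodings; the sample values, the verdict names and the RESERVED_AARCH64 case (which assumes the hardware treats an unassigned AArch64 M[3:0] encoding as an illegal exception return) are my additions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * SPSR_ELx / PSTATE field encodings, numerically the same as the PSR_*
 * macros in arch/arm64/include/asm/ptrace.h; redefined here so the example
 * builds outside the kernel tree.
 */
#define PSR_MODE_EL0t        0x00000000
#define PSR_MODE_EL1t        0x00000004
#define PSR_MODE_EL1h        0x00000005
#define PSR_MODE_EL2t        0x00000008
#define PSR_MODE_EL2h        0x00000009
#define PSR_MODE_EL3t        0x0000000c
#define PSR_MODE_EL3h        0x0000000d
#define PSR_MODE32_BIT       0x00000010   /* M[4]: 1 = AArch32 target */
#define PSR_AA32_MODE_MASK   0x0000001f   /* M[4:0] */
#define PSR_AA32_MODE_USR    0x00000010
#define PSR_AA32_MODE_SVC    0x00000013
#define PSR_AA32_MODE_HYP    0x0000001a
#define PSR_F_BIT            0x00000040
#define PSR_I_BIT            0x00000080
#define PSR_A_BIT            0x00000100
#define PSR_D_BIT            0x00000200
#define PSR_IL_BIT           0x00100000
#define PSR_DAIF_MASK        (PSR_D_BIT | PSR_A_BIT | PSR_I_BIT | PSR_F_BIT)

/*
 * The test from the patch, lifted out of __sysreg_restore_el2_return_state():
 * an AArch64 target mode at EL2 or above is replaced by EL2h with PSTATE.IL
 * set, so the ERET itself is legal but the first guest instruction faults
 * straight back into the hypervisor. Anything else passes through untouched.
 */
uint64_t sanitize_guest_pstate(uint64_t pstate)
{
    uint64_t mode = pstate & PSR_AA32_MODE_MASK;

    if (!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t)
        return PSR_MODE_EL2h | PSR_IL_BIT;
    return pstate;
}

enum entry_verdict {
    ENTER_AS_IS,       /* AArch64 EL0/EL1 or AArch32 non-Hyp: less privileged than EL2 */
    REWRITTEN_TO_IL,   /* AArch64 EL2/EL3: caught by the check above */
    AARCH32_HYP,       /* not caught; the patch comment relies on the ERET being illegal */
    RESERVED_AARCH64,  /* not caught; assumption: hardware treats the ERET as illegal */
};

/* The architecturally assigned AArch64 M[3:0] encodings. */
static bool valid_aarch64_mode(uint64_t mode)
{
    switch (mode) {
    case PSR_MODE_EL0t: case PSR_MODE_EL1t: case PSR_MODE_EL1h:
    case PSR_MODE_EL2t: case PSR_MODE_EL2h:
    case PSR_MODE_EL3t: case PSR_MODE_EL3h:
        return true;
    default:
        return false;
    }
}

/* Where a given SPSR_EL2 value ends up once it has gone through the check. */
enum entry_verdict classify_guest_pstate(uint64_t pstate)
{
    uint64_t mode = pstate & PSR_AA32_MODE_MASK;

    if (sanitize_guest_pstate(pstate) != pstate)
        return REWRITTEN_TO_IL;
    if (mode & PSR_MODE32_BIT)
        return mode == PSR_AA32_MODE_HYP ? AARCH32_HYP : ENTER_AS_IS;
    return valid_aarch64_mode(mode) ? ENTER_AS_IS : RESERVED_AARCH64;
}

/* DAIF bits the target will run with; note the rewrite clears all of them. */
uint64_t daif_after_check(uint64_t pstate)
{
    return sanitize_guest_pstate(pstate) & PSR_DAIF_MASK;
}

int main(void)
{
    /* Constructed sample SPSR_EL2 values, not taken from a real trace. */
    static const struct { const char *name; uint64_t pstate; } samples[] = {
        { "EL1h, DAIF masked", PSR_MODE_EL1h | PSR_DAIF_MASK },
        { "EL0t",              PSR_MODE_EL0t },
        { "EL2t",              PSR_MODE_EL2t },
        { "EL2h, DAIF masked", PSR_MODE_EL2h | PSR_DAIF_MASK },
        { "EL3h",              PSR_MODE_EL3h },
        { "AArch32 SVC",       PSR_AA32_MODE_SVC | PSR_I_BIT | PSR_F_BIT },
        { "AArch32 Hyp",       PSR_AA32_MODE_HYP },
        { "AArch64 M=0x6",     0x6 },
    };
    static const char *verdicts[] = {
        "enter as is", "rewritten to EL2h|IL",
        "AArch32 Hyp, left to hardware", "reserved AArch64 mode, left to hardware",
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t p = samples[i].pstate;
        printf("%-20s in=%#010llx out=%#010llx  %s\n", samples[i].name,
               (unsigned long long)p, (unsigned long long)sanitize_guest_pstate(p),
               verdicts[classify_guest_pstate(p)]);
    }
    return 0;
}
```

The EL2h sample with DAIF set is there to make one consequence of the rewrite visible: once the value is replaced by EL2h|IL, the DAIF bits that the hypervisor had in the saved PSTATE are gone.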