Check that a protected VM is not setting any of the unsupported features when it's created. Signed-off-by: Fuad Tabba <tabba@xxxxxxxxxx> --- arch/arm64/kvm/pkvm.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c index cf624350fb27..5e58d604faec 100644 --- a/arch/arm64/kvm/pkvm.c +++ b/arch/arm64/kvm/pkvm.c @@ -88,10 +88,41 @@ static void pkvm_teardown_firmware_slot(struct kvm *kvm) kvm->arch.pkvm.firmware_slot = NULL; } +/* + * Check that no unsupported features are enabled for the protected VM's vcpus. + * + * Return 0 if all features enabled for all vcpus are supported, or -EINVAL if + * one or more vcpus has one or more unsupported features. + */ +static int pkvm_check_features(struct kvm *kvm) +{ + int i; + const struct kvm_vcpu *vcpu; + + kvm_for_each_vcpu(i, vcpu, kvm) { + /* + * No support for: + * - AArch32 state for protected VMs + * - Performance Monitoring + * - Scalable Vectors + */ + if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features) || + test_bit(KVM_ARM_VCPU_PMU_V3, vcpu->arch.features) || + test_bit(KVM_ARM_VCPU_SVE, vcpu->arch.features)) + return -EINVAL; + } + + return 0; +} + static int pkvm_enable(struct kvm *kvm, u64 slotid) { int ret; + ret = pkvm_check_features(kvm); + if (ret) + return ret; + ret = pkvm_init_firmware_slot(kvm, slotid); if (ret) return ret; -- 2.32.0.rc1.229.g3e70b5a671-goog