Hi Peter,

On Thu, May 26, 2022 at 9:08 PM Peter Collingbourne <pcc@xxxxxxxxxx> wrote:
>
> On Thu, May 19, 2022 at 7:40 AM Will Deacon <will@xxxxxxxxxx> wrote:
> >
> > From: Fuad Tabba <tabba@xxxxxxxxxx>
> >
> > Return an error (-EINVAL) if trying to enable MTE on a protected
> > vm.
>
> I think this commit message needs more explanation as to why MTE is
> not currently supported in protected VMs.

Yes, we need to explain this more. Basically this is an extension of
restricting features for protected VMs done earlier [*].

Various VM feature configurations are allowed in KVM/arm64, each
requiring specific handling logic to deal with traps,
context-switching and potentially emulation. Achieving feature parity
in pKVM therefore requires either elevating this logic to EL2 (and
substantially increasing the TCB) or continuing to trust the host
handlers at EL1. Since neither of these options are especially
appealing, pKVM instead limits the CPU features exposed to a guest to
a fixed configuration based on the underlying hardware and which can
mostly be provided straightforwardly by EL2.

This of course can change in the future and we can support more
features for protected VMs as needed. We'll expand on this commit
message when we respin.

Also note that this only applies to protected VMs. Non-protected VMs
in protected mode support MTE.

Cheers,
/fuad

[*] https://lore.kernel.org/kvmarm/20210827101609.2808181-1-tabba@xxxxxxxxxx/

>
> Peter