On Thu, May 02, 2024 at 07:00:20PM +0100, Marc Zyngier wrote:
> When taking a trap for an SMC instruction on the host, we must
> stau true to the letter of the architecture and perform all the

typo: stay

> actions that the CPU would otherwise do. Among those are clearing
> the BTYPE and SS bits.
>
> Just do that.
>
> Fixes: a805e1fb3099 ("KVM: arm64: Add SMC handler in nVHE EL2")
> Signed-off-by: Marc Zyngier <maz@xxxxxxxxxx>
> ---
>  arch/arm64/kvm/hyp/include/hyp/adjust_pc.h | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h b/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> index 4fdfeabefeb4..b1afb7b59a31 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> @@ -47,7 +47,13 @@ static inline void __kvm_skip_instr(struct kvm_vcpu *vcpu)
>   */
>  static inline void kvm_skip_host_instr(void)
>  {
> +	u64 spsr = read_sysreg_el2(SYS_SPSR);
> +
>  	write_sysreg_el2(read_sysreg_el2(SYS_ELR) + 4, SYS_ELR);
> +
> +	spsr &= ~(PSR_BTYPE_MASK | DBG_SPSR_SS);
> +
> +	write_sysreg_el2(spsr, SYS_SPSR);

The handling of SS looks correct to me, but I think the BTYPE manipulation
could do with a little more commentary as it looks quite subtle when the
SMC is in a guarded page. Am I right in thinking:

  * If the SMC is in a guarded page, the Branch Target exception is
    higher priority (12) than the trap to EL2 and so the host will
    handle it.

  * Therefore if a trapping SMC is in a guarded page, BTYPE must be
    zero and we don't have to worry about injecting a Branch Target
    exception.

  * Otherwise, if the SMC is in a non-guarded page, we should clear it
    to 0 per the architecture (R_YWFHD).

?

Having said that, I can't actually find the priority of an SMC trapped to
EL2 by HCR_EL2.TSC in the Arm ARM. Trapped HVCs are priority 15 and SMCs
trapped to EL3 are priority 23.

Will
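Review bot: the line `spsr &= ~(PSR_BTYPE_MASK | DBG_SPSR_SS);` in `kvm_skip_host_instr()` has no comment saying why both fields are cleared; a one-line comment that this mirrors what the CPU does to PSTATE.BTYPE and PSTATE.SS when it takes the exception (the reason given in the commit message) would make the BTYPE part, which is subtle when the SMC sits in a guarded page, much easier to follow for the next reader. Splitting the SPSR read from its modify and write-back with the ELR update in between is functionally fine, but keeping the three SPSR lines together, with the `SYS_ELR` write before or after the group, would read more naturally. Since the hunk header names the guest-side `__kvm_skip_instr()` in the same file, it is also worth confirming that both skip paths apply the same PSTATE treatment so they do not drift apart.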