Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp7850303rwn;
        Wed, 14 Sep 2022 05:34:07 -0700 (PDT)
X-Google-Smtp-Source: AA6agR79Yo3kBGkbwSNy+1FZwvZgpK6SfgdOF1nW+imgcT7JGCBACblx1wCPKktppEt+co/fNQDz
X-Received: by 2002:a17:902:ab8d:b0:172:9382:4d1e with SMTP id f13-20020a170902ab8d00b0017293824d1emr36104735plr.133.1663158847234;
        Wed, 14 Sep 2022 05:34:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1663158847; cv=none;
        d=google.com; s=arc-20160816;
        b=N70cUo2GWqSsJxcF55ncioO/ZBDjKznDohNV5hlNw+uk5ay3zfjRz1TUYz/Zt+t+4o
         TeijjkR7IUpxjuSWjIsIjD3ohiSRysNioqWERz0oro/atRhur2VMiKjirbSQu4Pr1y3q
         PyKHQG+dFsTMKui7dnH4E8Z6HH/HMArhZbhFL8Z5ic+wj7gdml+u8a3p3S1HOEfYVYIF
         Y3P9/1FKtPmSVuW4pFm+C9LFXI/bR92sUtld55E02rJCX1+sEupmTJ9mSCjxAfFPnUti
         fTmi2Td3oHXCGDUgZilGBr88PmvF9u/r4cuhngkhoeIYLTXYEgiRIZzL2rk9QVgiOeX6
         g3Zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=f4M35f+aEvL/h8SX2VN5pDSQC69LevoSdwjheqgj0Sw=;
        b=svId28eFnZAey4a5r073TDS3+4mq2Z+SRViofg7DA2P0fCPS8ki+7oUnTsOI7DbAXm
         YAn46XyHsZID3/2S8gpvn2F29CdMBXS5rwDKdzOGlXlrpck1ePubxbvxQuffqfeDsgTh
         mJdzwr8k5397E6d471R0DUEnjGi6s98FwKDbnfAC4omG+F8XdtUdJ6AlbRpMK/i4cJYn
         LzewdGWteY0Fbon4RdqXP6aIqNmS5IByrjtcDo299KMi/SRW2RgiLOSFPuDZ9Wcxb7a0
         M1AbSGEYI2agz4AWIoY/vxQAxWAC4fFYtSLjPIEboyzg9Tx3KRQ2YiJw+0G1rQMEGvfR
         TMJQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id mv16-20020a17090b199000b001fba7516a73si14230476pjb.165.2022.09.14.05.33.50;
        Wed, 14 Sep 2022 05:34:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229565AbiINMJu (ORCPT
        <rfc822;andriy.druk.mailinglists@gmail.com> + 99 others);
        Wed, 14 Sep 2022 08:09:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40854 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229748AbiINMJs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Sep 2022 08:09:48 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B778B10FE1
        for <linux-kernel@vger.kernel.org>; Wed, 14 Sep 2022 05:09:46 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 5BF6661CC8
        for <linux-kernel@vger.kernel.org>; Wed, 14 Sep 2022 12:09:46 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id AE0C0C433C1;
        Wed, 14 Sep 2022 12:09:43 +0000 (UTC)
Date:   Wed, 14 Sep 2022 13:09:40 +0100
From:   Catalin Marinas <catalin.marinas@arm.com>
To:     Evgenii Stepanov <eugenis@google.com>
Cc:     Peter Collingbourne <pcc@google.com>,
        Kenny Root <kroot@google.com>, Marc Zyngier <maz@kernel.org>,
        Will Deacon <will@kernel.org>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>,
        Andrey Konovalov <andreyknvl@gmail.com>,
        Mark Brown <broonie@kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel test robot <lkp@intel.com>
Subject: Re: [PATCH v4] arm64: mte: move register initialization to C
Message-ID: <YyHEhIvqY8y/PmTc@arm.com>
References: <20220907003630.1115439-1-eugenis@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220907003630.1115439-1-eugenis@google.com>
X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 06, 2022 at 05:36:30PM -0700, Evgenii Stepanov wrote:
> If FEAT_MTE2 is disabled via the arm64.nomte command line argument on a
> CPU that claims to support FEAT_MTE2, the kernel will use Tagged Normal
> in the MAIR. If we interpret arm64.nomte to mean that the CPU does not
> in fact implement FEAT_MTE2, setting the system register like this may
> lead to UNSPECIFIED behavior. Fix it by arranging for MAIR to be set
> in the C function cpu_enable_mte which is called based on the sanitized
> version of the system register.
> 
> There is no need for the rest of the MTE-related system register
> initialization to happen from assembly, with the exception of TCR_EL1,
> which must be set to include at least TBI1 because the secondary CPUs
> access KASan-allocated data structures early. Therefore, make the TCR_EL1
> initialization unconditional and move the rest of the initialization to
> cpu_enable_mte so that we no longer have a dependency on the unsanitized
> ID register value.
> 
> Signed-off-by: Peter Collingbourne <pcc@google.com>
> Signed-off-by: Evgenii Stepanov <eugenis@google.com>

Does this need a Co-developed-by from Peter? The sign-off on its own
doesn't make sense unless Peter sent the patch.

If we want this as a fix (though we have an alternative to transfer
mair_el12 to mair_el2), I'd also add:

Fixes: 3b714d24ef17 ("arm64: mte: CPU feature detection and initial sysreg configuration")
Cc: <stable@vger.kernel.org> # 5.10.x

together with some comment what it fixes.

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index af4de817d7123..d7a077b5ccd1c 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -2034,7 +2034,8 @@ static void bti_enable(const struct arm64_cpu_capabilities *__unused)
>  static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
>  {
>  	sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ATA | SCTLR_EL1_ATA0);

I wonder if we need to keep this here on its own rather than moving it
to mte_cpu_setup(). I guess we avoid writing this register the third
time on the resume path.

> -	isb();
> +
> +	mte_cpu_setup();
>  

So in principle I'm fine with moving the initialisation to C. However,
a concern I have is that we may no longer spot potential SoC issues that
trigger SErrors on tag accesses. The architecture does allow any Normal
Cacheable mapping to fetch tags, even if marked as untagged, though most
current implementations won't do this. In addition, if you run this in a
virtualised environment, a guest without this patch (or a malicious one)
can simply enable tagging in MAIR_EL1. HCR_EL2.ATA==0 does not have any
effect, so you haven't solved the problem.

So if part of RAM in your SoC does not support MTE, I don't think you
should rely on any kernel command-line options, just make sure no
untrusted guest can access memory that may trigger SErrors even if MTE
is disabled and the control registers level. Current behaviour (without
this patch) comes in handy to detect such issues.

-- 
Catalin