KVM: arm64: Mark PAuth as a restricted feature for protected VMs
authorFuad Tabba <tabba@google.com>
Thu, 14 Dec 2023 10:01:56 +0000 (10:01 +0000)
committerMarc Zyngier <maz@kernel.org>
Mon, 18 Dec 2023 11:25:51 +0000 (11:25 +0000)
Protected VMs will only support basic PAuth (FEAT_PAuth). Mark it
as restricted to ensure that later versions aren't supported for
protected guests.

Signed-off-by: Fuad Tabba <tabba@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20231214100158.2305400-17-tabba@google.com
arch/arm64/kvm/hyp/include/nvhe/fixed_config.h

index 8d97dff4bb7b199fe2b89b9cac471a991305646f..51f043649146aa4ed4d373a8e9311adda9d95214 100644 (file)
        ARM64_FEATURE_MASK(ID_AA64ISAR0_EL1_RNDR) \
        )
 
+/* Restrict pointer authentication to the basic version. */
+#define PVM_ID_AA64ISAR1_RESTRICT_UNSIGNED (\
+       FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_APA), ID_AA64ISAR1_EL1_APA_PAuth) | \
+       FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_API), ID_AA64ISAR1_EL1_API_PAuth) \
+       )
+
+#define PVM_ID_AA64ISAR2_RESTRICT_UNSIGNED (\
+       FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_APA3), ID_AA64ISAR2_EL1_APA3_PAuth) \
+       )
+
 #define PVM_ID_AA64ISAR1_ALLOW (\
        ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_DPB) | \
-       ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_APA) | \
-       ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_API) | \
        ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_JSCVT) | \
        ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_FCMA) | \
        ARM64_FEATURE_MASK(ID_AA64ISAR1_EL1_LRCPC) | \
        )
 
 #define PVM_ID_AA64ISAR2_ALLOW (\
+       ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_ATS1A)| \
        ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_GPA3) | \
-       ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_APA3) | \
        ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_MOPS) \
        )
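Review bot: The `ID_AA64ISAR2_EL1_ATS1A` entry added to `PVM_ID_AA64ISAR2_ALLOW` is not a pointer-authentication field and the commit message does not mention it, so a newly guest-visible feature is riding along with the PAuth restriction. It should be split into its own commit or justified in the description, and the line should match its neighbours' spacing: `ARM64_FEATURE_MASK(ID_AA64ISAR2_EL1_ATS1A) | \`. The comment above `PVM_ID_AA64ISAR1_RESTRICT_UNSIGNED` does not cover `PVM_ID_AA64ISAR2_RESTRICT_UNSIGNED`; I would give the second macro its own line, `/* Same cap for the APA3 field: basic FEAT_PAuth only. */`. Because APA, API and APA3 are dropped from the ALLOW masks here, protected guests would presumably see no PAuth at all unless the code that builds the ID register values also applies both RESTRICT_UNSIGNED masks; that consumer is not in this file section, so it is worth confirming there. The body of `PVM_ID_AA64ISAR1_ALLOW` is only partly visible in this section.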