Commit 7e03d07d authored Jan 09, 2026 by Fuad Tabba Committed by Marc Zyngier Jan 15, 2026

KVM: arm64: selftests: Disable unused TTBR1_EL1 translations



KVM selftests map all guest code and data into the lower virtual address
range (0x0000...) managed by TTBR0_EL1. The upper range (0xFFFF...)
managed by TTBR1_EL1 is unused and uninitialized.

If a guest accesses the upper range, the MMU attempts a translation
table walk using uninitialized registers, leading to unpredictable
behavior.

Set `TCR_EL1.EPD1` to disable translation table walks for TTBR1_EL1,
ensuring that any access to the upper range generates an immediate
Translation Fault. Additionally, set `TCR_EL1.TBI1` (Top Byte Ignore) to
ensure that tagged pointers in the upper range also deterministically
trigger a Translation Fault via EPD1.

Define `TCR_EPD1_MASK`, `TCR_EPD1_SHIFT`, and `TCR_TBI1` in
`processor.h` to support this configuration. These are based on their
definitions in `arch/arm64/include/asm/pgtable-hwdef.h`.

Suggested-by: Will Deacon <will@kernel.org>
Reviewed-by: Itaru Kitayama <itaru.kitayama@fujitsu.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260109082218.3236580-2-tabba@google.com


Signed-off-by: Marc Zyngier <maz@kernel.org>

parent 9ace4753

tools/testing/selftests/kvm/include/arm64/processor.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -90,6 +90,9 @@
		#define TCR_TG0_64K (UL(1) << TCR_TG0_SHIFT)
		#define TCR_TG0_16K (UL(2) << TCR_TG0_SHIFT)

		#define TCR_EPD1_SHIFT 23
		#define TCR_EPD1_MASK (UL(1) << TCR_EPD1_SHIFT)

		#define TCR_IPS_SHIFT 32
		#define TCR_IPS_MASK (UL(7) << TCR_IPS_SHIFT)
		#define TCR_IPS_52_BITS (UL(6) << TCR_IPS_SHIFT)
		@@ -97,6 +100,7 @@
		#define TCR_IPS_40_BITS (UL(2) << TCR_IPS_SHIFT)
		#define TCR_IPS_36_BITS (UL(1) << TCR_IPS_SHIFT)

		#define TCR_TBI1 (UL(1) << 38)
		#define TCR_HA (UL(1) << 39)
		#define TCR_DS (UL(1) << 59)

tools/testing/selftests/kvm/lib/arm64/processor.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -384,6 +384,8 @@ void aarch64_vcpu_setup(struct kvm_vcpu vcpu, struct kvm_vcpu_init init)

		tcr_el1 \|= TCR_IRGN0_WBWA \| TCR_ORGN0_WBWA \| TCR_SH0_INNER;
		tcr_el1 \|= TCR_T0SZ(vm->va_bits);
		tcr_el1 \|= TCR_TBI1;
		tcr_el1 \|= TCR_EPD1_MASK;
		if (use_lpa2_pte_format(vm))
		tcr_el1 \|= TCR_DS;

Original line number	Diff line number	Diff line
		@@ -384,6 +384,8 @@ void aarch64_vcpu_setup(struct kvm_vcpu vcpu, struct kvm_vcpu_init init)

		tcr_el1 \|= TCR_IRGN0_WBWA \| TCR_ORGN0_WBWA \| TCR_SH0_INNER;
		tcr_el1 \|= TCR_T0SZ(vm->va_bits);
		tcr_el1 \|= TCR_TBI1;
		tcr_el1 \|= TCR_EPD1_MASK;
		if (use_lpa2_pte_format(vm))
		tcr_el1 \|= TCR_DS;