On Wed, Jul 01, 2020 at 05:47:00PM -0700, Raghu K wrote:
> This is interesting. It appears that there is no way on entry to EL3 to guarantee that the out-of-context (EL2 and EL1) translation regimes are in a consistent state and on every entry into EL3, we have to conservatively assume that it is in an inconsistent state. This is because of the situation Andrew mentioned (interrupts to EL3 can occur at any time).
> If this is the case, on EL3 entry:
> - For EL1, we will need to save SCTLR_EL1, set SCTLR_EL1.M = 1, .EPDx = 0
This would still be racing against any potential speculative execution of an AT instruction upon the switch to EL3, IIUC. The window would be much smaller but not entirely eliminated.
For KVM, this would be enough as KVM will have already applied this workaround (with Marc's corrections) whenever it is going to enter an inconsistent state. However, other EL2 software may choose to handle the errata differently, possibly going to the lengths of ensuring that no AT instruction is ever mapped executable.