vm_cpu: Eliminate hgatp and vsatp mismatch

Recently the isa manual added a clarification[1] related to avoiding invalid caching of page translation stemming from vsatp being set for one VM and hgatp configured for another transiently while running in the hypervisor. That guidance is to use the following sequence: - zero vsatp - swap hgatp - set new vsatp To ensure that sequence in salus, set vsatp to zero when saving VM registers. Additionally, on VM restore, restore vm_pages first, setting hgatp in the process if needed, and _then_ restore the vs csrs including vsatp. [1] https://github.com/riscv/riscv-isa-manual/pull/1111/files#diff-519b8bf20dee5e4eba1d389aea0a9c430c3e508a4f7518125582c055cccdc6ebR1680 Signed-off-by: Dylan Reid <dgreid@rivosinc.com>
rivosinc · Sep 13, 2023 · bd842c0 · bd842c0
1 parent 9e261f9
commit bd842c0
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/vm_cpu.rs b/src/vm_cpu.rs
@@ -1188,13 +1188,18 @@ impl<'vcpu, 'pages, 'host, T: GuestStagePagingMode> ActiveVmCpu<'vcpu, 'pages, '
         vs_csrs.vsepc = CSR.vsepc.get();
         vs_csrs.vscause = CSR.vscause.get();
         vs_csrs.vstval = CSR.vstval.get();
-        vs_csrs.vsatp = CSR.vsatp.get();
+        // Clear vsatp to ensure no translations are speculatively cached while running in HS
+        // mode. Needed because hgatp can't be cleared atomically when setting vsatp so in some
+        // micro-architectures cached translations have a window where they can be created.
+        vs_csrs.vsatp = CSR.vsatp.atomic_replace(0);
         vs_csrs.vstimecmp = CSR.vstimecmp.get();
     }
 
     fn restore(&mut self) {
-        self.restore_vs_csrs();
         self.restore_vm_pages();
+        // NB: restoring vs csrs must happen _after_ the vm_pages as vsatp must be set after hgatp
+        // to avoid speculative caching of translations on some systems.
+        self.restore_vs_csrs();
         self.pmu().restore_counters();
 
         match self.host_context {