CVE-2026-23425 PUBLISHED

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

Assigner: Linux
Reserved: 13.01.2026
Published: 03.04.2026
Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the kvm structure for each VM. For non-protected VMs, this structure is initialized from the host's kvm state.

Currently, pkvm_init_features_from_host() copies the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host without the underlying id_regs data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, kvm_has_feat() checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as ctxt_has_tcrx() for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host kvm to the hypervisor kvm for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure KVM_ARCH_FLAG_ID_REGS_INITIALIZED is cleared initially in pkvm_init_features_from_host so that vm_copy_id_regs can properly initialize them and set the flag once done.
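The failure mode described above is easy to see in a small user-space model. The following C program is an added illustration and is not kernel code: the structs, function names (suffixed `_model`, `_buggy`, `_fixed`) and the ID-register index are stand-ins for the real `struct kvm`, `pkvm_init_features_from_host()`, `vm_copy_id_regs()`, `kvm_has_feat()` and `ctxt_has_tcrx()`. The ID_AA64MMFR3_EL1 field positions (TCRX at [3:0], S1PIE at [11:8], S1POE at [19:16]) and the sample register value are assumptions used only to make the feature check concrete. It shows the inconsistent state the advisory describes (initialized flag set, registers zero, feature check returns 0) next to the fixed initialization order (clear flag, copy host registers for non-protected VMs, then set the flag).

```c
/* Added illustration of CVE-2026-23425 (not kernel code): a user-space model of
 * the pKVM ID-register copy bug and its fix. All names and layouts are assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define NUM_ID_REGS 3
enum { ID_AA64MMFR3_EL1 = 2 };   /* index into id_regs[]: assumption */
#define TCRX_SHIFT   0           /* ID_AA64MMFR3_EL1.TCRX  [3:0]   (assumed layout) */
#define S1PIE_SHIFT  8           /* ID_AA64MMFR3_EL1.S1PIE [11:8]  (assumed layout) */
#define S1POE_SHIFT 16           /* ID_AA64MMFR3_EL1.S1POE [19:16] (assumed layout) */

#define FLAG_ID_REGS_INITIALIZED (1u << 0)   /* models KVM_ARCH_FLAG_ID_REGS_INITIALIZED */

struct kvm_model {
    uint32_t flags;
    uint64_t id_regs[NUM_ID_REGS];
    bool     is_protected;
};

/* Model of kvm_has_feat(): the 4-bit field at `shift` in the VM's own copy of
 * the ID register. It never looks at the host's copy, which is the whole point. */
static unsigned kvm_has_feat_model(const struct kvm_model *vm, int reg, int shift)
{
    return (unsigned)((vm->id_regs[reg] >> shift) & 0xf);
}

/* Model of ctxt_has_tcrx(): TCR2_EL1 is only saved/restored when the guest is
 * allowed to see FEAT_TCR2. */
static bool ctxt_has_tcrx_model(const struct kvm_model *vm)
{
    return kvm_has_feat_model(vm, ID_AA64MMFR3_EL1, TCRX_SHIFT) != 0;
}

/* Buggy behaviour described in the advisory: the flag word is copied from the
 * host, but the id_regs that the flag vouches for are never populated. */
static void pkvm_init_features_from_host_buggy(struct kvm_model *hyp,
                                               const struct kvm_model *host)
{
    hyp->flags = host->flags;                       /* INITIALIZED comes along... */
    memset(hyp->id_regs, 0, sizeof hyp->id_regs);   /* ...but the registers stay 0 */
}

/* Fixed behaviour: clear the flag first; for non-protected VMs copy the host's
 * id_regs and set the flag only once they are in place. The protected-VM path
 * (where pKVM computes its own restricted view) is not modelled here. */
static void pkvm_init_features_from_host_fixed(struct kvm_model *hyp,
                                               const struct kvm_model *host)
{
    hyp->flags = host->flags & ~FLAG_ID_REGS_INITIALIZED;
    memset(hyp->id_regs, 0, sizeof hyp->id_regs);
    if (!hyp->is_protected) {
        /* vm_copy_id_regs() equivalent: the host is trusted for its own guests */
        memcpy(hyp->id_regs, host->id_regs, sizeof hyp->id_regs);
        hyp->flags |= FLAG_ID_REGS_INITIALIZED;
    }
}

/* Host-side state the hypervisor copy should mirror. Constructed sample: a CPU
 * advertising TCR2, S1PIE and S1POE, with the host's own regs initialized. */
static void host_init_model(struct kvm_model *host)
{
    memset(host, 0, sizeof *host);
    host->id_regs[ID_AA64MMFR3_EL1] =
        (1ull << TCRX_SHIFT) | (1ull << S1PIE_SHIFT) | (1ull << S1POE_SHIFT);
    host->flags |= FLAG_ID_REGS_INITIALIZED;
}

/* Returns true when the buggy path yields "flag set, TCRX invisible" while the
 * fixed path yields "flag set, TCRX visible" for a non-protected VM. */
bool demonstrate_non_protected(void)
{
    struct kvm_model host, hyp_buggy = {0}, hyp_fixed = {0};
    host_init_model(&host);

    pkvm_init_features_from_host_buggy(&hyp_buggy, &host);
    pkvm_init_features_from_host_fixed(&hyp_fixed, &host);

    bool buggy_flag = (hyp_buggy.flags & FLAG_ID_REGS_INITIALIZED) != 0;
    bool buggy_tcrx = ctxt_has_tcrx_model(&hyp_buggy);
    bool fixed_flag = (hyp_fixed.flags & FLAG_ID_REGS_INITIALIZED) != 0;
    bool fixed_tcrx = ctxt_has_tcrx_model(&hyp_fixed);

    printf("buggy: flag=%d tcrx=%d | fixed: flag=%d tcrx=%d\n",
           buggy_flag, buggy_tcrx, fixed_flag, fixed_tcrx);
    return buggy_flag && !buggy_tcrx && fixed_flag && fixed_tcrx;
}

/* Returns true when the fixed path leaves a protected VM's regs untouched and
 * its flag clear, i.e. it does not blindly trust the host for protected guests. */
bool demonstrate_protected(void)
{
    struct kvm_model host, hyp = {0};
    host_init_model(&host);
    hyp.is_protected = true;
    pkvm_init_features_from_host_fixed(&hyp, &host);
    return (hyp.flags & FLAG_ID_REGS_INITIALIZED) == 0 &&
           kvm_has_feat_model(&hyp, ID_AA64MMFR3_EL1, TCRX_SHIFT) == 0;
}

int main(void)
{
    return (demonstrate_non_protected() && demonstrate_protected()) ? 0 : 1;
}
```

The check a practitioner would want from this model is the "flag set but feature invisible" combination in the buggy path: any EL2 code that gates save/restore on `kvm_has_feat()` silently skips TCR2_EL1, PIR_EL1 and POR_EL1 for every non-protected VM, which is why the fix orders "clear flag, copy registers, set flag" rather than just adding a copy.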

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 41d6028e28bd474298ff10409c292ec46cf43a90 to bce3847f7c51b86332bf2e554c9e80ca3820f16c (excl.)
  • affected from 41d6028e28bd474298ff10409c292ec46cf43a90 to 858620655c1fbff05997e162fc7d83a3293d5142 (excl.)
  • affected from 41d6028e28bd474298ff10409c292ec46cf43a90 to 7e7c2cf0024d89443a7af52e09e47b1fe634ab17 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.14 is affected
  • unaffected from 0 to 6.14 (excl.)
  • unaffected from 6.18.17 to 6.18.* (incl.)
  • unaffected from 6.19.7 to 6.19.* (incl.)
  • unaffected from 7.0-rc2 to * (incl.)
