Armv8.5 MTE kernel support


I am able to observe MTE out-of-bounds access exceptions (sync and async) being raised in user space (EL0). However, for memory allocations in kernel space, I am not observing any out-of-bounds exceptions being raised by the processor.

For the test, a kernel memory allocation of size 4KB is created using alloc_page() and vmap() calls with pgprot page attribute set to PROT_NORMAL_TAGGED and GCR_EL1.Exclude = 0. The tag assignment and propagation are handled through "irg" and "stg" instructions respectively.

Below are my observations from the test:

Address before tagging: 0xffff80000a2ef000

1. The tag value is being assigned to the VA: 0xfbff80000a2ef000 (Tag: #3)

2. The tag value read through "ldg" has an odd value in address field: 0xfbff8000095bd2a7 (Was expecting a value of 0xfbff80000a2ef000)

3. Accessing memory granules through a tag mismatched pointer does not raise an exception.

Test setup:

- Qemu 6.2.0 with mte=on

- Linux kernel v5.17


- Does MTE feature architecturally only support user-space (EL0) and not kernel space?

- The kernel version being used might not fully support the use of MTE in EL1. What changes beyond setting the PTE index field to point to MAIR.EL1 memory tagged attribute and setting the GCR_EL1 to include all tags are required to support the use of MTE for kernel memory allocations?


The aforementioned questions may be too generic but any suggestions or thoughts would be much appreciated. Thanks in advance!


Jaidev Shastri

Ph.D. student at Virginia Tech