docs/system/arm/emulation.rst | 1 + target/arm/cpu-features.h | 6 ++++++ target/arm/helper.c | 14 +++++++++++++- 3 files changed, 20 insertions(+), 1 deletion(-)
FEAT_E2H0 is a formalisation of the existing behaviour of HCR_EL2.E2H
being programmable to switch between EL2 host mode and the
"traditional" nVHE EL2 mode. This implies at some point we might want
to model CPUs without FEAT_E2H0 which will always have EL2 host mode
enabled.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
---
comment: I've left a fixme? for HCR_EL2.NV1, I await guidance on if
I'm reading the spec wrong.
---
docs/system/arm/emulation.rst | 1 +
target/arm/cpu-features.h | 6 ++++++
target/arm/helper.c | 14 +++++++++++++-
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index 3f30ea5a30e..74359f3e844 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -53,6 +53,7 @@ the following architecture extensions:
- FEAT_DotProd (Advanced SIMD dot product instructions)
- FEAT_DoubleFault (Double Fault Extension)
- FEAT_E0PD (Preventing EL0 access to halves of address maps)
+- FEAT_E2H0 (Programming of HCR_EL2.E2H)
- FEAT_EBF16 (AArch64 Extended BFloat16 instructions)
- FEAT_ECV (Enhanced Counter Virtualization)
- FEAT_EL0 (Support for execution at EL0)
diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h
index a7ca410dcb4..b6ef328fe0a 100644
--- a/target/arm/cpu-features.h
+++ b/target/arm/cpu-features.h
@@ -347,6 +347,7 @@ FIELD(ID_AA64MMFR3, ADERR, 56, 4)
FIELD(ID_AA64MMFR3, SPEC_FPACC, 60, 4)
FIELD(ID_AA64MMFR4, ASID2, 8, 4)
+FIELD(ID_AA64MMFR4, E2H0, 24, 4)
FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
@@ -1376,6 +1377,11 @@ static inline bool isar_feature_aa64_asid2(const ARMISARegisters *id)
return FIELD_EX64_IDREG(id, ID_AA64MMFR4, ASID2) != 0;
}
+static inline bool isar_feature_aa64_e2h0(const ARMISARegisters *id)
+{
+ return FIELD_EX64_IDREG(id, ID_AA64MMFR4, E2H0) == 0;
+}
+
static inline bool isar_feature_aa64_mec(const ARMISARegisters *id)
{
return FIELD_EX64_IDREG(id, ID_AA64MMFR3, MEC) != 0;
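Review bot: `isar_feature_aa64_e2h0()` has the opposite polarity from its neighbours and nothing documents it: it returns true when the ID field is zero, while `isar_feature_aa64_asid2()` and `isar_feature_aa64_mec()` both test `!= 0`. That makes call sites such as `!cpu_isar_feature(aa64_e2h0, cpu)` in helper.c easy to misread, and this test decides how a hypervisor control bit is modelled. I would add a comment above the helper, for example `/* ID_AA64MMFR4.E2H0 == 0 means FEAT_E2H0 is implemented (HCR_EL2.E2H is programmable); any non-zero value means it is not. */`. The comment should also say that an all-zero ID_AA64MMFR4 therefore reads as "implemented", which appears to be what keeps existing CPU models unchanged.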
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 655ce73ee1b..27b5fb01827 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3773,7 +3773,8 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
}
if (arm_feature(env, ARM_FEATURE_AARCH64)) {
- if (cpu_isar_feature(aa64_vh, cpu)) {
+ if (cpu_isar_feature(aa64_vh, cpu) &&
+ cpu_isar_feature(aa64_e2h0, cpu)) {
valid_mask |= HCR_E2H;
}
if (cpu_isar_feature(aa64_ras, cpu)) {
@@ -3797,6 +3798,11 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
if (cpu_isar_feature(aa64_rme, cpu)) {
valid_mask |= HCR_GPF;
}
+ /*
+ * FIXME? HCR_EL2.NV1 is only meant to be RES0 if
+ * FEAT_E2H0 is not implemented with 0b1110 although the Arm
+ * ARM doesn't explicitly state it is RES1 with 0b1111.
+ */
if (cpu_isar_feature(aa64_nv, cpu)) {
valid_mask |= HCR_NV | HCR_NV1 | HCR_AT;
}
@@ -3820,6 +3826,12 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
value |= HCR_RW;
}
+ /* Strictly E2H is RES1 unless FEAT_E2H0 relaxes the requirement */
+ if (arm_feature(env, ARM_FEATURE_AARCH64) &&
+ !cpu_isar_feature(aa64_e2h0, cpu)) {
+ value |= HCR_E2H;
+ }
+
/*
* These bits change the MMU setup:
* HCR_VM enables stage 2 translation
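Review bot: The added RES1 block sets `HCR_E2H` whenever `aa64_e2h0` is false, without checking that the CPU implements VHE, whereas the writable case in the first hunk of this file is still gated on `cpu_isar_feature(aa64_vh, cpu)`. A CPU model whose ID registers are inconsistent (E2H0 non-zero without VHE) would then run with E2H=1 on a core that has no EL2 host mode, so consider adding `cpu_isar_feature(aa64_vh, cpu) &&` to the condition, or asserting the combination where the ID registers are finalised. The block also seems to depend on running after the RES0 bits are cleared with `valid_mask`, which happens outside this hunk; since E2H is no longer in the mask for these CPUs, the comment could say so, e.g. `/* Must follow the valid_mask clear: E2H is RES1 here, not writable */`. do_hcr_write starts and ends outside the hunk.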
--
2.47.3
> On 30. Jan 2026, at 19:16, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> FEAT_E2H0 is a formalisation of the existing behaviour of HCR_EL2.E2H
> being programmable to switch between EL2 host mode and the
> "traditional" nVHE EL2 mode. This implies at some point we might want
> to model CPUs without FEAT_E2H0 which will always have EL2 host mode
> enabled.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>
> ---
> comment: I've left a fixme? for HCR_EL2.NV1, I await guidance on if
> I'm reading the spec wrong.
> ---
> docs/system/arm/emulation.rst | 1 +
> target/arm/cpu-features.h | 6 ++++++
> target/arm/helper.c | 14 +++++++++++++-
> 3 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
> index 3f30ea5a30e..74359f3e844 100644
> --- a/docs/system/arm/emulation.rst
> +++ b/docs/system/arm/emulation.rst
> @@ -53,6 +53,7 @@ the following architecture extensions:
> - FEAT_DotProd (Advanced SIMD dot product instructions)
> - FEAT_DoubleFault (Double Fault Extension)
> - FEAT_E0PD (Preventing EL0 access to halves of address maps)
> +- FEAT_E2H0 (Programming of HCR_EL2.E2H)
> - FEAT_EBF16 (AArch64 Extended BFloat16 instructions)
> - FEAT_ECV (Enhanced Counter Virtualization)
> - FEAT_EL0 (Support for execution at EL0)
> diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h
> index a7ca410dcb4..b6ef328fe0a 100644
> --- a/target/arm/cpu-features.h
> +++ b/target/arm/cpu-features.h
> @@ -347,6 +347,7 @@ FIELD(ID_AA64MMFR3, ADERR, 56, 4)
> FIELD(ID_AA64MMFR3, SPEC_FPACC, 60, 4)
>
> FIELD(ID_AA64MMFR4, ASID2, 8, 4)
> +FIELD(ID_AA64MMFR4, E2H0, 24, 4)
>
> FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
> FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
> @@ -1376,6 +1377,11 @@ static inline bool isar_feature_aa64_asid2(const ARMISARegisters *id)
> return FIELD_EX64_IDREG(id, ID_AA64MMFR4, ASID2) != 0;
> }
>
> +static inline bool isar_feature_aa64_e2h0(const ARMISARegisters *id)
> +{
> + return FIELD_EX64_IDREG(id, ID_AA64MMFR4, E2H0) == 0;
> +}
> +
> static inline bool isar_feature_aa64_mec(const ARMISARegisters *id)
> {
> return FIELD_EX64_IDREG(id, ID_AA64MMFR3, MEC) != 0;
> diff --git a/target/arm/helper.c b/target/arm/helper.c
> index 655ce73ee1b..27b5fb01827 100644
> --- a/target/arm/helper.c
> +++ b/target/arm/helper.c
> @@ -3773,7 +3773,8 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
> }
>
> if (arm_feature(env, ARM_FEATURE_AARCH64)) {
> - if (cpu_isar_feature(aa64_vh, cpu)) {
> + if (cpu_isar_feature(aa64_vh, cpu) &&
> + cpu_isar_feature(aa64_e2h0, cpu)) {
> valid_mask |= HCR_E2H;
> }
> if (cpu_isar_feature(aa64_ras, cpu)) {
> @@ -3797,6 +3798,11 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
> if (cpu_isar_feature(aa64_rme, cpu)) {
> valid_mask |= HCR_GPF;
> }
> + /*
> + * FIXME? HCR_EL2.NV1 is only meant to be RES0 if
> + * FEAT_E2H0 is not implemented with 0b1110 although the Arm
> + * ARM doesn't explicitly state it is RES1 with 0b1111.
> + */
Hello,
With 0b1111 both VHE and nVHE guests work.
KVM in that case supports both (with an nVHE cap opt-in), and I can’t find a mention of RES1 for this in the spec,
so this comment might be a bit confusing.
0b1111 = E2H being RES1, but NV1 supporting both 0 and 1
0b1110 = Removes the NV1 = 1 support
It’s highlighted further in the ID_AA64MMFR2_EL1.NV bit documentation, where both 0b0001 and 0b0010 define
the HCR_EL2.NV1 bit as implemented.
> if (cpu_isar_feature(aa64_nv, cpu)) {
> valid_mask |= HCR_NV | HCR_NV1 | HCR_AT;
> }
> @@ -3820,6 +3826,12 @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
> value |= HCR_RW;
> }
>
> + /* Strictly E2H is RES1 unless FEAT_E2H0 relaxes the requirement */
> + if (arm_feature(env, ARM_FEATURE_AARCH64) &&
> + !cpu_isar_feature(aa64_e2h0, cpu)) {
> + value |= HCR_E2H;
> + }
> +
> /*
> * These bits change the MMU setup:
> * HCR_VM enables stage 2 translation
> --
> 2.47.3
>
>