[AARCH64] HPFAR_EL2.NS not set for non secure read in S-EL1
Hi Qemu team,
At Trustonic, we use Qemu to develop and test our TEE (Kinibi). Our TEE runs at S-EL1 with Hafnium (S-EL2) and the ARM Trusted Firmware (EL3). When our TEE is starting, we check that its memory is correctly protected: we create a Non-Secure mapping of a page located in "secure" memory and check that we get an exception if we try to read the protected memory. This was working fine with Qemu 8.1, but I noticed that it now freezes with the latest Qemu. I identified the following commit as the one changing the behavior: https://github.com/qemu/qemu/commit/4f51edd3cd1746c0eee66eebafdfb642f8dd7e87
In my case, fault_s1ns() returns false because we have the following values:
- space = ARMSS_NonSecure
- s2_mmu_idx = ARMMMUIdx_Stage2
- regime_is_stage2(s2_mmu_idx) = true
Thus the HPFAR_EL2.NS bit is not set. When the exception is trapped at S-EL2 in Hafnium, the fault is considered spurious because this bit is not set: https://github.com/TF-Hafnium/hafnium/blob/main/src/vcpu.c#L155
The fault is not injected into S-EL1, and S-EL1 is resumed at the same address. Then we get the fault again, resulting in an infinite loop between S-EL1 and S-EL2.
I am not familiar with this code in Qemu or Hafnium, so I can't tell whether the Qemu commit is OK and Hafnium should be changed; I would like your opinion.
Host environment
- Operating system: Ubuntu
- OS/kernel version: 6.5.0
- Architecture: x86_64
- QEMU flavor: qemu-system-aarch64
- QEMU version: 7b87a25f (Thu Sep 5 13:02:26 2024 +0100)
- QEMU command line:
Emulated/Virtualized environment
- versions: on the secure side, Hafnium 33172403a44a1c68a8841fda648dd5750686bad3 (Thu Aug 15 13:15:34 2024 +0100); ATF v2.10-rc0; TEE Kinibi 610
- Architecture: AArch64