Tags: arm, arm64, armv8

Why are some read-only processor registers inaccessible in EL0?


What is the security provided by making read-only system registers like Processor Feature Register 1 or Instruction Set Attribute Register 1 inaccessible to code running at EL0?

If code is running at EL0, how can it know which instructions are legal without the ability to query these kinds of things?


Solution

  • If code is running at EL0, how can it know which instructions are legal without the ability to query these kinds of things?

    The operating system (which runs at EL1 or higher) is supposed to define some mechanism to inform EL0 code of the CPU capabilities. For instance, Linux exposes these bits via hwcap flags.

    This way, the OS has complete control over what the unprivileged code knows about the hardware.

    I agree that for some of these flags, there doesn't seem to be any particular danger in letting EL0 know their values. But some of them, EL0 also has no need to know (e.g. for features that aren't available at EL0 anyway). And there could be cases where you really want to sandbox your EL0 code, and don't want to leak any information about the hardware.

    Also note that some CPU features, even if present in hardware, can be disabled at EL0, e.g. if the necessary software support isn't present in the kernel. (For instance, SVE can only be safely used if the OS has code to save and restore the SVE registers on context switch.) So allowing EL0 to directly inquire about hardware support isn't really useful, since it has to ask the OS anyway if that support is actually enabled.

    Again, some of the flags still seem harmless. But ARM probably found it simpler and safer just to adopt a blanket policy of "not available to EL0, let the OS decide".
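The mechanism the answer describes, as an added example that is not part of the question or the answer: on Linux/arm64 the kernel publishes the features it decided EL0 may use in the `AT_HWCAP` word of the auxiliary vector, and user code asks the OS via `getauxval()` instead of executing `MRS` on the ID registers. The bit positions are the arm64 `HWCAP_*` values from the Linux UAPI header `arch/arm64/include/uapi/asm/hwcap.h`, copied here under `ARM64_HWCAP_*` names so the file also compiles on a non-arm64 host; the optional `read_id_aa64isar1()` helper assumes a kernel that traps and emulates EL0 reads of the ID registers (the feature advertised by `HWCAP_CPUID`), which is why it is compiled only for aarch64 Linux and only called when that bit is set.

```c
/* Added example (not from the question or answer): how EL0 user code on
 * Linux/arm64 learns which CPU features the OS chose to advertise, via the
 * AT_HWCAP auxiliary-vector word, rather than reading ID registers itself.
 * Bit values are the arm64 HWCAP_* constants from the Linux UAPI header,
 * repeated here so the example builds on non-arm64 hosts too. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

#define ARM64_HWCAP_FP      (1UL << 0)
#define ARM64_HWCAP_ASIMD   (1UL << 1)
#define ARM64_HWCAP_AES     (1UL << 3)
#define ARM64_HWCAP_PMULL   (1UL << 4)
#define ARM64_HWCAP_SHA1    (1UL << 5)
#define ARM64_HWCAP_SHA2    (1UL << 6)
#define ARM64_HWCAP_CRC32   (1UL << 7)
#define ARM64_HWCAP_ATOMICS (1UL << 8)
#define ARM64_HWCAP_CPUID   (1UL << 11)
#define ARM64_HWCAP_SVE     (1UL << 22)

struct hwcap_name { unsigned long bit; const char *name; };

static const struct hwcap_name hwcap_table[] = {
    { ARM64_HWCAP_FP,      "fp"      },
    { ARM64_HWCAP_ASIMD,   "asimd"   },
    { ARM64_HWCAP_AES,     "aes"     },
    { ARM64_HWCAP_PMULL,   "pmull"   },
    { ARM64_HWCAP_SHA1,    "sha1"    },
    { ARM64_HWCAP_SHA2,    "sha2"    },
    { ARM64_HWCAP_CRC32,   "crc32"   },
    { ARM64_HWCAP_ATOMICS, "atomics" },
    { ARM64_HWCAP_CPUID,   "cpuid"   },
    { ARM64_HWCAP_SVE,     "sve"     },
};

/* Nonzero if every bit in `required` is advertised in `hwcap`. This is the
 * check user code should make before using an optional instruction set:
 * the OS word, not the raw hardware, is the source of truth at EL0. */
int hwcap_has_all(unsigned long hwcap, unsigned long required)
{
    return (hwcap & required) == required;
}

/* Writes the names of advertised features into `names` (at most `max`)
 * and returns how many were written. */
size_t hwcap_decode(unsigned long hwcap, const char **names, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof hwcap_table / sizeof hwcap_table[0] && n < max; i++)
        if (hwcap & hwcap_table[i].bit)
            names[n++] = hwcap_table[i].name;
    return n;
}

/* The kernel-advertised word; 0 where no auxiliary vector is available. */
unsigned long read_hwcap(void)
{
#if defined(__linux__)
    return getauxval(AT_HWCAP);
#else
    return 0;
#endif
}

#if defined(__aarch64__) && defined(__linux__)
/* Assumption: a Linux kernel that traps this EL0 MRS and returns a sanitised
 * copy of ID_AA64ISAR1_EL1 (advertised via HWCAP_CPUID). What comes back is
 * the kernel's view of the register, not the raw hardware value. */
static unsigned long read_id_aa64isar1(void)
{
    unsigned long v;
    __asm__ volatile("mrs %0, ID_AA64ISAR1_EL1" : "=r"(v));
    return v;
}
#endif

int main(void)
{
#if defined(__aarch64__)
    unsigned long hwcap = read_hwcap();
    const char *names[16];
    size_t n = hwcap_decode(hwcap, names, 16);
    printf("AT_HWCAP = 0x%lx\n", hwcap);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    if (!hwcap_has_all(hwcap, ARM64_HWCAP_SVE))
        printf("SVE not advertised by the OS; do not emit SVE instructions\n");
#if defined(__linux__)
    if (hwcap_has_all(hwcap, ARM64_HWCAP_CPUID))
        printf("ID_AA64ISAR1_EL1 (kernel-emulated view) = 0x%lx\n", read_id_aa64isar1());
#endif
#else
    printf("Not an arm64 host; AT_HWCAP here would carry another architecture's bits\n");
#endif
    return 0;
}
```

The point of `hwcap_has_all()` is that a feature such as SVE is treated as absent unless the kernel advertises it, regardless of what the silicon can do, which is exactly the policy the answer describes.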