[EXT] Re: SEV-ES guest: In vctrap() only allow CPUID from userspace
Hi,
On Wed, Jul 02, 2025 at 11:46:38AM -0700, Mike Larkin wrote:
> > @@ -357,6 +359,8 @@ vctrap(struct trapframe *frame)
> > break;
> > }
> > case SVM_VMEXIT_IOIO: {
> > + if (user)
> > + return 0; /* not allowed from userspace */
>
> Does this not break cases that use the IOPB for port access from usermode?
Yes, it does break usermode IO access. Right now I'd like to avoid
supporting usermode IO access.
If we need that in the future, we can implement support. This would
involve taking mechanisms like SMAP into account and more elaborate
IO emulation.
> > switch (*rip) {
> > case 0x66: {
> > switch (*(rip + 1)) {
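Review bot: the new `if (user) return 0;` in the SVM_VMEXIT_IOIO case should say in its comment what the caller does with that 0, because on its own `return 0; /* not allowed from userspace */` reads like a silent no-op; per the usertrap() change in this same patch it becomes SIGILL/ILL_PRVOPC, so something like `/* not allowed from userspace; usertrap() raises SIGILL */` records the intent where the decision is made. Since the check sits before any decoding, user-mode port I/O is rejected regardless of IOPB permissions, which is exactly what Mike asks about below; a one-line comment stating that this is intentional for now would save the next reader the same question.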
> > @@ -505,7 +509,7 @@ kerntrap(struct trapframe *frame)
> > #endif /* NISA > 0 */
> >
> > case T_VC:
> > - if (vctrap(frame))
> > + if (vctrap(frame, 0))
> > return;
> > goto we_re_toast;
> > }
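Review bot: the new second argument to vctrap() is passed as a bare `0` here (and as `1` in usertrap() and `$0x0` in vector.S), which says nothing about its meaning at the call site; giving the parameter a name in the prototype (`user`) and either a `bool` type or named values such as `VCTRAP_KERNEL 0` / `VCTRAP_USER 1` would make `if (vctrap(frame, 0))` self-explaining and keep the three callers from drifting.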
> > @@ -588,9 +592,11 @@ usertrap(struct trapframe *frame)
> > : ILL_BADSTK;
> > break;
> > case T_VC:
> > - vctrap(frame);
> > - goto out;
> > -
> > + if (vctrap(frame, 1))
> > + goto out;
> > + sig = SIGILL;
> > + code = ILL_PRVOPC;
> > + break;
> > case T_PAGEFLT: /* page fault */
> > if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
> > "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
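Review bot: this hunk makes a failed vctrap() fatal where the old code did `goto out` regardless of the return value, so the signal choice matters. ILL_PRVOPC fits the user-mode IOIO rejection added above, but if vctrap() also returns 0 when it cannot decode or emulate an exit (the `switch (*rip)` decoder suggests it can), the same SIGILL/ILL_PRVOPC would misreport an unsupported instruction as a privilege violation; either return a distinct value for that case and map it to ILL_ILLOPC, or note in a comment that every 0 return from user mode is treated as a privileged-instruction fault. The commit message should also call out the behaviour change, since previously a 0 return from vctrap() went back to userland with no signal.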
> > diff --git a/sys/arch/amd64/amd64/vector.S b/sys/arch/amd64/amd64/vector.S
> > index 59823862c18..4181ab216d0 100644
> > --- a/sys/arch/amd64/amd64/vector.S
> > +++ b/sys/arch/amd64/amd64/vector.S
> > @@ -553,6 +553,7 @@ IDTVEC(vctrap_early)
> > TRAP_ENTRY_KERN /* early #VC has to be in kernel mode */
> > cld
> > movq %rsp, %rdi
> > + movq $0x0, %rsi
> > call vctrap
> > movq $0,-8(%rsp)
> > INTRFASTEXIT
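Review bot: `movq $0x0, %rsi` carries no comment, so a reader of vector.S has to find the vctrap() prototype to learn that %rsi is the new user flag; extend the comment style already used on the TRAP_ENTRY_KERN line two lines up, e.g. `movq $0x0, %rsi /* user = 0: early #VC is always kernel mode */`. `xorl %esi, %esi` is the conventional way to zero the register, though the explicit immediate is arguably clearer here because the value is a flag rather than a scratch zero.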