From: Hans-Jörg Höxer
Subject: Re: [EXT] Re: SEV-ES guest: In vctrap() only allow CPUID from userspace
To:
Date: Thu, 3 Jul 2025 13:41:57 +0200
Hi,
On Wed, Jul 02, 2025 at 11:46:38AM -0700, Mike Larkin wrote:
> > @@ -357,6 +359,8 @@ vctrap(struct trapframe *frame)
> > break;
> > }
> > case SVM_VMEXIT_IOIO: {
> > + if (user)
> > + return 0; /* not allowed from userspace */
> > Does this not break cases that use the IOPB for port access from usermode?
yes, it does break usermode IO access. Right now I'd like to avoid supporting usermode IO access. If we need that in the future, we can implement supoort. This would involve taking mechanisms like SMAP into account and more elaborate IO emulation.
> > switch (*rip) {
> > case 0x66: {
> > switch (*(rip + 1)) {
> > @@ -505,7 +509,7 @@ kerntrap(struct trapframe *frame)
> > #endif /* NISA > 0 */
> >
> > case T_VC:
> > - if (vctrap(frame))
> > + if (vctrap(frame, 0))
> > return;
> > goto we_re_toast;
> > }
> > @@ -588,9 +592,11 @@ usertrap(struct trapframe *frame)
> > : ILL_BADSTK;
> > break;
> > case T_VC:
> > - vctrap(frame);
> > - goto out;
> > -
> > + if (vctrap(frame, 1))
> > + goto out;
> > + sig = SIGILL;
> > + code = ILL_PRVOPC;
> > + break;
> > case T_PAGEFLT: /* page fault */
> > if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
> > "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
> > diff --git a/sys/arch/amd64/amd64/vector.S b/sys/arch/amd64/amd64/vector.S
> > index 59823862c18..4181ab216d0 100644
> > --- a/sys/arch/amd64/amd64/vector.S
> > +++ b/sys/arch/amd64/amd64/vector.S
> > @@ -553,6 +553,7 @@ IDTVEC(vctrap_early)
> > TRAP_ENTRY_KERN /* early #VC has to be in kernel mode */
> > cld
> > movq %rsp, %rdi
> > + movq $0x0, %rsi
> > call vctrap
> > movq $0,-8(%rsp)
> > INTRFASTEXIT
> >
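Review bot: The userspace restriction in the `SVM_VMEXIT_IOIO` case of vctrap() is a per-case deny, so the policy named in the subject (only CPUID from userspace) holds only while every other case in the switch carries the same check. The switch begins outside this hunk, so whether the remaining exit codes are covered cannot be confirmed from here. A single allow-list test ahead of the switch, along the lines of `if (user && <exit code> != SVM_VMEXIT_CPUID) return 0;` (with `<exit code>` standing for whatever value the switch dispatches on), would fail closed when a new exit code is handled later. The usertrap() hunk now turns a 0 return into SIGILL/ILL_PRVOPC, so vctrap() would also benefit from a header comment such as `/* Returns 0 when the #VC is not emulated for the given privilege level; the caller decides how to fail. */`.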