From: Mike Larkin
Subject: Re: [EXT] Re: SEV-ES guest: In vctrap() only allow CPUID from userspace
To: tech@openbsd.org
Date: Fri, 11 Jul 2025 09:29:55 -0700
On Thu, Jul 03, 2025 at 01:41:57PM +0200, Hans-Jörg Höxer wrote:
> Hi,
>
> On Wed, Jul 02, 2025 at 11:46:38AM -0700, Mike Larkin wrote:
> > > @@ -357,6 +359,8 @@ vctrap(struct trapframe *frame)
> > > break;
> > > }
> > > case SVM_VMEXIT_IOIO: {
> > > + if (user)
> > > + return 0; /* not allowed from userspace */
> >
> > Does this not break cases that use the IOPB for port access from usermode?
>
> yes, it does break usermode IO access. Right now I'd like to avoid
> supporting usermode IO access.
>
> If we need that in the future, we can implement supoort. This would
> involve taking mechanisms like SMAP into account and more elaborate
> IO emulation.
>
probably doesn't really need to be implemented right now, as both of you point out. Makes sense. -ml
> > > switch (*rip) {
> > > case 0x66: {
> > > switch (*(rip + 1)) {
> > > @@ -505,7 +509,7 @@ kerntrap(struct trapframe *frame)
> > > #endif /* NISA > 0 */
> > >
> > > case T_VC:
> > > - if (vctrap(frame))
> > > + if (vctrap(frame, 0))
> > > return;
> > > goto we_re_toast;
> > > }
> > > @@ -588,9 +592,11 @@ usertrap(struct trapframe *frame)
> > > : ILL_BADSTK;
> > > break;
> > > case T_VC:
> > > - vctrap(frame);
> > > - goto out;
> > > -
> > > + if (vctrap(frame, 1))
> > > + goto out;
> > > + sig = SIGILL;
> > > + code = ILL_PRVOPC;
> > > + break;
> > > case T_PAGEFLT: /* page fault */
> > > if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
> > > "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
> > > diff --git a/sys/arch/amd64/amd64/vector.S b/sys/arch/amd64/amd64/vector.S
> > > index 59823862c18..4181ab216d0 100644
> > > --- a/sys/arch/amd64/amd64/vector.S
> > > +++ b/sys/arch/amd64/amd64/vector.S
> > > @@ -553,6 +553,7 @@ IDTVEC(vctrap_early)
> > > TRAP_ENTRY_KERN /* early #VC has to be in kernel mode */
> > > cld
> > > movq %rsp, %rdi
> > > + movq $0x0, %rsi
> > > call vctrap
> > > movq $0,-8(%rsp)
> > > INTRFASTEXIT
> > > >
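Review bot: The added `movq $0x0, %rsi` in IDTVEC(vctrap_early) loads a bare constant with nothing to say that it is the new second argument of vctrap(), and it spells the zero as `$0x0` while the existing `movq $0,-8(%rsp)` two lines below uses `$0`. Judging from the `vctrap(frame, 0)` and `vctrap(frame, 1)` call sites in the trap.c hunks, the value appears to be the user-mode flag that decides which #VC exit codes are emulated, so a reader of the stub should be able to see that it is deliberately the kernel path. I would write the line as `movq $0, %rsi /* user = 0: early #VC is kernel mode only */`. The vctrap() prototype itself is not part of the quoted hunks, so the argument's name and width should be checked against it.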