search for: ghcb_set_rax

...> } > > +static enum es_result vc_handle_monitor(struct ghcb *ghcb, > + struct es_em_ctxt *ctxt) > +{ > + phys_addr_t monitor_pa; > + pgd_t *pgd; > + > + pgd = __va(read_cr3_pa()); > + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); > + > + ghcb_set_rax(ghcb, monitor_pa); > + ghcb_set_rcx(ghcb, ctxt->regs->cx); > + ghcb_set_rdx(ghcb, ctxt->regs->dx); > + > + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); Why? If SVM has the same behavior as VMX, the MONITOR will be disarmed on VM-Enter, i.e. the VMM can...

...> } > > +static enum es_result vc_handle_monitor(struct ghcb *ghcb, > + struct es_em_ctxt *ctxt) > +{ > + phys_addr_t monitor_pa; > + pgd_t *pgd; > + > + pgd = __va(read_cr3_pa()); > + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); > + > + ghcb_set_rax(ghcb, monitor_pa); > + ghcb_set_rcx(ghcb, ctxt->regs->cx); > + ghcb_set_rdx(ghcb, ctxt->regs->dx); > + > + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); Why? If SVM has the same behavior as VMX, the MONITOR will be disarmed on VM-Enter, i.e. the VMM can...

...> + struct es_em_ctxt *ctxt) > > > +{ > > > + phys_addr_t monitor_pa; > > > + pgd_t *pgd; > > > + > > > + pgd = __va(read_cr3_pa()); > > > + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); > > > + > > > + ghcb_set_rax(ghcb, monitor_pa); > > > + ghcb_set_rcx(ghcb, ctxt->regs->cx); > > > + ghcb_set_rdx(ghcb, ctxt->regs->dx); > > > + > > > + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); > > > > Why? If SVM has the same behavior as VMX,...

...> + struct es_em_ctxt *ctxt) > > > +{ > > > + phys_addr_t monitor_pa; > > > + pgd_t *pgd; > > > + > > > + pgd = __va(read_cr3_pa()); > > > + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); > > > + > > > + ghcb_set_rax(ghcb, monitor_pa); > > > + ghcb_set_rcx(ghcb, ctxt->regs->cx); > > > + ghcb_set_rdx(ghcb, ctxt->regs->dx); > > > + > > > + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); > > > > Why? If SVM has the same behavior as VMX,...

...sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c index 5bfc1f3030d4..cfdafe12da4f 100644 --- a/arch/x86/kernel/sev-es-shared.c +++ b/arch/x86/kernel/sev-es-shared.c @@ -427,8 +427,8 @@ static enum es_result vc_handle_cpuid(struct ghcb *ghcb, u32 cr4 = native_read_cr4(); enum es_result ret; - ghcb_set_rax(ghcb, regs->ax); - ghcb_set_rcx(ghcb, regs->cx); + ghcb_set_rax(ghcb, lower_32_bits(regs->ax)); + ghcb_set_rcx(ghcb, lower_32_bits(regs->cx)); if (cr4 & X86_CR4_OSXSAVE) /* Safe to read xcr0 */ @@ -447,10 +447,10 @@ static enum es_result vc_handle_cpuid(struct ghcb *ghcb,...

.../kernel/sev-es.c @@ -341,6 +341,26 @@ static enum es_result handle_mwait(struct ghcb *ghcb, struct es_em_ctxt *ctxt) return ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MWAIT, 0, 0); } +static enum es_result handle_vmmcall(struct ghcb *ghcb, + struct es_em_ctxt *ctxt) +{ + enum es_result ret; + + ghcb_set_rax(ghcb, ctxt->regs->ax); + ghcb_set_cpl(ghcb, user_mode(ctxt->regs) ? 3 : 0); + + ret = ghcb_hv_call(ghcb, ctxt, SVM_EXIT_VMMCALL, 0, 0); + if (ret != ES_OK) + return ret; + + if (!ghcb_is_valid_rax(ghcb)) + return ES_VMM_ERROR; + + ctxt->regs->ax = ghcb->save.rax; + + return ES_O...

...hared.c" +static enum es_result handle_msr(struct ghcb *ghcb, struct es_em_ctxt *ctxt) +{ + struct pt_regs *regs = ctxt->regs; + enum es_result ret; + bool write; + u64 exit_info_1; + + write = (ctxt->insn.opcode.bytes[1] == 0x30); + + ghcb_set_rcx(ghcb, regs->cx); + if (write) { + ghcb_set_rax(ghcb, regs->ax); + ghcb_set_rdx(ghcb, regs->dx); + exit_info_1 = 1; + } else { + exit_info_1 = 0; + } + + ret = ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MSR, exit_info_1, 0); + if (ret != ES_OK) + return ret; + else if (!write) { + regs->ax = ghcb->save.rax; + regs->dx = ghcb->save...

...c(struct ghcb *ghcb, struct es_em_ctxt *ctxt return ES_OK; } +static enum es_result vc_handle_monitor(struct ghcb *ghcb, + struct es_em_ctxt *ctxt) +{ + phys_addr_t monitor_pa; + pgd_t *pgd; + + pgd = __va(read_cr3_pa()); + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); + + ghcb_set_rax(ghcb, monitor_pa); + ghcb_set_rcx(ghcb, ctxt->regs->cx); + ghcb_set_rdx(ghcb, ctxt->regs->dx); + + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); +} + static enum es_result vc_handle_exitcode(struct es_em_ctxt *ctxt, struct ghcb *ghcb, unsigned long exit_...

...uot; +static enum es_result vc_handle_msr(struct ghcb *ghcb, struct es_em_ctxt *ctxt) +{ + struct pt_regs *regs = ctxt->regs; + enum es_result ret; + u64 exit_info_1; + + exit_info_1 = (ctxt->insn.opcode.bytes[1] == 0x30) ? 1 : 0; + + ghcb_set_rcx(ghcb, regs->cx); + if (exit_info_1) { + ghcb_set_rax(ghcb, regs->ax); + ghcb_set_rdx(ghcb, regs->dx); + exit_info_1 = 1; + } + + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MSR, exit_info_1, 0); + + if ((ret == ES_OK) && (!exit_info_1)) { + regs->ax = ghcb->save.rax; + regs->dx = ghcb->save.rdx; + } + + return ret; +}...

...ed" > + val = (val & 0xffff23ffL) | BIT(10); > + > + /* Early non-zero writes to DR7 are not supported */ > + if (!data && (val & ~DR7_RESET_VALUE)) > + return ES_UNSUPPORTED; > + > + /* Using a value of 0 for ExitInfo1 means RAX holds the value */ > + ghcb_set_rax(ghcb, val); > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_WRITE_DR7, 0, 0); > + if (ret != ES_OK) > + return ret; > + > + if (data) > + data->dr7 = val; Are we still returning ES_OK if !data? > + > + return ES_OK; > +} -- Regards/Gruss, Boris. https://p...

...c_handle_monitor(struct ghcb *ghcb, > > + struct es_em_ctxt *ctxt) > > +{ > > + phys_addr_t monitor_pa; > > + pgd_t *pgd; > > + > > + pgd = __va(read_cr3_pa()); > > + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); > > + > > + ghcb_set_rax(ghcb, monitor_pa); > > + ghcb_set_rcx(ghcb, ctxt->regs->cx); > > + ghcb_set_rdx(ghcb, ctxt->regs->dx); > > + > > + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); > > Why? If SVM has the same behavior as VMX, the MONITOR will be disarmed o...

...ct es_em_ctxt *ctxt) >>>> +{ >>>> + phys_addr_t monitor_pa; >>>> + pgd_t *pgd; >>>> + >>>> + pgd = __va(read_cr3_pa()); >>>> + monitor_pa = vc_slow_virt_to_phys(ghcb, ctxt->regs->ax); >>>> + >>>> + ghcb_set_rax(ghcb, monitor_pa); >>>> + ghcb_set_rcx(ghcb, ctxt->regs->cx); >>>> + ghcb_set_rdx(ghcb, ctxt->regs->dx); >>>> + >>>> + return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MONITOR, 0, 0); >>> >>> Why? If SVM has the same beha...

...> > --- > > + > > +static enum es_result vc_handle_cpuid(struct ghcb *ghcb, > > + struct es_em_ctxt *ctxt) > > +{ > > + struct pt_regs *regs = ctxt->regs; > > + u32 cr4 = native_read_cr4(); > > + enum es_result ret; > > + > > + ghcb_set_rax(ghcb, regs->ax); > > + ghcb_set_rcx(ghcb, regs->cx); > > + > > + if (cr4 & X86_CR4_OSXSAVE) > > Will this ever happen? trampoline_32bit_src will clear CR4 except for > PAE and possibly LA57, no? This same code is later re-used in the runtime handler and there...

...Clear out other reservered bits and set bit 10 */ + val = (val & 0xffff23ffL) | BIT(10); + + /* Early non-zero writes to DR7 are not supported */ + if (!data && (val & ~DR7_RESET_VALUE)) + return ES_UNSUPPORTED; + + /* Using a value of 0 for ExitInfo1 means RAX holds the value */ + ghcb_set_rax(ghcb, val); + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_WRITE_DR7, 0, 0); + if (ret != ES_OK) + return ret; + + if (data) + data->dr7 = val; + + return ES_OK; +} + +static enum es_result vc_handle_dr7_read(struct ghcb *ghcb, + struct es_em_ctxt *ctxt) +{ + struct sev_es_runtime_data...

...exit_bytes; + } + + if (exit_info_1 & IOIO_REP) + regs->cx -= exit_info_2; + + ret = regs->cx ? ES_RETRY : ES_OK; + + } else { + int bits = (exit_info_1 & 0x70) >> 1; + u64 rax = 0; + + if (!(exit_info_1 & IOIO_TYPE_IN)) + rax = lower_bits(regs->ax, bits); + + ghcb_set_rax(ghcb, rax); + + ret = ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); + if (ret != ES_OK) + return ret; + + if (exit_info_1 & IOIO_TYPE_IN) { + if (!ghcb_is_valid_rax(ghcb)) + return ES_VMM_ERROR; + regs->ax = copy_lower_bits(regs->ax, ghcb->save.rax, + bit...

...exit_bytes; + } + + if (exit_info_1 & IOIO_REP) + regs->cx -= exit_info_2; + + ret = regs->cx ? ES_RETRY : ES_OK; + + } else { + int bits = (exit_info_1 & 0x70) >> 1; + u64 rax = 0; + + if (!(exit_info_1 & IOIO_TYPE_IN)) + rax = lower_bits(regs->ax, bits); + + ghcb_set_rax(ghcb, rax); + + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); + if (ret != ES_OK) + return ret; + + if (exit_info_1 & IOIO_TYPE_IN) { + if (!ghcb_is_valid_rax(ghcb)) + return ES_VMM_ERROR; + regs->ax = lower_bits(ghcb->save.rax, bits); + } + } + + retu...

...+ regs->cx -= exit_info_2; > + > + ret = regs->cx ? ES_RETRY : ES_OK; > + > + } else { > + int bits = (exit_info_1 & 0x70) >> 1; > + u64 rax = 0; > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) > + rax = lower_bits(regs->ax, bits); > + > + ghcb_set_rax(ghcb, rax); > + > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_IN) { > + if (!ghcb_is_valid_rax(ghcb)) > + return ES_VMM_ERROR; > + regs->ax = lower_bit...

...+ regs->cx -= exit_info_2; > + > + ret = regs->cx ? ES_RETRY : ES_OK; > + > + } else { > + int bits = (exit_info_1 & 0x70) >> 1; > + u64 rax = 0; > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) > + rax = lower_bits(regs->ax, bits); > + > + ghcb_set_rax(ghcb, rax); > + > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_IN) { > + if (!ghcb_is_valid_rax(ghcb)) > + return ES_VMM_ERROR; > + regs->ax = lower_bit...

Hi, here is the next version of changes to enable Linux to run as an SEV-ES guest. The code was rebased to v5.7-rc3 and got a fair number of changes since the last version. What is SEV-ES ============== SEV-ES is an acronym for 'Secure Encrypted Virtualization - Encrypted State' and means a hardware feature of AMD processors which hides the register state of VCPUs to the hypervisor by

Hi, here is the next version of changes to enable Linux to run as an SEV-ES guest. The code was rebased to v5.7-rc3 and got a fair number of changes since the last version. What is SEV-ES ============== SEV-ES is an acronym for 'Secure Encrypted Virtualization - Encrypted State' and means a hardware feature of AMD processors which hides the register state of VCPUs to the hypervisor by