x86: Reject hypercalls issued by userspace contexts

Reject any hypercall issued by userspace contexts, thus enable cells to
establish proper access control to Jailhouse services.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

diff --git a/hypervisor/arch/x86/include/asm/processor.h b/hypervisor/arch/x86/include/asm/processor.h
index ee779f3c42c7deca2811153dc5a567f351388df8..6abdc695cfc03d11f74777df0f041c0e02698fe6 100644 (file)
--- a/hypervisor/arch/x86/include/asm/processor.h
+++ b/hypervisor/arch/x86/include/asm/processor.h
@@ -17,6 +17,8 @@
 
 #define X86_FEATURE_VMX                                        (1 << 5)
 
+#define X86_RFLAGS_VM                                  (1 << 17)
+
 #define X86_CR0_PE                                     0x00000001
 #define X86_CR0_ET                                     0x00000010
 #define X86_CR0_NW                                     0x20000000

diff --git a/hypervisor/arch/x86/vmx.c b/hypervisor/arch/x86/vmx.c
index 69673c448bab9d5a80f2f32f2ac1bec3cde6eb51..9a4e8504c9ed3e128c4a3dddd0f2085b3807af36 100644 (file)
--- a/hypervisor/arch/x86/vmx.c
+++ b/hypervisor/arch/x86/vmx.c
@@ -820,6 +820,13 @@ static void vmx_handle_hypercall(struct registers *guest_regs,
 {
        vmx_skip_emulated_instruction(X86_INST_LEN_VMCALL);
 
+       if ((!(vmcs_read64(GUEST_IA32_EFER) & EFER_LMA) &&
+            vmcs_read64(GUEST_RFLAGS) & X86_RFLAGS_VM) ||
+           (vmcs_read16(GUEST_CS_SELECTOR) & 3) != 0) {
+               guest_regs->rax = -EPERM;
+               return;
+       }
+
        switch (guest_regs->rax) {
        case JAILHOUSE_HC_DISABLE:
                guest_regs->rax = shutdown(cpu_data);