From 05f8fd701a47f5e4a331c68a9034a5ced62ee0a6 Mon Sep 17 00:00:00 2001
From: Jason Chen CJ <jason.cj.chen@intel.com>
Date: Mon, 21 May 2018 20:17:40 +0800
Subject: [PATCH] hypercall: do not allow hypercall from UOS except trusty

only trusty related hypercall will come from UOS, others should come from VM0

Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
---
 hypervisor/arch/x86/guest/vmcall.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hypervisor/arch/x86/guest/vmcall.c b/hypervisor/arch/x86/guest/vmcall.c
index ffd599407..97868b9af 100644
--- a/hypervisor/arch/x86/guest/vmcall.c
+++ b/hypervisor/arch/x86/guest/vmcall.c
@@ -57,6 +57,12 @@ int vmcall_vmexit_handler(struct vcpu *vcpu)
 		return -1;
 	}
 
+	if (!is_vm0(vm) && hypcall_id != HC_WORLD_SWITCH &&
+		hypcall_id != HC_INITIALIZE_TRUSTY) {
+		pr_err("hypercall %d is only allowed from VM0!\n", hypcall_id);
+		return -1;
+	}
+
 	/* Dispatch the hypercall handler */
 	switch (hypcall_id) {
 	case HC_GET_API_VERSION: