From 30a773f7b0c2f5364023c47b604cd8a9aa3503be Mon Sep 17 00:00:00 2001
From: Yonghua Huang <yonghua.huang@intel.com>
Date: Tue, 12 Nov 2019 16:08:45 +0800
Subject: [PATCH] hv:unmap AP trampoline region from service VM's EPT

 AP trampoline code should be accessile to hypervisor only,
 Unmap this memory region from service VM's EPT mapping
 for security reason..

Tracked-On: #4091
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
---
 hypervisor/arch/x86/guest/vm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hypervisor/arch/x86/guest/vm.c b/hypervisor/arch/x86/guest/vm.c
index 28f312280..05b126d42 100644
--- a/hypervisor/arch/x86/guest/vm.c
+++ b/hypervisor/arch/x86/guest/vm.c
@@ -25,6 +25,7 @@
 #include <cat.h>
 #include <firmware.h>
 #include <board.h>
+#include <trampoline.h>
 
 vm_sw_loader_t vm_sw_loader;
 
@@ -304,6 +305,14 @@ static void prepare_sos_vm_memmap(struct acrn_vm *vm)
 	 */
 	hv_hpa = hva2hpa((void *)(get_hv_image_base()));
 	ept_mr_del(vm, pml4_page, hv_hpa, CONFIG_HV_RAM_SIZE);
+
+	/* unmap AP trampoline code for security reason.
+	 * 'allocate_pages()' in efi boot mode or
+	 * 'e820_alloc_low_memory()' in direct boot
+	 * mode will ensure the base address of tramploline
+	 * code be page-aligned.
+	 */
+	ept_mr_del(vm, pml4_page, get_trampoline_start16_paddr(), CONFIG_LOW_RAM_SIZE);
 }
 
 /**