From 36ba7f8aa8b7f69e19446d89b1ad11e1175b07d4 Mon Sep 17 00:00:00 2001 From: Zide Chen Date: Mon, 26 Nov 2018 09:14:05 -0800 Subject: [PATCH] hv: clear CPUID.07H.EBX[2] to disable SGX from guests Regarding SGX, guests could access CPUID.07H.EBX[2] before query CPUID leaf 12H. Intel SDM 36.7.2: "If CPUID.(EAX=07H, ECX=0H):EBX.SGX = 1, the processor also supports querying CPUID with EAX=12H on Intel SGX resource capability and configuration." Clear CPUID.07H.ECX[30] SGX_LC to make the guest view consistent. Tracked-On: #1867 Signed-off-by: Zide Chen Acked-by: Anthony Xu Acked-by: Eddie Dong --- hypervisor/arch/x86/cpuid.c | 4 ++++ hypervisor/include/arch/x86/cpuid.h | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/hypervisor/arch/x86/cpuid.c b/hypervisor/arch/x86/cpuid.c index 1c1c15c4a..824b126c3 100644 --- a/hypervisor/arch/x86/cpuid.c +++ b/hypervisor/arch/x86/cpuid.c @@ -101,6 +101,10 @@ static void init_vcpuid_entry(uint32_t leaf, uint32_t subleaf, entry->ebx &= ~(CPUID_EBX_INVPCID | CPUID_EBX_PQM | CPUID_EBX_PQE); + + /* mask SGX and SGX_LC */ + entry->ebx &= ~CPUID_EBX_SGX; + entry->ecx &= ~CPUID_ECX_SGX_LC; } else { entry->eax = 0U; entry->ebx = 0U; diff --git a/hypervisor/include/arch/x86/cpuid.h b/hypervisor/include/arch/x86/cpuid.h index 58ef9a3ad..7bd70749f 100644 --- a/hypervisor/include/arch/x86/cpuid.h +++ b/hypervisor/include/arch/x86/cpuid.h @@ -72,6 +72,10 @@ #define CPUID_EDX_PBE (1U<<31U) /* CPUID.07H:EBX.TSC_ADJUST*/ #define CPUID_EBX_TSC_ADJ (1U<<1U) +/* CPUID.07H:EBX.SGX */ +#define CPUID_EBX_SGX (1U<<2U) +/* CPUID.07H:ECX.SGX_LC*/ +#define CPUID_ECX_SGX_LC (1U<<30U) /* CPUID.07H:EDX.IBRS_IBPB*/ #define CPUID_EDX_IBRS_IBPB (1U<<26U) /* CPUID.07H:EDX.STIBP*/