hv: clear CPUID.07H.EBX[2] to disable SGX from guests

Regarding SGX, guests could access CPUID.07H.EBX[2] before query CPUID leaf 12H. Intel SDM 36.7.2: "If CPUID.(EAX=07H, ECX=0H):EBX.SGX = 1, the processor also supports querying CPUID with EAX=12H on Intel SGX resource capability and configuration." Clear CPUID.07H.ECX[30] SGX_LC to make the guest view consistent. Tracked-On: #1867 Signed-off-by: Zide Chen <zide.chen@intel.com> Acked-by: Anthony Xu <anthony.xu@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2025-06-21 21:19:35 +00:00 · 2018-11-26 09:14:05 -08:00 · 2018-11-26 09:14:05 -08:00 · 36ba7f8aa8
commit 36ba7f8aa8
parent 26dc54ce37
2 changed files with 8 additions and 0 deletions
--- a/hypervisor/arch/x86/cpuid.c
+++ b/hypervisor/arch/x86/cpuid.c
@ -101,6 +101,10 @@ static void init_vcpuid_entry(uint32_t leaf, uint32_t subleaf,
 			entry->ebx &= ~(CPUID_EBX_INVPCID |
 					CPUID_EBX_PQM |
 					CPUID_EBX_PQE);
+
+			/* mask SGX and SGX_LC */
+			entry->ebx &= ~CPUID_EBX_SGX;
+			entry->ecx &= ~CPUID_ECX_SGX_LC;
 		} else {
 			entry->eax = 0U;
 			entry->ebx = 0U;
--- a/hypervisor/include/arch/x86/cpuid.h
+++ b/hypervisor/include/arch/x86/cpuid.h
@ -72,6 +72,10 @@
 #define CPUID_EDX_PBE           (1U<<31U)
 /* CPUID.07H:EBX.TSC_ADJUST*/
 #define CPUID_EBX_TSC_ADJ       (1U<<1U)
+/* CPUID.07H:EBX.SGX */
+#define CPUID_EBX_SGX           (1U<<2U)
+/* CPUID.07H:ECX.SGX_LC*/
+#define CPUID_ECX_SGX_LC        (1U<<30U)
 /* CPUID.07H:EDX.IBRS_IBPB*/
 #define CPUID_EDX_IBRS_IBPB     (1U<<26U)
 /* CPUID.07H:EDX.STIBP*/