HV: deny HV owned PCI bar access from SOS

This patch denies Service VM the access permission to device resources
owned by hypervisor.
HV may own these devices: (1) debug uart pci device for debug version
(2) type 1 pci device if there are pre-launched VMs.
The current implementation exposes the mmio/pio resources of HV owned devices
to SOS; they should be removed from SOS.

Tracked-On: #5615
Signed-off-by: Tao Yuhong <yuhong.tao@intel.com>
Tao Yuhong
2021-01-29 17:16:10 -05:00
committed by wenlingz
parent 6e7ce4a73f
commit 50d8525618
6 changed files with 73 additions and 36 deletions


@@ -332,6 +332,17 @@ static void deny_pdevs(struct acrn_vm *sos, struct acrn_vm_pci_dev_config *pci_d
}
}
static void deny_hv_owned_devices(struct acrn_vm *sos)
{
uint32_t i;
const struct pci_pdev **hv_owned = get_hv_owned_pdevs();
for (i = 0U; i < get_hv_owned_pdev_num(); i++) {
deny_pci_bar_access(sos, hv_owned[i]);
}
}
/**
* @param[inout] vm pointer to a vm descriptor
*
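Review bot: `deny_hv_owned_devices()` calls `get_hv_owned_pdev_num()` on every loop iteration and has no doc comment, while the neighbouring function below carries a `@param[inout]` block; hoist the count into a local (`uint32_t num = get_hv_owned_pdev_num();` before the `for`) and add a short comment stating that it removes the BAR (mmio/pio) ranges of hypervisor-owned PCI devices from the Service VM, as the commit message describes, so a reader does not have to infer the intent from `deny_pci_bar_access`.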
@@ -410,6 +421,8 @@ static void prepare_sos_vm_memmap(struct acrn_vm *vm)
}
}
deny_hv_owned_devices(vm);
/* unmap AP trampoline code for security
* This buffer is guaranteed to be page aligned.
*/