From 66d824d6774241ccb484aedd225ea0c277d20aa7 Mon Sep 17 00:00:00 2001
From: Yonghua Huang <yonghua.huang@intel.com>
Date: Tue, 12 Nov 2019 16:08:45 +0800
Subject: [PATCH] hv:unmap AP trampoline region from service VM's EPT

 AP trampoline code should be accessile to hypervisor only,
 Unmap this memory region from service VM's EPT mapping
 for security reason..

Tracked-On: #4112
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
---
 hypervisor/arch/x86/guest/guest.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hypervisor/arch/x86/guest/guest.c b/hypervisor/arch/x86/guest/guest.c
index 5c0fd7dc8..fb7f25abc 100644
--- a/hypervisor/arch/x86/guest/guest.c
+++ b/hypervisor/arch/x86/guest/guest.c
@@ -9,6 +9,7 @@
 #include <multiboot.h>
 #include <reloc.h>
 #include <e820.h>
+#include <trampoline.h>
 
 #define ACRN_DBG_GUEST	6U
 
@@ -507,5 +508,14 @@ int32_t prepare_vm0_memmap(struct acrn_vm *vm)
 	 */
 	hv_hpa = get_hv_image_base();
 	ept_mr_del(vm, pml4_page, hv_hpa, CONFIG_HV_RAM_SIZE);
+
+	/* unmap AP trampoline code for security reason.
+	 * 'allocate_pages()' in efi boot mode or
+	 * 'e820_alloc_low_memory()' in direct boot
+	 * mode will ensure the base address of tramploline
+	 * code be page-aligned.
+	 */
+	ept_mr_del(vm, pml4_page, trampoline_start16_paddr, CONFIG_LOW_RAM_SIZE);
+
 	return 0;
 }