From 8227804b0981cf05b48983fcf2301c77fefc90d6 Mon Sep 17 00:00:00 2001
From: Yonghua Huang <yonghua.huang@intel.com>
Date: Sat, 2 Nov 2019 20:32:35 +0800
Subject: [PATCH] hv:Unmap AP trampoline region from service VM's EPT

 AP trampoline code should be accessible
 to hypervisor only, this patch is to unmap
 this region from service VM's EPT for security
 reason.

Tracked-On: #3992
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Fei Li <fei1.li@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
---
 hypervisor/arch/x86/guest/vm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hypervisor/arch/x86/guest/vm.c b/hypervisor/arch/x86/guest/vm.c
index 65ed18226..b6b6f03ca 100644
--- a/hypervisor/arch/x86/guest/vm.c
+++ b/hypervisor/arch/x86/guest/vm.c
@@ -25,6 +25,7 @@
 #include <mmu.h>
 #include <logmsg.h>
 #include <vboot_info.h>
+#include <vboot.h>
 #include <board.h>
 #include <sgx.h>
 #include <sbuf.h>
@@ -380,6 +381,14 @@ static void prepare_sos_vm_memmap(struct acrn_vm *vm)
 			ept_del_mr(vm, pml4_page, vm_config->memory.start_hpa, vm_config->memory.size);
 		}
 	}
+
+	/* unmap AP trampoline code for security
+	 * 'allocate_pages()' in depri boot mode or
+	 * 'e820_alloc_low_memory()' in direct boot
+	 * mode will ensure the base address of tramploline
+	 * code be page-aligned.
+	 */
+	ept_del_mr(vm, pml4_page, get_ap_trampoline_buf(), CONFIG_LOW_RAM_SIZE);
 }
 
 /* Add EPT mapping of EPC reource for the VM */