hv: disable mpx capability for guest

This patch hide Memory Protection Extention (MPX) capability from guest. - vCPUID change: Clear cpuid.07H.0.ebx[14] Clear cpuid.0DH.0.eax[4:3] - vMSR change: Add MSR_IA32_BNDCFGS to un-supported MSR array. - XCR0[4:3] is not allowed to set by guest. Tracked-On: #2821 Signed-off-by: Binbin Wu <binbin.wu@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2025-09-21 08:50:27 +00:00 · 2019-03-19 10:55:52 +08:00
parent 71ce4c255e
commit f32b59d73d
5 changed files with 38 additions and 3 deletions
--- a/hypervisor/include/arch/x86/cpu.h
+++ b/hypervisor/include/arch/x86/cpu.h
@@ -83,6 +83,14 @@
 #define CR4_SMAP                (1UL<<21U)
 #define CR4_PKE                 (1UL<<22U)	/* Protect-key-enable */

+/* XCR0_SSE */
+#define XCR0_SSE		(1U<<1U)
+/* XCR0_AVX */
+#define XCR0_AVX		(1U<<2U)
+/* XCR0_BNDREGS */
+#define XCR0_BNDREGS		(1U<<3U)
+/* XCR0_BNDCSR */
+#define XCR0_BNDCSR		(1U<<4U)

 /*
 * Entries in the Interrupt Descriptor Table (IDT)
--- a/hypervisor/include/arch/x86/cpuid.h
+++ b/hypervisor/include/arch/x86/cpuid.h
@@ -76,6 +76,8 @@
 #define CPUID_EBX_TSC_ADJ       (1U<<1U)
 /* CPUID.07H:EBX.SGX */
 #define CPUID_EBX_SGX           (1U<<2U)
+/* CPUID.07H:EBX.MPX */
+#define CPUID_EBX_MPX           (1U<<14U)
 /* CPUID.07H:ECX.SGX_LC*/
 #define CPUID_ECX_SGX_LC        (1U<<30U)
 /* CPUID.07H:EDX.IBRS_IBPB*/
@@ -94,6 +96,10 @@
 #define CPUID_EBX_PROC_TRC      (1U<<25U)
 /* CPUID.01H:ECX.PCID*/
 #define CPUID_ECX_PCID          (1U<<17U)
+/* CPUID.0DH.EAX.XCR0_BNDREGS */
+#define CPUID_EAX_XCR0_BNDREGS	(1U<<3U)
+/* CPUID.0DH.EAX.XCR0_BNDCSR */
+#define CPUID_EAX_XCR0_BNDCSR	(1U<<4U)

 /* CPUID source operands */
 #define CPUID_VENDORSTRING      0U