KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure (ad5b3532) · Commits · Librem5 / linux

Commit ad5b3532 authored 3 years ago by Tom Lendacky Committed by Paolo Bonzini 3 years ago

KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure


Currently, an SEV-ES guest is terminated if the validation of the VMGEXIT
exit code or exit parameters fails.

The VMGEXIT instruction can be issued from userspace, even though
userspace (likely) can't update the GHCB. To prevent userspace from being
able to kill the guest, return an error through the GHCB when validation
fails rather than terminating the guest. For cases where the GHCB can't be
updated (e.g. the GHCB can't be mapped, etc.), just return back to the
guest.

The new error codes are documented in the lasest update to the GHCB
specification.

Fixes: 291bd20d ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <b57280b5562893e2616257ac9c2d4525a9aeeb42.1638471124.git.thomas.lendacky@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent a655276a

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 71 additions and 46 deletions

Please register or to comment

Admin message

Admin message

KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure