[PATCH] driver, tools: ensure jailhouse is not enabled when VT-X is disabled by firmware

Mon, 09 Apr 2018 09:24:58 -0700

Whithout the check, jailhouse enable configs/x86/sysconfig.cell results in a GP and a reboot make sure proper reporting of mandatory firmware enable and optional VMX on SMX. 
do not allow enable if firmware has disabled VT-X

Signed-off-by: Francois-Frederic Ozog <[email protected]>
---
 configs/x86/tiny-demo.c        |  2 +-
 driver/main.c                  | 17 +++++++++++++++++
 tools/jailhouse-hardware-check |  4 ++--
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/configs/x86/tiny-demo.c b/configs/x86/tiny-demo.c
index 9666bf63..ac2368e2 100644
--- a/configs/x86/tiny-demo.c
+++ b/configs/x86/tiny-demo.c
@@ -39,7 +39,7 @@ struct {
        },

        .cpus = {
-               0x4,
+               0x2,
        },

        .mem_regions = {
diff --git a/driver/main.c b/driver/main.c
index ee585848..7a834977 100644
--- a/driver/main.c
+++ b/driver/main.c
@@ -40,6 +40,12 @@
 #ifdef CONFIG_ARM
 #include <asm/virt.h>
 #endif
+#ifdef CONFIG_X86
+#include <asm/cpu.h>
+#include <asm/msr-index.h>
+/* as per IA32_FEATURE_CONTROL MSR documentation */
+#define VMXON_BIOS_ALLOWED (1ULL<<2)
+#endif

 #include "cell.h"
 #include "jailhouse.h"
@@ -392,6 +398,17 @@ static int jailhouse_cmd_enable(struct jailhouse_system __user *arg) 
                goto error_put_module;
        }
 #endif
+#ifdef CONFIG_X86
+       {
+               u64 features;
+               rdmsrl(MSR_IA32_FEATURE_CONTROL, features);
+               if ((features & VMXON_BIOS_ALLOWED) == 0) {
+                       pr_err("jailhouse: vt-x disabled by BIOS\n");
+                       err = -ENODEV;
+                       goto error_put_module;
+               }
+       }
+#endif

        /* Load hypervisor image */
        err = request_firmware(&hypervisor, fw_name, jailhouse_dev);
diff --git a/tools/jailhouse-hardware-check b/tools/jailhouse-hardware-check 
index 67d3b078..f8b35c99 100755
--- a/tools/jailhouse-hardware-check
+++ b/tools/jailhouse-hardware-check
@@ -182,8 +182,8 @@ if cpu_vendor == 'GenuineIntel':
     check_feature('VT-x (VMX)', 'vmx' in cpu_features)

     feature = msr.read(MSR.IA32_FEATURE_CONTROL)
-    check_feature('  VMX without TXT',
-                  (feature & (1 << 0)) == 0 or feature & (1 << 2))
+    check_feature('  VMX allowed by BIOS', feature & (1 << 2))
+    check_feature('  VMX without TXT', (feature & (1 << 0)) == 0, True)
     check_feature('  IA32_TRUE_*_CLTS',
                   msr.read(MSR.IA32_VMX_BASIC) & (1 << 55))

--
2.11.0

--
You received this message because you are subscribed to the Google Groups 
"Jailhouse" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to