// SPDX-License-Identifier: GPL-2.0-only
/*
 * AMD Memory Encryption Support
 *
 * Copyright (C) 2019 SUSE
 *
 * Author: Joerg Roedel <jroedel@suse.de>
 */

#define pr_fmt(fmt)	"SEV: " fmt

#include <linux/sched/debug.h>	/* For show_regs() */
#include <linux/percpu-defs.h>
#include <linux/cc_platform.h>
#include <linux/printk.h>
#include <linux/mm_types.h>
#include <linux/set_memory.h>
#include <linux/memblock.h>
#include <linux/kernel.h>
#include <linux/mm.h>

#include <asm/cpu_entry_area.h>
#include <asm/stacktrace.h>
#include <asm/sev.h>
#include <asm/insn-eval.h>
#include <asm/fpu/xcr.h>
#include <asm/processor.h>
#include <asm/realmode.h>
#include <asm/setup.h>
#include <asm/traps.h>
#include <asm/svm.h>
#include <asm/smp.h>
#include <asm/cpu.h>

#define DR7_RESET_VALUE        0x400

/* For early boot hypervisor communication in SEV-ES enabled guests */
static struct ghcb boot_ghcb_page __bss_decrypted __aligned(PAGE_SIZE);

/*
 * Needs to be in the .data section because we need it NULL before bss is
 * cleared
 */
static struct ghcb __initdata *boot_ghcb;

/* #VC handler runtime per-CPU data */
struct sev_es_runtime_data {
	struct ghcb ghcb_page;

	/*
	 * Reserve one page per CPU as backup storage for the unencrypted GHCB.
	 * It is needed when an NMI happens while the #VC handler uses the real
	 * GHCB, and the NMI handler itself is causing another #VC exception. In
	 * that case the GHCB content of the first handler needs to be backed up
	 * and restored.
	 */
	struct ghcb backup_ghcb;

	/*
	 * Mark the per-cpu GHCBs as in-use to detect nested #VC exceptions.
	 * There is no need for it to be atomic, because nothing is written to
	 * the GHCB between the read and the write of ghcb_active. So it is safe
	 * to use it when a nested #VC exception happens before the write.
	 *
	 * This is necessary for example in the #VC->NMI->#VC case when the NMI
	 * happens while the first #VC handler uses the GHCB. When the NMI code
	 * raises a second #VC handler it might overwrite the contents of the
	 * GHCB written by the first handler. To avoid this the content of the
	 * GHCB is saved and restored when the GHCB is detected to be in use
	 * already.
	 */
	bool ghcb_active;
	bool backup_ghcb_active;

	/*
	 * Cached DR7 value - write it on DR7 writes and return it on reads.
	 * That value will never make it to the real hardware DR7 as debugging
	 * is currently unsupported in SEV-ES guests.
	 */
	unsigned long dr7;
};

struct ghcb_state {
	struct ghcb *ghcb;
};

static DEFINE_PER_CPU(struct sev_es_runtime_data*, runtime_data);
DEFINE_STATIC_KEY_FALSE(sev_es_enable_key);

static __always_inline bool on_vc_stack(struct pt_regs *regs)
{
	unsigned long sp = regs->sp;

	/* User-mode RSP is not trusted */
	if (user_mode(regs))
		return false;

	/* SYSCALL gap still has user-mode RSP */
	if (ip_within_syscall_gap(regs))
		return false;

	return ((sp >= __this_cpu_ist_bottom_va(VC)) && (sp < __this_cpu_ist_top_va(VC)));
}

/*
 * This function handles the case when an NMI is raised in the #VC
 * exception handler entry code, before the #VC handler has switched off
 * its IST stack. In this case, the IST entry for #VC must be adjusted,
 * so that any nested #VC exception will not overwrite the stack
 * contents of the interrupted #VC handler.
 *
 * The IST entry is adjusted unconditionally so that it can also be
 * unconditionally adjusted back in __sev_es_ist_exit(). Otherwise a
 * nested sev_es_ist_exit() call may adjust back the IST entry too
 * early.
 *
 * The __sev_es_ist_enter() and __sev_es_ist_exit() functions always run
 * on the NMI IST stack, as they are only called from NMI handling code
 * right now.
 */
void noinstr __sev_es_ist_enter(struct pt_regs *regs)
{
	unsigned long old_ist, new_ist;

	/* Read old IST entry */
	new_ist = old_ist = __this_cpu_read(cpu_tss_rw.x86_tss.ist[IST_INDEX_VC]);

	/*
	 * If NMI happened while on the #VC IST stack, set the new IST
	 * value below regs->sp, so that the interrupted stack frame is
	 * not overwritten by subsequent #VC exceptions.
	 */
	if (on_vc_stack(regs))
		new_ist = regs->sp;

	/*
	 * Reserve additional 8 bytes and store old IST value so this
	 * adjustment can be unrolled in __sev_es_ist_exit().
	 */
	new_ist -= sizeof(old_ist);
	*(unsigned long *)new_ist = old_ist;

	/* Set new IST entry */
	this_cpu_write(cpu_tss_rw.x86_tss.ist[IST_INDEX_VC], new_ist);
}

void noinstr __sev_es_ist_exit(void)
{
	unsigned long ist;

	/* Read IST entry */
	ist = __this_cpu_read(cpu_tss_rw.x86_tss.ist[IST_INDEX_VC]);

	if (WARN_ON(ist == __this_cpu_ist_top_va(VC)))
		return;

	/* Read back old IST entry and write it to the TSS */
	this_cpu_write(cpu_tss_rw.x86_tss.ist[IST_INDEX_VC], *(unsigned long *)ist);
}
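
/*
 * Worked example, added for illustration (addresses are made up): assume an
 * NMI hits while the #VC handler runs on its IST stack with regs->sp =
 * 0xfffffe0000010f80 and IST[VC] = 0xfffffe0000011000. __sev_es_ist_enter()
 * then does:
 *
 *	old_ist = 0xfffffe0000011000		(current IST[VC])
 *	new_ist = regs->sp - 8 = 0xfffffe0000010f78
 *	*(unsigned long *)new_ist = old_ist	(old value parked on the stack)
 *	IST[VC] = new_ist
 *
 * A #VC raised from inside the NMI handler now starts below the live #VC
 * frame instead of on top of it, and __sev_es_ist_exit() restores IST[VC]
 * from the saved slot.
 */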

/*
 * Nothing shall interrupt this code path while holding the per-CPU
 * GHCB. The backup GHCB is only for NMIs interrupting this path.
 *
 * Callers must disable local interrupts around it.
 */
static noinstr struct ghcb *__sev_get_ghcb(struct ghcb_state *state)
{
	struct sev_es_runtime_data *data;
	struct ghcb *ghcb;

	WARN_ON(!irqs_disabled());

	data = this_cpu_read(runtime_data);
	ghcb = &data->ghcb_page;

	if (unlikely(data->ghcb_active)) {
		/* GHCB is already in use - save its contents */

		if (unlikely(data->backup_ghcb_active)) {
			/*
			 * Backup-GHCB is also already in use. There is no way
			 * to continue here so just kill the machine. To make
			 * panic() work, mark GHCBs inactive so that messages
			 * can be printed out.
			 */
			data->ghcb_active        = false;
			data->backup_ghcb_active = false;

			instrumentation_begin();
			panic("Unable to handle #VC exception! GHCB and Backup GHCB are already in use");
			instrumentation_end();
		}

		/* Mark backup_ghcb active before writing to it */
		data->backup_ghcb_active = true;

		state->ghcb = &data->backup_ghcb;

		/* Backup GHCB content */
		*state->ghcb = *ghcb;
	} else {
		state->ghcb = NULL;
		data->ghcb_active = true;
	}

	return ghcb;
}

static inline u64 sev_es_rd_ghcb_msr(void)
{
	return __rdmsr(MSR_AMD64_SEV_ES_GHCB);
}

static __always_inline void sev_es_wr_ghcb_msr(u64 val)
{
	u32 low, high;

	low  = (u32)(val);
	high = (u32)(val >> 32);

	native_wrmsr(MSR_AMD64_SEV_ES_GHCB, low, high);
}

static int vc_fetch_insn_kernel(struct es_em_ctxt *ctxt,
				unsigned char *buffer)
{
	return copy_from_kernel_nofault(buffer, (unsigned char *)ctxt->regs->ip, MAX_INSN_SIZE);
}

static enum es_result __vc_decode_user_insn(struct es_em_ctxt *ctxt)
{
	char buffer[MAX_INSN_SIZE];
	int insn_bytes;

	insn_bytes = insn_fetch_from_user_inatomic(ctxt->regs, buffer);
	if (insn_bytes == 0) {
		/* Nothing could be copied */
		ctxt->fi.vector     = X86_TRAP_PF;
		ctxt->fi.error_code = X86_PF_INSTR | X86_PF_USER;
		ctxt->fi.cr2        = ctxt->regs->ip;
		return ES_EXCEPTION;
	} else if (insn_bytes == -EINVAL) {
		/* Effective RIP could not be calculated */
		ctxt->fi.vector     = X86_TRAP_GP;
		ctxt->fi.error_code = 0;
		ctxt->fi.cr2        = 0;
		return ES_EXCEPTION;
	}

	if (!insn_decode_from_regs(&ctxt->insn, ctxt->regs, buffer, insn_bytes))
		return ES_DECODE_FAILED;

	if (ctxt->insn.immediate.got)
		return ES_OK;
	else
		return ES_DECODE_FAILED;
}

static enum es_result __vc_decode_kern_insn(struct es_em_ctxt *ctxt)
{
	char buffer[MAX_INSN_SIZE];
	int res, ret;

	res = vc_fetch_insn_kernel(ctxt, buffer);
	if (res) {
		ctxt->fi.vector     = X86_TRAP_PF;
		ctxt->fi.error_code = X86_PF_INSTR;
		ctxt->fi.cr2        = ctxt->regs->ip;
		return ES_EXCEPTION;
	}

	ret = insn_decode(&ctxt->insn, buffer, MAX_INSN_SIZE, INSN_MODE_64);
	if (ret < 0)
		return ES_DECODE_FAILED;
	else
		return ES_OK;
}

static enum es_result vc_decode_insn(struct es_em_ctxt *ctxt)
{
	if (user_mode(ctxt->regs))
		return __vc_decode_user_insn(ctxt);
	else
		return __vc_decode_kern_insn(ctxt);
}

static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
				   char *dst, char *buf, size_t size)
{
	unsigned long error_code = X86_PF_PROT | X86_PF_WRITE;

	/*
	 * This function uses __put_user() independent of whether kernel or user
	 * memory is accessed. This works fine because __put_user() does no
	 * sanity checks of the pointer being accessed. All that it does is
	 * to report when the access failed.
	 *
	 * Also, this function runs in atomic context, so __put_user() is not
	 * allowed to sleep. The page-fault handler detects that it is running
	 * in atomic context and will not try to take mmap_sem and handle the
	 * fault, so additional pagefault_enable()/disable() calls are not
	 * needed.
	 *
	 * The access can't be done via copy_to_user() here because
	 * vc_write_mem() must not use string instructions to access unsafe
	 * memory. The reason is that MOVS is emulated by the #VC handler by
	 * splitting the move up into a read and a write and taking a nested #VC
	 * exception on whatever of them is the MMIO access. Using string
	 * instructions here would cause infinite nesting.
	 */
	switch (size) {
	case 1: {
		u8 d1;
		u8 __user *target = (u8 __user *)dst;

		memcpy(&d1, buf, 1);
		if (__put_user(d1, target))
			goto fault;
		break;
	}
	case 2: {
		u16 d2;
		u16 __user *target = (u16 __user *)dst;

		memcpy(&d2, buf, 2);
		if (__put_user(d2, target))
			goto fault;
		break;
	}
	case 4: {
		u32 d4;
		u32 __user *target = (u32 __user *)dst;

		memcpy(&d4, buf, 4);
		if (__put_user(d4, target))
			goto fault;
		break;
	}
	case 8: {
		u64 d8;
		u64 __user *target = (u64 __user *)dst;

		memcpy(&d8, buf, 8);
		if (__put_user(d8, target))
			goto fault;
		break;
	}
	default:
		WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size);
		return ES_UNSUPPORTED;
	}

	return ES_OK;

fault:
	if (user_mode(ctxt->regs))
		error_code |= X86_PF_USER;

	ctxt->fi.vector = X86_TRAP_PF;
	ctxt->fi.error_code = error_code;
	ctxt->fi.cr2 = (unsigned long)dst;

	return ES_EXCEPTION;
}

static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
				  char *src, char *buf, size_t size)
{
	unsigned long error_code = X86_PF_PROT;

	/*
	 * This function uses __get_user() independent of whether kernel or user
	 * memory is accessed. This works fine because __get_user() does no
	 * sanity checks of the pointer being accessed. All that it does is
	 * to report when the access failed.
	 *
	 * Also, this function runs in atomic context, so __get_user() is not
	 * allowed to sleep. The page-fault handler detects that it is running
	 * in atomic context and will not try to take mmap_sem and handle the
	 * fault, so additional pagefault_enable()/disable() calls are not
	 * needed.
	 *
	 * The access can't be done via copy_from_user() here because
	 * vc_read_mem() must not use string instructions to access unsafe
	 * memory. The reason is that MOVS is emulated by the #VC handler by
	 * splitting the move up into a read and a write and taking a nested #VC
	 * exception on whatever of them is the MMIO access. Using string
	 * instructions here would cause infinite nesting.
	 */
	switch (size) {
	case 1: {
		u8 d1;
		u8 __user *s = (u8 __user *)src;

		if (__get_user(d1, s))
			goto fault;
		memcpy(buf, &d1, 1);
		break;
	}
	case 2: {
		u16 d2;
		u16 __user *s = (u16 __user *)src;

		if (__get_user(d2, s))
			goto fault;
		memcpy(buf, &d2, 2);
		break;
	}
	case 4: {
		u32 d4;
		u32 __user *s = (u32 __user *)src;

		if (__get_user(d4, s))
			goto fault;
		memcpy(buf, &d4, 4);
		break;
	}
	case 8: {
		u64 d8;
		u64 __user *s = (u64 __user *)src;

		if (__get_user(d8, s))
			goto fault;
		memcpy(buf, &d8, 8);
		break;
	}
	default:
		WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size);
		return ES_UNSUPPORTED;
	}

	return ES_OK;

fault:
	if (user_mode(ctxt->regs))
		error_code |= X86_PF_USER;

	ctxt->fi.vector = X86_TRAP_PF;
	ctxt->fi.error_code = error_code;
	ctxt->fi.cr2 = (unsigned long)src;

	return ES_EXCEPTION;
}

static enum es_result vc_slow_virt_to_phys(struct ghcb *ghcb, struct es_em_ctxt *ctxt,
					   unsigned long vaddr, phys_addr_t *paddr)
{
	unsigned long va = (unsigned long)vaddr;
	unsigned int level;
	phys_addr_t pa;
	pgd_t *pgd;
	pte_t *pte;

	pgd = __va(read_cr3_pa());
	pgd = &pgd[pgd_index(va)];
	pte = lookup_address_in_pgd(pgd, va, &level);
	if (!pte) {
		ctxt->fi.vector     = X86_TRAP_PF;
		ctxt->fi.cr2        = vaddr;
		ctxt->fi.error_code = 0;

		if (user_mode(ctxt->regs))
			ctxt->fi.error_code |= X86_PF_USER;

		return ES_EXCEPTION;
	}

	if (WARN_ON_ONCE(pte_val(*pte) & _PAGE_ENC))
		/* Emulated MMIO to/from encrypted memory not supported */
		return ES_UNSUPPORTED;

	pa = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;
	pa |= va & ~page_level_mask(level);

	*paddr = pa;

	return ES_OK;
}

/* Include code shared with pre-decompression boot stage */
#include "sev-shared.c"
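
/*
 * Illustrative usage sketch, added for clarity and not part of the original
 * sources: callers bracket a VMGEXIT with the __sev_get_ghcb()/__sev_put_ghcb()
 * pair and keep IRQs disabled for the whole window, as get_jump_table_addr()
 * further below does:
 *
 *	local_irq_save(flags);
 *	ghcb = __sev_get_ghcb(&state);
 *
 *	vc_ghcb_invalidate(ghcb);
 *	ghcb_set_sw_exit_code(ghcb, ...);	(plus exit info as needed)
 *	sev_es_wr_ghcb_msr(__pa(ghcb));
 *	VMGEXIT();
 *	(read results from ghcb->save)
 *
 *	__sev_put_ghcb(&state);
 *	local_irq_restore(flags);
 *
 * If the GHCB is already active when __sev_get_ghcb() is called (e.g. from an
 * NMI nested inside such a window), its contents are saved to the backup GHCB
 * and restored again by __sev_put_ghcb().
 */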

static noinstr void __sev_put_ghcb(struct ghcb_state *state)
{
	struct sev_es_runtime_data *data;
	struct ghcb *ghcb;

	WARN_ON(!irqs_disabled());

	data = this_cpu_read(runtime_data);
	ghcb = &data->ghcb_page;

	if (state->ghcb) {
		/* Restore GHCB from Backup */
		*ghcb = *state->ghcb;
		data->backup_ghcb_active = false;
		state->ghcb = NULL;
	} else {
		/*
		 * Invalidate the GHCB so a VMGEXIT instruction issued
		 * from userspace won't appear to be valid.
		 */
		vc_ghcb_invalidate(ghcb);
		data->ghcb_active = false;
	}
}

void noinstr __sev_es_nmi_complete(void)
{
	struct ghcb_state state;
	struct ghcb *ghcb;

	ghcb = __sev_get_ghcb(&state);

	vc_ghcb_invalidate(ghcb);
	ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_NMI_COMPLETE);
	ghcb_set_sw_exit_info_1(ghcb, 0);
	ghcb_set_sw_exit_info_2(ghcb, 0);

	sev_es_wr_ghcb_msr(__pa_nodebug(ghcb));
	VMGEXIT();

	__sev_put_ghcb(&state);
}

static u64 get_jump_table_addr(void)
{
	struct ghcb_state state;
	unsigned long flags;
	struct ghcb *ghcb;
	u64 ret = 0;

	local_irq_save(flags);

	ghcb = __sev_get_ghcb(&state);

	vc_ghcb_invalidate(ghcb);
	ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_JUMP_TABLE);
	ghcb_set_sw_exit_info_1(ghcb, SVM_VMGEXIT_GET_AP_JUMP_TABLE);
	ghcb_set_sw_exit_info_2(ghcb, 0);

	sev_es_wr_ghcb_msr(__pa(ghcb));
	VMGEXIT();

	if (ghcb_sw_exit_info_1_is_valid(ghcb) &&
	    ghcb_sw_exit_info_2_is_valid(ghcb))
		ret = ghcb->save.sw_exit_info_2;

	__sev_put_ghcb(&state);

	local_irq_restore(flags);

	return ret;
}

int sev_es_setup_ap_jump_table(struct real_mode_header *rmh)
{
	u16 startup_cs, startup_ip;
	phys_addr_t jump_table_pa;
	u64 jump_table_addr;
	u16 __iomem *jump_table;

	jump_table_addr = get_jump_table_addr();

	/* On UP guests there is no jump table so this is not a failure */
	if (!jump_table_addr)
		return 0;

	/* Check if AP Jump Table is page-aligned */
	if (jump_table_addr & ~PAGE_MASK)
		return -EINVAL;

	jump_table_pa = jump_table_addr & PAGE_MASK;

	startup_cs = (u16)(rmh->trampoline_start >> 4);
	startup_ip = (u16)(rmh->sev_es_trampoline_start -
			   rmh->trampoline_start);

	jump_table = ioremap_encrypted(jump_table_pa, PAGE_SIZE);
	if (!jump_table)
		return -EIO;

	writew(startup_ip, &jump_table[0]);
	writew(startup_cs, &jump_table[1]);

	iounmap(jump_table);

	return 0;
}

/*
 * This is needed by the OVMF UEFI firmware which will use whatever it finds in
 * the GHCB MSR as its GHCB to talk to the hypervisor. So make sure the per-cpu
 * runtime GHCBs used by the kernel are also mapped in the EFI page-table.
 */
int __init sev_es_efi_map_ghcbs(pgd_t *pgd)
{
	struct sev_es_runtime_data *data;
	unsigned long address, pflags;
	int cpu;
	u64 pfn;

	if (!cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))
		return 0;

	pflags = _PAGE_NX | _PAGE_RW;

	for_each_possible_cpu(cpu) {
		data = per_cpu(runtime_data, cpu);

		address = __pa(&data->ghcb_page);
		pfn = address >> PAGE_SHIFT;

		if (kernel_map_pages_in_pgd(pgd, pfn, address, 1, pflags))
			return 1;
	}

	return 0;
}
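
/*
 * Note added for illustration: a #VC with exit code SVM_EXIT_MSR is raised
 * for both RDMSR (opcode 0F 32) and WRMSR (opcode 0F 30). vc_handle_msr()
 * below checks the second opcode byte to build exit_info_1 (0 = RDMSR,
 * 1 = WRMSR). The register convention matches the plain instructions:
 * ECX holds the MSR index and EDX:EAX the 64-bit value.
 */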

static enum es_result vc_handle_msr(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
{
	struct pt_regs *regs = ctxt->regs;
	enum es_result ret;
	u64 exit_info_1;

	/* Is it a WRMSR? */
	exit_info_1 = (ctxt->insn.opcode.bytes[1] == 0x30) ? 1 : 0;

	ghcb_set_rcx(ghcb, regs->cx);
	if (exit_info_1) {
		ghcb_set_rax(ghcb, regs->ax);
		ghcb_set_rdx(ghcb, regs->dx);
	}

	ret = sev_es_ghcb_hv_call(ghcb, true, ctxt, SVM_EXIT_MSR,
				  exit_info_1, 0);

	if ((ret == ES_OK) && (!exit_info_1)) {
		regs->ax = ghcb->save.rax;
		regs->dx = ghcb->save.rdx;
	}

	return ret;
}

/*
 * This function runs on the first #VC exception after the kernel
 * switched to virtual addresses.
 */
static bool __init sev_es_setup_ghcb(void)
{
	/* First make sure the hypervisor talks a supported protocol. */
	if (!sev_es_negotiate_protocol())
		return false;

	/*
	 * Clear the boot_ghcb. The first exception comes in before the bss
	 * section is cleared.
	 */
	memset(&boot_ghcb_page, 0, PAGE_SIZE);

	/* Alright - Make the boot-ghcb public */
	boot_ghcb = &boot_ghcb_page;

	return true;
}

#ifdef CONFIG_HOTPLUG_CPU
static void sev_es_ap_hlt_loop(void)
{
	struct ghcb_state state;
	struct ghcb *ghcb;

	ghcb = __sev_get_ghcb(&state);

	while (true) {
		vc_ghcb_invalidate(ghcb);
		ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_HLT_LOOP);
		ghcb_set_sw_exit_info_1(ghcb, 0);
		ghcb_set_sw_exit_info_2(ghcb, 0);

		sev_es_wr_ghcb_msr(__pa(ghcb));
		VMGEXIT();

		/* Wakeup signal? */
		if (ghcb_sw_exit_info_2_is_valid(ghcb) &&
		    ghcb->save.sw_exit_info_2)
			break;
	}

	__sev_put_ghcb(&state);
}

/*
 * Play_dead handler when running under SEV-ES. This is needed because
 * the hypervisor can't deliver an SIPI request to restart the AP.
 * Instead the kernel has to issue a VMGEXIT to halt the VCPU until the
 * hypervisor wakes it up again.
 */
static void sev_es_play_dead(void)
{
	play_dead_common();

	/* IRQs now disabled */

	sev_es_ap_hlt_loop();

	/*
	 * If we get here, the VCPU was woken up again. Jump to CPU
	 * startup code to get it back online.
	 */
	start_cpu0();
}
#else /* CONFIG_HOTPLUG_CPU */
#define sev_es_play_dead	native_play_dead
#endif /* CONFIG_HOTPLUG_CPU */

#ifdef CONFIG_SMP
static void __init sev_es_setup_play_dead(void)
{
	smp_ops.play_dead = sev_es_play_dead;
}
#else
static inline void sev_es_setup_play_dead(void) { }
#endif

static void __init alloc_runtime_data(int cpu)
{
	struct sev_es_runtime_data *data;

	data = memblock_alloc(sizeof(*data), PAGE_SIZE);
	if (!data)
		panic("Can't allocate SEV-ES runtime data");

	per_cpu(runtime_data, cpu) = data;
}

static void __init init_ghcb(int cpu)
{
	struct sev_es_runtime_data *data;
	int err;

	data = per_cpu(runtime_data, cpu);

	err = early_set_memory_decrypted((unsigned long)&data->ghcb_page,
					 sizeof(data->ghcb_page));
	if (err)
		panic("Can't map GHCBs unencrypted");

	memset(&data->ghcb_page, 0, sizeof(data->ghcb_page));

	data->ghcb_active = false;
	data->backup_ghcb_active = false;
}

void __init sev_es_init_vc_handling(void)
{
	int cpu;

	BUILD_BUG_ON(offsetof(struct sev_es_runtime_data, ghcb_page) % PAGE_SIZE);

	if (!cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))
		return;

	if (!sev_es_check_cpu_features())
		panic("SEV-ES CPU Features missing");

	/* Enable SEV-ES special handling */
	static_branch_enable(&sev_es_enable_key);

	/* Initialize per-cpu GHCB pages */
	for_each_possible_cpu(cpu) {
		alloc_runtime_data(cpu);
		init_ghcb(cpu);
	}

	sev_es_setup_play_dead();

	/* Secondary CPUs use the runtime #VC handler */
	initial_vc_handler = (unsigned long)kernel_exc_vmm_communication;
}

static void __init vc_early_forward_exception(struct es_em_ctxt *ctxt)
{
	int trapnr = ctxt->fi.vector;

	if (trapnr == X86_TRAP_PF)
		native_write_cr2(ctxt->fi.cr2);

	ctxt->regs->orig_ax = ctxt->fi.error_code;
	do_early_exception(ctxt->regs, trapnr);
}

static long *vc_insn_get_rm(struct es_em_ctxt *ctxt)
{
	long *reg_array;
	int offset;

	reg_array = (long *)ctxt->regs;
	offset	  = insn_get_modrm_rm_off(&ctxt->insn, ctxt->regs);

	if (offset < 0)
		return NULL;

	offset /= sizeof(long);

	return reg_array + offset;
}
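
/*
 * Illustration (added commentary, not from the original source): emulated MMIO
 * is bounced through the GHCB's shared buffer. For a write, the bytes are
 * copied into ghcb->shared_buffer first; for a read, the hypervisor places
 * them there and they are copied into the destination register afterwards.
 * vc_do_mmio() below points the scratch area at that buffer and issues the
 * VMGEXIT with:
 *
 *	exit_code   = SVM_VMGEXIT_MMIO_READ or SVM_VMGEXIT_MMIO_WRITE
 *	exit_info_1 = guest physical address of the MMIO location
 *	exit_info_2 = number of bytes (at most 8)
 */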

static enum es_result vc_do_mmio(struct ghcb *ghcb, struct es_em_ctxt *ctxt,
				 unsigned int bytes, bool read)
{
	u64 exit_code, exit_info_1, exit_info_2;
	unsigned long ghcb_pa = __pa(ghcb);
	enum es_result res;
	phys_addr_t paddr;
	void __user *ref;

	ref = insn_get_addr_ref(&ctxt->insn, ctxt->regs);
	if (ref == (void __user *)-1L)
		return ES_UNSUPPORTED;

	exit_code = read ? SVM_VMGEXIT_MMIO_READ : SVM_VMGEXIT_MMIO_WRITE;

	res = vc_slow_virt_to_phys(ghcb, ctxt, (unsigned long)ref, &paddr);
	if (res != ES_OK) {
		if (res == ES_EXCEPTION && !read)
			ctxt->fi.error_code |= X86_PF_WRITE;

		return res;
	}

	exit_info_1 = paddr;
	/* Can never be greater than 8 */
	exit_info_2 = bytes;

	ghcb_set_sw_scratch(ghcb, ghcb_pa + offsetof(struct ghcb, shared_buffer));

	return sev_es_ghcb_hv_call(ghcb, true, ctxt, exit_code, exit_info_1, exit_info_2);
}

/*
 * The MOVS instruction has two memory operands, which raises the
 * problem that it is not known whether the access to the source or the
 * destination caused the #VC exception (and hence whether an MMIO read
 * or write operation needs to be emulated).
 *
 * Instead of playing games with walking page-tables and trying to guess
 * whether the source or destination is an MMIO range, split the move
 * into two operations, a read and a write with only one memory operand.
 * This will cause a nested #VC exception on the MMIO address which can
 * then be handled.
 *
 * This implementation has the benefit that it also supports MOVS where
 * source _and_ destination are MMIO regions.
 *
 * It will slow MOVS on MMIO down a lot, but in SEV-ES guests it is a
 * rare operation. If it turns out to be a performance problem the split
 * operations can be moved to memcpy_fromio() and memcpy_toio().
 */
static enum es_result vc_handle_mmio_movs(struct es_em_ctxt *ctxt,
					  unsigned int bytes)
{
	unsigned long ds_base, es_base;
	unsigned char *src, *dst;
	unsigned char buffer[8];
	enum es_result ret;
	bool rep;
	int off;

	ds_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_DS);
	es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES);

	if (ds_base == -1L || es_base == -1L) {
		ctxt->fi.vector = X86_TRAP_GP;
		ctxt->fi.error_code = 0;
		return ES_EXCEPTION;
	}

	src = ds_base + (unsigned char *)ctxt->regs->si;
	dst = es_base + (unsigned char *)ctxt->regs->di;

	ret = vc_read_mem(ctxt, src, buffer, bytes);
	if (ret != ES_OK)
		return ret;

	ret = vc_write_mem(ctxt, dst, buffer, bytes);
	if (ret != ES_OK)
		return ret;

	if (ctxt->regs->flags & X86_EFLAGS_DF)
		off = -bytes;
	else
		off =  bytes;

	ctxt->regs->si += off;
	ctxt->regs->di += off;

	rep = insn_has_rep_prefix(&ctxt->insn);
	if (rep)
		ctxt->regs->cx -= 1;

	if (!rep || ctxt->regs->cx == 0)
		return ES_OK;
	else
		return ES_RETRY;
}
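
/*
 * Example added for illustration (instruction bytes and values are made up):
 * how the decoded MMIO type maps to the register update done in
 * vc_handle_mmio() below, assuming a 2-byte read of an MMIO location that
 * returns 0x8001:
 *
 *	mov    (%rbx),%ax	-> MMIO_READ:             AX = 0x8001, rest of RAX untouched
 *	movzwl (%rbx),%eax	-> MMIO_READ_ZERO_EXTEND: EAX = 0x00008001
 *	movswl (%rbx),%eax	-> MMIO_READ_SIGN_EXTEND: EAX = 0xffff8001
 *
 * The zero/sign extension is applied over insn->opnd_bytes before the read
 * data is copied into the register.
 */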

static enum es_result vc_handle_mmio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
{
	struct insn *insn = &ctxt->insn;
	unsigned int bytes = 0;
	enum mmio_type mmio;
	enum es_result ret;
	u8 sign_byte;
	long *reg_data;

	mmio = insn_decode_mmio(insn, &bytes);
	if (mmio == MMIO_DECODE_FAILED)
		return ES_DECODE_FAILED;

	if (mmio != MMIO_WRITE_IMM && mmio != MMIO_MOVS) {
		reg_data = insn_get_modrm_reg_ptr(insn, ctxt->regs);
		if (!reg_data)
			return ES_DECODE_FAILED;
	}

	switch (mmio) {
	case MMIO_WRITE:
		memcpy(ghcb->shared_buffer, reg_data, bytes);
		ret = vc_do_mmio(ghcb, ctxt, bytes, false);
		break;
	case MMIO_WRITE_IMM:
		memcpy(ghcb->shared_buffer, insn->immediate1.bytes, bytes);
		ret = vc_do_mmio(ghcb, ctxt, bytes, false);
		break;
	case MMIO_READ:
		ret = vc_do_mmio(ghcb, ctxt, bytes, true);
		if (ret)
			break;

		/* Zero-extend for 32-bit operation */
		if (bytes == 4)
			*reg_data = 0;

		memcpy(reg_data, ghcb->shared_buffer, bytes);
		break;
	case MMIO_READ_ZERO_EXTEND:
		ret = vc_do_mmio(ghcb, ctxt, bytes, true);
		if (ret)
			break;

		/* Zero extend based on operand size */
		memset(reg_data, 0, insn->opnd_bytes);
		memcpy(reg_data, ghcb->shared_buffer, bytes);
		break;
	case MMIO_READ_SIGN_EXTEND:
		ret = vc_do_mmio(ghcb, ctxt, bytes, true);
		if (ret)
			break;

		if (bytes == 1) {
			u8 *val = (u8 *)ghcb->shared_buffer;

			sign_byte = (*val & 0x80) ? 0xff : 0x00;
		} else {
			u16 *val = (u16 *)ghcb->shared_buffer;

			sign_byte = (*val & 0x8000) ? 0xff : 0x00;
		}

		/* Sign extend based on operand size */
		memset(reg_data, sign_byte, insn->opnd_bytes);
		memcpy(reg_data, ghcb->shared_buffer, bytes);
		break;
	case MMIO_MOVS:
		ret = vc_handle_mmio_movs(ctxt, bytes);
		break;
	default:
		ret = ES_UNSUPPORTED;
		break;
	}

	return ret;
}

static enum es_result vc_handle_dr7_write(struct ghcb *ghcb,
					  struct es_em_ctxt *ctxt)
{
	struct sev_es_runtime_data *data = this_cpu_read(runtime_data);
	long val, *reg = vc_insn_get_rm(ctxt);
	enum es_result ret;

	if (!reg)
		return ES_DECODE_FAILED;

	val = *reg;

	/* Upper 32 bits must be written as zeroes */
	if (val >> 32) {
		ctxt->fi.vector = X86_TRAP_GP;
		ctxt->fi.error_code = 0;
		return ES_EXCEPTION;
	}

	/* Clear out other reserved bits and set bit 10 */
	val = (val & 0xffff23ffL) | BIT(10);

	/* Early non-zero writes to DR7 are not supported */
	if (!data && (val & ~DR7_RESET_VALUE))
		return ES_UNSUPPORTED;

	/* Using a value of 0 for ExitInfo1 means RAX holds the value */
	ghcb_set_rax(ghcb, val);
	ret = sev_es_ghcb_hv_call(ghcb, true, ctxt, SVM_EXIT_WRITE_DR7, 0, 0);
	if (ret != ES_OK)
		return ret;

	if (data)
		data->dr7 = val;

	return ES_OK;
}

static enum es_result vc_handle_dr7_read(struct ghcb *ghcb,
					 struct es_em_ctxt *ctxt)
{
	struct sev_es_runtime_data *data = this_cpu_read(runtime_data);
	long *reg = vc_insn_get_rm(ctxt);

	if (!reg)
		return ES_DECODE_FAILED;

	if (data)
		*reg = data->dr7;
	else
		*reg = DR7_RESET_VALUE;

	return ES_OK;
}

static enum es_result vc_handle_wbinvd(struct ghcb *ghcb,
				       struct es_em_ctxt *ctxt)
{
	return sev_es_ghcb_hv_call(ghcb, true, ctxt, SVM_EXIT_WBINVD, 0, 0);
}

static enum es_result vc_handle_rdpmc(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
{
	enum es_result ret;

	ghcb_set_rcx(ghcb, ctxt->regs->cx);

	ret = sev_es_ghcb_hv_call(ghcb, true, ctxt, SVM_EXIT_RDPMC, 0, 0);
	if (ret != ES_OK)
		return ret;

	if (!(ghcb_rax_is_valid(ghcb) && ghcb_rdx_is_valid(ghcb)))
		return ES_VMM_ERROR;

	ctxt->regs->ax = ghcb->save.rax;
	ctxt->regs->dx = ghcb->save.rdx;

	return ES_OK;
}

static enum es_result vc_handle_monitor(struct ghcb *ghcb,
					struct es_em_ctxt *ctxt)
{
	/*
	 * Treat it as a NOP and do not leak a physical address to the
	 * hypervisor.
	 */
	return ES_OK;
}

static enum es_result vc_handle_mwait(struct ghcb *ghcb,
				      struct es_em_ctxt *ctxt)
{
	/* Treat the same as MONITOR/MONITORX */
	return ES_OK;
}

static enum es_result vc_handle_vmmcall(struct ghcb *ghcb,
					struct es_em_ctxt *ctxt)
{
	enum es_result ret;

	ghcb_set_rax(ghcb, ctxt->regs->ax);
	ghcb_set_cpl(ghcb, user_mode(ctxt->regs) ? 3 : 0);

	if (x86_platform.hyper.sev_es_hcall_prepare)
		x86_platform.hyper.sev_es_hcall_prepare(ghcb, ctxt->regs);

	ret = sev_es_ghcb_hv_call(ghcb, true, ctxt, SVM_EXIT_VMMCALL, 0, 0);
	if (ret != ES_OK)
		return ret;

	if (!ghcb_rax_is_valid(ghcb))
		return ES_VMM_ERROR;

	ctxt->regs->ax = ghcb->save.rax;

	/*
	 * Call sev_es_hcall_finish() after regs->ax is already set.
	 * This allows the hypervisor handler to overwrite it again if
	 * necessary.
	 */
	if (x86_platform.hyper.sev_es_hcall_finish &&
	    !x86_platform.hyper.sev_es_hcall_finish(ghcb, ctxt->regs))
		return ES_VMM_ERROR;

	return ES_OK;
}

static enum es_result vc_handle_trap_ac(struct ghcb *ghcb,
					struct es_em_ctxt *ctxt)
{
	/*
	 * Calling exc_alignment_check() directly does not work, because it
	 * enables IRQs and the GHCB is active. Forward the exception and call
	 * it later from vc_forward_exception().
	 */
	ctxt->fi.vector = X86_TRAP_AC;
	ctxt->fi.error_code = 0;
	return ES_EXCEPTION;
}
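
/*
 * Note added for clarity: the error code of a #VC exception is the SVM exit
 * code of the intercepted operation, which is why vc_handle_exitcode() below
 * can switch on values like SVM_EXIT_CPUID or SVM_EXIT_MSR directly. For
 * example, an intercepted CPUID arrives here with error_code == SVM_EXIT_CPUID.
 */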

static enum es_result vc_handle_exitcode(struct es_em_ctxt *ctxt,
					 struct ghcb *ghcb,
					 unsigned long exit_code)
{
	enum es_result result;

	switch (exit_code) {
	case SVM_EXIT_READ_DR7:
		result = vc_handle_dr7_read(ghcb, ctxt);
		break;
	case SVM_EXIT_WRITE_DR7:
		result = vc_handle_dr7_write(ghcb, ctxt);
		break;
	case SVM_EXIT_EXCP_BASE + X86_TRAP_AC:
		result = vc_handle_trap_ac(ghcb, ctxt);
		break;
	case SVM_EXIT_RDTSC:
	case SVM_EXIT_RDTSCP:
		result = vc_handle_rdtsc(ghcb, ctxt, exit_code);
		break;
	case SVM_EXIT_RDPMC:
		result = vc_handle_rdpmc(ghcb, ctxt);
		break;
	case SVM_EXIT_INVD:
		pr_err_ratelimited("#VC exception for INVD??? Seriously???\n");
		result = ES_UNSUPPORTED;
		break;
	case SVM_EXIT_CPUID:
		result = vc_handle_cpuid(ghcb, ctxt);
		break;
	case SVM_EXIT_IOIO:
		result = vc_handle_ioio(ghcb, ctxt);
		break;
	case SVM_EXIT_MSR:
		result = vc_handle_msr(ghcb, ctxt);
		break;
	case SVM_EXIT_VMMCALL:
		result = vc_handle_vmmcall(ghcb, ctxt);
		break;
	case SVM_EXIT_WBINVD:
		result = vc_handle_wbinvd(ghcb, ctxt);
		break;
	case SVM_EXIT_MONITOR:
		result = vc_handle_monitor(ghcb, ctxt);
		break;
	case SVM_EXIT_MWAIT:
		result = vc_handle_mwait(ghcb, ctxt);
		break;
	case SVM_EXIT_NPF:
		result = vc_handle_mmio(ghcb, ctxt);
		break;
	default:
		/*
		 * Unexpected #VC exception
		 */
		result = ES_UNSUPPORTED;
	}

	return result;
}

static __always_inline void vc_forward_exception(struct es_em_ctxt *ctxt)
{
	long error_code = ctxt->fi.error_code;
	int trapnr = ctxt->fi.vector;

	ctxt->regs->orig_ax = ctxt->fi.error_code;

	switch (trapnr) {
	case X86_TRAP_GP:
		exc_general_protection(ctxt->regs, error_code);
		break;
	case X86_TRAP_UD:
		exc_invalid_op(ctxt->regs);
		break;
	case X86_TRAP_PF:
		write_cr2(ctxt->fi.cr2);
		exc_page_fault(ctxt->regs, error_code);
		break;
	case X86_TRAP_AC:
		exc_alignment_check(ctxt->regs, error_code);
		break;
	default:
		pr_emerg("Unsupported exception in #VC instruction emulation - can't continue\n");
		BUG();
	}
}

static __always_inline bool is_vc2_stack(unsigned long sp)
{
	return (sp >= __this_cpu_ist_bottom_va(VC2) && sp < __this_cpu_ist_top_va(VC2));
}

static __always_inline bool vc_from_invalid_context(struct pt_regs *regs)
{
	unsigned long sp, prev_sp;

	sp	= (unsigned long)regs;
	prev_sp	= regs->sp;

	/*
	 * If the code was already executing on the VC2 stack when the #VC
	 * happened, let it proceed to the normal handling routine. This way the
	 * code executing on the VC2 stack can cause #VC exceptions to get handled.
	 */
	return is_vc2_stack(sp) && !is_vc2_stack(prev_sp);
}

static bool vc_raw_handle_exception(struct pt_regs *regs, unsigned long error_code)
{
	struct ghcb_state state;
	struct es_em_ctxt ctxt;
	enum es_result result;
	struct ghcb *ghcb;
	bool ret = true;

	ghcb = __sev_get_ghcb(&state);

	vc_ghcb_invalidate(ghcb);
	result = vc_init_em_ctxt(&ctxt, regs, error_code);

	if (result == ES_OK)
		result = vc_handle_exitcode(&ctxt, ghcb, error_code);

	__sev_put_ghcb(&state);

	/* Done - now check the result */
	switch (result) {
	case ES_OK:
		vc_finish_insn(&ctxt);
		break;
	case ES_UNSUPPORTED:
		pr_err_ratelimited("Unsupported exit-code 0x%02lx in #VC exception (IP: 0x%lx)\n",
				   error_code, regs->ip);
		ret = false;
		break;
	case ES_VMM_ERROR:
		pr_err_ratelimited("Failure in communication with VMM (exit-code 0x%02lx IP: 0x%lx)\n",
				   error_code, regs->ip);
		ret = false;
		break;
	case ES_DECODE_FAILED:
		pr_err_ratelimited("Failed to decode instruction (exit-code 0x%02lx IP: 0x%lx)\n",
				   error_code, regs->ip);
		ret = false;
		break;
	case ES_EXCEPTION:
		vc_forward_exception(&ctxt);
		break;
	case ES_RETRY:
		/* Nothing to do */
		break;
	default:
		pr_emerg("Unknown result in %s():%d\n", __func__, result);
		/*
		 * Emulating the instruction which caused the #VC exception
		 * failed - can't continue so print debug information
		 */
		BUG();
	}

	return ret;
}

static __always_inline bool vc_is_db(unsigned long error_code)
{
	return error_code == SVM_EXIT_EXCP_BASE + X86_TRAP_DB;
}

/*
 * Runtime #VC exception handler when raised from kernel mode. Runs in NMI mode
 * and will panic when an error happens.
 */
DEFINE_IDTENTRY_VC_KERNEL(exc_vmm_communication)
{
	irqentry_state_t irq_state;

	/*
	 * With the current implementation it is always possible to switch to a
	 * safe stack because #VC exceptions only happen at known places, like
	 * intercepted instructions or accesses to MMIO areas/IO ports. They can
	 * also happen with code instrumentation when the hypervisor intercepts
	 * #DB, but the critical paths are forbidden to be instrumented, so #DB
	 * exceptions currently also only happen in safe places.
	 *
	 * But keep this here in case the noinstr annotations are violated due
	 * to a bug elsewhere.
	 */
	if (unlikely(vc_from_invalid_context(regs))) {
		instrumentation_begin();
		panic("Can't handle #VC exception from unsupported context\n");
		instrumentation_end();
	}

	/*
	 * Handle #DB before calling into !noinstr code to avoid recursive #DB.
	 */
	if (vc_is_db(error_code)) {
		exc_debug(regs);
		return;
	}

	irq_state = irqentry_nmi_enter(regs);

	instrumentation_begin();

	if (!vc_raw_handle_exception(regs, error_code)) {
		/* Show some debug info */
		show_regs(regs);

		/* Ask hypervisor to sev_es_terminate */
		sev_es_terminate(GHCB_SEV_ES_GEN_REQ);

		/* If that fails and we get here - just panic */
		panic("Returned from Terminate-Request to Hypervisor\n");
	}

	instrumentation_end();
	irqentry_nmi_exit(regs, irq_state);
}
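
/*
 * Overview added for illustration: both the kernel-mode handler above and the
 * user-mode handler below feed the exit code into vc_raw_handle_exception().
 * ES_OK and ES_RETRY complete or re-execute the instruction, ES_EXCEPTION is
 * forwarded as a native exception, and any other result returns false, which
 * the kernel-mode handler turns into a guest termination request and the
 * user-mode handler turns into a SIGBUS for the current task.
 */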

/*
 * Runtime #VC exception handler when raised from user mode. Runs in IRQ mode
 * and will kill the current task with SIGBUS when an error happens.
 */
DEFINE_IDTENTRY_VC_USER(exc_vmm_communication)
{
	/*
	 * Handle #DB before calling into !noinstr code to avoid recursive #DB.
	 */
	if (vc_is_db(error_code)) {
		noist_exc_debug(regs);
		return;
	}

	irqentry_enter_from_user_mode(regs);
	instrumentation_begin();

	if (!vc_raw_handle_exception(regs, error_code)) {
		/*
		 * Do not kill the machine if user-space triggered the
		 * exception. Send SIGBUS instead and let user-space deal with
		 * it.
		 */
		force_sig_fault(SIGBUS, BUS_OBJERR, (void __user *)0);
	}

	instrumentation_end();
	irqentry_exit_to_user_mode(regs);
}

bool __init handle_vc_boot_ghcb(struct pt_regs *regs)
{
	unsigned long exit_code = regs->orig_ax;
	struct es_em_ctxt ctxt;
	enum es_result result;

	/* Do initial setup or terminate the guest */
	if (unlikely(boot_ghcb == NULL && !sev_es_setup_ghcb()))
		sev_es_terminate(GHCB_SEV_ES_GEN_REQ);

	vc_ghcb_invalidate(boot_ghcb);

	result = vc_init_em_ctxt(&ctxt, regs, exit_code);
	if (result == ES_OK)
		result = vc_handle_exitcode(&ctxt, boot_ghcb, exit_code);

	/* Done - now check the result */
	switch (result) {
	case ES_OK:
		vc_finish_insn(&ctxt);
		break;
	case ES_UNSUPPORTED:
		early_printk("PANIC: Unsupported exit-code 0x%02lx in early #VC exception (IP: 0x%lx)\n",
			     exit_code, regs->ip);
		goto fail;
	case ES_VMM_ERROR:
		early_printk("PANIC: Failure in communication with VMM (exit-code 0x%02lx IP: 0x%lx)\n",
			     exit_code, regs->ip);
		goto fail;
	case ES_DECODE_FAILED:
		early_printk("PANIC: Failed to decode instruction (exit-code 0x%02lx IP: 0x%lx)\n",
			     exit_code, regs->ip);
		goto fail;
	case ES_EXCEPTION:
		vc_early_forward_exception(&ctxt);
		break;
	case ES_RETRY:
		/* Nothing to do */
		break;
	default:
		BUG();
	}

	return true;

fail:
	show_regs(regs);

	while (true)
		halt();
}