hypercall: do not allow hypercall from UOS except trusty

only trusty related hypercall will come from UOS, others should come from VM0 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
projectacrn · May 22, 2018 · 05f8fd7 · 05f8fd7
1 parent f505f33
commit 05f8fd7
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/hypervisor/arch/x86/guest/vmcall.c b/hypervisor/arch/x86/guest/vmcall.c
@@ -57,6 +57,12 @@ int vmcall_vmexit_handler(struct vcpu *vcpu)
 		return -1;
 	}
 
+	if (!is_vm0(vm) && hypcall_id != HC_WORLD_SWITCH &&
+		hypcall_id != HC_INITIALIZE_TRUSTY) {
+		pr_err("hypercall %d is only allowed from VM0!\n", hypcall_id);
+		return -1;
+	}
+
 	/* Dispatch the hypercall handler */
 	switch (hypcall_id) {
 	case HC_GET_API_VERSION: