From 31f5ebd6db0805cdcafb1312a91b60d14ff1ac24 Mon Sep 17 00:00:00 2001
From: Tom Lendacky
Date: Thu, 7 Jan 2021 12:48:19 -0600
Subject: [PATCH] OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
Check the DR7 cached indicator against a specific value. This makes it harder for a hypervisor to just write random data into that field in an attempt to use an invalid DR7 value.
Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Brijesh Singh
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
Message-Id: <65157c1155a9c058c43678400dfc0b486e327a3e.1610045305.git.thomas.lendacky@amd.com>
---
OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 1671db3a01..5149ab2bc9 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -128,10 +128,13 @@ UINT64
//
// Per-CPU data mapping structure
+// Use UINT32 for cached indicators and compare to a specific value
+// so that the hypervisor can't indicate a value is cached by just
+// writing random data to that area.
//
typedef struct {
- BOOLEAN Dr7Cached;
- UINT64 Dr7;
+ UINT32 Dr7Cached;
+ UINT64 Dr7;
} SEV_ES_PER_CPU_DATA;
@@ -1489,7 +1492,7 @@ Dr7WriteExit (
}
SevEsData->Dr7 = *Register;
- SevEsData->Dr7Cached = TRUE;
+ SevEsData->Dr7Cached = 1;
return 0;
}
@@ -1533,7 +1536,7 @@ Dr7ReadExit (
// If there is a cached valued for DR7, return that. Otherwise return the
// DR7 standard reset value of 0x400 (no debug breakpoints set).
//
- *Register = (SevEsData->Dr7Cached) ? SevEsData->Dr7 : 0x400;
+ *Register = (SevEsData->Dr7Cached == 1) ? SevEsData->Dr7 : 0x400;
return 0;
}
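Review bot: The new comment on SEV_ES_PER_CPU_DATA says the indicator is compared "to a specific value" but never names that value, and the bare literal `1` is then written in Dr7WriteExit and tested in Dr7ReadExit (the second and third hunks) with nothing tying the two together. A named constant defined next to the struct, for example `#define SEV_ES_DR7_CACHED  1` (the name is only a suggestion), would keep the writer and the reader in step and give the comment something concrete to refer to. The comment could also state the assumption behind "random data": presumably this area is in encrypted guest memory, so a hypervisor write decrypts to unpredictable bytes rather than a chosen value. That assumption is inferred from the commit message and is not visible in the hunk, so it is worth confirming before it is written down.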
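Review bot: The comment above the changed line in Dr7ReadExit still describes the old truthiness test ("If there is a cached valued for DR7", which also carries a typo) and does not say that any indicator value other than 1 now falls back to 0x400. Suggested wording: `// If the DR7 cached indicator holds the expected value, return the cached` / `// DR7 value. Any other indicator value is treated as not cached and the` / `// DR7 standard reset value of 0x400 (no debug breakpoints set) is returned.` Note also that `== 1` validates only the indicator and `SevEsData->Dr7` is returned as stored. The protection therefore relies on the indicator and the value being corrupted together, which depends on the struct's layout and placement, and neither is visible here. The body of Dr7ReadExit starts outside the hunk.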