KVM: TDX: Add a method to ignore hypercall patching
author Isaku Yamahata <isaku.yamahata@intel.com>
Thu, 27 Feb 2025 01:20:18 +0000 (09:20 +0800)
committer Paolo Bonzini <pbonzini@redhat.com>
Fri, 14 Mar 2025 18:20:58 +0000 (14:20 -0400)
Because guest TD memory is protected, VMM patching guest binary for
hypercall instruction isn't possible.  Add a method to ignore hypercall
patching.  Note: guest TD kernel needs to be modified to use
TDG.VP.VMCALL for hypercall.

Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Message-ID: <20250227012021.1778144-18-binbin.wu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/vmx/main.c

index 0021739..3d8a13e 100644 (file)
@@ -673,6 +673,19 @@ static u32 vt_get_interrupt_shadow(struct kvm_vcpu *vcpu)
        return vmx_get_interrupt_shadow(vcpu);
 }
 
+static void vt_patch_hypercall(struct kvm_vcpu *vcpu,
+                                 unsigned char *hypercall)
+{
+       /*
+        * Because guest memory is protected, guest can't be patched. TD kernel
+        * is modified to use TDG.VP.VMCALL for hypercall.
+        */
+       if (is_td_vcpu(vcpu))
+               return;
+
+       vmx_patch_hypercall(vcpu, hypercall);
+}
+
 static void vt_inject_irq(struct kvm_vcpu *vcpu, bool reinjected)
 {
        if (is_td_vcpu(vcpu))
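Review bot: In vt_patch_hypercall(), the is_td_vcpu() early return leaves the caller's `hypercall` buffer unwritten, and the comment does not say what the caller is expected to do with it. The comment explains why patching cannot work, but not whether this callback is reachable for a TD vcpu at all. If it is reachable, the caller would go on to use a buffer this function never filled, so either document that the path cannot be hit for TDs or have the wrapper make the no-op case visible to the caller. If it is not reachable, a one-line note saying so (or a warning on the TD branch) would make the intent clear to later readers.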
@@ -952,7 +965,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = {
        .update_emulated_instruction = vmx_update_emulated_instruction,
        .set_interrupt_shadow = vt_set_interrupt_shadow,
        .get_interrupt_shadow = vt_get_interrupt_shadow,
-       .patch_hypercall = vmx_patch_hypercall,
+       .patch_hypercall = vt_patch_hypercall,
        .inject_irq = vt_inject_irq,
        .inject_nmi = vt_inject_nmi,
        .inject_exception = vt_inject_exception,
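Review bot: In vt_x86_ops, the entry just above the changed line, `.update_emulated_instruction = vmx_update_emulated_instruction`, is still wired directly to the vmx_ implementation while .patch_hypercall now goes through a vt_ wrapper. Both are emulation-side callbacks, so it is worth stating in the commit message whether the remaining direct vmx_ entries are known to be unreachable for TD vcpus or are handled elsewhere in the series. Otherwise the table reads as partially converted.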