That should really say that a nested #HV should never be raised by the
hypervisor, but if it is, then the guest should detect that and
self-terminate knowing that the hypervisor is possibly being malicious.
I've yet to see code that can do that reliably.
- Currently, we detect a direct nested #HV with the check below, and the
guest self-terminates.
<snip>
    if (get_stack_info_noinstr(stack, current, &info) &&
        (info.type == (STACK_TYPE_EXCEPTION + ESTACK_HV) ||
         info.type == (STACK_TYPE_EXCEPTION + ESTACK_HV2)))
        panic("Nested #HV exception, HV IST corrupted, stack type = %d\n",
              info.type);
</snip>
- I am thinking about the solution below to detect a nested
#HV reliably:
-- Make reliable IST stack switching for the #VC -> #HV -> #VC case
(similar to what is done in __sev_es_ist_enter/__sev_es_ist_exit for the
NMI IST stack).
-- In addition to this, we can make nested #HV detection (with another
exception type) more reliable with refcounting (percpu?).
I need your input before I implement this solution. Or do you have any
other software-based idea in mind?
Thanks,
Pankaj
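The two mechanisms discussed in the message above (moving the #VC IST slot below a live frame so a nested #VC cannot clobber it, and a per-CPU nesting counter that catches a nested #HV even when it arrives via another exception type) can be exercised in a small user-space model. The code below is an added, constructed example; it is not kernel code, not part of this thread, and the names vc_ist_enter/vc_ist_exit, deliver, hv_enter/hv_exit and the scenario functions are model stand-ins. The IST adjustment is a simplified analogue of what the message attributes to __sev_es_ist_enter/__sev_es_ist_exit, with the gap size and alignment assumed for the model. Two byte arrays stand in for the #VC and #HV IST stacks and two variables for the TSS IST slots.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_SIZE 4096
#define FRAME_SIZE 128   /* assumed size of one exception frame in this model */

/* Constructed model of two IST stacks; not the kernel's data structures. */
static uint8_t vc_stack[STACK_SIZE] __attribute__((aligned(16)));
static uint8_t hv_stack[STACK_SIZE] __attribute__((aligned(16)));

/* Model of the TSS IST slots: the RSP the CPU loads on delivery. */
static uintptr_t tss_ist_vc, tss_ist_hv;
/* Model of a per-CPU #HV nesting counter (the "refcount" idea). */
static int hv_depth;

enum stack_type { STACK_OTHER, STACK_VC, STACK_HV };

static void reset_model(void)
{
    tss_ist_vc = (uintptr_t)vc_stack + STACK_SIZE;
    tss_ist_hv = (uintptr_t)hv_stack + STACK_SIZE;
    hv_depth = 0;
}

/* Classify a stack pointer the way a stack-type check would. */
static enum stack_type stack_type_of(uintptr_t sp)
{
    if (sp >= (uintptr_t)vc_stack && sp < (uintptr_t)vc_stack + STACK_SIZE)
        return STACK_VC;
    if (sp >= (uintptr_t)hv_stack && sp < (uintptr_t)hv_stack + STACK_SIZE)
        return STACK_HV;
    return STACK_OTHER;
}

/* CPU delivers an exception: RSP comes from the IST slot, a frame is pushed.
 * Returns the lowest address of that frame. */
static uintptr_t deliver(uintptr_t ist_slot)
{
    return ist_slot - FRAME_SIZE;
}

/* Analogue of __sev_es_ist_enter (model, details assumed): on entry to a
 * handler that can interrupt #VC, if the interrupted context sits on the
 * #VC IST stack, move the #VC IST slot below the live frame so a nested
 * #VC is delivered underneath it. Returns the old slot for restore. */
static uintptr_t vc_ist_enter(uintptr_t interrupted_sp)
{
    uintptr_t old = tss_ist_vc;
    if (stack_type_of(interrupted_sp) == STACK_VC)
        tss_ist_vc = (interrupted_sp & ~(uintptr_t)0xf) - 16; /* gap below frame */
    return old;
}
static void vc_ist_exit(uintptr_t old) { tss_ist_vc = old; }

/* Two ways to detect a nested #HV:
 * - stack check: interrupted context is itself on the #HV IST stack
 * - refcount check: a #HV handler was already active on this CPU */
static int nested_hv_by_stack(uintptr_t interrupted_sp)
{
    return stack_type_of(interrupted_sp) == STACK_HV;
}
static int nested_hv_by_refcount(void) { return hv_depth > 0; }
static void hv_enter(void) { hv_depth++; }
static void hv_exit(void) { hv_depth--; }

/* #VC -> #HV -> #VC with the IST adjustment: nested frame is fully below
 * the outer #VC frame. Returns 1 when the outer frame is protected. */
int scenario_vc_hv_vc_protected(void)
{
    reset_model();
    uintptr_t vc1 = deliver(tss_ist_vc);   /* outer #VC frame */
    uintptr_t saved = vc_ist_enter(vc1);   /* #HV entry adjusts the #VC slot */
    hv_enter();
    uintptr_t vc2 = deliver(tss_ist_vc);   /* nested #VC inside the #HV handler */
    int ok = (vc2 + FRAME_SIZE) <= vc1;
    hv_exit();
    vc_ist_exit(saved);
    return ok;
}

/* Same sequence without the adjustment: the nested #VC lands on the outer frame. */
int scenario_vc_hv_vc_unprotected_overlaps(void)
{
    reset_model();
    uintptr_t vc1 = deliver(tss_ist_vc);
    hv_enter();
    uintptr_t vc2 = deliver(tss_ist_vc);
    hv_exit();
    return vc2 == vc1;
}

/* Direct #HV -> #HV: both checks fire. Returns 1 when both detect it. */
int scenario_direct_nested_hv(int *by_stack, int *by_refcount)
{
    reset_model();
    uintptr_t hv1 = deliver(tss_ist_hv);
    hv_enter();
    *by_stack = nested_hv_by_stack(hv1);
    *by_refcount = nested_hv_by_refcount();
    hv_exit();
    return *by_stack && *by_refcount;
}

/* #HV -> #VC -> #HV: the interrupted context is on the #VC stack, so the
 * stack-type check misses the nesting; only the refcount sees it. */
int scenario_indirect_nested_hv(int *by_stack, int *by_refcount)
{
    reset_model();
    (void)deliver(tss_ist_hv);
    hv_enter();
    uintptr_t vc = deliver(tss_ist_vc);
    *by_stack = nested_hv_by_stack(vc);
    *by_refcount = nested_hv_by_refcount();
    hv_exit();
    return !*by_stack && *by_refcount;
}

int main(void)
{
    int s, r;
    printf("VC->HV->VC protected:   %d\n", scenario_vc_hv_vc_protected());
    printf("VC->HV->VC overlaps:    %d\n", scenario_vc_hv_vc_unprotected_overlaps());
    printf("direct HV->HV:          %d\n", scenario_direct_nested_hv(&s, &r));
    printf("indirect HV->VC->HV:    %d (stack=%d refcount=%d)\n",
           scenario_indirect_nested_hv(&s, &r), s, r);
    return 0;
}
```

The fourth scenario is the point of the refcount proposal: a stack-type check only sees nesting when the interrupted frame is on the #HV stack, whereas a per-CPU counter incremented on #HV entry also catches a #HV that arrives through an intervening #VC. In the model the counter is a plain int; on a real CPU it would need to be per-CPU and updated with the same noinstr discipline as the rest of the entry code.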