VMCALL and VMMCALL instructions are used by x86 guests to request services from the host VMM. Both VMCALL and VMMCALL are not restricted to CPL 0. This allows userspace software like open-vm-tools to communicate directly with the VMM.

In the context of confidential VMs, direct communication with the host may violate the security model. Existing binaries that make use of hypercalls and are not hardened against malicious hypervisors can become a possible attack surface. For this reason, user-level VMCALLs are not currently forwarded to the host on TDX VMs. This breaks any user-level software that uses these instructions. But if user-level software is aware of the risks and has been hardened to address any known violations of the security model, then it seems reasonable to allow hypercalls from this process to proceed.

This patchset introduces a new x86 process control flag to address this concern. By setting the TIF_COCO_USER_HCALL thread information flag, the process opts in to user-level hypercalls. When TDX is enabled, the VMCALL will #VE and control will be transferred to a hypervisor-specific hypercall handler (similar to how things work today for SEV with sev_es_hcall_prepare/sev_es_hcall_finish). The flag has no effect on non-TDX VMs. Other confidential computing technologies could use this flag to provide limited access to user-level hypercalls.

Tim Merrifield (2):
  x86/tdx: Add prctl to allow userlevel TDX hypercalls
  x86/vmware: VMware support for TDX userspace hypercalls

 arch/x86/coco/tdx/tdx.c            | 18 +++++++++++
 arch/x86/include/asm/thread_info.h |  2 ++
 arch/x86/include/asm/x86_init.h    |  1 +
 arch/x86/include/uapi/asm/prctl.h  |  3 ++
 arch/x86/kernel/cpu/vmware.c       | 51 +++++++++++++++++++++++-------
 arch/x86/kernel/process.c          | 20 ++++++++++++
 6 files changed, 84 insertions(+), 11 deletions(-)

-- 
2.40.1
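As an added example (not code from the patchset or the cover letter): the shape of a userspace client that opts in through the new prctl and then issues a VMCALL while surviving the cases the cover letter describes, the call faulting because it is not forwarded (SIGILL or SIGSEGV) or completing with a reply from an untrusted host. The opt-in is assumed to be an arch_prctl(2) option because the series touches uapi/asm/prctl.h; its option number, the function names, and the rax = 0 payload are assumptions or placeholders, since only TIF_COCO_USER_HCALL and the touched files are named on the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Outcomes a userspace hypercall client has to be prepared for. */
enum hcall_probe { HCALL_UNSUPPORTED_ARCH, /* not an x86-64 build */
    HCALL_FAULT_ILL,  /* SIGILL (#UD): no VMM underneath, or VMCALL not forwarded */
    HCALL_FAULT_SEGV, /* SIGSEGV (#GP, or a #VE the guest kernel refused): call blocked */
    HCALL_RETURNED }; /* VMCALL completed; rax holds the VMM's reply, which is untrusted */
static sigjmp_buf probe_env; static volatile sig_atomic_t probe_signo;
static void probe_handler(int signo) { probe_signo = signo; siglongjmp(probe_env, 1); }
/* Opt this process in. The arch_prctl(2) option number is not on the page (hypothetical
 * here): the caller supplies it from the merged uapi/asm/prctl.h. Returns 0 or -errno. */
int coco_opt_in_user_hcall(int arch_prctl_option)
{
#ifdef SYS_arch_prctl
    return syscall(SYS_arch_prctl, arch_prctl_option, 1L) == 0 ? 0 : -errno;
#else
    (void)arch_prctl_option; return -ENOSYS;
#endif
}
/* Issue one VMCALL with rax = 0 (constructed placeholder, not any vendor's ABI) and
 * classify the outcome instead of letting an unforwarded call kill the process. */
enum hcall_probe probe_user_vmcall(unsigned long *reply)
{
#if !defined(__x86_64__)
    (void)reply; return HCALL_UNSUPPORTED_ARCH;
#else
    struct sigaction sa, old_ill, old_segv; enum hcall_probe res;
    memset(&sa, 0, sizeof sa); sa.sa_handler = probe_handler; sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask); sigaction(SIGILL, &sa, &old_ill); sigaction(SIGSEGV, &sa, &old_segv);
    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned long rax = 0;
        __asm__ volatile("vmcall" : "+a"(rax) : : "memory");
        *reply = rax; res = HCALL_RETURNED;
    } else res = (probe_signo == SIGILL) ? HCALL_FAULT_ILL : HCALL_FAULT_SEGV;
    sigaction(SIGILL, &old_ill, NULL); sigaction(SIGSEGV, &old_segv, NULL);
    return res;
#endif
}
int main(void)
{   /* 0 is a PLACEHOLDER option number; use the real one from the merged prctl.h. */
    unsigned long reply = 0; int rc = coco_opt_in_user_hcall(0), p = probe_user_vmcall(&reply);
    printf("opt-in rc=%d probe=%d reply=%#lx\n", rc, p, reply);
    return 0;
}
```

On a TDX guest without the opt-in the probe reports HCALL_FAULT_SEGV rather than crashing; when it reports HCALL_RETURNED, the reply must still be validated as input from a potentially malicious host.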