OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

Check the DR7 cached indicator against a specific value. This makes it
harder for a hypervisor to just write random data into that field in an
attempt to use an invalid DR7 value.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <65157c1155a9c058c43678400dfc0b486e327a3e.1610045305.git.thomas.lendacky@amd.com>

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 1671db3a01b10f775ed7b92cb64ed69bce1793d3..5149ab2bc98927956ea36a3b4b337ceb9fddc55b 100644 (file)
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -128,10 +128,13 @@ UINT64
 \r
 //\r
 // Per-CPU data mapping structure\r
+//   Use UINT32 for cached indicators and compare to a specific value\r
+//   so that the hypervisor can't indicate a value is cached by just\r
+//   writing random data to that area.\r
 //\r
 typedef struct {\r
-  BOOLEAN  Dr7Cached;\r
-  UINT64   Dr7;\r
+  UINT32  Dr7Cached;\r
+  UINT64  Dr7;\r
 } SEV_ES_PER_CPU_DATA;\r
 \r
 \r
@@ -1489,7 +1492,7 @@ Dr7WriteExit (
   }\r
 \r
   SevEsData->Dr7 = *Register;\r
-  SevEsData->Dr7Cached = TRUE;\r
+  SevEsData->Dr7Cached = 1;\r
 \r
   return 0;\r
 }\r
@@ -1533,7 +1536,7 @@ Dr7ReadExit (
   // If there is a cached valued for DR7, return that. Otherwise return the\r
   // DR7 standard reset value of 0x400 (no debug breakpoints set).\r
   //\r
-  *Register = (SevEsData->Dr7Cached) ? SevEsData->Dr7 : 0x400;\r
+  *Register = (SevEsData->Dr7Cached == 1) ? SevEsData->Dr7 : 0x400;\r
 \r
   return 0;\r
 }\r