x86/vmx: Don't spuriously crash the domain when INIT is received
In VMX operation, the handling of INIT IPIs is changed.  Instead of the CPU
resetting, the next VMEntry fails with EXIT_REASON_INIT.  From the TXT spec,
the intent of this behaviour is so that an entity which cares can scrub
secrets from RAM before participating in an orderly shutdown.

Right now, Xen's behaviour is that when an INIT arrives, the HVM VM which
schedules next is killed (citing an unknown VMExit), *and* we ignore the INIT
and continue blindly onwards anyway.

This patch addresses only the first of these two problems by ignoring the INIT
and continuing without crashing the VM in question.

The second wants addressing too, just as soon as we've figured out something
better to do...

Discovered as collateral damage from when an AP triple faults on S3 resume on
Intel TigerLake platforms.

Link: QubesOS/qubes-issues#7283
Signed-off-by: Andrew Cooper <[email protected]>
Reviewed-by: Kevin Tian <[email protected]>
master commit: b1f1127
master date: 2023-03-24 22:49:58 +0000
andyhhp authored and jbeulich committed Mar 31, 2023
1 parent 11c8ef5 commit f6a3e93
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions xen/arch/x86/hvm/vmx/vmx.c
Expand Up @@ -4038,6 +4038,10 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
case EXIT_REASON_MCE_DURING_VMENTRY:
do_machine_check(regs);
break;

case EXIT_REASON_INIT:
printk(XENLOG_ERR "Error: INIT received - ignoring\n");
return; /* Renter the guest without further processing */
}

/* Now enable interrupts so it's safe to take locks. */
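
Review bot: The comment on the `return` in the new EXIT_REASON_INIT case has a typo: "Renter the guest" should read "Re-enter the guest". The case also has no comment recording that the INIT itself is still dropped, which the commit message names as a second, unresolved problem; a short TODO next to the `return` would keep that visible to the next reader of the handler. The message text "Error: INIT received - ignoring" does not say which CPU took the exit, so consider including the CPU in the printk so the log line can be tied to the processor that received the INIT.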