rmp adjust the savic page

romank-msft · romank-msft · commit f6e87dc4e009 · 2025-05-02T09:31:47.000-07:00
diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h
@@ -109,7 +109,12 @@ struct rmp_state {
 	u32 asid;
 } __packed;
 
-#define RMPADJUST_VMSA_PAGE_BIT		BIT(16)
+/* Target VMPL takes the first byte */
+#define RMPADJUST_ENABLE_READ			BIT(8)
+#define RMPADJUST_ENABLE_WRITE			BIT(9)
+#define RMPADJUST_USER_EXECUTE			BIT(10)
+#define RMPADJUST_KERNEL_EXECUTE		BIT(11)
+#define RMPADJUST_VMSA_PAGE_BIT			BIT(16)
 
 /* SNP Guest message request */
 struct snp_req_data {
diff --git a/drivers/hv/mshv_vtl_main.c b/drivers/hv/mshv_vtl_main.c
@@ -653,18 +653,24 @@ static int mshv_vtl_alloc_context(unsigned int cpu)
 #endif
 	} else if (hv_isolation_type_snp()) {
 #if defined(CONFIG_X86_64) && defined(CONFIG_SEV_GUEST)
-		int ret;
-
-		struct page *secure_avic_page;
-
-		secure_avic_page = alloc_page(GFP_KERNEL | __GFP_ZERO);
-		if (!secure_avic_page)
-			return -ENOMEM;
-		per_cpu->secure_avic_page = secure_avic_page;
+		if (cc_platform_has(CC_ATTR_SNP_SECURE_AVIC)) {
+			struct page *secure_avic_page = alloc_page(GFP_KERNEL | __GFP_ZERO);
+			int ret = 0;
+
+			if (!secure_avic_page)
+				return -ENOMEM;
+
+			/* VMPL 2 for the VTL0 */
+			ret = rmpadjust((unsigned long)page_address(secure_avic_page),
+						RMP_PG_SIZE_4K, 2 | RMPADJUST_ENABLE_READ | RMPADJUST_ENABLE_WRITE);
+			if (ret) {
+				pr_err("failed to adjust RMP for the secure AVIC page: %d\n", ret);
+				free_page((u64)secure_avic_page);
+				return -EINVAL;
+			}
 
-		ret = mshv_configure_vmsa_page(0, &per_cpu->vmsa_page);
-		if (ret < 0)
-			return ret;
+			per_cpu->secure_avic_page = secure_avic_page;
+		}
 #endif
 	} else if (mshv_vsm_capabilities.intercept_page_available)
 		mshv_vtl_configure_reg_page(per_cpu);
