On 16/12/2016 09:01, Borislav Petkov wrote: > @@ -91,6 +92,17 @@ static bool __init check_loader_disabled_bsp(void) > if (cmdline_find_option_bool(cmdline, option)) > *res = true; > > + if (!have_cpuid_p()) > + *res = true; > + > + a = 1; > + c = 0; > + native_cpuid(&a, &b, &c, &d); > + > + /* CPUID(1).ECX[31]: reserved for hypervisor use */ > + if (c & BIT(31)) > + *res = true;
This will work for any VT-x/SVM based virt, but won't work for ring de-privileging based virt such as Xen PV and lguest. Without CPUID Faulting, this will still get the real hardware CPUID without the hypervisor bit set. How about an additional cpl check here, which should cover all the ring de-privileging methods in a virt-neutral way? ~Andrew
