| Message ID | 20200428151725.31091-26-joro@8bytes.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | x86: SEV-ES Guest Support | expand |
On Tue, Apr 28, 2020 at 05:16:35PM +0200, Joerg Roedel wrote: > From: Tom Lendacky <thomas.lendacky@amd.com> > > Add support for decoding and handling #VC exceptions for IOIO events. > > Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> > [ jroedel@suse.de: Adapted code to #VC handling framework ] > Co-developed-by: Joerg Roedel <jroedel@suse.de> > Signed-off-by: Joerg Roedel <jroedel@suse.de> > --- > arch/x86/boot/compressed/sev-es.c | 32 +++++ > arch/x86/kernel/sev-es-shared.c | 202 ++++++++++++++++++++++++++++++ > 2 files changed, 234 insertions(+) Just nitpicks and some more commenting needed: > +static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt) > +{ > + struct pt_regs *regs = ctxt->regs; > + u64 exit_info_1, exit_info_2; > + enum es_result ret; > + > + ret = vc_ioio_exitinfo(ctxt, &exit_info_1); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_STR) { > + int df = (regs->flags & X86_EFLAGS_DF) ? -1 : 1; > + unsigned int io_bytes, exit_bytes; > + unsigned int ghcb_count, op_count; > + unsigned long es_base; > + u64 sw_scratch; > + > + /* > + * For the string variants with rep prefix the amount of in/out > + * operations per #VC exception is limited so that the kernel > + * has a chance to take interrupts an re-schedule while the ^ and > + * instruction is emulated. > + */ > + io_bytes = (exit_info_1 >> 4) & 0x7; > + ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes; > + > + op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1; > + exit_info_2 = min(op_count, ghcb_count); > + exit_bytes = exit_info_2 * io_bytes; > + > + es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES); In general, I could use some commenting here to find my way around it: /* Read bytes of OUTS into the shared buffer */ > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) { > + ret = vc_insn_string_read(ctxt, > + (void *)(es_base + regs->si), > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); > + if (ret) > + return ret; > + } /* * Issue an VMGEXIT to the HV to consume the bytes from the * shared buffer or to have it write them into the shared buffer * depending on the instruction: OUTS or INS. */ > + > + sw_scratch = __pa(ghcb) + offsetof(struct ghcb, shared_buffer); > + ghcb_set_sw_scratch(ghcb, sw_scratch); > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, > + exit_info_1, exit_info_2); Align arguments on the opening brace. > + if (ret != ES_OK) > + return ret; > + > + /* Everything went well, write back results */ /* Read bytes from shared buffer into the guest's destination. */ > + if (exit_info_1 & IOIO_TYPE_IN) { > + ret = vc_insn_string_write(ctxt, > + (void *)(es_base + regs->di), > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); > + if (ret) > + return ret; > + > + if (df) > + regs->di -= exit_bytes; > + else > + regs->di += exit_bytes; > + } else { > + if (df) > + regs->si -= exit_bytes; > + else > + regs->si += exit_bytes; > + } > + > + if (exit_info_1 & IOIO_REP) > + regs->cx -= exit_info_2; > + > + ret = regs->cx ? ES_RETRY : ES_OK; > + > + } else { /* IN/OUT into/from rAX */ > + int bits = (exit_info_1 & 0x70) >> 1; > + u64 rax = 0; > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) > + rax = lower_bits(regs->ax, bits); > + > + ghcb_set_rax(ghcb, rax); > + > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_IN) { > + if (!ghcb_is_valid_rax(ghcb)) > + return ES_VMM_ERROR; > + regs->ax = lower_bits(ghcb->save.rax, bits); > + } > + } > + > + return ret; > +} > -- Thx.
Just a reminder so that this doesn't get lost: On Tue, Apr 28, 2020 at 05:16:35PM +0200, Joerg Roedel wrote: > + if (exit_info_1 & IOIO_TYPE_STR) { > + int df = (regs->flags & X86_EFLAGS_DF) ? -1 : 1; ... > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) { > + ret = vc_insn_string_read(ctxt, > + (void *)(es_base + regs->si), > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); ^^^^ > + > + /* Everything went well, write back results */ > + if (exit_info_1 & IOIO_TYPE_IN) { > + ret = vc_insn_string_write(ctxt, > + (void *)(es_base + regs->di), > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); ^^^^
On Tue, Apr 28, 2020 at 05:16:35PM +0200, Joerg Roedel wrote: > From: Tom Lendacky <thomas.lendacky@amd.com> > > Add support for decoding and handling #VC exceptions for IOIO events. > > Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> > [ jroedel@suse.de: Adapted code to #VC handling framework ] > Co-developed-by: Joerg Roedel <jroedel@suse.de> > Signed-off-by: Joerg Roedel <jroedel@suse.de> > --- > arch/x86/boot/compressed/sev-es.c | 32 +++++ > arch/x86/kernel/sev-es-shared.c | 202 ++++++++++++++++++++++++++++++ > 2 files changed, 234 insertions(+) > > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c > index 1241697dd156..17765e471e28 100644 > --- a/arch/x86/boot/compressed/sev-es.c > +++ b/arch/x86/boot/compressed/sev-es.c > @@ -23,6 +23,35 @@ ... > +static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt) > +{ > + struct pt_regs *regs = ctxt->regs; > + u64 exit_info_1, exit_info_2; > + enum es_result ret; > + > + ret = vc_ioio_exitinfo(ctxt, &exit_info_1); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_STR) { > + int df = (regs->flags & X86_EFLAGS_DF) ? -1 : 1; > + unsigned int io_bytes, exit_bytes; > + unsigned int ghcb_count, op_count; > + unsigned long es_base; > + u64 sw_scratch; > + > + /* > + * For the string variants with rep prefix the amount of in/out > + * operations per #VC exception is limited so that the kernel > + * has a chance to take interrupts an re-schedule while the > + * instruction is emulated. Doesn't this also suppress single-step #DBs? > + */ > + io_bytes = (exit_info_1 >> 4) & 0x7; > + ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes; > + > + op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1; > + exit_info_2 = min(op_count, ghcb_count); > + exit_bytes = exit_info_2 * io_bytes; > + > + es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES); > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) { > + ret = vc_insn_string_read(ctxt, > + (void *)(es_base + regs->si), SEV(-ES) is 64-bit only, why bother with the es_base charade? > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); df handling is busted, it's aways non-zero. Same goes for the SI/DI adjustments below. > + if (ret) > + return ret; > + } > + > + sw_scratch = __pa(ghcb) + offsetof(struct ghcb, shared_buffer); > + ghcb_set_sw_scratch(ghcb, sw_scratch); > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, > + exit_info_1, exit_info_2); > + if (ret != ES_OK) > + return ret; Batching the memory accesses and I/O accesses separately is technically wrong, e.g. a #DB on a memory access will result in bogus data being shown in the debugger. In practice it seems unlikely to matter, but I'm curious as to why string I/O is supported in the first place. I didn't think there was that much string I/O in the kernel? > + > + /* Everything went well, write back results */ > + if (exit_info_1 & IOIO_TYPE_IN) { > + ret = vc_insn_string_write(ctxt, > + (void *)(es_base + regs->di), > + ghcb->shared_buffer, io_bytes, > + exit_info_2, df); > + if (ret) > + return ret; > + > + if (df) > + regs->di -= exit_bytes; > + else > + regs->di += exit_bytes; > + } else { > + if (df) > + regs->si -= exit_bytes; > + else > + regs->si += exit_bytes; > + } > + > + if (exit_info_1 & IOIO_REP) > + regs->cx -= exit_info_2; > + > + ret = regs->cx ? ES_RETRY : ES_OK; > + > + } else { > + int bits = (exit_info_1 & 0x70) >> 1; > + u64 rax = 0; > + > + if (!(exit_info_1 & IOIO_TYPE_IN)) > + rax = lower_bits(regs->ax, bits); > + > + ghcb_set_rax(ghcb, rax); > + > + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); > + if (ret != ES_OK) > + return ret; > + > + if (exit_info_1 & IOIO_TYPE_IN) { > + if (!ghcb_is_valid_rax(ghcb)) > + return ES_VMM_ERROR; > + regs->ax = lower_bits(ghcb->save.rax, bits); > + } > + } > + > + return ret; > +} > -- > 2.17.1 >
On Sat, May 16, 2020 at 09:57:14AM +0200, Borislav Petkov wrote: > Just a reminder so that this doesn't get lost: > > On Tue, Apr 28, 2020 at 05:16:35PM +0200, Joerg Roedel wrote: > > + if (exit_info_1 & IOIO_TYPE_STR) { > > + int df = (regs->flags & X86_EFLAGS_DF) ? -1 : 1; > > ... Thanks, this is fixed now.
Hi Jean, On Tue, May 19, 2020 at 11:20:55PM -0700, Sean Christopherson wrote: > On Tue, Apr 28, 2020 at 05:16:35PM +0200, Joerg Roedel wrote: > > + /* > > + * For the string variants with rep prefix the amount of in/out > > + * operations per #VC exception is limited so that the kernel > > + * has a chance to take interrupts an re-schedule while the > > + * instruction is emulated. > > Doesn't this also suppress single-step #DBs? Yes it does. > > > + */ > > + io_bytes = (exit_info_1 >> 4) & 0x7; > > + ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes; > > + > > + op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1; > > + exit_info_2 = min(op_count, ghcb_count); > > + exit_bytes = exit_info_2 * io_bytes; > > + > > + es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES); > > + > > + if (!(exit_info_1 & IOIO_TYPE_IN)) { > > + ret = vc_insn_string_read(ctxt, > > + (void *)(es_base + regs->si), > > SEV(-ES) is 64-bit only, why bother with the es_base charade? User-space can also cause IOIO #VC exceptions, and user-space can be 32-bit legacy code with segments, so es_base has to be taken into account. > > > + ghcb->shared_buffer, io_bytes, > > + exit_info_2, df); > > df handling is busted, it's aways non-zero. Same goes for the SI/DI > adjustments below. Right, this is fixed now. > Batching the memory accesses and I/O accesses separately is technically > wrong, e.g. a #DB on a memory access will result in bogus data being shown > in the debugger. In practice it seems unlikely to matter, but I'm curious > as to why string I/O is supported in the first place. I didn't think there > was that much string I/O in the kernel? True, #DBs won't be correct anymore. Currently debugging is not supported in SEV-ES guests anyway, but if it is supported the #DB exception would happen in the #VC handler and not on the original instruction. Regards, Joerg
On Wed, Jun 03, 2020 at 04:23:25PM +0200, Joerg Roedel wrote: > > > + */ > > > + io_bytes = (exit_info_1 >> 4) & 0x7; > > > + ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes; > > > + > > > + op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1; > > > + exit_info_2 = min(op_count, ghcb_count); > > > + exit_bytes = exit_info_2 * io_bytes; > > > + > > > + es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES); > > > + > > > + if (!(exit_info_1 & IOIO_TYPE_IN)) { > > > + ret = vc_insn_string_read(ctxt, > > > + (void *)(es_base + regs->si), > > > > SEV(-ES) is 64-bit only, why bother with the es_base charade? > > User-space can also cause IOIO #VC exceptions, and user-space can be > 32-bit legacy code with segments, so es_base has to be taken into > account. Is there actually a use case for this? Exposing port IO to userspace doesn't exactly improve security. Given that i386 ABI requires EFLAGS.DF=0 upon function entry/exit, i.e. is the de facto default, the DF bug implies this hasn't been tested. And I don't see how this could possibly have worked for SEV given that the kernel unrolls string I/O because the VMM can't emulate string I/O. Presumably someone would have complained if they "needed" to run legacy crud. The host and guest obviously need major updates, so supporting e.g. DPDK with legacy virtio seems rather silly. > > > + ghcb->shared_buffer, io_bytes, > > > + exit_info_2, df); > > > > df handling is busted, it's aways non-zero. Same goes for the SI/DI > > adjustments below. > > Right, this is fixed now. > > > Batching the memory accesses and I/O accesses separately is technically > > wrong, e.g. a #DB on a memory access will result in bogus data being shown > > in the debugger. In practice it seems unlikely to matter, but I'm curious > > as to why string I/O is supported in the first place. I didn't think there > > was that much string I/O in the kernel? > > True, #DBs won't be correct anymore. Currently debugging is not > supported in SEV-ES guests anyway, but if it is supported the #DB > exception would happen in the #VC handler and not on the original > instruction. As in, the guest can't debug itself? Or the host can't debug the guest?
On Wed, Jun 03, 2020 at 04:07:16PM -0700, Sean Christopherson wrote: > On Wed, Jun 03, 2020 at 04:23:25PM +0200, Joerg Roedel wrote: > > User-space can also cause IOIO #VC exceptions, and user-space can be > > 32-bit legacy code with segments, so es_base has to be taken into > > account. > > Is there actually a use case for this? Exposing port IO to userspace > doesn't exactly improve security. Might be true, but Linux supports it and this patch-set is not the place to challenge this feature. > Given that i386 ABI requires EFLAGS.DF=0 upon function entry/exit, i.e. is > the de facto default, the DF bug implies this hasn't been tested. And I > don't see how this could possibly have worked for SEV given that the kernel > unrolls string I/O because the VMM can't emulate string I/O. Presumably > someone would have complained if they "needed" to run legacy crud. The > host and guest obviously need major updates, so supporting e.g. DPDK with > legacy virtio seems rather silly. With SEV-ES and this unrolling of string-io doesn't need to happen anymore. It is on the list of things to improve, but this patch-set is already pretty big. > > True, #DBs won't be correct anymore. Currently debugging is not > > supported in SEV-ES guests anyway, but if it is supported the #DB > > exception would happen in the #VC handler and not on the original > > instruction. > > As in, the guest can't debug itself? Or the host can't debug the guest? Both, the guest can't debug itself because writes to DR7 never make it to the hardware DR7 register. And the host obviously can't debug the guest because it has no access to its unencrypted memory and register state. Regards, Joerg
On Thu, Jun 04, 2020 at 12:15:02PM +0200, Joerg Roedel wrote: > On Wed, Jun 03, 2020 at 04:07:16PM -0700, Sean Christopherson wrote: > > On Wed, Jun 03, 2020 at 04:23:25PM +0200, Joerg Roedel wrote: > > > User-space can also cause IOIO #VC exceptions, and user-space can be > > > 32-bit legacy code with segments, so es_base has to be taken into > > > account. > > > > Is there actually a use case for this? Exposing port IO to userspace > > doesn't exactly improve security. > > Might be true, but Linux supports it and this patch-set is not the place > to challenge this feature. But SEV already broke it, no?
On Thu, Jun 04, 2020 at 07:59:33AM -0700, Sean Christopherson wrote:
> But SEV already broke it, no?
True, but with SEV-ES is can be fixed again, and all SEV hardware also
supports SEV-ES.
Regards,
Joerg
diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c index 1241697dd156..17765e471e28 100644 --- a/arch/x86/boot/compressed/sev-es.c +++ b/arch/x86/boot/compressed/sev-es.c @@ -23,6 +23,35 @@ struct ghcb boot_ghcb_page __aligned(PAGE_SIZE); struct ghcb *boot_ghcb; +/* + * Copy a version of this function here - insn-eval.c can't be used in + * pre-decompression code. + */ +static bool insn_has_rep_prefix(struct insn *insn) +{ + int i; + + insn_get_prefixes(insn); + + for (i = 0; i < insn->prefixes.nbytes; i++) { + insn_byte_t p = insn->prefixes.bytes[i]; + + if (p == 0xf2 || p == 0xf3) + return true; + } + + return false; +} + +/* + * Only a dummy for insn_get_seg_base() - Early boot-code is 64bit only and + * doesn't use segments. + */ +static unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) +{ + return 0UL; +} + static inline u64 sev_es_rd_ghcb_msr(void) { unsigned long low, high; @@ -150,6 +179,9 @@ void do_boot_stage2_vc(struct pt_regs *regs, unsigned long exit_code) goto finish; switch (exit_code) { + case SVM_EXIT_IOIO: + result = vc_handle_ioio(boot_ghcb, &ctxt); + break; default: result = ES_UNSUPPORTED; break; diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c index 22eb3ed89186..5d4d0e2b7777 100644 --- a/arch/x86/kernel/sev-es-shared.c +++ b/arch/x86/kernel/sev-es-shared.c @@ -217,3 +217,205 @@ static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt, return ret; } + +#define IOIO_TYPE_STR BIT(2) +#define IOIO_TYPE_IN 1 +#define IOIO_TYPE_INS (IOIO_TYPE_IN | IOIO_TYPE_STR) +#define IOIO_TYPE_OUT 0 +#define IOIO_TYPE_OUTS (IOIO_TYPE_OUT | IOIO_TYPE_STR) + +#define IOIO_REP BIT(3) + +#define IOIO_ADDR_64 BIT(9) +#define IOIO_ADDR_32 BIT(8) +#define IOIO_ADDR_16 BIT(7) + +#define IOIO_DATA_32 BIT(6) +#define IOIO_DATA_16 BIT(5) +#define IOIO_DATA_8 BIT(4) + +#define IOIO_SEG_ES (0 << 10) +#define IOIO_SEG_DS (3 << 10) + +static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) +{ + struct insn *insn = &ctxt->insn; + *exitinfo = 0; + + switch (insn->opcode.bytes[0]) { + /* INS opcodes */ + case 0x6c: + case 0x6d: + *exitinfo |= IOIO_TYPE_INS; + *exitinfo |= IOIO_SEG_ES; + *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + break; + + /* OUTS opcodes */ + case 0x6e: + case 0x6f: + *exitinfo |= IOIO_TYPE_OUTS; + *exitinfo |= IOIO_SEG_DS; + *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + break; + + /* IN immediate opcodes */ + case 0xe4: + case 0xe5: + *exitinfo |= IOIO_TYPE_IN; + *exitinfo |= insn->immediate.value << 16; + break; + + /* OUT immediate opcodes */ + case 0xe6: + case 0xe7: + *exitinfo |= IOIO_TYPE_OUT; + *exitinfo |= insn->immediate.value << 16; + break; + + /* IN register opcodes */ + case 0xec: + case 0xed: + *exitinfo |= IOIO_TYPE_IN; + *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + break; + + /* OUT register opcodes */ + case 0xee: + case 0xef: + *exitinfo |= IOIO_TYPE_OUT; + *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + break; + + default: + return ES_DECODE_FAILED; + } + + switch (insn->opcode.bytes[0]) { + case 0x6c: + case 0x6e: + case 0xe4: + case 0xe6: + case 0xec: + case 0xee: + /* Single byte opcodes */ + *exitinfo |= IOIO_DATA_8; + break; + default: + /* Length determined by instruction parsing */ + *exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16 + : IOIO_DATA_32; + } + switch (insn->addr_bytes) { + case 2: + *exitinfo |= IOIO_ADDR_16; + break; + case 4: + *exitinfo |= IOIO_ADDR_32; + break; + case 8: + *exitinfo |= IOIO_ADDR_64; + break; + } + + if (insn_has_rep_prefix(insn)) + *exitinfo |= IOIO_REP; + + return ES_OK; +} + +static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt) +{ + struct pt_regs *regs = ctxt->regs; + u64 exit_info_1, exit_info_2; + enum es_result ret; + + ret = vc_ioio_exitinfo(ctxt, &exit_info_1); + if (ret != ES_OK) + return ret; + + if (exit_info_1 & IOIO_TYPE_STR) { + int df = (regs->flags & X86_EFLAGS_DF) ? -1 : 1; + unsigned int io_bytes, exit_bytes; + unsigned int ghcb_count, op_count; + unsigned long es_base; + u64 sw_scratch; + + /* + * For the string variants with rep prefix the amount of in/out + * operations per #VC exception is limited so that the kernel + * has a chance to take interrupts an re-schedule while the + * instruction is emulated. + */ + io_bytes = (exit_info_1 >> 4) & 0x7; + ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes; + + op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1; + exit_info_2 = min(op_count, ghcb_count); + exit_bytes = exit_info_2 * io_bytes; + + es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES); + + if (!(exit_info_1 & IOIO_TYPE_IN)) { + ret = vc_insn_string_read(ctxt, + (void *)(es_base + regs->si), + ghcb->shared_buffer, io_bytes, + exit_info_2, df); + if (ret) + return ret; + } + + sw_scratch = __pa(ghcb) + offsetof(struct ghcb, shared_buffer); + ghcb_set_sw_scratch(ghcb, sw_scratch); + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, + exit_info_1, exit_info_2); + if (ret != ES_OK) + return ret; + + /* Everything went well, write back results */ + if (exit_info_1 & IOIO_TYPE_IN) { + ret = vc_insn_string_write(ctxt, + (void *)(es_base + regs->di), + ghcb->shared_buffer, io_bytes, + exit_info_2, df); + if (ret) + return ret; + + if (df) + regs->di -= exit_bytes; + else + regs->di += exit_bytes; + } else { + if (df) + regs->si -= exit_bytes; + else + regs->si += exit_bytes; + } + + if (exit_info_1 & IOIO_REP) + regs->cx -= exit_info_2; + + ret = regs->cx ? ES_RETRY : ES_OK; + + } else { + int bits = (exit_info_1 & 0x70) >> 1; + u64 rax = 0; + + if (!(exit_info_1 & IOIO_TYPE_IN)) + rax = lower_bits(regs->ax, bits); + + ghcb_set_rax(ghcb, rax); + + ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0); + if (ret != ES_OK) + return ret; + + if (exit_info_1 & IOIO_TYPE_IN) { + if (!ghcb_is_valid_rax(ghcb)) + return ES_VMM_ERROR; + regs->ax = lower_bits(ghcb->save.rax, bits); + } + } + + return ret; +}