x86/microcode: adjust sequence of controlling KVM guest and EPC

The current sequence to control SGX-enabled guest and EPC during SGX SVN update is as follows: lock EPC -> halt guest -> resume guest -> unlock EPC There is time window that guest has chance to try to touch EPC while EPC is "locked" for SVN update. To avoid any potential issue, change the order as below, to ensure guest will absolutely have no chance to do anything before SVN update completes. halt guest -> lock EPC -> unlock EPC -> resume guest Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
cc-api · Oct 11, 2022 · e35ac71 · e35ac71
1 parent 8994e06
commit e35ac71
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
@@ -1009,8 +1009,8 @@ int update_cpusvn_intel(void)
 {
 	int ret;
 
-	sgx_lock_epc();
 	sgx_kvm_notifier_halt();
+	sgx_lock_epc();
 	ret = sgx_zap_pages();
 	if (ret)
 		goto out;
@@ -1032,8 +1032,8 @@ int update_cpusvn_intel(void)
 	}
 
 out:
-	sgx_kvm_notifier_resume();
 	sgx_unlock_epc();
+	sgx_kvm_notifier_resume();
 
 	return ret;
 }