Detect TDX Guest when it's virtualised using Hyper-V (#138)
Microsoft has decided to purposefully hide the information of the guest
TEE when VMs are being created using Hyper-V.

This leads us to check for the Hyper-V cpuid features (0x4000000C), and
then for the `ebx` value set.

For Intel TDX, `ebx` is set as `0xbe3`, 3 being the part we're mostly
interested in, according to:
https://github.com/torvalds/linux/blob/d2f51b3516dade79269ff45eae2a7668ae711b25/arch/x86/include/asm/hyperv-tlfs.h#L169-L174

NOTE: On the tests side, we had to manually override the cpuid in order
to avoid the tests failing, and this was suggested by Klaus himself.

Signed-off-by: Fabiano Fidêncio <[email protected]>
fidencio authored Nov 6, 2023
1 parent 21e1a5b commit 3a00e73
Showing 2 changed files with 15 additions and 1 deletion.
14 changes: 14 additions & 0 deletions cpuid.go
Expand Up @@ -1418,6 +1418,20 @@ func support() flagSet {
fs.setIf((a>>24)&1 == 1, VMSA_REGPROT)
}

if mfi >= 0x20 {
// Microsoft has decided to purposefully hide the information
// of the guest TEE when VMs are being created using Hyper-V.
//
// This leads us to check for the Hyper-V cpuid features
// (0x4000000C), and then for the `ebx` value set.
//
// For Intel TDX, `ebx` is set as `0xbe3`, being 3 the part
// we're mostly interested about,according to:
// https://github.com/torvalds/linux/blob/d2f51b3516dade79269ff45eae2a7668ae711b25/arch/x86/include/asm/hyperv-tlfs.h#L169-L174
_, ebx, _, _ := cpuid(0x4000000C)
fs.setIf(ebx == 0xbe3, TDX_GUEST)
}

if mfi >= 0x21 {
// Intel Trusted Domain Extensions Guests have their own cpuid leaf (0x21).
_, ebx, ecx, edx := cpuid(0x21)
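Review bot: `fs.setIf(ebx == 0xbe3, TDX_GUEST)` compares the whole register, although the commit message itself says only the 3 in the low nibble (the isolation type, per the linked hyperv-tlfs.h) is what identifies TDX; the other bits of `0xbe3` are separate isolation-configuration fields, so a Hyper-V TDX guest reporting a different value in those bits would not be detected. Suggest masking out the isolation-type field and comparing that to 3, with named constants instead of the magic number. Separately, the `mfi >= 0x20` guard checks the maximum standard leaf (the same `mfi` is used for leaf 0x21 just below), which says nothing about whether hypervisor leaf 0x4000000C exists; gate this on the hypervisor leaf range reported in `eax` of leaf 0x40000000 and on the Hyper-V vendor signature, otherwise `cpuid(0x4000000C)` is issued on bare metal and on other hypervisors where its `ebx` contents have no defined meaning.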
2 changes: 1 addition & 1 deletion mockcpu_test.go
Expand Up @@ -98,7 +98,7 @@ func mockCPU(def []byte) func() {
}(idfuncs{cpuid: cpuid, cpuidex: cpuidex, xgetbv: xgetbv})

cpuid = func(op uint32) (eax, ebx, ecx, edx uint32) {
if op == 0x80000000 || op == 0 {
if op == 0x80000000 || op == 0 || op == 0x4000000c {
var ok bool
_, ok = fakeID[op]
if !ok {
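Review bot: adding `op == 0x4000000c` to the `fakeID` lookup only stops the mock from tripping on the new leaf; nothing in this change exercises the detection itself. Add a fixture that defines 0x4000000c with `ebx = 0xbe3` and asserts `TDX_GUEST` is reported, plus a negative case (for example `ebx = 0`) confirming it is not set for a non-TDX Hyper-V guest. Minor: the literal is spelled `0x4000000c` here and `0x4000000C` in cpuid.go; pick one.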

0 comments on commit 3a00e73