kernel/cpu: Fix access permissions for SVSM VMSAs

Make sure the guest OS can not access the VMSA pages of the SVSM by only giving permissions up to VMPL1. Signed-off-by: Joerg Roedel <jroedel@suse.de>
coconut-svsm · Dec 17, 2024 · 4db3325 · 4db3325
1 parent 928e8ff
commit 4db3325
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/kernel/src/cpu/percpu.rs b/kernel/src/cpu/percpu.rs
@@ -838,7 +838,7 @@ impl PerCpu {
             return Err(SvsmError::Mem);
         }
 
-        let mut vmsa = VmsaPage::new(RMPFlags::GUEST_VMPL)?;
+        let mut vmsa = VmsaPage::new(RMPFlags::VMPL1)?;
         let paddr = vmsa.paddr();
 
         // Initialize VMSA