From 881362e4e13dd5912f0eff01d07810947d3da5ff Mon Sep 17 00:00:00 2001
From: hshoexer <hshoexer@openbsd.org>
Date: Mon, 16 Feb 2026 15:10:39 +0000
Subject: [PATCH] Handle VMMCALL in vctrap()

When SEV guest userland issues a vmmcall instruction, a #VC exception
with code SVM_VMEXIT_VMMCALL will be raised in the guest kernel.
For now we do not allow vmmcalls from guest userland, thus terminate
the userland process with SIGILL.

This is similar to the non-SEV case.

ok mlarkin@
---
 sys/arch/amd64/amd64/trap.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sys/arch/amd64/amd64/trap.c b/sys/arch/amd64/amd64/trap.c
index 2e5728e3853..e7204d48015 100644
--- a/sys/arch/amd64/amd64/trap.c
+++ b/sys/arch/amd64/amd64/trap.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: trap.c,v 1.116 2025/11/26 13:48:57 sf Exp $	*/
+/*	$OpenBSD: trap.c,v 1.117 2026/02/16 15:10:39 hshoexer Exp $	*/
 /*	$NetBSD: trap.c,v 1.2 2003/05/04 23:51:56 fvdl Exp $	*/
 
 /*-
@@ -437,6 +437,14 @@ vctrap(struct trapframe *frame, int user, int *sig, int *code)
 		}
 		break;
 	    }
+	case SVM_VMEXIT_VMMCALL:
+		if (user) {
+			*sig = SIGILL;
+			*code = ILL_PRVOPC;
+			return 0;	/* not allowed from userspace */
+		}
+		panic("unexpected VMMCALL in kernelspace");
+		/* NOTREACHED */
 	case SVM_VMEXIT_NPF:
 		if (user) {
 			*sig = SIGBUS;