From 744d38fab99d0d0b9dbe9f0552cac3c221bc11d3 Mon Sep 17 00:00:00 2001
From: Jon Lange
Date: Fri, 13 Dec 2024 10:40:35 -0800
Subject: [PATCH] igvmbuilder: set VTL2 protection flag where required

The VSM flavor of the IGVM file must specify the "VTL2 protectable" flag on the kernel memory region in order to execute correctly when running in VTL 2.

Signed-off-by: Jon Lange
---
 igvmbuilder/src/igvm_builder.rs | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/igvmbuilder/src/igvm_builder.rs b/igvmbuilder/src/igvm_builder.rs
index 14583085a..651334f60 100644
--- a/igvmbuilder/src/igvm_builder.rs
+++ b/igvmbuilder/src/igvm_builder.rs
@@ -313,12 +313,23 @@ impl IgvmBuilder {
 }
 
 // Describe the kernel RAM region
- self.directives.push(IgvmDirectiveHeader::RequiredMemory {
- gpa: param_block.kernel_base,
- compatibility_mask: COMPATIBILITY_MASK.get(),
- number_of_bytes: param_block.kernel_size,
- vtl2_protectable: false,
- });
+ if COMPATIBILITY_MASK.contains(!VSM_COMPATIBILITY_MASK) {
+ self.directives.push(IgvmDirectiveHeader::RequiredMemory {
+ gpa: param_block.kernel_base,
+ compatibility_mask: COMPATIBILITY_MASK.get() & !VSM_COMPATIBILITY_MASK,
+ number_of_bytes: param_block.kernel_size,
+ vtl2_protectable: false,
+ });
+ }
+
+ if COMPATIBILITY_MASK.contains(VSM_COMPATIBILITY_MASK) {
+ self.directives.push(IgvmDirectiveHeader::RequiredMemory {
+ gpa: param_block.kernel_base,
+ compatibility_mask: VSM_COMPATIBILITY_MASK,
+ number_of_bytes: param_block.kernel_size,
+ vtl2_protectable: true,
+ });
+ }
 
 // Create the two parameter areas for memory map and general parameters.
 self.directives.push(IgvmDirectiveHeader::ParameterArea {
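Review bot: The first condition, `COMPATIBILITY_MASK.contains(!VSM_COMPATIBILITY_MASK)`, is only correct if `contains` means "any of these bits is set"; its definition is outside this hunk, and under the all-bits meaning that bitflags-style `contains` usually carries, the non-VSM `RequiredMemory` directive would never be emitted and the kernel region would go undescribed on every other platform. Computing the value once, `let non_vsm_mask = COMPATIBILITY_MASK.get() & !VSM_COMPATIBILITY_MASK;`, and testing `if non_vsm_mask != 0` would make the condition and the `compatibility_mask` field agree by construction. A short comment above the two blocks, such as `// Emit the kernel region once per platform group: only the VSM flavor marks it VTL2-protectable.`, would also help, because two directives for the same GPA range with disjoint masks read as a duplicate at first glance. The enclosing function starts and ends outside the hunk.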