On Fri, Oct 09, 2020 at 05:11:51PM +0300, stsp wrote:
> 09.10.2020 07:04, Sean Christopherson wrote:
> > On Intel, userspace should be able to stuff CR4.VMXE=1 via KVM_SET_SREGS if
> > the 'nested' module param is 1, e.g. if 'modprobe kvm_intel nested=1'. Note,
> > 'nested' is enabled by default on kernel 5.0 and later.
> >
> > With AMD, setting CR4.VMXE=1 is never allowed as AMD doesn't support VMX,
>
> What would be the expected behaviour on Intel, if it is set? Any difference
> with AMD?
>
> Hmm. But at least it was lying
> similarly on AMD and Intel CPUs. :)
> So I was able to reproduce the problems
> myself.
> Do you mean, any AMD tests are now useless, and we need to proceed with Intel
> tests only?

For anything VMXE related, yes.
> But we do not use unrestricted guest.
> We use v86 under KVM.

Unrestricted guest can kick in even if CR0.PG=1 && CR0.PE=1, e.g. there are
segmentation checks that apply if and only if unrestricted_guest=0. Long story
short, without a deep audit, it's basically impossible to rule out a dependency
on unrestricted guest since you're playing around with v86.
> The only other effect of setting VMXE was clearing VME. Which shouldn't
> affect anything either, right?

Hmm, clearing VME would mean that exceptions/interrupts within the guest would
trigger a switch out of v86 and into vanilla protected mode. v86 and PM have
different consistency checks, particularly for segmentation, so it's plausible
that clearing CR4.VME inadvertently worked around the bug by avoiding invalid
guest state for v86.