ITLB Multihit mitigation status report is confusing.

From: Lucius User
Date: Sun Nov 07 2021 - 11:04:15 EST


Hi all.

On a cpu that is vulnerable to iTLB multihit, with VMX enabled in bios and no vms running, the kernel reports the mitigation status as "KVM: Mitigation: VMX disabled". Once a vm starts running, the report changes to "KVM: Vulnerable". Shouldn't the VMX disabled status refer to a situation when VMX is completely disabled via bios, not merely not in use right now?