Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
"Montes, Julio" writes:
>> Does you kernel have 95c5c7c77c ("KVM: nVMX: list VMX MSRs in
>> KVM_GET_MSR_INDEX_LIST")?
>
> I was using linux 5.0.0, now I have 5.3.0 and it's working, thanks for fixing
> this
>
Thanks for the confirmation!
I don't see any good solution for kernels without 95c5c7c77c, we'll have
either one issue or another.
--
Vitaly
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
> Does you kernel have 95c5c7c77c ("KVM: nVMX: list VMX MSRs in
> KVM_GET_MSR_INDEX_LIST")?
I was using linux 5.0.0, now I have 5.3.0 and it's working, thanks for fixing
this
From: Vitaly Kuznetsov
Sent: Wednesday, April 1, 2020 1:05 AM
To: Montes, Julio
Cc: Marcelo Tosatti ; Eduardo Habkost
; Dr . David Alan Gilbert ; Richard
Henderson ; Paolo Bonzini ;
qemu-devel@nongnu.org
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary
execution controls
"Montes, Julio" writes:
> Hi Vitaly
>
> thanks for raising this, unfortunately this patch didn't work for me, I still
> get the same error:
>
>
Does you kernel have 95c5c7c77c ("KVM: nVMX: list VMX MSRs in
KVM_GET_MSR_INDEX_LIST")?
--
Vitaly
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
"Dr. David Alan Gilbert" writes: > So you would think that would tkae care of RDSEED exiting - but what > about VMCS shadowing? > SECONDARY_EXEC_SHADOW_VMCS is special, we are able to emulate it in KVM even when it is not supported by hardware, see nested_vmx_setup_ctls_msrs(): /* * We can emulate "VMCS shadowing," even if the hardware * doesn't support it. */ msrs->secondary_ctls_high |= SECONDARY_EXEC_SHADOW_VMCS; -- Vitaly
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
"Montes, Julio" writes:
> Hi Vitaly
>
> thanks for raising this, unfortunately this patch didn't work for me, I still
> get the same error:
>
>
Does you kernel have 95c5c7c77c ("KVM: nVMX: list VMX MSRs in
KVM_GET_MSR_INDEX_LIST")?
--
Vitaly
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
David I'm using master 17083d6d1e Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging - Cheers Julio From: Dr. David Alan Gilbert Sent: Tuesday, March 31, 2020 11:26 AM To: Montes, Julio Cc: Paolo Bonzini ; Vitaly Kuznetsov ; qemu-devel@nongnu.org ; Marcelo Tosatti ; Eduardo Habkost ; Richard Henderson Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls * Montes, Julio (julio.mon...@intel.com) wrote: > Sorry for my last email, it was incomplete > > Hi Vitaly > > thanks for raising this, unfortunately this patch didn't work for me, I still > get the same error: Are you trying that on top of 5.0 or ontop of the older 4.2 world? > qemu-system-x86_64: error: failed to set MSR 0x48b to 0x1582e > qemu-system-x86_64: > /home/testpmem/go/src/github.com/kata-containers/qemu/target/i386/kvm.c:2695: > kvm_buf_set_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs If my reading of 0x1582e is correct then we have: 0x1582e VMX_SECONDARY_EXEC_RDSEED_EXITING 0x0001 ! VMX_SECONDARY_EXEC_SHADOW_VMCS 0x4000 ! VMX_SECONDARY_EXEC_ENABLE_INVPCID 0x1000 VMX_SECONDARY_EXEC_RDRAND_EXITING 0x0800 VMX_SECONDARY_EXEC_ENABLE_VPID 0x0020 VMX_SECONDARY_EXEC_ENABLE_EPT 0x0002 VMX_SECONDARY_EXEC_DESC 0x0004 VMX_SECONDARY_EXEC_RDTSCP 0x0008 > > my qemu command line: > /usr/bin/qemu-system-x86_64 -name > sandbox-f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633 > -uuid 8189ac12-5a5c-4989-bf82-c0218f8a3d33 -machine > pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp > unix:/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qmp.sock,server,nowait > -m 2048M,slots=10,maxmem=17041M -device > pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= > -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device > virtconsole,chardev=charconsole0,id=console0 -chardev > socket,id=charconsole0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/console.sock,server,nowait > -device nvdimm,id=nv0,memdev=mem0 -object > memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-clearlinux-32700-osbuilder-891b61c-agent-73afd1a.img,size=134217728 > -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object > rng-random,id=rng0,filename=/dev/urandom -device > virtio-rng-pci,rng=rng0,romfile= -device > virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev > socket,id=charch0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/kata.sock,server,nowait > -device > virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= > -fsdev > local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633,security_model=none > -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device > driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= > -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config > -nodefaults -nographic -daemonize -object > memory-backend-ram,id=dimm1,size=2048M -numa node,memdev=dimm1 -kernel > /usr/share/kata-containers/vmlinuz-5.4.15-71 -append tsc=reliable > no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 > i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 > iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 > rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug > systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4 > agent.use_vsock=false systemd.unit=kata-containers.target > systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket > agent.log=debug agent.log=debug -pidfile > /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f37 > 7a877c03ddc64e1e5e8685633/pid -D > /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qemu.log > -smp 1,cores=1,threads=1,sockets=4,maxcpus=4 > > > > ./vmxcap output: > > secondary processor-based controls > Virtualize APIC accesses no > Enable EPT yes > Descriptor-table exiting yes > Enable RDTSCPyes > Virtualize x2APIC mode no > Enable VPID yes > WBINVD exiting no > Unres
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
* Montes, Julio (julio.mon...@intel.com) wrote: > Sorry for my last email, it was incomplete > > Hi Vitaly > > thanks for raising this, unfortunately this patch didn't work for me, I still > get the same error: Are you trying that on top of 5.0 or ontop of the older 4.2 world? > qemu-system-x86_64: error: failed to set MSR 0x48b to 0x1582e > qemu-system-x86_64: > /home/testpmem/go/src/github.com/kata-containers/qemu/target/i386/kvm.c:2695: > kvm_buf_set_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs If my reading of 0x1582e is correct then we have: 0x1582e VMX_SECONDARY_EXEC_RDSEED_EXITING 0x0001 ! VMX_SECONDARY_EXEC_SHADOW_VMCS 0x4000 ! VMX_SECONDARY_EXEC_ENABLE_INVPCID 0x1000 VMX_SECONDARY_EXEC_RDRAND_EXITING 0x0800 VMX_SECONDARY_EXEC_ENABLE_VPID 0x0020 VMX_SECONDARY_EXEC_ENABLE_EPT 0x0002 VMX_SECONDARY_EXEC_DESC 0x0004 VMX_SECONDARY_EXEC_RDTSCP 0x0008 > > my qemu command line: > /usr/bin/qemu-system-x86_64 -name > sandbox-f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633 > -uuid 8189ac12-5a5c-4989-bf82-c0218f8a3d33 -machine > pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp > unix:/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qmp.sock,server,nowait > -m 2048M,slots=10,maxmem=17041M -device > pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= > -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device > virtconsole,chardev=charconsole0,id=console0 -chardev > socket,id=charconsole0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/console.sock,server,nowait > -device nvdimm,id=nv0,memdev=mem0 -object > memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-clearlinux-32700-osbuilder-891b61c-agent-73afd1a.img,size=134217728 > -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object > rng-random,id=rng0,filename=/dev/urandom -device > virtio-rng-pci,rng=rng0,romfile= -device > virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev > socket,id=charch0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/kata.sock,server,nowait > -device > virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= > -fsdev > local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633,security_model=none > -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device > driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= > -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config > -nodefaults -nographic -daemonize -object > memory-backend-ram,id=dimm1,size=2048M -numa node,memdev=dimm1 -kernel > /usr/share/kata-containers/vmlinuz-5.4.15-71 -append tsc=reliable > no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 > i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 > iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 > rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug > systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4 > agent.use_vsock=false systemd.unit=kata-containers.target > systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket > agent.log=debug agent.log=debug -pidfile > /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f37 > 7a877c03ddc64e1e5e8685633/pid -D > /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qemu.log > -smp 1,cores=1,threads=1,sockets=4,maxcpus=4 > > > > ./vmxcap output: > > secondary processor-based controls > Virtualize APIC accesses no > Enable EPT yes > Descriptor-table exiting yes > Enable RDTSCPyes > Virtualize x2APIC mode no > Enable VPID yes > WBINVD exiting no > Unrestricted guest no > APIC register emulation no > Virtual interrupt delivery no > PAUSE-loop exiting no > RDRAND exiting yes > Enable INVPCID yes > Enable VM functions no > VMCS shadowing no < > Enable ENCLS exiting no > RDSEED exiting no < > Enable PML no > EPT-violation #VEno > Conceal non-root operation from PT no > Enable XSAVES/XRSTORSno
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
RDTSCPyes
Virtualize x2APIC mode no
Enable VPID yes
WBINVD exiting no
Unrestricted guest no
APIC register emulation no
Virtual interrupt delivery no
PAUSE-loop exiting no
RDRAND exiting yes
Enable INVPCID yes
Enable VM functions no
VMCS shadowing no
Enable ENCLS exiting no
RDSEED exiting no
Enable PML no
EPT-violation #VEno
Conceal non-root operation from PT no
Enable XSAVES/XRSTORSno
Mode-based execute control (XS/XU) no
Sub-page write permissions no
GPA translation for PT no
TSC scaling no
User wait and pause no
ENCLV exitingno
VM-Exit controls
Save debug controls default
Host address-space size forced
Load IA32_PERF_GLOBAL_CTRL no
Acknowledge interrupt on exityes
Save IA32_PATyes
Load IA32_PATyes
Save IA32_EFER yes
Load IA32_EFER yes
Save VMX-preemption timer value no
Clear IA32_BNDCFGS no
Conceal VM exits from PT no
Clear IA32_RTIT_CTL no
VM-Entry controls
Load debug controls default
IA-32e mode guestyes
Entry to SMM no
Deactivate dual-monitor treatmentno
Load IA32_PERF_GLOBAL_CTRL no
Load IA32_PATyes
Load IA32_EFER yes
Load IA32_BNDCFGSno
Conceal VM entries from PT no
Load IA32_RTIT_CTL no
Miscellaneous data
Hex: 0x40
VMX-preemption timer scale (log2)0
Store EFER.LMA into IA-32e mode guest control no
HLT activity state yes
Shutdown activity state no
Wait-for-SIPI activity state no
PT in VMX operation no
IA32_SMBASE support no
Number of CR3-target values 0
MSR-load/store count recommendation 0
IA32_SMM_MONITOR_CTL[2] can be set to 1 no
VMWRITE to VM-exit information fieldsno
Inject event with insn length=0 no
MSEG revision identifier 0
VPID and EPT capabilities
Hex: 0xf0106114040
Execute-only EPT translationsno
Page-walk length 4 yes
Paging-structure memory type UC no
Paging-structure memory type WB yes
2MB EPT pagesyes
1GB EPT pagesno
INVEPT supported yes
EPT accessed and dirty flags no
Advanced VM-exit information for EPT violations no
Single-context INVEPTyes
All-context INVEPT yes
INVVPID supportedyes
Individual-address INVVPID yes
Single-context INVVPID yes
All-context INVVPID yes
Single-context-retaining-globals INVVPID yes
VM Functions
Hex: 0x0
EPTP Switching no
From: Montes, Julio
Sent: Tuesday, March 31, 2020 10:56 AM
To: Paolo Bonzini ; Vitaly Kuznetsov
; qemu-devel@nongnu.org
Cc: Marcelo Tosatti ; Eduardo Habkost
; Dr . David Alan Gilbert ; Richard
Henderson
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary
execution controls
Hi Vitaly
thanks for raising this, unfortunately this patch didn't work for me, I still
get the same error:
my qemu command line:
From: Qemu-devel on
behalf of Paolo Bonzini
Sent: Tuesday, March 31, 2020 10:32 AM
To: Vitaly Kuznetsov ; qemu-devel@nongnu.org
Cc: Marcelo Tosatti ; Eduardo Habkost
; Dr . David Alan Gilbert ; Richard
Henderson
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary
execution controls
On 31/03/20 18:27, Vitaly Kuznetsov wrote:
> Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
> secondary execution controls") added a workaround for KVM pre-dating
> commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
> KVM_GET_MSRS") which wasn't setting certain available controls. The
> workaround uses generic CPUID feature bits to set missing VMX controls.
>
> It was found that in some cases it is possible to observe hosts which
> have certain CPU
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
Hi Vitaly
thanks for raising this, unfortunately this patch didn't work for me, I still
get the same error:
my qemu command line:
From: Qemu-devel on
behalf of Paolo Bonzini
Sent: Tuesday, March 31, 2020 10:32 AM
To: Vitaly Kuznetsov ; qemu-devel@nongnu.org
Cc: Marcelo Tosatti ; Eduardo Habkost
; Dr . David Alan Gilbert ; Richard
Henderson
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary
execution controls
On 31/03/20 18:27, Vitaly Kuznetsov wrote:
> Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
> secondary execution controls") added a workaround for KVM pre-dating
> commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
> KVM_GET_MSRS") which wasn't setting certain available controls. The
> workaround uses generic CPUID feature bits to set missing VMX controls.
>
> It was found that in some cases it is possible to observe hosts which
> have certain CPUID features but lack the corresponding VMX control.
>
> In particular, it was reported that Azure VMs have RDSEED but lack
> VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature
> bit result in QEMU abort.
>
> Resolve the issue but not applying the workaround when we don't have
> to. As there is no good way to find out if KVM has the fix itself, use
> 95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead
> as these [are supposed to] come together.
>
> Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary
> execution controls")
> Suggested-by: Paolo Bonzini
> Signed-off-by: Vitaly Kuznetsov
Queued, thanks.
Paolo
> ---
> target/i386/kvm.c | 41 ++---
> 1 file changed, 26 insertions(+), 15 deletions(-)
>
> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
> index 69eb43d796e6..4901c6dd747d 100644
> --- a/target/i386/kvm.c
> +++ b/target/i386/kvm.c
> @@ -106,6 +106,7 @@ static bool has_msr_arch_capabs;
> static bool has_msr_core_capabs;
> static bool has_msr_vmx_vmfunc;
> static bool has_msr_ucode_rev;
> +static bool has_msr_vmx_procbased_ctls2;
>
> static uint32_t has_architectural_pmu_version;
> static uint32_t num_architectural_pmu_gp_counters;
> @@ -490,21 +491,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState
> *s, uint32_t index)
> value = msr_data.entries[0].data;
> switch (index) {
> case MSR_IA32_VMX_PROCBASED_CTLS2:
> -/* KVM forgot to add these bits for some time, do this ourselves. */
> -if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> CPUID_XSAVE_XSAVES) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND)
> {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> CPUID_7_0_EBX_INVPCID) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> CPUID_7_0_EBX_RDSEED) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
> CPUID_EXT2_RDTSCP) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> +if (!has_msr_vmx_procbased_ctls2) {
> +/* KVM forgot to add these bits for some time, do this
> ourselves. */
> +if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> +CPUID_XSAVE_XSAVES) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
> +CPUID_EXT_RDRAND) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> +CPUID_7_0_EBX_INVPCID) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> +CPUID_7_0_EBX_RDSEED) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
> +CPUID_EXT2_RDTSCP) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> +}
> }
> /* fall through */
> case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
> @@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s)
> case MSR_IA32_UCODE_REV:
> has_msr_ucode_rev = true;
> break;
> +case MSR_IA32_VMX_PROCBASED_CTLS2:
> +has_msr_vmx_procbased_ctls2 = true;
> +break;
> }
> }
> }
>
Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
On 31/03/20 18:27, Vitaly Kuznetsov wrote:
> Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
> secondary execution controls") added a workaround for KVM pre-dating
> commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
> KVM_GET_MSRS") which wasn't setting certain available controls. The
> workaround uses generic CPUID feature bits to set missing VMX controls.
>
> It was found that in some cases it is possible to observe hosts which
> have certain CPUID features but lack the corresponding VMX control.
>
> In particular, it was reported that Azure VMs have RDSEED but lack
> VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature
> bit result in QEMU abort.
>
> Resolve the issue but not applying the workaround when we don't have
> to. As there is no good way to find out if KVM has the fix itself, use
> 95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead
> as these [are supposed to] come together.
>
> Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary
> execution controls")
> Suggested-by: Paolo Bonzini
> Signed-off-by: Vitaly Kuznetsov
Queued, thanks.
Paolo
> ---
> target/i386/kvm.c | 41 ++---
> 1 file changed, 26 insertions(+), 15 deletions(-)
>
> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
> index 69eb43d796e6..4901c6dd747d 100644
> --- a/target/i386/kvm.c
> +++ b/target/i386/kvm.c
> @@ -106,6 +106,7 @@ static bool has_msr_arch_capabs;
> static bool has_msr_core_capabs;
> static bool has_msr_vmx_vmfunc;
> static bool has_msr_ucode_rev;
> +static bool has_msr_vmx_procbased_ctls2;
>
> static uint32_t has_architectural_pmu_version;
> static uint32_t num_architectural_pmu_gp_counters;
> @@ -490,21 +491,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState
> *s, uint32_t index)
> value = msr_data.entries[0].data;
> switch (index) {
> case MSR_IA32_VMX_PROCBASED_CTLS2:
> -/* KVM forgot to add these bits for some time, do this ourselves. */
> -if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> CPUID_XSAVE_XSAVES) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND)
> {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> CPUID_7_0_EBX_INVPCID) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> CPUID_7_0_EBX_RDSEED) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> -}
> -if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
> CPUID_EXT2_RDTSCP) {
> -value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> +if (!has_msr_vmx_procbased_ctls2) {
> +/* KVM forgot to add these bits for some time, do this
> ourselves. */
> +if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> +CPUID_XSAVE_XSAVES) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
> +CPUID_EXT_RDRAND) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> +CPUID_7_0_EBX_INVPCID) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> +CPUID_7_0_EBX_RDSEED) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> +}
> +if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
> +CPUID_EXT2_RDTSCP) {
> +value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> +}
> }
> /* fall through */
> case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
> @@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s)
> case MSR_IA32_UCODE_REV:
> has_msr_ucode_rev = true;
> break;
> +case MSR_IA32_VMX_PROCBASED_CTLS2:
> +has_msr_vmx_procbased_ctls2 = true;
> +break;
> }
> }
> }
>
[PATCH] target/i386: do not set unsupported VMX secondary execution controls
Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
secondary execution controls") added a workaround for KVM pre-dating
commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
KVM_GET_MSRS") which wasn't setting certain available controls. The
workaround uses generic CPUID feature bits to set missing VMX controls.
It was found that in some cases it is possible to observe hosts which
have certain CPUID features but lack the corresponding VMX control.
In particular, it was reported that Azure VMs have RDSEED but lack
VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature
bit result in QEMU abort.
Resolve the issue but not applying the workaround when we don't have
to. As there is no good way to find out if KVM has the fix itself, use
95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead
as these [are supposed to] come together.
Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary
execution controls")
Suggested-by: Paolo Bonzini
Signed-off-by: Vitaly Kuznetsov
---
target/i386/kvm.c | 41 ++---
1 file changed, 26 insertions(+), 15 deletions(-)
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 69eb43d796e6..4901c6dd747d 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -106,6 +106,7 @@ static bool has_msr_arch_capabs;
static bool has_msr_core_capabs;
static bool has_msr_vmx_vmfunc;
static bool has_msr_ucode_rev;
+static bool has_msr_vmx_procbased_ctls2;
static uint32_t has_architectural_pmu_version;
static uint32_t num_architectural_pmu_gp_counters;
@@ -490,21 +491,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s,
uint32_t index)
value = msr_data.entries[0].data;
switch (index) {
case MSR_IA32_VMX_PROCBASED_CTLS2:
-/* KVM forgot to add these bits for some time, do this ourselves. */
-if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
CPUID_XSAVE_XSAVES) {
-value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
-}
-if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) {
-value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
-}
-if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
CPUID_7_0_EBX_INVPCID) {
-value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
-}
-if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
CPUID_7_0_EBX_RDSEED) {
-value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
-}
-if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
CPUID_EXT2_RDTSCP) {
-value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
+if (!has_msr_vmx_procbased_ctls2) {
+/* KVM forgot to add these bits for some time, do this ourselves.
*/
+if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
+CPUID_XSAVE_XSAVES) {
+value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
+}
+if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
+CPUID_EXT_RDRAND) {
+value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
+}
+if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
+CPUID_7_0_EBX_INVPCID) {
+value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
+}
+if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
+CPUID_7_0_EBX_RDSEED) {
+value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
+}
+if (kvm_arch_get_supported_cpuid(s, 0x8001, 0, R_EDX) &
+CPUID_EXT2_RDTSCP) {
+value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
+}
}
/* fall through */
case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
@@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s)
case MSR_IA32_UCODE_REV:
has_msr_ucode_rev = true;
break;
+case MSR_IA32_VMX_PROCBASED_CTLS2:
+has_msr_vmx_procbased_ctls2 = true;
+break;
}
}
}
--
2.25.1
