From: Jan Kiszka [mailto:jan.kis...@siemens.com]
Sent: Tuesday, November 16, 2010 6:23 PM
Am 16.11.2010 05:48, Wang, Shane wrote:
Avi Kivity wrote:
On 11/14/2010 12:41 PM, Jan Kiszka wrote:
Am 14.11.2010 11:30, Avi Kivity wrote:
On 11/14/2010 11:18 AM, Jan Kiszka wrote:
From: Jan Kiszkajan.kis...@siemens.com
Without CONFIG_INTEL_TXT, the user must not enable this feature
in the BIOS. Otherwise, KVM will not work. Explain this
dependency via a kernel log message.
Signed-off-by: Jan Kiszkajan.kis...@siemens.com
---
arch/x86/kvm/vmx.c |7 ++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 9367abc..ebafd57 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1306,8 +1306,13 @@ static __init int
vmx_disabled_by_bios(void)tboot_enabled())
return 1;
if (!(msr FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
- !tboot_enabled()) + !tboot_enabled()) {
+#ifndef CONFIG_INTEL_TXT
+printk(KERN_INFO kvm: if TXT is enabled in the
bios, + kvm depends on
CONFIG_INTEL_TXT\n); +#endif return 1;
+}
}
Why do we need this?
If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is
available.
tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means
tboot_enabled() = 0.
If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.
Probably, this patch is based on my semi-understanding of TXT. What I
observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
does not load and report VT-x being disabled at BIOS level. As my
kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.
However, it turned out that
A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
is enabled in the BIOS
B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
still does not work
The latter appears to be related to the fact that I do not actually have
a trust chain from the BIOS over the boot loader to the kernel. So
tboot_addr is not set and tboot_enabled remains off. I guess I need some
trusted grub or so to get this running, maybe even more. Still, I'm
unsure if that will give me VT-x support back again. Can you comment on
the requirements and mechanisms behind that?
The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when TXT is
enabled is up to each OEM. Intel's original guidance was to clear this flag,
to prevent a Blue Pill type of attack on an un-measured OS launch. Intel has
since change our guidance to set this flag even when TXT is enabled, in order
to allow for dual boot and late launch uses of TXT along with VT.
In any case, what we should catch is the user mistake of enabling TXT in
the BIOS blindly without actually needing it, disabling VT-x this way.
How to express this?
It is probably worth a warning/guidance message to the user that, if this
condition is detected, they should either disable TXT in the BIOS or activate
TXT before enabling KVM.
Jan
--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
