From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <jbeulich@suse.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [PATCH v9 07/10] VMX: support MSR-IMM
Date: Wed, 26 Nov 2025 18:50:52 +0000 [thread overview]
Message-ID: <0b20af96-bfef-43b1-a22a-db85a18b849d@citrix.com> (raw)
In-Reply-To: <1404b901-0821-4e8d-82c7-1eebd8ed4daa@suse.com>
On 24/11/2025 3:00 pm, Jan Beulich wrote:
> Hook up the new VM exit codes and handle guest uses of the insns.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> v9: New.
> ---
> The lack of an enable bit is concerning; at least for the nested case
> that's a security issue afaict (when L0 isn't aware of the insns, or more
> specifically the exit codes).
This is why we need support statements of new CPUs.
Intel say that unknown VMExits turning into #UD is the expected course
of action. That covers all of these cases which don't have an explicit
enable.
This is better than our current behaviour, which is non-architectural
for supervisor code and practically the most unhelpful course of action
going.
Obviously, logic turning on a new feature is expected to handle all the
VMExit cases it can produce.
The corollary for nested virt is that L0 must never make a Virtual
VMExit with case that isn't enabled. Combined with #UD in the unknown
case, that covers things reasonably well.
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -453,7 +453,7 @@ void domain_cpu_policy_changed(struct do
> }
>
> /* Nested doesn't have the necessary processing, yet. */
> - if ( nestedhvm_enabled(d) && p->feat.user_msr )
> + if ( nestedhvm_enabled(d) && (p->feat.user_msr || p->feat.msr_imm) )
> return /* -EINVAL */;
What processing is missing? (Aside from correcting the unknown case.)
>
> for_each_vcpu ( d, v )
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -4762,6 +4762,7 @@ void asmlinkage vmx_vmexit_handler(struc
> break;
>
> case EXIT_REASON_URDMSR:
> + case EXIT_REASON_RDMSR_IMM:
Instructions which aren't enumerated in CPUID have reserved behaviour.
The exit handler needs to check cp->feat.msr_imm and inject #UD.
It's not perfect; un-intercepted MSRs will happen to execute correctly
on capable hardware, but most MSRs are not intercepted and it's far
closer to adequate behaviour than omitting the #UD check.
~Andrew
next prev parent reply other threads:[~2025-11-26 18:51 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-24 14:56 [PATCH v9 10/10] x86emul: misc additions Jan Beulich
2025-11-24 14:57 ` [PATCH v9 01/10] x86emul: support LKGS Jan Beulich
2025-11-24 14:58 ` [PATCH v9 02/10] x86emul+VMX: support {RD,WR}MSRLIST Jan Beulich
2025-11-24 14:58 ` [PATCH v9 03/10] x86emul: support USER_MSR instructions Jan Beulich
2025-11-24 14:59 ` [PATCH v9 04/10] x86/cpu-policy: re-arrange no-VMX logic Jan Beulich
2026-04-07 21:58 ` Andrew Cooper
2026-04-08 6:09 ` Jan Beulich
2025-11-24 15:00 ` [PATCH v9 05/10] VMX: support USER-MSR Jan Beulich
2025-11-24 15:00 ` [PATCH v9 06/10] x86emul: support MSR_IMM instructions Jan Beulich
2025-11-24 15:00 ` [PATCH v9 07/10] VMX: support MSR-IMM Jan Beulich
2025-11-26 18:50 ` Andrew Cooper [this message]
2025-11-27 8:18 ` Jan Beulich
2025-11-24 15:01 ` [PATCH v9 08/10] x86emul: support non-SIMD MOVRS Jan Beulich
2025-11-24 15:01 ` [PATCH v9 09/10] x86: use / "support" UDB Jan Beulich
2025-12-05 12:01 ` Andrew Cooper
2025-12-05 12:40 ` Andrew Cooper
2025-12-05 13:13 ` Jan Beulich
2025-12-05 13:15 ` Andrew Cooper
2025-12-05 13:15 ` Jan Beulich
2025-12-05 13:35 ` Andrew Cooper
2025-12-05 13:09 ` Jan Beulich
2025-11-24 15:02 ` [PATCH v9 10/10] x86emul: support AVX512-BMM Jan Beulich
2025-12-05 12:33 ` Andrew Cooper
2025-12-05 12:47 ` Jan Beulich
2026-04-07 15:11 ` Andrew Cooper
2025-11-24 15:03 ` [PATCH v9 00/10] x86emul: misc additions Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0b20af96-bfef-43b1-a22a-db85a18b849d@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.