Re: [PATCH] KVM/VMX: Avoid CR3 VMEXIT during guest real mode when "unrestricted guest" is supported.

["Radim Krčmář" <rkrcmar@redhat.com>]

2017-08-17 13:00+0800, Lan Tianyu:
> On 2017年08月16日 21:26, Radim Krčmář wrote:
> > 2017-08-15 21:58-0400, Lan Tianyu:
> >> These CR3 VMEXITs was introduced for platform without "unrestricted guest"
> >> support. This is to set ept identity table to guest CR3 in guest real
> >> mode because these platforms don't support ept real mode(CR0.PE and CR0.PG
> >> must be set to 1). But these VMEXITs is redundant for platforms with
> >> "unrestricted guest" support.
> >>
> >> Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
> >> ---
> >>  arch/x86/kvm/vmx.c | 22 +++++++++++++---------
> >>  1 file changed, 13 insertions(+), 9 deletions(-)
> >>
> >> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >> @@ -4311,7 +4313,9 @@ static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
> >>  	}
> >>  
> >>  	vmx_flush_tlb(vcpu);
> >> -	vmcs_writel(GUEST_CR3, guest_cr3);
> >> +
> >> +	if (!enable_unrestricted_guest || !enable_ept)
> >> +		vmcs_writel(GUEST_CR3, guest_cr3);
> > 
> > This looks wrong -- it would prevent update GUEST_CR3 outside of
> > non-root mode with enable_unrestricted_guest.
> > 
> 
> OK. Do you mean nest mode? I didn't consider that case.
> I thought there were three cases here.
> 
> 1) Shadow page mode(enable_ept=0)
> 
> 2) ept mode without unrestricted guest mode
>    (ept=1, enable_unrestricted_guest = 0)
> 
> 3) ept mode with unrestricted guest mode
>    (ept=1, enable_unrestricted_guest = 1)
> 
> From my understanding, only (1) and (2) need to update guest cr3.
> If nest mode is still needed to update guest CR3, we can add
> is_guest_mode() in the if condition. Other choice is to just ignore
> setting guest cr3 for case3. The condition maybe changed to

That too, but I was thinking about a more common (3) with enabled
paging, where GUEST_CR3 should reflect what the guest wants there.
Consider a case where the userspace changed CR3 (e.g. after migration),
how would it get propagated to the guest?

> if (!(enable_unrestricted_guest && enable_ept))
> 	vmcs_writel(GUEST_CR3, guest_cr3);

It is the same. :)

I would think that checking the condition is about as fast as doing the
vmcs write, so we don't need to complicate the code.