From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Montes, Julio" <julio.montes@intel.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
Date: Tue, 31 Mar 2020 18:26:40 +0100 [thread overview]
Message-ID: <20200331172640.GE2896@work-vm> (raw)
In-Reply-To: <BY5PR11MB3960FE6E5F51F95EF9DFAAAB9AC80@BY5PR11MB3960.namprd11.prod.outlook.com>
* Montes, Julio (julio.montes@intel.com) wrote:
> Sorry for my last email, it was incomplete
>
> Hi Vitaly
>
> thanks for raising this, unfortunately this patch didn't work for me, I still get the same error:
Are you trying that on top of 5.0 or ontop of the older 4.2 world?
> qemu-system-x86_64: error: failed to set MSR 0x48b to 0x1582e00000000
> qemu-system-x86_64: /home/testpmem/go/src/github.com/kata-containers/qemu/target/i386/kvm.c:2695: kvm_buf_set_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs
If my reading of 0x1582e00000000 is correct then we have:
0x1582e 00000000
VMX_SECONDARY_EXEC_RDSEED_EXITING 0x00010000 !
VMX_SECONDARY_EXEC_SHADOW_VMCS 0x00004000 !
VMX_SECONDARY_EXEC_ENABLE_INVPCID 0x00001000
VMX_SECONDARY_EXEC_RDRAND_EXITING 0x00000800
VMX_SECONDARY_EXEC_ENABLE_VPID 0x00000020
VMX_SECONDARY_EXEC_ENABLE_EPT 0x00000002
VMX_SECONDARY_EXEC_DESC 0x00000004
VMX_SECONDARY_EXEC_RDTSCP 0x00000008
>
> my qemu command line:
> /usr/bin/qemu-system-x86_64 -name sandbox-f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633 -uuid 8189ac12-5a5c-4989-bf82-c0218f8a3d33 -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=17041M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-clearlinux-32700-osbuilder-891b61c-agent-73afd1a.img,size=134217728 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633,security_model=none -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -object memory-backend-ram,id=dimm1,size=2048M -numa node,memdev=dimm1 -kernel /usr/share/kata-containers/vmlinuz-5.4.15-71 -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4 agent.use_vsock=false systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket agent.log=debug agent.log=debug -pidfile /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f37
> 7a877c03ddc64e1e5e8685633/pid -D /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qemu.log -smp 1,cores=1,threads=1,sockets=4,maxcpus=4
>
>
>
> ./vmxcap output:
>
> secondary processor-based controls
> Virtualize APIC accesses no
> Enable EPT yes
> Descriptor-table exiting yes
> Enable RDTSCP yes
> Virtualize x2APIC mode no
> Enable VPID yes
> WBINVD exiting no
> Unrestricted guest no
> APIC register emulation no
> Virtual interrupt delivery no
> PAUSE-loop exiting no
> RDRAND exiting yes
> Enable INVPCID yes
> Enable VM functions no
> VMCS shadowing no <<<<<
> Enable ENCLS exiting no
> RDSEED exiting no <<<<<
> Enable PML no
> EPT-violation #VE no
> Conceal non-root operation from PT no
> Enable XSAVES/XRSTORS no
> Mode-based execute control (XS/XU) no
> Sub-page write permissions no
> GPA translation for PT no
> TSC scaling no
> User wait and pause no
> ENCLV exiting no
So we're apparently trying to enable both RDSEED_EXITING and SHADOW_VMCS
which are missing.
> On 31/03/20 18:27, Vitaly Kuznetsov wrote:
> > case MSR_IA32_VMX_PROCBASED_CTLS2:
> > - /* KVM forgot to add these bits for some time, do this ourselves. */
> > - if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & CPUID_XSAVE_XSAVES) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_INVPCID) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_RDSEED) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & CPUID_EXT2_RDTSCP) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> > + if (!has_msr_vmx_procbased_ctls2) {
> > + /* KVM forgot to add these bits for some time, do this ourselves. */
> > + if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> > + CPUID_XSAVE_XSAVES) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
> > + CPUID_EXT_RDRAND) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > + CPUID_7_0_EBX_INVPCID) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > + CPUID_7_0_EBX_RDSEED) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) &
> > + CPUID_EXT2_RDTSCP) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> > + }
So you would think that would tkae care of RDSEED exiting - but what
about VMCS shadowing?
Dave
> > }
> > /* fall through */
> > case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
> > @@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s)
> > case MSR_IA32_UCODE_REV:
> > has_msr_ucode_rev = true;
> > break;
> > + case MSR_IA32_VMX_PROCBASED_CTLS2:
> > + has_msr_vmx_procbased_ctls2 = true;
> > + break;
> > }
> > }
> > }
> >
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2020-03-31 17:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 16:27 [PATCH] target/i386: do not set unsupported VMX secondary execution controls Vitaly Kuznetsov
2020-03-31 16:32 ` Paolo Bonzini
2020-03-31 16:56 ` Montes, Julio
2020-03-31 16:59 ` Montes, Julio
2020-03-31 17:26 ` Dr. David Alan Gilbert [this message]
2020-03-31 17:37 ` Montes, Julio
2020-04-01 7:08 ` Vitaly Kuznetsov
2020-04-01 7:05 ` Vitaly Kuznetsov
2020-04-01 14:23 ` Montes, Julio
2020-04-01 14:36 ` Vitaly Kuznetsov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200331172640.GE2896@work-vm \
--to=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=julio.montes@intel.com \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
--cc=vkuznets@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.