From: Jan Beulich <jbeulich@suse.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Roger Pau Monné" <roger.pau@citrix.com>
Subject: [PATCH v9 05/10] VMX: support USER-MSR
Date: Mon, 24 Nov 2025 16:00:03 +0100 [thread overview]
Message-ID: <86fd4c01-fd01-4767-a9a1-c734eb037b5e@suse.com> (raw)
In-Reply-To: <926a2315-a2b7-4aad-87e6-d686c9da9e3a@suse.com>
Hook up the new VM exit codes and handle guest accesses, context switch,
and save/restore. At least for now don't allow the guest direct access
to the control MSR; this may need changing if guests were to frequently
access it (e.g. on their own context switch path).
While there also correct a one-off in union ldt_or_tr_instr_info's
comment.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Needing to change two places in hvm.c continues to be unhelpful; I
recall I already did forget to also adjust hvm_load_cpu_msrs() for XFD.
Considering that MSRs typically arrive in the order the table has it,
couldn't we incrementally look up the incoming MSR index there, falling
back to a full lookup only when the incremental lookup failed (and thus
not normally re-iterating through the initial part of the array)?
Said comment in union ldt_or_tr_instr_info is further odd (same for
union gdt_or_idt_instr_info's) in that Instruction Information is only a
32-bit field. Hence bits 32-63 aren't undefined, but simply don't exist.
RFC: The wee attempt to "deal" with nested is likely wrong, but I'm
afraid I simply don't know where such enforcement would be done
properly. Returning an error there is also commented out, for
domain_cpu_policy_changed() returning void without "x86/xstate:
re-size save area when CPUID policy changes" in place.
---
v9: Use wrmsrns(). Do renames where bits are also going to be used for
MSR-IMM. Re-base.
v8: Re-base.
v5: Introduce user_msr_gpr().
v4: New.
--- a/xen/arch/x86/cpu-policy.c
+++ b/xen/arch/x86/cpu-policy.c
@@ -821,6 +821,12 @@ static void __init calculate_hvm_max_pol
* situations until someone has cross-checked the behaviour for safety.
*/
__clear_bit(X86_FEATURE_PKS, fs);
+
+ /*
+ * Don't expose USER-MSR until it is known how (if at all) it is
+ * virtualized on SVM.
+ */
+ __clear_bit(X86_FEATURE_USER_MSR, fs);
}
if ( !cpu_has_vmx_msrlist )
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -452,6 +452,10 @@ void domain_cpu_policy_changed(struct do
}
}
+ /* Nested doesn't have the necessary processing, yet. */
+ if ( nestedhvm_enabled(d) && p->feat.user_msr )
+ return /* -EINVAL */;
+
for_each_vcpu ( d, v )
{
cpu_policy_updated(v);
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -1391,6 +1391,7 @@ static int cf_check hvm_load_cpu_xsave_s
#define HVM_CPU_MSR_SIZE(cnt) offsetof(struct hvm_msr, msr[cnt])
static const uint32_t msrs_to_send[] = {
+ MSR_USER_MSR_CTL,
MSR_SPEC_CTRL,
MSR_INTEL_MISC_FEATURES_ENABLES,
MSR_PKRS,
@@ -1545,6 +1546,7 @@ static int cf_check hvm_load_cpu_msrs(st
{
int rc;
+ case MSR_USER_MSR_CTL:
case MSR_SPEC_CTRL:
case MSR_INTEL_MISC_FEATURES_ENABLES:
case MSR_PKRS:
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -696,13 +696,18 @@ static void cf_check vmx_vcpu_destroy(st
}
/*
- * To avoid MSR save/restore at every VM exit/entry time, we restore
- * the x86_64 specific MSRs at domain switch time. Since these MSRs
- * are not modified once set for para domains, we don't save them,
- * but simply reset them to values set in percpu_traps_init().
+ * To avoid MSR save/restore at every VM exit/entry time, we restore the
+ * x86_64 specific MSRs at vcpu switch time. Since these MSRs are not
+ * modified once set for para domains, we don't save them, but simply clear
+ * them or reset them to values set in percpu_traps_init().
*/
-static void vmx_restore_host_msrs(void)
+static void vmx_restore_host_msrs(const struct vcpu *v)
{
+ const struct vcpu_msrs *msrs = v->arch.msrs;
+
+ if ( msrs->user_msr_ctl.enable )
+ wrmsrns(MSR_USER_MSR_CTL, 0);
+
/* No PV guests? No need to restore host SYSCALL infrastructure. */
if ( !IS_ENABLED(CONFIG_PV) )
return;
@@ -756,6 +761,9 @@ static void vmx_restore_guest_msrs(struc
if ( cp->feat.pks )
wrpkrs(msrs->pkrs);
+
+ if ( msrs->user_msr_ctl.enable )
+ wrmsrns(MSR_USER_MSR_CTL, msrs->user_msr_ctl.raw);
}
void vmx_update_cpu_exec_control(struct vcpu *v)
@@ -1199,7 +1207,7 @@ static void cf_check vmx_ctxt_switch_fro
if ( !v->arch.fully_eager_fpu )
vmx_fpu_leave(v);
vmx_save_guest_msrs(v);
- vmx_restore_host_msrs();
+ vmx_restore_host_msrs(v);
vmx_save_dr(v);
if ( v->domain->arch.hvm.pi_ops.flags & PI_CSW_FROM )
@@ -4245,6 +4253,14 @@ static int vmx_handle_apic_write(void)
return vlapic_apicv_write(current, exit_qualification & 0xfff);
}
+static unsigned int msr_imm_gpr(void)
+{
+ msr_imm_instr_info_t info;
+
+ __vmread(VMX_INSTRUCTION_INFO, &info.raw);
+ return info.gpr;
+}
+
static void undo_nmis_unblocked_by_iret(void)
{
unsigned long guest_info;
@@ -4745,6 +4761,41 @@ void asmlinkage vmx_vmexit_handler(struc
hvm_inject_hw_exception(X86_EXC_GP, 0);
break;
+ case EXIT_REASON_URDMSR:
+ {
+ uint64_t msr_content = 0;
+
+ __vmread(EXIT_QUALIFICATION, &exit_qualification);
+ switch ( hvm_msr_read_intercept(exit_qualification, &msr_content) )
+ {
+ case X86EMUL_OKAY:
+ *decode_gpr(regs, msr_imm_gpr()) = msr_content;
+ update_guest_eip(); /* Safe: URDMSR */
+ break;
+
+ case X86EMUL_EXCEPTION:
+ hvm_inject_hw_exception(X86_EXC_GP, 0);
+ break;
+ }
+ break;
+ }
+
+ case EXIT_REASON_UWRMSR:
+ __vmread(EXIT_QUALIFICATION, &exit_qualification);
+ switch ( hvm_msr_write_intercept(exit_qualification,
+ *decode_gpr(regs, msr_imm_gpr()),
+ true) )
+ {
+ case X86EMUL_OKAY:
+ update_guest_eip(); /* Safe: UWRMSR */
+ break;
+
+ case X86EMUL_EXCEPTION:
+ hvm_inject_hw_exception(X86_EXC_GP, 0);
+ break;
+ }
+ break;
+
case EXIT_REASON_VMXOFF:
case EXIT_REASON_VMXON:
case EXIT_REASON_VMCLEAR:
--- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
@@ -203,6 +203,8 @@ static inline void pi_clear_sn(struct pi
#define EXIT_REASON_NOTIFY 75
#define EXIT_REASON_RDMSRLIST 78
#define EXIT_REASON_WRMSRLIST 79
+#define EXIT_REASON_URDMSR 80
+#define EXIT_REASON_UWRMSR 81
/* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */
/*
@@ -578,8 +580,18 @@ typedef union ldt_or_tr_instr_info {
base_reg_invalid :1, /* bit 27 - Base register invalid */
instr_identity :1, /* bit 28 - 0:LDT, 1:TR */
instr_write :1, /* bit 29 - 0:store, 1:load */
- :34; /* bits 31:63 - Undefined */
+ :34; /* bits 30:63 - Undefined */
};
} ldt_or_tr_instr_info_t;
+/* VM-Exit instruction info for URDMSR and UWRMSR */
+typedef union msr_imm_instr_info {
+ unsigned long raw;
+ struct {
+ unsigned int :3, /* Bits 0:2 - Undefined */
+ gpr :4, /* Bits 3:6 - Source/Destination register */
+ :25; /* bits 7:31 - Undefined */
+ };
+} msr_imm_instr_info_t;
+
#endif /* __ASM_X86_HVM_VMX_VMX_H__ */
--- a/xen/arch/x86/include/asm/guest-msr.h
+++ b/xen/arch/x86/include/asm/guest-msr.h
@@ -8,6 +8,20 @@
struct vcpu_msrs
{
/*
+ * 0x0000001c - MSR_USER_MSR_CTL
+ *
+ * Value is guest chosen, and always loaded in vcpu context.
+ */
+ union {
+ uint64_t raw;
+ struct {
+ bool enable:1;
+ unsigned int :11;
+ unsigned long bitmap:52;
+ };
+ } user_msr_ctl;
+
+ /*
* 0x00000048 - MSR_SPEC_CTRL
* 0xc001011f - MSR_VIRT_SPEC_CTRL (if X86_FEATURE_AMD_SSBD)
*
--- a/xen/arch/x86/include/asm/perfc_defn.h
+++ b/xen/arch/x86/include/asm/perfc_defn.h
@@ -6,7 +6,7 @@ PERFCOUNTER_ARRAY(exceptions,
#ifdef CONFIG_HVM
-#define VMX_PERF_EXIT_REASON_SIZE 80
+#define VMX_PERF_EXIT_REASON_SIZE 82
#define VMEXIT_NPF_PERFC 143
#define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1)
PERFCOUNTER_ARRAY(vmexits, "vmexits",
--- a/xen/arch/x86/msr.c
+++ b/xen/arch/x86/msr.c
@@ -280,6 +280,12 @@ int guest_rdmsr(struct vcpu *v, uint32_t
*val = msrs->xss.raw;
break;
+ case MSR_USER_MSR_CTL:
+ if ( !cp->feat.user_msr )
+ goto gp_fault;
+ *val = msrs->user_msr_ctl.raw;
+ break;
+
case 0x40000000 ... 0x400001ff:
if ( is_viridian_domain(d) )
{
@@ -618,6 +624,19 @@ int guest_wrmsr(struct vcpu *v, uint32_t
msrs->xss.raw = val;
break;
+ case MSR_USER_MSR_CTL:
+ if ( !cp->feat.user_msr )
+ goto gp_fault;
+
+ if ( (val & ~(USER_MSR_ENABLE | USER_MSR_ADDR_MASK)) ||
+ !is_canonical_address(val) )
+ goto gp_fault;
+
+ msrs->user_msr_ctl.raw = val;
+ if ( v == curr )
+ wrmsrns(MSR_USER_MSR_CTL, val);
+ break;
+
case 0x40000000 ... 0x400001ff:
if ( is_viridian_domain(d) )
{
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -360,7 +360,7 @@ XEN_CPUFEATURE(AMX_COMPLEX, 15*32
XEN_CPUFEATURE(AVX_VNNI_INT16, 15*32+10) /*A AVX-VNNI-INT16 Instructions */
XEN_CPUFEATURE(UTMR, 15*32+13) /* User Timer */
XEN_CPUFEATURE(PREFETCHI, 15*32+14) /*A PREFETCHIT{0,1} Instructions */
-XEN_CPUFEATURE(USER_MSR, 15*32+15) /* U{RD,WR}MSR Instructions */
+XEN_CPUFEATURE(USER_MSR, 15*32+15) /*s U{RD,WR}MSR Instructions */
XEN_CPUFEATURE(UIRET_UIF, 15*32+17) /* UIRET updates UIF */
XEN_CPUFEATURE(CET_SSS, 15*32+18) /* CET Supervisor Shadow Stacks safe to use */
XEN_CPUFEATURE(SLSM, 15*32+24) /* Static Lockstep Mode */
next prev parent reply other threads:[~2025-11-24 15:04 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-24 14:56 [PATCH v9 10/10] x86emul: misc additions Jan Beulich
2025-11-24 14:57 ` [PATCH v9 01/10] x86emul: support LKGS Jan Beulich
2025-11-24 14:58 ` [PATCH v9 02/10] x86emul+VMX: support {RD,WR}MSRLIST Jan Beulich
2025-11-24 14:58 ` [PATCH v9 03/10] x86emul: support USER_MSR instructions Jan Beulich
2025-11-24 14:59 ` [PATCH v9 04/10] x86/cpu-policy: re-arrange no-VMX logic Jan Beulich
2026-04-07 21:58 ` Andrew Cooper
2026-04-08 6:09 ` Jan Beulich
2025-11-24 15:00 ` Jan Beulich [this message]
2025-11-24 15:00 ` [PATCH v9 06/10] x86emul: support MSR_IMM instructions Jan Beulich
2025-11-24 15:00 ` [PATCH v9 07/10] VMX: support MSR-IMM Jan Beulich
2025-11-26 18:50 ` Andrew Cooper
2025-11-27 8:18 ` Jan Beulich
2025-11-24 15:01 ` [PATCH v9 08/10] x86emul: support non-SIMD MOVRS Jan Beulich
2025-11-24 15:01 ` [PATCH v9 09/10] x86: use / "support" UDB Jan Beulich
2025-12-05 12:01 ` Andrew Cooper
2025-12-05 12:40 ` Andrew Cooper
2025-12-05 13:13 ` Jan Beulich
2025-12-05 13:15 ` Andrew Cooper
2025-12-05 13:15 ` Jan Beulich
2025-12-05 13:35 ` Andrew Cooper
2025-12-05 13:09 ` Jan Beulich
2025-11-24 15:02 ` [PATCH v9 10/10] x86emul: support AVX512-BMM Jan Beulich
2025-12-05 12:33 ` Andrew Cooper
2025-12-05 12:47 ` Jan Beulich
2026-04-07 15:11 ` Andrew Cooper
2025-11-24 15:03 ` [PATCH v9 00/10] x86emul: misc additions Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86fd4c01-fd01-4767-a9a1-c734eb037b5e@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.