From: Sean Christopherson <seanjc@google.com>
To: Chao Gao <chao.gao@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Yosry Ahmed <yosry.ahmed@linux.dev>
Subject: Re: [PATCH] KVM: nVMX: Disallow access to vmcs12 fields that aren't supported by "hardware"
Date: Wed, 17 Dec 2025 06:38:06 -0800
Message-ID: <aULATi4uMa-5z08k@google.com>
In-Reply-To: <aUJqoJMVoGebFqv4@intel.com>

On Wed, Dec 17, 2025, Chao Gao wrote:
> >+static __init bool cpu_has_vmcs12_field(unsigned int idx)
> >+{
> >+ switch (VMCS12_IDX_TO_ENC(idx)) {
> >+ case VIRTUAL_PROCESSOR_ID: return cpu_has_vmx_vpid();
> >+ case POSTED_INTR_NV: return cpu_has_vmx_posted_intr();
> >+ VMCS12_CASE64(TSC_MULTIPLIER): return cpu_has_vmx_tsc_scaling();
> >+ VMCS12_CASE64(VIRTUAL_APIC_PAGE_ADDR): return cpu_has_vmx_tpr_shadow();
> >+ VMCS12_CASE64(APIC_ACCESS_ADDR): return cpu_has_vmx_virtualize_apic_accesses();
> >+ VMCS12_CASE64(POSTED_INTR_DESC_ADDR): return cpu_has_vmx_posted_intr();
> >+ VMCS12_CASE64(VM_FUNCTION_CONTROL): return cpu_has_vmx_vmfunc();
> >+ VMCS12_CASE64(EPT_POINTER): return cpu_has_vmx_ept();
> >+ VMCS12_CASE64(EPTP_LIST_ADDRESS): return cpu_has_vmx_vmfunc();
> >+ VMCS12_CASE64(XSS_EXIT_BITMAP): return cpu_has_vmx_xsaves();
> >+ VMCS12_CASE64(ENCLS_EXITING_BITMAP): return cpu_has_vmx_encls_vmexit();
> >+ VMCS12_CASE64(GUEST_IA32_PERF_GLOBAL_CTRL): return cpu_has_load_perf_global_ctrl();
> >+ VMCS12_CASE64(HOST_IA32_PERF_GLOBAL_CTRL): return cpu_has_load_perf_global_ctrl();
> >+ case TPR_THRESHOLD: return cpu_has_vmx_tpr_shadow();
> >+ case SECONDARY_VM_EXEC_CONTROL: return cpu_has_secondary_exec_ctrls();
> >+ case GUEST_S_CET: return cpu_has_load_cet_ctrl();
> >+ case GUEST_SSP: return cpu_has_load_cet_ctrl();
> >+ case GUEST_INTR_SSP_TABLE: return cpu_has_load_cet_ctrl();
> >+ case HOST_S_CET: return cpu_has_load_cet_ctrl();
> >+ case HOST_SSP: return cpu_has_load_cet_ctrl();
> >+ case HOST_INTR_SSP_TABLE: return cpu_has_load_cet_ctrl();
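
Review bot: the quoted part of cpu_has_vmcs12_field() has no comment stating which fields need a case in this switch, and GUEST_INTR_STATUS has none among the lines shown. A short comment at the top of the switch saying that every vmcs12 field whose existence depends on a cpu_has_*() capability gets a case here would make an omission like that easier to spot when new fields are added, and GUEST_INTR_STATUS could then be listed alongside the other plain `case` entries such as TPR_THRESHOLD.
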
>
> Most fields here are not shadowed, e.g., CET-related fields. So, the plan is
> that new fields should be added here regardless of whether they are shadowed or
> not, right?

Yep. It'll be mildly annoying to keep up-to-date, but hopefully having an
"unconditional" rule will be less confusing than limiting the checks to fields
that are allowed to hit the shadow VMCS.

> And GUEST_INTR_STATUS is missing here. It depends on APICv and is handled
> explicitly in init_vmcs_shadow_fields().

Gah, I had that one on my todo list, but got sidetracked for a week and completely
forgot about it.

Thank you!