From mboxrd@z Thu Jan  1 00:00:00 1970
From: Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>
Subject: Re: [PATCH 2/4] KVM: nSVM: do not forward NMI window singlestep VM
 exits to L1
Date: Fri, 16 Jun 2017 15:26:49 +0200
Message-ID: <20170616132648.GF2224@potion>
References: <20170615112032.15812-1-lprosek@redhat.com>
 <20170615112032.15812-3-lprosek@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: kvm@vger.kernel.org
To: Ladi Prosek <lprosek@redhat.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:50646 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752566AbdFPN0w (ORCPT <rfc822;kvm@vger.kernel.org>);
        Fri, 16 Jun 2017 09:26:52 -0400
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id BABE5659AE
        for <kvm@vger.kernel.org>; Fri, 16 Jun 2017 13:26:51 +0000 (UTC)
Content-Disposition: inline
In-Reply-To: <20170615112032.15812-3-lprosek@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

2017-06-15 13:20+0200, Ladi Prosek:
> Nested hypervisor should not see singlestep VM exits if singlestepping
> was enabled internally by KVM. Windows is particularly sensitive to this
> and known to bluescreen on unexpected VM exits.
> 
> Signed-off-by: Ladi Prosek <lprosek@redhat.com>
> ---
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> @@ -966,9 +967,13 @@ static void svm_disable_lbrv(struct vcpu_svm *svm)
>  static void disable_nmi_singlestep(struct vcpu_svm *svm)
>  {
>  	svm->nmi_singlestep = false;
> -	if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
> -		svm->vmcb->save.rflags &=
> -			~(X86_EFLAGS_TF | X86_EFLAGS_RF);
> +	if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) {
> +		/* Clear our flags if they were not set by the guest */
> +		if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_TF))
> +			svm->vmcb->save.rflags &= ~X86_EFLAGS_TF;
> +		if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_RF))
> +			svm->vmcb->save.rflags &= ~X86_EFLAGS_RF;

IIUC, we intercept/fault on IRET, disable the interception, set TF+RF
and enter again, the CPU executes IRET and then we get a #DB exit.

IRET pops EFLAGS from before the NMI -- doesn't the CPU properly restore
EFLAGS, so we do not need this part here?

Thanks.