From mboxrd@z Thu Jan 1 00:00:00 1970
From: Anthony Liguori
Subject: Re: [PATCH] KVM: x86: Disallow hypercalls for guest callers in rings > 0
Date: Mon, 03 Aug 2009 10:04:42 -0500
Message-ID: <4A76FC8A.3010308@codemonkey.ws>
References: <4A76EA7B.4080509@siemens.com> <4A76EE85.1090404@codemonkey.ws> <4A76F325.7020309@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Jan Kiszka , kvm-devel
To: Avi Kivity
Return-path:
Received: from mail-pz0-f196.google.com ([209.85.222.196]:50120 "EHLO mail-pz0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932255AbZHCPEp (ORCPT ); Mon, 3 Aug 2009 11:04:45 -0400
Received: by pzk34 with SMTP id 34so2477851pzk.4 for ; Mon, 03 Aug 2009 08:04:45 -0700 (PDT)
In-Reply-To: <4A76F325.7020309@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

Avi Kivity wrote:
> On 08/03/2009 05:04 PM, Anthony Liguori wrote:
>>
>> Actually, VT mandates that vmcalls can only be done from CPL=0.
>>
>
> That's exactly how I misremembered it. However the docs say
>
> IF not in VMX operation
>     THEN #UD;
> ELSIF in VMX non-root operation
>     THEN VM exit;
> ELSIF (RFLAGS.VM = 1) OR (IA32_EFER.LMA = 1 and CS.L = 0)
>     THEN #UD;
> ELSIF CPL > 0
>     THEN #GP(0);
>
> So CPL > 0 is only enforced on VMCALL from the hypervisor, not the
> guest (tip: don't ask what VMCALL in the hypervisor means).

Ah, it's used to call SMM peer mode... awesome :-)

Regards,

Anthony Liguori
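To make the point of the quoted pseudocode concrete, here is an added example (written for this page, not code from the thread, from KVM, or from the patch named in the subject line). It transcribes the hardware-side VMCALL decision exactly as quoted, then models the hypervisor-side hypercall handler that has to supply the CPL check itself, because a VMCALL executed in VMX non-root operation causes a VM exit before the CPL > 0 branch is ever reached. The struct layout, the HC_* return codes and the function names are assumptions made for the example; KVM's real hypercall path is not reproduced.

```c
/* Added example: model of the VMCALL decision quoted from the SDM plus a
 * hypervisor-side hypercall handler. Not KVM code; names are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum vmcall_result { VMCALL_UD, VMCALL_VMEXIT, VMCALL_GP, VMCALL_ROOT_OK };

/* Just enough logical-processor state to evaluate the quoted pseudocode. */
struct cpu_state {
    bool in_vmx_operation;  /* VMXON has been executed on this logical CPU */
    bool vmx_non_root;      /* a guest is running (after VMLAUNCH/VMRESUME) */
    bool rflags_vm;         /* RFLAGS.VM, virtual-8086 mode */
    bool efer_lma;          /* IA32_EFER.LMA, IA-32e mode active */
    bool cs_l;              /* CS.L, 64-bit code segment */
    unsigned cpl;           /* current privilege level, 0..3 */
};

/* Hardware-side decision, branch for branch as in the quoted text. */
enum vmcall_result vmcall_decide(const struct cpu_state *s)
{
    if (!s->in_vmx_operation)
        return VMCALL_UD;
    if (s->vmx_non_root)
        return VMCALL_VMEXIT;      /* CPL is never examined on this path */
    if (s->rflags_vm || (s->efer_lma && !s->cs_l))
        return VMCALL_UD;
    if (s->cpl > 0)
        return VMCALL_GP;          /* only root-mode callers get #GP(0) */
    return VMCALL_ROOT_OK;         /* root-mode VMCALL, the SMM use Anthony mentions */
}

/* Hypothetical return codes for the modelled handler (assumption). */
#define HC_OK      0
#define HC_EPERM   (-1)
#define HC_ENOSYS  (-2)

/* Hypervisor-side handler invoked on the VMCALL exit. The hardware has
 * already let a ring-3 guest caller through, so if enforce_cpl is false
 * the handler cheerfully services unprivileged guest code. */
long handle_hypercall_vmexit(const struct cpu_state *guest, unsigned long nr,
                             bool enforce_cpl)
{
    if (enforce_cpl && guest->cpl != 0)
        return HC_EPERM;   /* the check the hardware did not perform */
    if (nr == 0)           /* hypercall 0: a no-op, an assumption for the example */
        return HC_OK;
    return HC_ENOSYS;
}

/* Scenario: user-mode code (CPL 3) inside a 64-bit guest executes VMCALL. */
long guest_ring3_hypercall(bool enforce_cpl)
{
    struct cpu_state guest = { .in_vmx_operation = true, .vmx_non_root = true,
                               .efer_lma = true, .cs_l = true, .cpl = 3 };
    if (vmcall_decide(&guest) != VMCALL_VMEXIT)
        return -99;        /* unreachable: non-root VMCALL always exits */
    return handle_hypercall_vmexit(&guest, 0, enforce_cpl);
}

int main(void)
{
    printf("ring-3 guest VMCALL, no CPL check in handler: %ld\n",
           guest_ring3_hypercall(false));   /* HC_OK: the hole */
    printf("ring-3 guest VMCALL, handler enforces CPL 0: %ld\n",
           guest_ring3_hypercall(true));    /* HC_EPERM */
    return 0;
}
```

The contrast between the two calls in main() is the whole argument of the patch: a #GP(0) for CPL > 0 is only delivered to a VMCALL issued in VMX root operation, so for guest callers the hypervisor is the only place the privilege check can live.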