Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka <jan.kiszka@siemens.com>]

Am 16.11.2010 05:48, Wang, Shane wrote:
> Avi Kivity wrote:
>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>
>>>>>  Without CONFIG_INTEL_TXT, the user must not enable this feature
>>>>>  in the BIOS. Otherwise, KVM will not work. Explain this
>>>>> dependency via a kernel  log message. 
>>>>>
>>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>  ---
>>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>
>>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>  index 9367abc..ebafd57 100644
>>>>>  --- a/arch/x86/kvm/vmx.c
>>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>>                vmx_disabled_by_bios(void) &&   tboot_enabled())
>>>>>                return 1;
>>>>>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
>>>>>  -&&   !tboot_enabled()) +&&   !tboot_enabled()) {
>>>>>  +#ifndef CONFIG_INTEL_TXT
>>>>>  +            printk(KERN_INFO "kvm: if TXT is enabled in the
>>>>>  bios, " +                     "kvm depends on
>>>>>                CONFIG_INTEL_TXT\n");  +#endif return 1;
>>>>>  +        }
>>>>>        }
>>>>>
> Why do we need this?
> If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is available.
> tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means tboot_enabled() = 0.
> If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.

Probably, this patch is based on my semi-understanding of TXT. What I
observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
does not load and report VT-x being disabled at BIOS level. As my
kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.

However, it turned out that
A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
   is enabled in the BIOS
B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
   still does not work

The latter appears to be related to the fact that I do not actually have
a trust chain from the BIOS over the boot loader to the kernel. So
tboot_addr is not set and tboot_enabled remains off. I guess I need some
trusted grub or so to get this running, maybe even more. Still, I'm
unsure if that will give me VT-x support back again. Can you comment on
the requirements and mechanisms behind that?

In any case, what we should catch is the user mistake of enabling TXT in
the BIOS blindly without actually needing it, disabling VT-x this way.
How to express this?

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux