[Bug 216033] New: KVM VMX nested virtualization: VMXON does not check guest CR0 against IA32_VMX_CR0_FIXED0

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=216033

            Bug ID: 216033
           Summary: KVM VMX nested virtualization: VMXON does not check
                    guest CR0 against IA32_VMX_CR0_FIXED0
           Product: Virtualization
           Version: unspecified
    Kernel Version: 5.17.8-200.fc35.x86_64
          Hardware: Intel
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: ercli@ucdavis.edu
        Regression: No

Created attachment 301050
  --> https://bugzilla.kernel.org/attachment.cgi?id=301050&action=edit
Guest hypervisor to reproduce this bug (xz compressed)

CPU model I am running: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz
Host kernel version: 5.17.8-200.fc35.x86_64
Host kernel arch: x86_64
Guest: a hypervisor I wrote myself, 32-bits, compressed and attached as
c.img.xz.
QEMU command line: qemu-system-x86_64 -m 512M -smp 1 -cpu Haswell,vmx=yes
-enable-kvm -serial stdio -drive media=disk,file=c.img,index=1
The problem does not go away if using -machine kernel_irqchip=off
Since the guest is a hypervisor, -accel tcg cannot be used (TCG does not
support nested virtualization)

Actual behavior: serial port shows:

...
CR0        = 0x0000000080000015
CR0 fixed0 = 0x0000000080000021
CR0 fixed1 = 0x00000000ffffffff
VMXON succeeds

Expected behaivor: serial port shows:

...
CR0        = 0x0000000080000015
CR0 fixed0 = 0x0000000080000021
CR0 fixed1 = 0x00000000ffffffff
[00]: unhandled exception 13 (0xd), halting!
[00]: error code: 0x00000000
[00]: state dump follows...
[00] CS:EIP ...
...

Explanation:

When the guest hypervisor starts VMX using the VMXON instruction, the guest
hypervisor's CR0 is not legal. IA32_VMX_CR0_FIXED0 = 0x0000000080000021. The
0x20 bit in this MSR is 1, which indicates that the 0x20 bit in CR0 must be 1
when executing VMXON. However, my hypervisor uses CR0 = 0x80000015 (the 0x20
bit is 0).

According to SDM 29.3, if "the values of CR0 and CR4 are not supported in VMX
operation", then a general protection exception (#GP(0)) should be raised. This
happens on real hardware, but not on KVM.

The relevant code in my hypervisor is:

https://github.com/lxylxy123456/uberxmhf/blob/770bdaa7afce560b9f46348bee5a05e2c680de06/xmhf/src/xmhf-core/xmhf-runtime/xmhf-startup/lhv-vmx.c#L250

The pseudo code is

print the hypervisor's CR0 to serial port
print MSR value IA32_VMX_CR0_FIXED0 to serial port
print MSR value IA32_VMX_CR0_FIXED1 to serial port
sleep for 3 seconds
run VMXON instruction
If succeed, write "VMXON succeeds" to serial port.
If VMXON receives an exception, write exception details to serial port ("[00]:
unhandled exception...")

To fix this bug, handle_vmon() in arch/x86/kvm/vmx/nested.c needs to be
updated. The check to CR0 and CR4 against IA32_VMX_CR0_FIXED0 etc need to be
added.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.