[PATCH v1] x86/vvmx: don't enable vmcs shadowing for nested guests

[PATCH v1] x86/vvmx: don't enable vmcs shadowing for nested guests

[Sergey Dyasli]

Running "./xtf_runner vvmx" in L1 Xen under L0 Xen produces the
following result on H/W with VMCS shadowing:

    Test: vmxon
    Failure in test_vmxon_in_root_cpl0()
      Expected 0x8200000f: VMfailValid(15) VMXON_IN_ROOT
           Got 0x82004400: VMfailValid(17408) <unknown>
    Test result: FAILURE

This happens because SDM allows vmentries with enabled VMCS shadowing
VM-execution control and VMCS link pointer value of ~0ull. But results
of a nested VMREAD are undefined in such cases.

Fix this by not copying the value of VMCS shadowing control from vmcs01
to vmcs02.

Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index dde02c076b..013d049f8a 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -633,6 +633,7 @@ void nvmx_update_secondary_exec_control(struct vcpu *v,
                     SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
 
     host_cntrl &= ~apicv_bit;
+    host_cntrl &= ~SECONDARY_EXEC_ENABLE_VMCS_SHADOWING;
     shadow_cntrl = get_vvmcs(v, SECONDARY_VM_EXEC_CONTROL);
 
     /* No vAPIC-v support, so it shouldn't be set in vmcs12. */
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v1] x86/vvmx: don't enable vmcs shadowing for nested guests

[Tian, Kevin]

> From: Sergey Dyasli [mailto:sergey.dyasli@citrix.com]
> Sent: Monday, October 23, 2017 5:33 PM
> 
> Running "./xtf_runner vvmx" in L1 Xen under L0 Xen produces the
> following result on H/W with VMCS shadowing:
> 
>     Test: vmxon
>     Failure in test_vmxon_in_root_cpl0()
>       Expected 0x8200000f: VMfailValid(15) VMXON_IN_ROOT
>            Got 0x82004400: VMfailValid(17408) <unknown>
>     Test result: FAILURE
> 
> This happens because SDM allows vmentries with enabled VMCS
> shadowing
> VM-execution control and VMCS link pointer value of ~0ull. But results
> of a nested VMREAD are undefined in such cases.
> 
> Fix this by not copying the value of VMCS shadowing control from vmcs01
> to vmcs02.
> 
> Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>

Acked-by: Kevin Tian <kevin.tian@intel.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v1] x86/vvmx: don't enable vmcs shadowing for nested guests

[Andrew Cooper]

On 02/11/17 04:35, Tian, Kevin wrote:
>> From: Sergey Dyasli [mailto:sergey.dyasli@citrix.com]
>> Sent: Monday, October 23, 2017 5:33 PM
>>
>> Running "./xtf_runner vvmx" in L1 Xen under L0 Xen produces the
>> following result on H/W with VMCS shadowing:
>>
>>     Test: vmxon
>>     Failure in test_vmxon_in_root_cpl0()
>>       Expected 0x8200000f: VMfailValid(15) VMXON_IN_ROOT
>>            Got 0x82004400: VMfailValid(17408) <unknown>
>>     Test result: FAILURE
>>
>> This happens because SDM allows vmentries with enabled VMCS
>> shadowing
>> VM-execution control and VMCS link pointer value of ~0ull. But results
>> of a nested VMREAD are undefined in such cases.
>>
>> Fix this by not copying the value of VMCS shadowing control from vmcs01
>> to vmcs02.
>>
>> Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
> Acked-by: Kevin Tian <kevin.tian@intel.com>

Pulled into x86-next

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel