From: "Tian, Kevin" <kevin.tian@intel.com>
To: Roger Pau Monne <roger.pau@citrix.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
"Nakajima, Jun" <jun.nakajima@intel.com>
Subject: Re: [Xen-devel] [PATCH v2 2/2] nvmx: always trap accesses to x2APIC MSRs
Date: Mon, 3 Feb 2020 08:07:25 +0000 [thread overview]
Message-ID: <AADFC41AFE54684AB9EE6CBC0274A5D19D75F8B5@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <20200129144514.96686-3-roger.pau@citrix.com>
> From: Roger Pau Monne <roger.pau@citrix.com>
> Sent: Wednesday, January 29, 2020 10:45 PM
>
> Nested VMX doesn't expose support for
> SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE,
> SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY or
> SECONDARY_EXEC_APIC_REGISTER_VIRT, and hence the x2APIC MSRs should
> always be trapped in the nested guest MSR bitmap, or else a nested
> guest could access the hardware x2APIC MSRs given certain conditions.
>
> Accessing the hardware MSRs could be achieved by forcing the L0 Xen to
> use SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE and
> SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY or
> SECONDARY_EXEC_APIC_REGISTER_VIRT (if supported), and then creating a
> L2 guest with a MSR bitmap that doesn't trap accesses to the x2APIC
> MSR range. Then OR'ing both L0 and L1 MSR bitmaps would result in a
> bitmap that doesn't trap certain x2APIC MSRs and a VMCS that doesn't
> have SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE and
> SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY or
> SECONDARY_EXEC_APIC_REGISTER_VIRT set either.
>
> Fix this by making sure x2APIC MSRs are always trapped in the nested
> MSR bitmap.
>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
prev parent reply other threads:[~2020-02-03 8:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-29 14:45 [Xen-devel] [PATCH v2 0/2] nvmx: implement support for MSR bitmaps Roger Pau Monne
2020-01-29 14:45 ` [Xen-devel] [PATCH v2 1/2] " Roger Pau Monne
2020-02-03 8:05 ` Tian, Kevin
2020-02-03 17:13 ` Roger Pau Monné
2020-01-29 14:45 ` [Xen-devel] [PATCH v2 2/2] nvmx: always trap accesses to x2APIC MSRs Roger Pau Monne
2020-02-03 8:07 ` Tian, Kevin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AADFC41AFE54684AB9EE6CBC0274A5D19D75F8B5@SHSMSX104.ccr.corp.intel.com \
--to=kevin.tian@intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=jun.nakajima@intel.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.