Suppose that both vmcs01 and vmcs02 enable "virtualize APIC accesses." Prepare_vmcs02 sets the APIC access page to the HPA associated with the L1 GPA specified in vmcs12->apic_access_addr (L2's APIC access page in L1's physical address space). This sets up the virtualization hardware to deliver APIC_ACCESS VM-exits when L2 accesses this page. L0 will forward these VM-exits to L1. So far, this is correct. Now, suppose that L2 accesses the HPA associated with L1's APIC access page? We need a VM-exit to L0, so that L0 can perform the appropriate APIC emulation for L1. However, that isn't going to happen, since that HPA is mapped without access restrictions in the EPT tables for L1. Accesses from L2 to L1's APIC access page will behave as normal memory reads and writes. If vmcs12 enables EPT, then L0 could refuse to create a mapping in L2's shadow EPT table for any entry in the L2 EPT table that maps to L1's APIC access page. However, if L1 uses shadow x86 page tables for L2 instead of virtual EPT, this isn't an option. We could remove the mapping for L1's APIC access page from L1's EPT tables when L2 is active, but since the EPT tables are shared across all vCPUs, this would effectively disable APIC virtualization for all L1 vCPUs whenever any L1 vCPU is in virtual VMX non-root operation. And the TLB shootdown overhead might be excessive. Unfortunately, the VMX specification doesn't provide a way for the virtual CPU to indicate that "virtualize APIC accesses" is contingent upon the use of EPT. Thoughts? -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
