On 24/08/2017 11:09, Yang Zhang wrote: >> + if (static_cpu_has(X86_FEATURE_OSPKE) && > > We expose protection key to VM without check whether OSPKE is enabled or > not. Why not check guest's cpuid here which also can avoid unnecessary > access to pkru? Checking guest CPUID is pretty slow. We could check CR4.PKE though. Also, using static_cpu_has with OSPKE is probably wrong. But if we do check CR4.PKE, we can check X86_FEATURE_PKU instead, so something like if (static_cpu_has(X86_FEATURE_PKU) && kvm_read_cr4_bits(vcpu, X86_CR4_PKE) && vcpu->arch.pkru != vmx->host_pkru) ... but then, kvm_read_cr4_bits is also pretty slow---and we don't really need it, since all CR4 writes cause a vmexit. So for now I'd stay with this patch, only s/static_cpu_has/boot_cpu_has/g. Of course you can send improvements on top! Paolo >> + vcpu->arch.pkru != vmx->host_pkru) >> + __write_pkru(vcpu->arch.pkru);
