On Mon, 2018-04-09, David Hildenbrand wrote:
> On 09.04.2018 09:26, Jidong Xiao wrote:
> > On Mon, Apr 9, 2018 at 1:21 AM, David Hildenbrand <david@xxxxxxxxxx> wrote:
> >> On 09.04.2018 09:17, Jidong Xiao wrote:
> >>> On Mon, Apr 9, 2018 at 1:10 AM, David Hildenbrand <david@xxxxxxxxxx> wrote:
> >>>> On 09.04.2018 06:21, Jidong Xiao wrote:
> >>>>> Hi,
> >>>>>
> >>>>> The Intel SDM says:
> >>>>>
> >>>>> "The launch state of a VMCS determines which VM-entry instruction
> >>>>> should be used with that VMCS: the VMLAUNCH instruction requires a
> >>>>> VMCS whose launch state is “clear”; the VMRESUME instruction requires
> >>>>> a VMCS whose launch state is “launched”. A logical processor maintains
> >>>>> a VMCS’s launch state in the corresponding VMCS region."
> >>>>>
> >>>>> "There are no other ways to modify the launch state of a VMCS (it
> >>>>> cannot be modified using VMWRITE) and there is no direct way to
> >>>>> discover it (it cannot be read using VMREAD)."
> >>>>>
> >>>>> According to the above description, the launch state is stored in the
> >>>>> VMCS region, but it seems the SDM doesn't say where exactly the launch
> >>>>> state is stored in the VMCS. For example, the VMCS data is organized
> >>>>> into six logic groups: Guest-state area, Host-state area, VM-execution
> >>>>> control fields, VM-exit control fields, VM-entry control fields,
> >>>>> VM-exit information fields. However, I can't find the "launch state"
> >>>>> in any of these fields.
> >>>>>
> >>>>> If it's in the VMCS region, then why can't I find it? And why can't it
> >>>>> be discovered by VMREAD?
> >>>>
> >>>> Why do you assume the launch state has to be stored inside the VMCS region?
> >>>>
> >>>> It is just being stated that you cannot detect/modify it via
> >>>> VMWRITE/VMREAD. Which is perfectly true if the launch state is stored
> >>>> outside of the VMCS region.
> >>>>
> >>>> What the SDM states here simply is that the caller has to remember if a
> >>>> VMCS has already been launched. This is what we do with the "launched"
> >>>> variable.
> >>>>
> >>>> And this is also what we use for emulation of VMLAUNCH/VMRESUME in
> >>>> nested_vmx_run().
> >>>>
> >>>>> I saw in the kvm source code a variable called launched is defined,
> >>>>> which enables kvm to trace the launch state of the VMCS, but is this
> >>>>> launch state really existing in the VMCS region? If so, where exactly
> >>>>> is it?
> >>>>
> >>>> Nope, not in the region, it's glued to struct loaded_vmcs.
> >>>>
> >>> Oh, okay, thanks David, I see. The reason I assumed it's in the VMCS
> >>> region is because the SDM says:
> >>>
> >>> "A logical processor maintains a VMCS’s launch state in the
> >>> corresponding VMCS region."
> >>>
> >>> Since it's not really in the region, I guess the SDM is inaccurate on this.
> >>
> >> Guess as the guest has no way to access it via VMREAD/VMWRITE it doesn't
> >> make any difference, or do you have something in mind?
> >>
> > Oh, because the SDM clearly says it's in the region, but then it
> > doesn't say where exactly it is in the region; so I was just confused.
> > But now I understand. Thanks David!
> >
>
> Oh, by the way, I just realized that we actually have for nested VMX
> launch_state contained in "struct __packed vmcs12", so it is indeed
> contained in the VMCS region for nested VMX!

"Real" VMCS structures also have a launch state field, but it's a
microarchitectural field, i.e. it cannot be accessed via VMREAD/VMWRITE.
A VMCS may have other microarchitectural fields that the CPU uses, e.g.
to save/restore state across VMExit/VMEnter, but generally speaking
they're undocumented because, well, they're microarchitectural.

Launch state is documented in the SDM because it has architecturally
visible behavior, e.g. VMLAUNCH will fail if the target VMCS's launch
state is 'true', and VMCLEAR resets the launch state. This
architecturally visible behavior needs to be emulated by KVM, thus
struct vmcs12 has a launch_state field which is checked/set by
nested_vmx_run and reset by handle_vmclear.

SDM's VMCLEAR description snippet:

  The instruction ensures that VMCS data for that VMCS (some of these
  data may be currently maintained on the processor) are copied to the
  VMCS region in memory. It also initializes parts of the VMCS region
  (for example, it sets the launch state of that VMCS to clear).

> "Any VMX implementation has a VMCS structure, and vmcs12 is our emulated
> VMX's VMCS"
>
> Sorry I missed that before!
>
>
> --
>
> Thanks,
>
> David / dhildenb
>
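The architecturally visible launch-state rules the thread describes (VMLAUNCH needs a clear VMCS, VMRESUME needs a launched one, VMCLEAR resets it), modelled as a small stand-alone C program. This is an added illustration, not KVM code: the `vmcs12_model` struct and the `emulate_*` helpers are hypothetical stand-ins for KVM's `struct vmcs12`, `nested_vmx_run` and `handle_vmclear`; the two error numbers are the SDM's VM-instruction error values for these two failures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* VM-instruction error numbers from the SDM's error table (KVM uses the
 * same values under the names VMXERR_VMLAUNCH_NONCLEAR_VMCS and
 * VMXERR_VMRESUME_NONLAUNCHED_VMCS). */
enum vmx_err {
	VMX_OK = 0,
	VMX_ERR_VMLAUNCH_NONCLEAR_VMCS = 4,
	VMX_ERR_VMRESUME_NONLAUNCHED_VMCS = 5,
};

/* Hypothetical stand-in for struct vmcs12: only the launch state is
 * modelled; in KVM it lives next to the architectural VMCS fields. */
struct vmcs12_model {
	uint32_t revision_id;
	uint32_t launch_state;	/* 0 = clear, nonzero = launched */
};

/* VMCLEAR behaviour (cf. handle_vmclear): launch state goes back to clear. */
static void emulate_vmclear(struct vmcs12_model *v)
{
	v->launch_state = 0;
}

/* VM-entry check (cf. nested_vmx_run): launch == true models VMLAUNCH,
 * launch == false models VMRESUME. A successful VMLAUNCH marks the VMCS
 * as launched, which is the only way the state ever becomes "launched". */
static enum vmx_err emulate_vmentry(struct vmcs12_model *v, bool launch)
{
	if (launch && v->launch_state)
		return VMX_ERR_VMLAUNCH_NONCLEAR_VMCS;
	if (!launch && !v->launch_state)
		return VMX_ERR_VMRESUME_NONLAUNCHED_VMCS;
	if (launch)
		v->launch_state = 1;
	return VMX_OK;
}

/* Walks the lifecycle once and counts the checks that behaved as the SDM
 * specifies; returns 5 when every transition matches. */
static int launch_state_walkthrough(void)
{
	struct vmcs12_model v = { .revision_id = 1, .launch_state = 0 };
	int ok = 0;

	emulate_vmclear(&v);				/* fresh, cleared VMCS */
	ok += emulate_vmentry(&v, false) == VMX_ERR_VMRESUME_NONLAUNCHED_VMCS;
	ok += emulate_vmentry(&v, true) == VMX_OK;	/* first VMLAUNCH */
	ok += emulate_vmentry(&v, true) == VMX_ERR_VMLAUNCH_NONCLEAR_VMCS;
	ok += emulate_vmentry(&v, false) == VMX_OK;	/* VMRESUME now legal */
	emulate_vmclear(&v);				/* back to clear */
	ok += emulate_vmentry(&v, false) == VMX_ERR_VMRESUME_NONLAUNCHED_VMCS;
	return ok;
}

int main(void)
{
	printf("launch-state checks passed: %d/5\n", launch_state_walkthrough());
	return 0;
}
```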