According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:
If the “enable EPT” VM-execution control is 1, the EPTP VM-execution
control field must satisfy the following checks:
— The EPT memory type (bits 2:0) must be a value supported by the
processor as indicated in the IA32_VMX_EPT_VPID_CAP MSR.
— Bits 5:3 (1 less than the EPT page-walk length) must be 3,
indicating an EPT page-walk length of 4.
— Bit 6 (enable bit for accessed and dirty flags for EPT) must be
0 if bit 21 of the IA32_VMX_EPT_VPID_CAP MSR is read as 0, indicating
that the processor does not support accessed and dirty flags for EPT.
— Reserved bits 11:7 and 63:N (where N is the processor’s
physical-address width) must all be 0.
The first patch does the necessary check in KVM while the second one adds
a KVM unit test.
[PATCH 1/2][KVM] nVMX x86: Check EPTP on vmentry of L2 guests
[PATCH 2/2][kvm-unit-test] nVMX x86: Check EPTP on vmentry of L2 guests
arch/x86/include/asm/vmx.h | 4 +++-
arch/x86/kvm/vmx.c | 9 ++++++---
2 files changed, 9 insertions(+), 4 deletions(-)
Krish Sadhukhan (1):
nVMX x86: Check EPTP on vmentry of L2 guests
x86/vmx.h | 4 ++
x86/vmx_tests.c | 179 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 183 insertions(+)
Krish Sadhukhan (1):
nVMX x86: Check EPTP on vmentry of L2 guests
