According to section "Checks on VMX Controls" in Intel SDM vol 3C, the following check needs to be enforced on vmentry of L2 guests:

    If either the "unrestricted guest" VM-execution control or the "mode-based execute control for EPT" VM-execution control is 1, the "enable EPT" VM-execution control must also be 1.

The KVM check already exists. This patch adds a unit test.

Note that "mode-based execute control for EPT" has been omitted from the unit test. The reason is that that control is not set in setup_vmcs_config() today and so if I set it in L2's VMCS for testing, consistency checks fail on vmentry of L2.

[PATCH 1/1][kvm-unit-test] nVMX x86: Check enable-EPT on vmentry of L2 guests

[root@ban25x6uut29 kvm-unit-tests]# /root/Tools/git-format-patch.sh 0bc9613

 x86/vmx_tests.c | 56 ++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 14 deletions(-)

Krish Sadhukhan (1):
      nVMX x86: Check enable-EPT on vmentry of L2 guests
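The control dependency quoted in the cover letter, modelled as a standalone C check (an added example, not code from the patch, KVM or kvm-unit-tests). The function and enum names are hypothetical; the bit positions follow the Intel SDM control tables, and the gating on "activate secondary controls" is an SDM rule this sketch assumes rather than something the message states.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions per the Intel SDM VM-execution control tables. */
#define PRI_ACTIVATE_SECONDARY  (1u << 31)  /* primary processor-based controls */
#define SEC_ENABLE_EPT          (1u << 1)   /* secondary processor-based controls */
#define SEC_UNRESTRICTED_GUEST  (1u << 7)
#define SEC_MODE_BASED_EPT_EXEC (1u << 22)

/* Hypothetical result codes: which control violated the dependency. */
enum ept_check { EPT_OK = 0, EPT_ERR_UNRESTRICTED, EPT_ERR_MODE_BASED };

/* Hypothetical helper: would these controls pass the "enable EPT" check? */
static enum ept_check check_ept_dependency(uint32_t primary, uint32_t secondary)
{
    /* Assumption (SDM): with "activate secondary controls" clear, the
     * secondary controls are treated as all zero and are not checked. */
    if (!(primary & PRI_ACTIVATE_SECONDARY))
        return EPT_OK;
    if (secondary & SEC_ENABLE_EPT)
        return EPT_OK;                 /* dependency satisfied */
    if (secondary & SEC_UNRESTRICTED_GUEST)
        return EPT_ERR_UNRESTRICTED;   /* vmentry must fail */
    if (secondary & SEC_MODE_BASED_EPT_EXEC)
        return EPT_ERR_MODE_BASED;     /* vmentry must fail */
    return EPT_OK;
}

/* Walk all 8 settings of the three controls, as a test matrix would,
 * and count the combinations that must be rejected on vmentry. */
static int count_rejected(uint32_t primary)
{
    static const uint32_t bits[3] = {
        SEC_ENABLE_EPT, SEC_UNRESTRICTED_GUEST, SEC_MODE_BASED_EPT_EXEC
    };
    int rejected = 0;
    for (unsigned m = 0; m < 8; m++) {
        uint32_t sec = 0;
        for (int i = 0; i < 3; i++)
            if (m & (1u << i))
                sec |= bits[i];
        if (check_ept_dependency(primary, sec) != EPT_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("rejected with secondary controls active: %d of 8\n",
           count_rejected(PRI_ACTIVATE_SECONDARY));
    return 0;
}
```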