On 25/03/19 18:30, Vitaly Kuznetsov wrote:
>  static int handle_set_cr4(struct kvm_vcpu *vcpu, unsigned long val)
>  {
> +	/* VMXE can't be enabled from SMM */
> +	if (val & X86_CR4_VMXE && is_smm(vcpu))
> +		return 1;
> +
>  	if (is_guest_mode(vcpu)) {
>  		struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
>  		unsigned long orig_val = val;
>
>
> Paolo, as the author of the original commit, what do you think? Would
> this protection be enough or do you envision any other scenarios?

It would still be possible to set it via KVM_SET_SREGS I think, so you'd
need a similar check in kvm_valid_sregs; but it's ugly to put it there
since it's VMX specific.

I like Liran's idea, instead.

Paolo
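Review bot: the new is_smm() guard in handle_set_cr4() sits before the is_guest_mode() branch, so it rejects a VMXE-setting CR4 write on both the L1 path and the L2-intercepted path; that is the right place for it, but the condition mixes a bitwise test with a logical one, so parenthesize it for readability in the usual kernel style: `if ((val & X86_CR4_VMXE) && is_smm(vcpu))`. The check also only covers the CR4-write VM-exit path, so, as the reply points out, the same invariant still has to be enforced for register state supplied through the KVM_SET_SREGS ioctl, otherwise the SMM restriction can be bypassed by userspace setting CR4 directly.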