> On 16 Jul 2019, at 22:39, Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
>
> On 16/07/19 21:34, Liran Alon wrote:
>>> When this erratum is hit, the CPU will be at CPL3. From the hardware
>>> point of view the sequence below happens:
>>>
>>> 1. CPL3 guest hits reserved-bit NPT fault (MMIO access)
>> Why does the CPU need to be at CPL3?
>> The requirement for SMAP should be that this page is user-accessible in the guest page tables.
>> Think of a case where the guest has CR4.SMAP=1 and CR4.SMEP=0.
>>
>
> If you are not at CPL3, you'd get a SMAP NPF, not a RSVD NPF.

If CR4.SMEP=0, the guest vCPU can execute a user-accessible page in the guest page tables with CPL<3.
This instruction will successfully execute and can cause, via the data it references, any type of #NPF, including a RSVD #NPF.
When the hardware DecodeAssist microcode then attempts to read the guest RIP, though, it will get a SMAP violation, because the data read is done by microcode with CPL<3 and is accessing a user-accessible page.

Therefore, I still don't think that the guest vCPU CPL matters at all. Only whether the code page is mapped in the guest page tables as user-accessible or not.

-Liran

>
> Paolo
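The following is an added boolean model of the scenario discussed in this exchange; it is not code from the thread and not KVM or hardware code. It encodes two assumptions taken from the discussion: (1) with CR4.SMEP=1 a CPL<3 vCPU cannot execute from a user-accessible page (the fetch takes a #PF, so no #NPF is ever reached), and (2) as Liran describes, the DecodeAssist read of the code bytes is a supervisor-mode data access that is subject to SMAP whenever CR4.SMAP=1 and the code page is user-accessible, regardless of guest CPL. EFLAGS.AC is not modelled. The function names are hypothetical. The block also shows the weaker condition a hypervisor can evaluate from CPL and CR4 alone, and enumerates all states to confirm it never misses a modelled fault:

```c
#include <stdbool.h>
#include <stdio.h>

/* Can the instruction at guest RIP execute at all, so that its data
 * access can raise an #NPF? Instruction fetch is governed by the U/S bit
 * of the code page and, for CPL<3, by CR4.SMEP. */
bool insn_can_execute(unsigned cpl, bool smep, bool code_page_user)
{
    if (cpl == 3)
        return code_page_user;          /* user mode needs a user page */
    return !(smep && code_page_user);   /* supervisor fetch blocked only by SMEP */
}

/* Model assumption (Liran's description): the DecodeAssist read of the
 * code bytes is a supervisor-mode data access, so with CR4.SMAP=1 it
 * faults on a user-accessible code page no matter what the guest CPL is. */
bool decode_assist_smap_fault(unsigned cpl, bool smep, bool smap, bool code_page_user)
{
    return insn_can_execute(cpl, smep, code_page_user) && smap && code_page_user;
}

/* What a hypervisor can test without walking guest page tables: a
 * necessary condition for the fault above. It over-approximates, because
 * the U/S bit of the code page is not known here. */
bool erratum_possible(unsigned cpl, bool smep, bool smap)
{
    return smap && (!smep || cpl == 3);
}

/* Enumerate every state and count those where the modelled fault happens
 * but erratum_possible() says no. Returns 0 if the cheap test is sound. */
int count_missed_faults(void)
{
    int missed = 0;
    for (unsigned cpl = 0; cpl <= 3; cpl++)
        for (int smep = 0; smep <= 1; smep++)
            for (int smap = 0; smap <= 1; smap++)
                for (int user = 0; user <= 1; user++)
                    if (decode_assist_smap_fault(cpl, smep, smap, user) &&
                        !erratum_possible(cpl, smep, smap))
                        missed++;
    return missed;
}

int main(void)
{
    printf("cpl smep smap user | exec fault possible\n");
    for (unsigned cpl = 0; cpl <= 3; cpl++)
        for (int smep = 0; smep <= 1; smep++)
            for (int smap = 0; smap <= 1; smap++)
                for (int user = 0; user <= 1; user++)
                    printf(" %u    %d    %d    %d  |  %d    %d      %d\n",
                           cpl, smep, smap, user,
                           insn_can_execute(cpl, smep, user),
                           decode_assist_smap_fault(cpl, smep, smap, user),
                           erratum_possible(cpl, smep, smap));
    printf("faults missed by the CPL/CR4-only test: %d\n", count_missed_faults());
    return 0;
}
```

The row with cpl=0, smep=0, smap=1, user=1 is the case Liran raises: the instruction executes at CPL0 from a user page, and the modelled code-bytes read still hits SMAP. With smep=1 the same row shows no fault, because the fetch itself is already blocked, which is why the CPL/CR4-only condition can drop the page-table bit without missing a fault.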