On 20/11/19 15:33, Liran Alon wrote:
> "Virtualize APIC accesses" VM-execution control was changed
> from 0 to 1, OR the value of apic_access_page was changed.
>
> Examining prepare_vmcs02(), one could note that L0 won't flush
> physical TLB only in case: L0 use VPID, L1 use VPID and L0
> can guarantee TLB entries populated while running L1 are tagged
> differently than TLB entries populated while running L2.
> The last condition can only occur if either L0 use EPT or
> L0 use different VPID for L1 and L2
> (i.e. vmx->vpid != vmx->nested.vpid02).
>
> If L0 use EPT, L0 use different EPTP when running L2 than L1
> (Because guest_mode is part of mmu-role) and therefore SDM section
> 28.3.3.4 doesn't apply. Otherwise, L0 use different VPID when
> running L2 than L1 and therefore SDM section 28.3.3.3 doesn't
> apply.

I don't understand this. You could still have a stale EPTP entry from a
previous L2 vmenter. If L1 uses neither EPT nor VPID, it expects a TLB
flush to occur on every vmentry, but this won't happen if L0 uses EPT.

Paolo