If the guest supports RDTSCP, it already has read access to the hardware IA32_TSC_AUX MSR via RDTSCP, so we can allow it read access via the RDMSR instruction as well. If the guest doesn't support RDTSCP, intercept all accesses to the IA32_TSC_AUX MSR, so that kvm can synthesize a #GP. (IA32_TSC_AUX exists iff RDTSCP is supported.) Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx> Reviewed-by: Marc Orr <marcorr@xxxxxxxxxx> Reviewed-by: Peter Shier <pshier@xxxxxxxxxx> Reviewed-by: Krish Sadhukhan <krish.sadhukhan@xxxxxxxxxx> Reviewed-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> --- v1 -> v2: Rebased across vmx directory creation. Modified commit message based on Sean's comments. arch/x86/kvm/vmx/vmx.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index d175429c91b0..04a728976d96 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4070,6 +4070,10 @@ static void vmx_compute_secondary_exec_control(struct vcpu_vmx *vmx) if (vmx_rdtscp_supported()) { bool rdtscp_enabled = guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP); + + vmx_set_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_TSC_AUX, + MSR_TYPE_R, !rdtscp_enabled); + if (!rdtscp_enabled) exec_control &= ~SECONDARY_EXEC_RDTSCP; -- 2.24.0.393.g34dc348eaf-goog
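Review bot: The added vmx_set_intercept_for_msr() call toggles only MSR_TYPE_R on vmx->vmcs01.msr_bitmap, while the commit message says all accesses to IA32_TSC_AUX are intercepted when the guest lacks RDTSCP. Nothing in this hunk touches the write intercept, so the #GP on WRMSR depends on the write bit already being set somewhere outside the visible lines. A short comment above the call, stating that writes stay intercepted and only reads are passed through, would make that explicit. The call also sits inside the `if (vmx_rdtscp_supported())` block, so on a host without RDTSCP the read intercept is never set here and the result relies on the bitmap's initial state; a comment saying so, or setting the intercept unconditionally outside the block, would remove the ambiguity. As a style point, vmx_compute_secondary_exec_control() now has a side effect on the MSR bitmap in addition to computing exec_control, which deserves a comment or a separate helper so later callers are not surprised.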