On Fri, Aug 30, 2019 at 4:15 PM Jim Mattson <jmattson@xxxxxxxxxx> wrote:
>
> On Fri, Aug 30, 2019 at 4:07 PM Krish Sadhukhan
> <krish.sadhukhan@xxxxxxxxxx> wrote:
> >
> > On 08/29/2019 03:26 PM, Jim Mattson wrote:
> > > On Thu, Aug 29, 2019 at 2:25 PM Krish Sadhukhan
> > > <krish.sadhukhan@xxxxxxxxxx> wrote:
> > >> According to section "Checks on Guest Control Registers, Debug Registers,
> > >> and MSRs" in Intel SDM vol 3C, the following checks are performed on vmentry
> > >> of nested guests:
> > >>
> > >> If the "load debug controls" VM-entry control is 1, bits 63:32 in the DR7
> > >> field must be 0.
> > > Can't we just let the hardware check guest DR7? This results in
> > > "VM-entry failure due to invalid guest state," right? And we just
> > > reflect that to L1?
> >
> > Just trying to understand the reason why this particular check can be
> > deferred to the hardware.
>
> The vmcs02 field has the same value as the vmcs12 field, and the
> physical CPU has the same requirements as the virtual CPU.

Sadly, I was mistaken. The guest DR7 value is not transferred from
vmcs12 to vmcs02. It is set prior to the vmcs02 VM-entry by
kvm_set_dr(). Unfortunately, that function synthesizes a #GP if any
bit in the high dword of DR7 is set. So, you are correct, Krish: this
field must be checked in software.