Hi Guys!

I have a KVM-based hypervisor, and I have problems with how KVM handles the CR4.VMXE flag.

Problem 1 can be shown as follows. The snippet below WORKS as expected:

---
/* VMXE is set on the very first KVM_SET_SREGS call */
sregs.cr4 |= X86_CR4_VMXE;
ret = ioctl(vcpufd, KVM_SET_SREGS, &sregs);
if (ret == -1) {
    perror("KVM: KVM_SET_SREGS");
    leavedos(99);
}
---

The one below doesn't:

---
/* first KVM_SET_SREGS call, VMXE not yet set */
ret = ioctl(vcpufd, KVM_SET_SREGS, &sregs);
if (ret == -1) {
    perror("KVM: KVM_SET_SREGS");
    leavedos(99);
}

/* second call: VMXE is requested now, the ioctl succeeds, but the bit does not stick */
sregs.cr4 |= X86_CR4_VMXE;
ret = ioctl(vcpufd, KVM_SET_SREGS, &sregs);
if (ret == -1) {
    perror("KVM: KVM_SET_SREGS");
    leavedos(99);
}
---

Basically, that example demonstrates that I can set the VMXE flag only by the very first call to KVM_SET_SREGS. Any subsequent calls do not allow me to modify the VMXE flag: no error is returned, and other flags are modified as expected if needed, but not this one. Is there any reason why the VMXE flag is "locked" to its very first setting?

Problem 2: If I set both the VME and VMXE flags (by the very first invocation of KVM_SET_SREGS, yes), then the VME flag does not actually work. My hypervisor then runs in non-VME mode. Is it KVM that clears the VME flag when VMXE is set, or is it really not a workable combination of flags?

Problem 3: Some older Intel CPUs appear to require the VMXE flag even in non-root VMX. This is vaguely documented in the Intel specs:

---
The first processors to support VMX operation require that the following bits be 1 in VMX operation: CR0.PE, CR0.NE, CR0.PG, and CR4.VMXE.
---

They are not explicit about non-root mode, but my experiments show they meant exactly that. On such CPUs, KVM otherwise returns KVM_EXIT_FAIL_ENTRY, "invalid guest state".

Question: did they really mean non-root, and if so, shouldn't KVM itself work around such quirks? I wouldn't mind enabling VMXE myself, if not for Problem 2 above, which then just disables VME. Can KVM somehow be "fixed" to not require all this dancing, or is there a better way of fixing that problem?

Thanks!