On 20/10/20 11:48, Alexander Graf wrote:
>
> count: 1,
> default_allow: false,
> ranges: [
> {
> flags: KVM_MSR_FILTER_READ,
> nmsrs: 1,
> base: MSR_EFER,
> bitmap: { 1 },
> },
> ],
> }
>
> That filter would set all x2apic registers to "deny", but would not be
> caught by the code above. Conversely, a range that explicitly allows
> x2apic ranges with default_allow=0 would be rejected by this patch.
Yes, but the idea is that x2apic registers are always allowed, even
overriding default_allow, and therefore it makes no sense to have them
in a range. The patch is only making things fail early for userspace,
the policy is defined by Sean's patch.
Paolo
