On Fri, Feb 25, 2022 at 10:29 AM Sean Christopherson <seanjc@xxxxxxxxxx> wrote: > > On Fri, Feb 25, 2022, Jim Mattson wrote: > > On Fri, Feb 25, 2022 at 7:13 AM Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote: > > > > > > On 2/25/22 16:12, Xiaoyao Li wrote: > > > >>>> > > > >>> > > > >>> I don't like the idea of making things up without notifying userspace > > > >>> that this is fictional. How is my customer running nested VMs supposed > > > >>> to know that L2 didn't actually shutdown, but L0 killed it because the > > > >>> notify window was exceeded? If this information isn't reported to > > > >>> userspace, I have no way of getting the information to the customer. > > > >> > > > >> Then, maybe a dedicated software define VM exit for it instead of > > > >> reusing triple fault? > > > >> > > > > > > > > Second thought, we can even just return Notify VM exit to L1 to tell L2 > > > > causes Notify VM exit, even thought Notify VM exit is not exposed to L1. > > > > > > That might cause NULL pointer dereferences or other nasty occurrences. > > > > Could we synthesize a machine check? I haven't looked in detail at the > > MCE MSRs, but surely there must be room in there for Intel to reserve > > some encodings for synthesized machine checks. > > I don't think we have any choice but to synthesize SHUTDOWN until we get more > details on the exact semantics of VM_CONTEXT_INVALID. E.g. if GUEST_EFER or any > other critical guest field is corrupted, attempting to re-enter the guest, even > to (attempt to) inject a machine check, is risking undefined behavior in the guest. Synthesizing shutdown is fine, as long as userspace is notified.
