https://bugzilla.kernel.org/show_bug.cgi?id=216033

            Bug ID: 216033
           Summary: KVM VMX nested virtualization: VMXON does not check guest CR0 against IA32_VMX_CR0_FIXED0
           Product: Virtualization
           Version: unspecified
    Kernel Version: 5.17.8-200.fc35.x86_64
          Hardware: Intel
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@xxxxxxxxxxxxxxxxxxxx
          Reporter: ercli@xxxxxxxxxxx
        Regression: No

Created attachment 301050
  --> https://bugzilla.kernel.org/attachment.cgi?id=301050&action=edit
Guest hypervisor to reproduce this bug (xz compressed)

CPU model I am running: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz
Host kernel version: 5.17.8-200.fc35.x86_64
Host kernel arch: x86_64
Guest: a hypervisor I wrote myself, 32-bit, compressed and attached as c.img.xz.

QEMU command line:
qemu-system-x86_64 -m 512M -smp 1 -cpu Haswell,vmx=yes -enable-kvm -serial stdio -drive media=disk,file=c.img,index=1

The problem does not go away if using -machine kernel_irqchip=off
Since the guest is a hypervisor, -accel tcg cannot be used (TCG does not support nested virtualization)

Actual behavior: serial port shows:
...
CR0 = 0x0000000080000015
CR0 fixed0 = 0x0000000080000021
CR0 fixed1 = 0x00000000ffffffff
VMXON succeeds

Expected behavior: serial port shows:
...
CR0 = 0x0000000080000015
CR0 fixed0 = 0x0000000080000021
CR0 fixed1 = 0x00000000ffffffff
[00]: unhandled exception 13 (0xd), halting!
[00]: error code: 0x00000000
[00]: state dump follows...
[00] CS:EIP ...
...

Explanation:
When the guest hypervisor starts VMX using the VMXON instruction, the guest hypervisor's CR0 is not legal. IA32_VMX_CR0_FIXED0 = 0x0000000080000021. The 0x20 bit in this MSR is 1, which indicates that the 0x20 bit in CR0 must be 1 when executing VMXON. However, my hypervisor uses CR0 = 0x80000015 (the 0x20 bit is 0). According to SDM 29.3, if "the values of CR0 and CR4 are not supported in VMX operation", then a general protection exception (#GP(0)) should be raised. This happens on real hardware, but not on KVM.

The relevant code in my hypervisor is:
https://github.com/lxylxy123456/uberxmhf/blob/770bdaa7afce560b9f46348bee5a05e2c680de06/xmhf/src/xmhf-core/xmhf-runtime/xmhf-startup/lhv-vmx.c#L250

The pseudo code is:
  print the hypervisor's CR0 to serial port
  print MSR value IA32_VMX_CR0_FIXED0 to serial port
  print MSR value IA32_VMX_CR0_FIXED1 to serial port
  sleep for 3 seconds
  run VMXON instruction
  If it succeeds, write "VMXON succeeds" to serial port.
  If VMXON receives an exception, write exception details to serial port ("[00]: unhandled exception...")

To fix this bug, handle_vmon() in arch/x86/kvm/vmx/nested.c needs to be updated. The checks of CR0 and CR4 against IA32_VMX_CR0_FIXED0 etc. need to be added.
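The following is an added example, not the reporter's hypervisor code and not KVM's handle_vmon(): it models the SDM precondition the report says is missing, using the CR0 / FIXED0 / FIXED1 values printed on the serial port above. The rule is the same for CR0 and CR4: every bit that is 1 in IA32_VMX_CRx_FIXED0 must be 1 in CRx, and every bit that is 0 in IA32_VMX_CRx_FIXED1 must be 0 in CRx; if either condition fails, VMXON must be refused (a #GP(0) on hardware). The struct, function names and the CR4 values are assumptions made for the example; in a nested-VMX implementation the FIXED MSR values compared against must be the ones the L0 hypervisor exposes to the L1 guest, not raw host hardware values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not KVM code). Check one control register against its
 * IA32_VMX_CRx_FIXED0 / IA32_VMX_CRx_FIXED1 pair as required for VMXON.
 * Returns true when the value is acceptable in VMX operation.
 */
static bool vmx_cr_allowed(uint64_t cr, uint64_t fixed0, uint64_t fixed1)
{
    /* A bit that must be 1 (set in FIXED0) is 0 in cr. */
    if ((fixed0 & ~cr) != 0)
        return false;
    /* A bit that must be 0 (clear in FIXED1) is 1 in cr. */
    if ((cr & ~fixed1) != 0)
        return false;
    return true;
}

/* Mask of offending bits; 0 means cr satisfies both constraints. */
static uint64_t vmx_cr_violations(uint64_t cr, uint64_t fixed0, uint64_t fixed1)
{
    return (fixed0 & ~cr) | (cr & ~fixed1);
}

/* Hypothetical guest state as a VMXON handler would see it (assumed layout). */
struct guest_cr_state {
    uint64_t cr0, cr4;
    uint64_t cr0_fixed0, cr0_fixed1; /* guest-visible IA32_VMX_CR0_FIXED0/1 */
    uint64_t cr4_fixed0, cr4_fixed1; /* guest-visible IA32_VMX_CR4_FIXED0/1 */
};

/*
 * Decision a VMXON handler must make before entering VMX operation:
 * true -> VMXON may proceed, false -> inject #GP(0) into the guest.
 */
static bool vmxon_cr_check(const struct guest_cr_state *s)
{
    return vmx_cr_allowed(s->cr0, s->cr0_fixed0, s->cr0_fixed1) &&
           vmx_cr_allowed(s->cr4, s->cr4_fixed0, s->cr4_fixed1);
}

/*
 * The report's values: CR0 = 0x80000015 lacks bit 5 (CR0.NE, 0x20), which
 * FIXED0 = 0x80000021 requires. CR4 values are constructed for the example:
 * only CR4.VMXE (bit 13) is required and set, so CR4 passes.
 */
static struct guest_cr_state report_case(void)
{
    struct guest_cr_state s = {
        .cr0 = 0x80000015ULL,
        .cr0_fixed0 = 0x80000021ULL,
        .cr0_fixed1 = 0xffffffffULL,
        .cr4 = 0x2000ULL,
        .cr4_fixed0 = 0x2000ULL,
        .cr4_fixed1 = 0x3767ffULL, /* constructed value */
    };
    return s;
}

/* True when the report's guest state is (correctly) rejected. */
static bool report_case_rejected(void)
{
    struct guest_cr_state s = report_case();
    return !vmxon_cr_check(&s);
}

int main(void)
{
    struct guest_cr_state s = report_case();
    uint64_t bad = vmx_cr_violations(s.cr0, s.cr0_fixed0, s.cr0_fixed1);

    printf("CR0 = 0x%016llx\n", (unsigned long long)s.cr0);
    printf("CR0 fixed0 = 0x%016llx\n", (unsigned long long)s.cr0_fixed0);
    printf("CR0 fixed1 = 0x%016llx\n", (unsigned long long)s.cr0_fixed1);
    if (vmxon_cr_check(&s))
        printf("VMXON allowed\n");
    else
        printf("VMXON refused: #GP(0), offending CR0 bits 0x%llx\n",
               (unsigned long long)bad);
    return 0;
}
```

With the report's values the check refuses VMXON and names bit 0x20 as the offender, which is the behaviour the reporter observed on bare metal. Setting CR0.NE (CR0 = 0x80000035) makes the same check pass.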