RE: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency


Jan Kiszka wrote:
> Am 16.11.2010 14:02, Cihula, Joseph wrote:
>>> From: Jan Kiszka [mailto:jan.kiszka@xxxxxxxxxxx]
>>> Sent: Tuesday, November 16, 2010 6:23 PM
>>> 
>>> Am 16.11.2010 05:48, Wang, Shane wrote:
>>>> Avi Kivity wrote:
>>>>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>>>>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>>>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>>>>  From: Jan Kiszka<jan.kiszka@xxxxxxxxxxx>
>>>>>>>> 
>>>>>>>>  Without CONFIG_INTEL_TXT, the user must not enable this
>>>>>>>>  feature in the BIOS. Otherwise, KVM will not work. Explain
>>>>>>>>  this dependency via a kernel log message.
>>>>>>>> 
>>>>>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@xxxxxxxxxxx>
>>>>>>>>  ---
>>>>>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>>>> 
>>>>>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>>>>  index 9367abc..ebafd57 100644
>>>>>>>>  --- a/arch/x86/kvm/vmx.c
>>>>>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>>>>>                vmx_disabled_by_bios(void) &&  
>>>>>>>>            tboot_enabled())                return 1; if
>>>>>>>>  (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX) -&&  
>>>>>>>>  !tboot_enabled()) +&&   !tboot_enabled()) { +#ifndef
>>>>>>>>  CONFIG_INTEL_TXT +            printk(KERN_INFO "kvm: if TXT
>>>>>>>>  is enabled in the bios, " +                     "kvm depends
>>>>>>>>                on CONFIG_INTEL_TXT\n");  +#endif return 1;  + 
>>>>>>>>        } }
>>>>>>>> 
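Review bot: the log message added under `#ifndef CONFIG_INTEL_TXT` states a dependency that does not hold as written: without CONFIG_INTEL_TXT, tboot_enabled() is always 0, so this branch fires whenever FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is clear, which includes the plain "VT-x disabled in the BIOS" case, and enabling CONFIG_INTEL_TXT alone does not bring VT-x back unless the kernel is actually launched through tboot. Suggest keying the message on the TXT-specific state instead, i.e. only when FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX is set while OUTSIDE_SMX is clear in the locked MSR, and wording it as guidance ("disable TXT in the BIOS or launch the kernel via tboot") rather than as a kernel config dependency.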
>>>> Why do we need this?
>>>> If TXT is enabled in the bios, it doesn't mean TXT is launched but
>>>> TXT is available. tboot_enabled() = TXT is launched. And
>>>> non-CONFIG_INTEL_TXT means tboot_enabled() = 0. If you enable VT
>>>> in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set. 
>>> 
>>> Probably, this patch is based on my semi-understanding of TXT. What
>>> I observe is that, when I enable TXT in the BIOS of my machine,
>>> kvm-intel does not load and report VT-x being disabled at BIOS
>>> level. As my kernels had CONFIG_INTEL_TXT disabled, I thought that
>>> was the reason. 
>>> 
>>> However, it turned out that
>>> A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when
>>>    TXT is enabled in the BIOS
>>> B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
>>>    still does not work
>>> 
>>> The latter appears to be related to the fact that I do not actually
>>> have a trust chain from the BIOS over the boot loader to the
>>> kernel. So tboot_addr is not set and tboot_enabled remains off. I
>>> guess I need some trusted grub or so to get this running, maybe
>>> even more. Still, I'm unsure if that will give me VT-x support back
>>> again. Can you comment on the requirements and mechanisms behind
>>> that? 
>> 
>> The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when
>> TXT is enabled is up to each OEM.  Intel's original guidance was to
>> clear this flag, to prevent a Blue Pill type of attack on an
>> un-measured OS launch.  Intel has since changed our guidance to set
>> this flag even when TXT is enabled, in order to allow for dual boot
>> and late launch uses of TXT along with VT.
>> 
>>> In any case, what we should catch is the user mistake of enabling
>>> TXT in the BIOS blindly without actually needing it, disabling VT-x
>>> this way. How to express this?
>> 
>> It is probably worth a warning/guidance message to the user that, if
>> this condition is detected, they should either disable TXT in the
>> BIOS or activate TXT before enabling KVM.  
> 
> So the condition to issue the warning is FEATURE_CONTROL_LOCKED &&
> !FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX? Independent of
> tboot_enabled or precisely in that branch I targeted, just without
> CONFIG_INTEL_TXT? 
For me, I prefer the branch you targeted, e.g. adding one more condition (if ENABLED_INSIDE_SMX) to check in the previous if-clause:
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
                        && !tboot_enabled())
                        return 1;

> 
> Out of curiosity: Who would enable TXT, and how, so that VT-x becomes
> usable again? The trusted boot loader (like tboot)?
Yes, tboot. Please download tboot.gz and the corresponding SINIT for your platform from tboot.sourceforge.net.
And modify your grub menu like

title Linux with tboot
kernel tboot.gz ...
module vmlinuz ...
module initrd.img ...
module sinit.bin

> 
> Jan

Shane
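To make the IA32_FEATURE_CONTROL reasoning in this thread concrete, here is an added example (not code from the thread or from the kernel) that classifies the locked MSR value the way the discussion converges on: the lock bit, the VMXON-inside-SMX bit and the VMXON-outside-SMX bit are the Intel SDM bit positions (bits 0, 1 and 2); the function names and the enum are hypothetical, and the tboot launch state is passed in as a flag because it is always 0 without CONFIG_INTEL_TXT.

```c
/* Added example, not kernel code: classify IA32_FEATURE_CONTROL for KVM.
 * Bit positions follow the Intel SDM (lock = bit 0, VMXON inside SMX =
 * bit 1, VMXON outside SMX = bit 2); the function names are made up. */
#include <stdint.h>
#include <stdio.h>

#define FEATURE_CONTROL_LOCKED                    (1u << 0)
#define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX  (1u << 1)
#define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX (1u << 2)

enum vmx_bios_state {
    VMX_BIOS_UNLOCKED, /* MSR not locked: the kernel may program it itself */
    VMX_BIOS_USABLE,   /* VMXON is permitted in the environment we run in */
    VMX_BIOS_SMX_ONLY, /* VMXON only inside SMX: TXT enabled, no tboot launch */
    VMX_BIOS_DISABLED  /* VMXON permitted nowhere: VT-x switched off in BIOS */
};

/* tboot_enabled is 1 only when the kernel was launched through tboot
 * (it is always 0 in a kernel built without CONFIG_INTEL_TXT). The bit
 * that must be set depends on that: INSIDE_SMX after a measured launch,
 * OUTSIDE_SMX otherwise. */
enum vmx_bios_state classify_feature_control(uint64_t msr, int tboot_enabled)
{
    if (!(msr & FEATURE_CONTROL_LOCKED))
        return VMX_BIOS_UNLOCKED;
    if (tboot_enabled)
        return (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
               ? VMX_BIOS_USABLE : VMX_BIOS_DISABLED;
    if (msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
        return VMX_BIOS_USABLE;
    /* The case the thread is about: the OEM cleared OUTSIDE_SMX because
     * TXT is enabled, but nothing performed a measured launch. */
    return (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
           ? VMX_BIOS_SMX_ONLY : VMX_BIOS_DISABLED;
}

/* Guidance a loader would log for the states in which KVM cannot start;
 * NULL when there is nothing to report. */
const char *feature_control_message(enum vmx_bios_state st)
{
    switch (st) {
    case VMX_BIOS_SMX_ONLY:
        return "kvm: VT-x is locked to SMX by the BIOS (TXT enabled): "
               "disable TXT in the BIOS or launch the kernel via tboot";
    case VMX_BIOS_DISABLED:
        return "kvm: disabled by bios";
    default:
        return NULL;
    }
}
```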
