Xen project Mailing List

Re: [PATCH v9 07/10] VMX: support MSR-IMM

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 26 Nov 2025 18:50:52 +0000

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RoRvJbywSJgXWI4WwvVAoe68OPTq7IFqIhXXUwEwflk=; b=HVH1XIXkAB6Brf5DDDmGA8Ay1ECwBP3nH9OuIoa4nY3Gnm31P8Ld1OFhMyG5UxyF9DhOw0bjSgv2bfzW6j1BhE5il+plf6tXG/cAiWJWsgKsSrywtzP+QllUjZL/jKLJbg+Q3QiM58B5pLQf/+3OpbTzfXyR7QY5bBn2Snf7YuGw+GuiTDaydgTqtiTBaPWRPYmxow7JJAJANbbiJY/qjt0Wfl8Byp1ieD8ynGolQSA96qnOR0Bog+Yscrp+AWtwgs8sd2lcv8W8QhzkgJyHl2OTTE3KHwXKhpx8V/h6kuikUl2p8FiLaPu/slyUf2HRpwRv6av++x4L8txl2kywSQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=bgbGdcdptSvpWIzgrTauoS8nPP+kKFxko1aoJ/oAzXv1UxeXr7exCjKiY3vX7XSruKuwxEvAhmph77GDK37bZYzEG/8P85b54tw41NnUFCM/nZ3F3uRe9pPNSuJahkoRj5EG7jawFeYwauEmQ5qvZ/J1xDXBXepCpTm6yiN+N75gLe9n10beLxL8IagVNAkgXygM2yrW21KB9OUpSL5sKABdpPfOYMwoGzx1jB/zeRrl8hMGUyiw80tfuM22GD3NIzHj9feZPWss0aiKMKSNc+oEfQrcBxNCxrnCc57DUwHUg1B30fj2uO9nVdxGBtQk/HGmpqjuDPa+bJd6Q1ztpA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 26 Nov 2025 18:51:20 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 24/11/2025 3:00 pm, Jan Beulich wrote: > Hook up the new VM exit codes and handle guest uses of the insns. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > v9: New. > --- > The lack of an enable bit is concerning; at least for the nested case > that's a security issue afaict (when L0 isn't aware of the insns, or more > specifically the exit codes). This is why we need support statements of new CPUs. Intel say that unknown VMExits turning into #UD is the expected course of action. That covers all of these cases which don't have an explicit enable. This is better than our current behaviour, which is non-architectural for supervisor code and practically the most unhelpful course of action going. Obviously, logic turning on a new feature is expected to handle all the VMExit cases it can produce. The corollary for nested virt is that L0 must never make a Virtual VMExit with case that isn't enabled. Combined with #UD in the unknown case, that covers things reasonably well. > --- a/xen/arch/x86/domain.c > +++ b/xen/arch/x86/domain.c > @@ -453,7 +453,7 @@ void domain_cpu_policy_changed(struct do > } > > /* Nested doesn't have the necessary processing, yet. */ > - if ( nestedhvm_enabled(d) && p->feat.user_msr ) > + if ( nestedhvm_enabled(d) && (p->feat.user_msr || p->feat.msr_imm) ) > return /* -EINVAL */; What processing is missing? (Aside from correcting the unknown case.) > > for_each_vcpu ( d, v ) > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -4762,6 +4762,7 @@ void asmlinkage vmx_vmexit_handler(struc > break; > > case EXIT_REASON_URDMSR: > + case EXIT_REASON_RDMSR_IMM: Instructions which aren't enumerated in CPUID have reserved behaviour. The exit handler needs to check cp->feat.msr_imm and inject #UD. It's not perfect; un-intercepted MSRs will happen to execute correctly on capable hardware, but most MSRs are not intercepted and it's far closer to adequate behaviour than omitting the #UD check. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.