Re: [PATCH] target/i386: do not set unsupported VMX secondary execution
From: Dr. David Alan Gilbert
Subject: Re: [PATCH] target/i386: do not set unsupported VMX secondary execution controls
Date: Tue, 31 Mar 2020 18:26:40 +0100
User-agent: Mutt/1.13.3 (2020-01-12)
* Montes, Julio (address@hidden) wrote:
> Sorry for my last email, it was incomplete
>
> Hi Vitaly
>
> thanks for raising this, unfortunately this patch didn't work for me, I still
> get the same error:
Are you trying that on top of 5.0 or on top of the older 4.2 world?
> qemu-system-x86_64: error: failed to set MSR 0x48b to 0x1582e00000000
> qemu-system-x86_64:
> /home/testpmem/go/src/github.com/kata-containers/qemu/target/i386/kvm.c:2695:
> kvm_buf_set_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs
If my reading of 0x1582e00000000 is correct then we have:

  0x1582e 00000000
    VMX_SECONDARY_EXEC_RDSEED_EXITING   0x00010000 !
    VMX_SECONDARY_EXEC_SHADOW_VMCS      0x00004000 !
    VMX_SECONDARY_EXEC_ENABLE_INVPCID   0x00001000
    VMX_SECONDARY_EXEC_RDRAND_EXITING   0x00000800
    VMX_SECONDARY_EXEC_ENABLE_VPID      0x00000020
    VMX_SECONDARY_EXEC_ENABLE_EPT       0x00000002
    VMX_SECONDARY_EXEC_DESC             0x00000004
    VMX_SECONDARY_EXEC_RDTSCP           0x00000008
>
> my qemu command line:
> /usr/bin/qemu-system-x86_64 -name
> sandbox-f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633
> -uuid 8189ac12-5a5c-4989-bf82-c0218f8a3d33 -machine
> pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp
> unix:/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qmp.sock,server,nowait
> -m 2048M,slots=10,maxmem=17041M -device
> pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile=
> -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device
> virtconsole,chardev=charconsole0,id=console0 -chardev
> socket,id=charconsole0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/console.sock,server,nowait
> -device nvdimm,id=nv0,memdev=mem0 -object
> memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-clearlinux-32700-osbuilder-891b61c-agent-73afd1a.img,size=134217728
> -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object
> rng-random,id=rng0,filename=/dev/urandom -device
> virtio-rng-pci,rng=rng0,romfile= -device
> virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev
> socket,id=charch0,path=/run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/kata.sock,server,nowait
> -device
> virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile=
> -fsdev
> local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633,security_model=none
> -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device
> driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile=
> -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config
> -nodefaults -nographic -daemonize -object
> memory-backend-ram,id=dimm1,size=2048M -numa node,memdev=dimm1 -kernel
> /usr/share/kata-containers/vmlinuz-5.4.15-71 -append tsc=reliable
> no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1
> i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1
> iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1
> rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug
> systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4
> agent.use_vsock=false systemd.unit=kata-containers.target
> systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket
> agent.log=debug agent.log=debug -pidfile
> /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f37
> 7a877c03ddc64e1e5e8685633/pid -D
> /run/vc/vm/f218abcb05f6e05cc68768f74e9106303066f377a877c03ddc64e1e5e8685633/qemu.log
> -smp 1,cores=1,threads=1,sockets=4,maxcpus=4
>
>
>
> ./vmxcap output:
>
> secondary processor-based controls
> Virtualize APIC accesses no
> Enable EPT yes
> Descriptor-table exiting yes
> Enable RDTSCP yes
> Virtualize x2APIC mode no
> Enable VPID yes
> WBINVD exiting no
> Unrestricted guest no
> APIC register emulation no
> Virtual interrupt delivery no
> PAUSE-loop exiting no
> RDRAND exiting yes
> Enable INVPCID yes
> Enable VM functions no
> VMCS shadowing no <<<<<
> Enable ENCLS exiting no
> RDSEED exiting no <<<<<
> Enable PML no
> EPT-violation #VE no
> Conceal non-root operation from PT no
> Enable XSAVES/XRSTORS no
> Mode-based execute control (XS/XU) no
> Sub-page write permissions no
> GPA translation for PT no
> TSC scaling no
> User wait and pause no
> ENCLV exiting no
So we're apparently trying to enable both RDSEED_EXITING and SHADOW_VMCS
which are missing.
> On 31/03/20 18:27, Vitaly Kuznetsov wrote:
> > case MSR_IA32_VMX_PROCBASED_CTLS2:
> > - /* KVM forgot to add these bits for some time, do this ourselves.
> > */
> > - if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> > CPUID_XSAVE_XSAVES) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
> > CPUID_EXT_RDRAND) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > CPUID_7_0_EBX_INVPCID) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > CPUID_7_0_EBX_RDSEED) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> > - }
> > - if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) &
> > CPUID_EXT2_RDTSCP) {
> > - value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> > + if (!has_msr_vmx_procbased_ctls2) {
> > + /* KVM forgot to add these bits for some time, do this
> > ourselves. */
> > + if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
> > + CPUID_XSAVE_XSAVES) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
> > + CPUID_EXT_RDRAND) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > + CPUID_7_0_EBX_INVPCID) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
> > + CPUID_7_0_EBX_RDSEED) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
> > + }
> > + if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) &
> > + CPUID_EXT2_RDTSCP) {
> > + value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
> > + }
So you would think that would take care of RDSEED exiting - but what
about VMCS shadowing?
Dave
> > }
> > /* fall through */
> > case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
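Review bot: the comment carried into the new `if (!has_msr_vmx_procbased_ctls2)` block still says only that KVM forgot these bits for some time; it should state why the MSR being seen in kvm_get_supported_msrs() means the CPUID-derived fix-ups can be skipped, since that is the assumption the condition encodes. None of the five bits ORed in here is VMX_SECONDARY_EXEC_SHADOW_VMCS, so these lines cannot be what sets that bit, and when the flag is false RDSEED_EXITING is still derived from CPUID_7_0_EBX_RDSEED alone with no check against the host's secondary controls.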
> > @@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s)
> > case MSR_IA32_UCODE_REV:
> > has_msr_ucode_rev = true;
> > break;
> > + case MSR_IA32_VMX_PROCBASED_CTLS2:
> > + has_msr_vmx_procbased_ctls2 = true;
> > + break;
> > }
> > }
> > }
> >
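Review bot: the new `case MSR_IA32_VMX_PROCBASED_CTLS2:` in kvm_get_supported_msrs() sets has_msr_vmx_procbased_ctls2, but the flag's declaration is not among the visible lines; it should sit with the other has_msr_* flags such as has_msr_ucode_rev. The `!has_msr_vmx_procbased_ctls2` test in the other hunk is only meaningful once this function has run, and a one-line comment at the flag saying so would make that ordering dependency explicit.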
>
>
--
Dr. David Alan Gilbert / address@hidden / Manchester, UK
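
The decoding done by hand in the message above, written out as an added example; it is not part of the original thread or of QEMU. The bit names and values are the ones listed in the message, the host mask is constructed from the rows marked "yes" in the quoted vmxcap output, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Secondary execution control bits, names and values as listed in the message. */
static const struct { uint32_t mask; const char *name; } ctls[] = {
    { 0x00010000, "VMX_SECONDARY_EXEC_RDSEED_EXITING" },
    { 0x00004000, "VMX_SECONDARY_EXEC_SHADOW_VMCS" },
    { 0x00001000, "VMX_SECONDARY_EXEC_ENABLE_INVPCID" },
    { 0x00000800, "VMX_SECONDARY_EXEC_RDRAND_EXITING" },
    { 0x00000020, "VMX_SECONDARY_EXEC_ENABLE_VPID" },
    { 0x00000008, "VMX_SECONDARY_EXEC_RDTSCP" },
    { 0x00000004, "VMX_SECONDARY_EXEC_DESC" },
    { 0x00000002, "VMX_SECONDARY_EXEC_ENABLE_EPT" },
};
#define NCTLS (sizeof(ctls) / sizeof(ctls[0]))

/* Constructed host mask: the rows marked "yes" in the quoted vmxcap output
 * (EPT, descriptor-table exiting, RDTSCP, VPID, RDRAND exiting, INVPCID). */
#define HOST_SECONDARY_CTLS 0x0000182eu

/* MSR 0x48b carries the allowed-1 settings in its upper 32 bits. */
static uint32_t allowed1(uint64_t msr_value) { return (uint32_t)(msr_value >> 32); }

/* Bits the caller asks for that the host does not offer. */
static uint32_t unsupported_ctls(uint64_t requested, uint32_t host)
{
    return allowed1(requested) & ~host;
}

/* Print each set bit by name; return any bits that have no name in the table. */
static uint32_t print_ctls(uint32_t bits)
{
    for (size_t i = 0; i < NCTLS; i++) {
        if (bits & ctls[i].mask) {
            printf("  %-36s 0x%08x\n", ctls[i].name, ctls[i].mask);
            bits &= ~ctls[i].mask;
        }
    }
    return bits;
}

int main(void)
{
    uint64_t requested = 0x1582e00000000ULL;  /* value from the error message */
    uint32_t bad = unsupported_ctls(requested, HOST_SECONDARY_CTLS);
    printf("requested 0x%08x, not offered by host 0x%08x\n", allowed1(requested), bad);
    return print_ctls(bad) ? 2 : (bad != 0);
}
```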