x86: nVMX: Basic test of interrupt-window exiting

Test various interrupt-window exiting scenarios. In the active
activity state, test without any blocking (with and without event
injection), with bl

x86: nVMX: Basic test of interrupt-window exiting

Test various interrupt-window exiting scenarios. In the active
activity state, test without any blocking (with and without event
injection), with blocking by MOV-SS, with blocking by STI, and with
RFLAGS.IF clear. In the halted activity state, test without any
blocking (with and without event injection).

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

x86: nVMX: Basic test of NMI-window exiting

Test various NMI-window exiting scenarios. In the active activity
state, test without any blocking, with blocking by MOV-SS, no blocking
with event inject

x86: nVMX: Basic test of NMI-window exiting

Test various NMI-window exiting scenarios. In the active activity
state, test without any blocking, with blocking by MOV-SS, no blocking
with event injection, and with blocking by NMI. In the halted activity
state, test without any blocking, with and without event injection.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

x86: nVMX: Test of IA32_TSC on VM-exit MSR-store list

When IA32_TSC is on the VM-exit MSR-store list, the value saved is not
subject to the "use TSC offsetting" VM-execution control for the
current

x86: nVMX: Test of IA32_TSC on VM-exit MSR-store list

When IA32_TSC is on the VM-exit MSR-store list, the value saved is not
subject to the "use TSC offsetting" VM-execution control for the
current VMCS.

Prior to commit e79f245ddec17 ("X86/KVM: Properly update 'tsc_offset'
to represent the running guest"), kvm did not handle this situation
properly.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

nVMX x86: Check VMX-preemption timer controls on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 gue

nVMX x86: Check VMX-preemption timer controls on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "activate VMX-preemption timer" VM-execution control is 0, the
the "save VMX-preemption timer value" VM-exit control must also be 0.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: Check enable-EPT on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "unr

nVMX x86: Check enable-EPT on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "unrestricted guest" VM-execution control is 1, the "enable EPT"
VM-execution control must also be 1.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: Check PML and EPT on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "

nVMX x86: Check PML and EPT on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "enable PML" VM-execution control is 1, the "enable EPT"
VM-execution control must also be 1. In addition, the PML address
must satisfy the following checks:

* Bits 11:0 of the address must be 0.
* The address should not set any bits beyond the processor's
physical-address width.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Basic test of #DB intercept in L1

Test a single-step trap delivered by hardware to set expectations, and
then test a single-step trap synthesized by L0 to see if those
expectations are me

x86: nVMX: Basic test of #DB intercept in L1

Test a single-step trap delivered by hardware to set expectations, and
then test a single-step trap synthesized by L0 to see if those
expectations are met. Single-step traps in simulated MOVSS-shadow are
tested as well.

As a bonus, test a single-step trap in a transactional region to set
expectations for that unusual case as well.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nvmx: Check #NM VM-exit reflection

When L1 intercepts #NM exceptions encountered in L2, the #NM exception
should always be reflected from L0 to L1.

Signed-off-by: Jim Mattson <jmattson@google.

x86: nvmx: Check #NM VM-exit reflection

When L1 intercepts #NM exceptions encountered in L2, the #NM exception
should always be reflected from L0 to L1.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: VMX: Verify blocked vCPU in guest-mode wake when pending interrupt in RVI

This test aims to verify that when entering a guest in HLT activity
state but with a pending interrupt in RVI, the gues

x86: VMX: Verify blocked vCPU in guest-mode wake when pending interrupt in RVI

This test aims to verify that when entering a guest in HLT activity
state but with a pending interrupt in RVI, the guest is in fact not
halted and an interrupt is indeed injected.

For more information, see commit message of kernel patch "KVM: nVMX:
Wake blocked vCPU in guest-mode if pending interrupt in virtual
APICv".

Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: VMX: Introduce util to enable virtual interrupt delivery

Should not change semantics.

Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle

x86: VMX: Introduce util to enable virtual interrupt delivery

Should not change semantics.

Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: VMX: Introduce util to disable intercept on x2APIC MSRs

Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon

x86: VMX: Introduce util to disable intercept on x2APIC MSRs

Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: VMX: Verify do not lose pending interrupt queued before entering halted guest

Add test similar to previous patch ("x86: VMX: Verify do not lose
pending interrupt queued before entering guest")

x86: VMX: Verify do not lose pending interrupt queued before entering halted guest

Add test similar to previous patch ("x86: VMX: Verify do not lose
pending interrupt queued before entering guest") but when guest
is configured with HLT activity-state.

Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: VMX: Verify do not lose pending interrupt queued before entering guest

This patch test the issue fixed by KVM commit "KVM: nVMX: Fix loss of
pending event before entering L2". The test aim to v

x86: VMX: Verify do not lose pending interrupt queued before entering guest

This patch test the issue fixed by KVM commit "KVM: nVMX: Fix loss of
pending event before entering L2". The test aim to verify that a pending
interrupt while interrupts are disabled is dispatched when we enter into
VMX guest instead of being lost.

The test configures VMCS to intercept external-interrupts and then
queue an interrupt by disabling interrupts and issue a self-IPI.
At this point, we enter guest and we expect CPU to immediately exit
guest on external-interrupt. To complete the test, we then re-enable
interrupts, verify interrupt is dispatched and re-enter guest to verify
it completes execution.

Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: Check EPTP on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the “enabl

nVMX x86: Check EPTP on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the “enable EPT†VM-execution control is 1, the EPTP VM-execution
control field must satisfy the following checks:

— The EPT memory type (bits 2:0) must be a value supported by the
processor as indicated in the IA32_VMX_EPT_VPID_CAP MSR.
— Bits 5:3 (1 less than the EPT page-walk length) must be 3,
indicating an EPT page-walk length of 4.
— Bit 6 (enable bit for accessed and dirty flags for EPT) must be
0 if bit 21 of the IA32_VMX_EPT_VPID_CAP MSR is read as 0,
indicating that the processor does not support accessed and dirty
flags for EPT.
— Reserved bits 11:7 and 63:N (where N is the processor’s
physical-address width) must all be 0.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20180919234238.26034-2-krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: Check VPID value on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the â€

nVMX x86: Check VPID value on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the “enable VPID†VM-execution control is 1, the value of the
of the VPID VM-execution control field must not be 0000H.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: check posted-interrupt control on vmentry of L2

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced on vmentry of L2 guests:

If

nVMX x86: check posted-interrupt control on vmentry of L2

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced on vmentry of L2 guests:

If the “process posted interrupts†VM-execution control is 1, the
following must be true:

- The “virtual-interrupt delivery†VM-execution control is 1.
- The “acknowledge interrupt on exit†VM-exit control is 1.
- The posted-interrupt notification vector has a value in the
- range 0–255 (bits 15:8 are all 0).
- Bits 5:0 of the posted-interrupt descriptor address are all 0.
- The posted-interrupt descriptor address does not set any bits
beyond the processor's physical-address width.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Message-Id: <20180824000304.19070-3-krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

remove incorrectly-duplicated commits

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

nVMX x86: "virtualize APIC accesses" must be unset if "virtualize x2APIC" is set

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced on vmentr

nVMX x86: "virtualize APIC accesses" must be unset if "virtualize x2APIC" is set

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced on vmentry of L2 guests:

If the "virtualize x2APIC mode" VM-execution control is 1, the
"virtualize APIC accesses" VM-execution control must be 0.

This unit-test validates the above vmentry check.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: APIC virtual controls must be unset if "Use TPR shadow" is unset

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L

nVMX x86: APIC virtual controls must be unset if "Use TPR shadow" is unset

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check needs to be enforced on vmentry of L2 guests:

If the "use TPR shadow" VM-execution control is 0, the following
VM-execution controls must also be 0: "virtualize x2APIC mode",
"APIC-register virtualization" and "virtual-interrupt delivery".

This unit-test validates the above vmentry check.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

nVMX x86: "external-interrupt exiting" must be set if "virtual-interrupt delivery" is set

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced

nVMX x86: "external-interrupt exiting" must be set if "virtual-interrupt delivery" is set

According to section "Checks on VMX Controls" in Intel SDM vol 3C,
the following check needs to be enforced on vmentry of L2 guests:

If the "virtual-interrupt delivery" VM-execution control is 1, the
"external-interrupt exiting" VM-execution control must be 1.

This unit-test validates the above vmentry check.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: vmx: remove xfail from invalid APIC-access page tests

KVM disables "virtualize APIC-accesses" if the APIC-access page
cannot be mapped (the feature is effectively disabled anyways if
the guest

x86: vmx: remove xfail from invalid APIC-access page tests

KVM disables "virtualize APIC-accesses" if the APIC-access page
cannot be mapped (the feature is effectively disabled anyways if
the guest can't access the page), i.e. KVM doesn't incorrectly
signal VMFail on a legal-but-unbacked APIC-access page.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: vmx: shift TPR threshold when generating vTPR

The TPR thresold field stores its value in bits 3:0, while the vTPR's
effective value is in bits 7:4. Shift the threshold value accordingly
when g

x86: vmx: shift TPR threshold when generating vTPR

The TPR thresold field stores its value in bits 3:0, while the vTPR's
effective value is in bits 7:4. Shift the threshold value accordingly
when generating an "interesting" vTPR, otherwise we'll always use an
effective vTPR of 0, which is...uninteresting.

Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: vmx: restore primary controls in test_tpr_threshold early return

test_tpr_threshold() could theoretically leave CPU_TPR_SHADOW set in
its early return path when none of the secondary controls n

x86: vmx: restore primary controls in test_tpr_threshold early return

test_tpr_threshold() could theoretically leave CPU_TPR_SHADOW set in
its early return path when none of the secondary controls needed for
the remaining tests are supported.

Fix the prefix for the TPR-enabled, sec_exec-disabled case.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Add tests for VMCS Shadowing

The test iterates over every possible valid VMCS field and verifies that:
- If VMWRITE/VMREAD bitmaps intercept both VMREAD & VMWRITE, then
VMREAD & VMWRITE

x86: nVMX: Add tests for VMCS Shadowing

The test iterates over every possible valid VMCS field and verifies that:
- If VMWRITE/VMREAD bitmaps intercept both VMREAD & VMWRITE, then
VMREAD & VMWRITE to this field is intercepted.
- If VMWRITE/VMREAD bitmaps intercept only VMREAD, then VMREAD of this
field is intercepted and VMWRITE is pass-throughed and written value
written correctly to shadow VMCS.
- If VMWRITE/VMREAD bitmaps intercept only VMWRITE, then VMWRITE of
this field is intercepted and VMREAD is pass-throughed and value is
read correctly from shadow VMCS.
- If VMWRITE/VMREAD bitmaps neither intercept VMWRITE nor VMREAD of
this field, then both VMREAD & VMWRITE of this field is pass-through
and value is written and read correctly from shadow VMCS.
- If field is pass-through for VMREAD/VMWRITE and field is not
supported by physical CPU, then VMREAD/VMWRITE to it from guest
should be intercepted with VMX_INST_ERROR equal to
VMXERR_UNSUPPORTED_VMCS_COMPONENT.

Above tests also verify that RFLAGS is updated correctly after
VMREAD/VMWRITE simulation/pass-through. In addition, these tests are
run again with shadow_vmcs==-1ull because this is a special valid case
in which VMREAD/VMWRITE to shadowed-fields should fail with RFLAGS.CF
being set.

In addition, these tests are also run against non-valid VMCS fields
(Fields having one bit set in bit-range 15-64. Each iteration with a
single bit set on a different position) and verify that all
VMREAD/VMWRITE to these fields are intercepted.

Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Define VMCS header

Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>