VirtualBox

Browse Source

Changeset 107854 in vbox for trunk/src/VBox/VMM

Timestamp:

Jan 18, 2025 11:59:26 PM (3 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

167053

Message:

x86.h,VMM: More AMD CPUID bits; addressed some old todos related to these; fixed bugs in svn & vmx world switcher (sanity checks, ++). jiraref:VBP-947 bugref:10738

Location:

trunk/src/VBox/VMM

Files:

: 11 edited

VMMAll/CPUMAllCpuId.cpp (modified) (4 diffs)
VMMR0/CPUMR0.cpp (modified) (4 diffs)
VMMR0/HMR0.cpp (modified) (2 diffs)
VMMR0/HMR0A.asm (modified) (15 diffs)
VMMR0/HMSVMR0.cpp (modified) (1 diff)
VMMR0/HMVMXR0.cpp (modified) (2 diffs)
VMMR3/CPUMR3CpuId.cpp (modified) (24 diffs)
VMMR3/CPUMR3Db.cpp (modified) (6 diffs)
include/CPUMInternal.h (modified) (3 diffs)
include/HMInternal.h (modified) (3 diffs)
include/HMInternal.mac (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/VMM/VMMAll/CPUMAllCpuId.cpp

-              r107749
+              r107854
+void cpumCpuIdExplodeFeaturesX86SetSummaryBits(CPUMFEATURESX86 *pFeatures)
+{
+    /* Summary or all bits indicating the presence of the IA32_SPEC_CTRL MSR. */
+    pFeatures->fSpecCtrlMsr = pFeatures->fIbrs
+                            | pFeatures->fStibp
+                            | pFeatures->fSsbd
+                            | pFeatures->fPsfd
+                            | pFeatures->fIpredCtrl
+                            | pFeatures->fRrsbaCtrl
+                            | pFeatures->fDdpdU
+                            | pFeatures->fBhiCtrl
+                            ;
+}
 int cpumCpuIdExplodeFeaturesX86(PCCPUMCPUIDLEAF paLeaves, uint32_t cLeaves, PCCPUMMSRS pMsrs, CPUMFEATURESX86 *pFeatures)
+{
 …
             pFeatures->fMmx            |= RT_BOOL(pExtLeaf->uEdx & X86_CPUID_AMD_FEATURE_EDX_MMX);
             pFeatures->fTsc            |= RT_BOOL(pExtLeaf->uEdx & X86_CPUID_AMD_FEATURE_EDX_TSC);
-            pFeatures->fIbpb           |= pExtLeaf8 && (pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_IBPB);
             pFeatures->fAmdMmxExts      = RT_BOOL(pExtLeaf->uEdx & X86_CPUID_AMD_FEATURE_EDX_AXMMX);
             pFeatures->fXop             = RT_BOOL(pExtLeaf->uEcx & X86_CPUID_AMD_FEATURE_ECX_XOP);
             pFeatures->fTbm             = RT_BOOL(pExtLeaf->uEcx & X86_CPUID_AMD_FEATURE_ECX_TBM);
             pFeatures->fSvm             = RT_BOOL(pExtLeaf->uEcx & X86_CPUID_AMD_FEATURE_ECX_SVM);
+            if (pExtLeaf8)
+            {
+                pFeatures->fIbpb      |= RT_BOOL(pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_IBPB);
+                pFeatures->fIbrs      |= RT_BOOL(pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_IBRS);
+                pFeatures->fStibp     |= RT_BOOL(pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_STIBP);
+                pFeatures->fSsbd      |= RT_BOOL(pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_SPEC_CTRL_SSBD);
+                pFeatures->fPsfd      |= RT_BOOL(pExtLeaf8->uEbx & X86_CPUID_AMD_EFEID_EBX_PSFD);
+            }
+            PCCPUMCPUIDLEAF pExtLeaf21 = cpumCpuIdFindLeaf(paLeaves, cLeaves, 0x80000021);
+            if (pExtLeaf21)
+            {
+                /** @todo IBPB_BRTYPE is implied on Zen 1 & 2.
+                 *  https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf */
+            }
             if (pFeatures->fSvm)
+            {
 …
     else
         AssertLogRelReturn(cLeaves == 0, VERR_CPUM_IPE_1);
+    cpumCpuIdExplodeFeaturesX86SetSummaryBits(pFeatures);
     return VINF_SUCCESS;
+}
 …
  * Helper for extracting feature bits from IA32_ARCH_CAPABILITIES.
  */
 static void cpumCpuIdExplodeArchCapabilities(CPUMFEATURESX86 *pFeatures, bool fHasArchCap, uint64_t fArchVal)
+void cpumCpuIdExplodeArchCapabilities(CPUMFEATURESX86 *pFeatures, bool fHasArchCap, uint64_t fArchVal)
+{
     Assert(fHasArchCap || fArchVal == 0);

trunk/src/VBox/VMM/VMMR0/CPUMR0.cpp

-              r107703
+              r107854
     /*
      * Get MSR_IA32_ARCH_CAPABILITIES and expand it into the host feature structure.
+     *
+     * AMD CPUs doesn't have this register, similar info is available in EBX in
+     * CPUID leaf 0x80000008
      */
     if (ASMHasCpuId())
+    {
-        /** @todo Should add this MSR to CPUMMSRS and expose it via SUPDrv... */
-        g_CpumHostFeatures.s.fArchRdclNo             = 0;
-        g_CpumHostFeatures.s.fArchIbrsAll            = 0;
-        g_CpumHostFeatures.s.fArchRsbOverride        = 0;
-        g_CpumHostFeatures.s.fArchVmmNeedNotFlushL1d = 0;
-        g_CpumHostFeatures.s.fArchMdsNo              = 0;
         uint32_t const cStdRange = ASMCpuId_EAX(0);
         if (   RTX86IsValidStdRange(cStdRange)
 …
             if (   (fStdExtFeaturesEdx & X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP)
                 && (fStdFeaturesEdx    & X86_CPUID_FEATURE_EDX_MSR))
+            {
+                uint64_t fArchVal = ASMRdMsr(MSR_IA32_ARCH_CAPABILITIES);
+                g_CpumHostFeatures.s.fArchRdclNo             = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_RDCL_NO);
+                g_CpumHostFeatures.s.fArchIbrsAll            = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_IBRS_ALL);
+                g_CpumHostFeatures.s.fArchRsbOverride        = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_RSBO);
+                g_CpumHostFeatures.s.fArchVmmNeedNotFlushL1d = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_VMM_NEED_NOT_FLUSH_L1D);
+                g_CpumHostFeatures.s.fArchMdsNo              = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_MDS_NO);
+            }
+            else
+                g_CpumHostFeatures.s.fArchCap = 0;
+                cpumCpuIdExplodeArchCapabilities(&g_CpumHostFeatures.s, true, ASMRdMsr(MSR_IA32_ARCH_CAPABILITIES));
+        }
+    }
 …
          * Note! We assume this happens after the CPUMR3Init is done, so CPUID bits are settled.
          */
+        uint64_t       fHostArchVal = 0;
+        bool           fHasArchCap  = false;
+        uint32_t const cStdRange    = ASMCpuId_EAX(0);
+        /** @todo Should add this MSR to CPUMMSRS and expose it via SUPDrv... */
+        uint32_t const cStdRange = ASMCpuId_EAX(0);
         if (   RTX86IsValidStdRange(cStdRange)
             && cStdRange >= 7)
 …
             if (   (fEdxFeatures & X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP)
                 && (fFeatures & X86_CPUID_FEATURE_EDX_MSR))
+            {
+                fHostArchVal = ASMRdMsr(MSR_IA32_ARCH_CAPABILITIES);
+                fHasArchCap  = true;
+            }
+        }
+        CPUMCpuIdApplyX86HostArchCapabilities(pVM, fHasArchCap, fHostArchVal);
+                CPUMCpuIdApplyX86HostArchCapabilities(pVM, true, ASMRdMsr(MSR_IA32_ARCH_CAPABILITIES));
+        }
         /*

trunk/src/VBox/VMM/VMMR0/HMR0.cpp

-              r106061
+              r107854
      * Configure defences against spectre and other CPU bugs.
      */
+    /* Determin the flags: */
     uint32_t fWorldSwitcher = 0;
+    uint32_t cLastStdLeaf   = ASMCpuId_EAX(0);
+    if (cLastStdLeaf >= 0x00000007 && RTX86IsValidStdRange(cLastStdLeaf))
+    {
+        uint32_t uEdx = 0;
+        ASMCpuIdExSlow(0x00000007, 0, 0, 0, NULL, NULL, NULL, &uEdx);
+        if (uEdx & X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB)
+        {
+            if (pVM->hm.s.fIbpbOnVmExit)
+                fWorldSwitcher |= HM_WSF_IBPB_EXIT;
+            if (pVM->hm.s.fIbpbOnVmEntry)
+                fWorldSwitcher |= HM_WSF_IBPB_ENTRY;
+        }
+        if (uEdx & X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD)
+        {
+            if (pVM->hm.s.fL1dFlushOnVmEntry)
+                fWorldSwitcher |= HM_WSF_L1D_ENTRY;
+            else if (pVM->hm.s.fL1dFlushOnSched)
+                fWorldSwitcher |= HM_WSF_L1D_SCHED;
+        }
+        if (uEdx & X86_CPUID_STEXT_FEATURE_EDX_MD_CLEAR)
+        {
+            if (pVM->hm.s.fMdsClearOnVmEntry)
+                fWorldSwitcher |= HM_WSF_MDS_ENTRY;
+            else if (pVM->hm.s.fMdsClearOnSched)
+                fWorldSwitcher |= HM_WSF_MDS_SCHED;
+        }
+    }
+    if (g_CpumHostFeatures.s.fIbpb)
+    {
+        if (pVM->hm.s.fIbpbOnVmExit)
+            fWorldSwitcher |= HM_WSF_IBPB_EXIT;
+        if (pVM->hm.s.fIbpbOnVmEntry)
+            fWorldSwitcher |= HM_WSF_IBPB_ENTRY;
+    }
+    if (g_CpumHostFeatures.s.fFlushCmd)
+    {
+        if (pVM->hm.s.fL1dFlushOnVmEntry)
+            fWorldSwitcher |= HM_WSF_L1D_ENTRY;
+        else if (pVM->hm.s.fL1dFlushOnSched)
+            fWorldSwitcher |= HM_WSF_L1D_SCHED;
+    }
+    if (g_CpumHostFeatures.s.fMdsClear)
+    {
+        if (pVM->hm.s.fMdsClearOnVmEntry)
+            fWorldSwitcher |= HM_WSF_MDS_ENTRY;
+        else if (pVM->hm.s.fMdsClearOnSched)
+            fWorldSwitcher |= HM_WSF_MDS_SCHED;
+    }
+    if (g_CpumHostFeatures.s.fSpecCtrlMsr)
+    {
+        /** @todo this may be too early for intel? */
+        if (pVM->cpum.ro.GuestFeatures.fSpecCtrlMsr)
+            fWorldSwitcher |= HM_WSF_SPEC_CTRL;
+    }
+    /* Distribute the flags. */
     for (VMCPUID idCpu = 0; idCpu < pVM->cCpus; idCpu++)
+    {
 …
+    }
     pVM->hm.s.ForR3.fWorldSwitcher = fWorldSwitcher;
     /*

trunk/src/VBox/VMM/VMMR0/HMR0A.asm

-              r106061
+              r107854
+;
 ; @note Important that this does not modify cbFrame or rsp.
+; @note HM_WSF_SPEC_CTRL is handled differently here at the moment.
 %macro RESTORE_STATE_VMX 4
         ; Restore base and limit of the IDTR & GDTR.
 …
  %endif
  %if %3 & HM_WSF_IBPB_EXIT
+ %if (%3) & HM_WSF_IBPB_EXIT
         ; Fight spectre (trashes rax, rdx and rcx).
   %if %1 = 0 ; Skip this in failure branch (=> guru)
 …
         mov     eax, [rsi + GVMCPU.hmr0 + HMR0PERVCPU.fWorldSwitcher]
         and     eax, HM_WSF_IBPB_ENTRY | HM_WSF_L1D_ENTRY | HM_WSF_MDS_ENTRY | HM_WSF_IBPB_EXIT
         cmp     eax, %3
+        and     eax, HM_WSF_IBPB_ENTRY | HM_WSF_L1D_ENTRY | HM_WSF_MDS_ENTRY | HM_WSF_IBPB_EXIT ; | HM_WSF_SPEC_CTRL
+        cmp     eax, (%3)
         mov     eax, VERR_VMX_STARTVM_PRECOND_1
         jne     NAME(RT_CONCAT(hmR0VmxStartVmHostRIP,%1).precond_failure_return)
 …
         ; Fight spectre and similar. Trashes rax, rcx, and rdx.
+        ;
  %if %3 & (HM_WSF_IBPB_ENTRY | HM_WSF_L1D_ENTRY)  ; The eax:edx value is the same for the first two.
+ %if (%3) & (HM_WSF_IBPB_ENTRY | HM_WSF_L1D_ENTRY)  ; The eax:edx value is the same for the first two.
         AssertCompile(MSR_IA32_PRED_CMD_F_IBPB == MSR_IA32_FLUSH_CMD_F_L1D)
         mov     eax, MSR_IA32_PRED_CMD_F_IBPB
         xor     edx, edx
  %endif
  %if %3 & HM_WSF_IBPB_ENTRY             ; Indirect branch barrier.
+ %if (%3) & HM_WSF_IBPB_ENTRY             ; Indirect branch barrier.
         mov     ecx, MSR_IA32_PRED_CMD
         wrmsr
  %endif
  %if %3 & HM_WSF_L1D_ENTRY              ; Level 1 data cache flush.
+ %if (%3) & HM_WSF_L1D_ENTRY              ; Level 1 data cache flush.
         mov     ecx, MSR_IA32_FLUSH_CMD
         wrmsr
  %elif %3 & HM_WSF_MDS_ENTRY            ; MDS flushing is included in L1D_FLUSH
+ %elif (%3) & HM_WSF_MDS_ENTRY            ; MDS flushing is included in L1D_FLUSH
         mov     word [rbp + frm_MDS_seg], ds
         verw    word [rbp + frm_MDS_seg]
 …
  %endif  ; %4 != 0
+.return_with_restored_preserved_registers:
         lea     rsp, [rbp + frm_fRFlags]
         popf
 …
    %error Bad frame size value: cbFrame, expected cbBaseFrame
   %endif
         jmp     .vmstart64_end
+        jmp     .return_with_restored_preserved_registers
  %endif
 …
 ; @param    1   The suffix of the variation.
 ; @param    2   fLoadSaveGuestXcr0 value
 ; @param    3   The HM_WSF_IBPB_ENTRY + HM_WSF_IBPB_EXIT value.
+; @param    3   The HM_WSF_IBPB_ENTRY + HM_WSF_IBPB_EXIT + HM_WSF_SPEC_CTRL value.
 ; @param    4   The SSE saving/restoring: 0 to do nothing, 1 to do it manually, 2 to use xsave/xrstor.
 ;               Drivers shouldn't use AVX registers without saving+loading:
 …
         SEH64_SET_FRAME_xBP 0
         pushf
   %assign cbFrame            30h
+  %assign cbFrame            40h
  %if %4 != 0
   %assign cbFrame            cbFrame + 16 * 11  ; Reserve space for 10x 128-bit XMM registers and MXCSR (32-bit)
 …
  %define frm_pGstCtx         -028h              ; Where we stash guest CPU context for use after the vmrun.
  %define frm_HCPhysVmcbHost  -030h              ; Where we stash HCPhysVmcbHost for the vmload after vmrun.
+ %define frm_uHostSpecCtrl   -040h              ; Saved IA32_MSR_SPEC_CTRL value.
  %if %4 != 0
   %define frm_saved_xmm6     -040h
   %define frm_saved_xmm7     -050h
   %define frm_saved_xmm8     -060h
   %define frm_saved_xmm9     -070h
   %define frm_saved_xmm10    -080h
   %define frm_saved_xmm11    -090h
   %define frm_saved_xmm12    -0a0h
   %define frm_saved_xmm13    -0b0h
   %define frm_saved_xmm14    -0c0h
   %define frm_saved_xmm15    -0d0h
   %define frm_saved_mxcsr    -0e0h
+  %define frm_saved_xmm6     -050h
+  %define frm_saved_xmm7     -060h
+  %define frm_saved_xmm8     -070h
+  %define frm_saved_xmm9     -080h
+  %define frm_saved_xmm10    -090h
+  %define frm_saved_xmm11    -0a0h
+  %define frm_saved_xmm12    -0b0h
+  %define frm_saved_xmm13    -0c0h
+  %define frm_saved_xmm14    -0d0h
+  %define frm_saved_xmm15    -0e0h
+  %define frm_saved_mxcsr    -0f0h
  %endif
 …
         mov     eax, [rsi + GVMCPU.hmr0 + HMR0PERVCPU.fWorldSwitcher]
         and     eax, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT
         cmp     eax, %3
+        and     eax, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT | HM_WSF_SPEC_CTRL
+        cmp     eax, (%3)
         mov     eax, VERR_SVM_VMRUN_PRECOND_1
         jne     .failure_return
 …
  %endif
+ %if (%3) & HM_WSF_SPEC_CTRL
+        ; Save host MSR_IA32_SPEC_CTRL and load the guest one (trashes rax, rdx, rcx, rbx).
+        ; HACK ALERT! Boldly ASSUMES that CPUMCTXMSRS follows immediately after GstCtx (CPUMCTX).
+        mov     rbx, [rsi + VMCPU.cpum.GstCtx + CPUMCTX_size + CPUMCTXMSRS.msr.SpecCtrl] ; rbx = guest IA32_SPEC_CTRL
+        mov     ecx, MSR_IA32_SPEC_CTRL
+        rdmsr                               ; edx:eax = host IA32_SPEC_CTRL value
+        shl     rdx, 32
+        or      rdx, rax                    ; rdx = host IA32_SPEC_CTRL value
+        mov     [rbp + frm_uHostSpecCtrl], rdx
+        cmp     rdx, rbx                    ; avoid wrmsr if we can.
+        je      .skip_spec_ctrl_load
+        mov     eax, ebx
+        mov     rdx, rbx
+        shr     rdx, 32
+        wrmsr
+.skip_spec_ctrl_load:
+ %endif
         ; Save host fs, gs, sysenter msr etc.
         mov     rax, [rsi + GVMCPU.hmr0 + HMR0PERVCPU.svm + HMR0CPUSVM.HCPhysVmcbHost]
 …
         vmsave
  %if %3 & HM_WSF_IBPB_ENTRY
+ %if (%3) & HM_WSF_IBPB_ENTRY
         ; Fight spectre (trashes rax, rdx and rcx).
         mov     ecx, MSR_IA32_PRED_CMD
 …
         mov     r15, [rbp + frm_saved_r15]
  %if %4 != 0
         ; Set r8 = &pVCpu->cpum.GstCtx; for use below when saving and restoring SSE state.
+ %if %4 != 0 || ((%3) & HM_WSF_SPEC_CTRL)
+        ; Set r8 = &pVCpu->cpum.GstCtx; for use below when saving and restoring SSE state as well as for IA32_SPEC_CTRL.
         mov     r8, rcx
  %endif
  %if %3 & HM_WSF_IBPB_EXIT
+ %if (%3) & HM_WSF_IBPB_EXIT
         ; Fight spectre (trashes rax, rdx and rcx).
         mov     ecx, MSR_IA32_PRED_CMD
 …
         mov     rax, [rbp + frm_uHostXcr0]
         xsetbv
+ %endif
+ %if (%3) & HM_WSF_SPEC_CTRL
+        ; Save guest MSR_IA32_SPEC_CTRL and load the host one (trashes rax, rdx, rcx, r10).
+        mov     r10, [rbp + frm_uHostSpecCtrl] ; r10 = host IA32_SPEC_CTRL
+        mov     ecx, MSR_IA32_SPEC_CTRL
+        rdmsr                               ; edx:eax = guest IA32_SPEC_CTRL value
+        shl     rdx, 32
+        or      rdx, rax                    ; rdx = guest IA32_SPEC_CTRL value
+        ; HACK ALERT! Boldly ASSUMES that CPUMCTXMSRS follows immediately after GstCtx (CPUMCTX).
+        mov     [r8 + CPUMCTX_size + CPUMCTXMSRS.msr.SpecCtrl], rdx ; saved guest IA32_SPEC_CTRL
+        cmp     rdx, r10                    ; avoid wrmsr if we can.
+        je      .skip_spec_ctrl_restore
+        mov     eax, r10d
+        mov     rdx, r10
+        shr     rdx, 32
+        wrmsr
+.skip_spec_ctrl_restore:
  %endif
 …
 ; Instantiate the hmR0SvmVmRun various variations.
+;
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit,           0, 0,                                    0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit,           1, 0,                                    0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit,           0, HM_WSF_IBPB_ENTRY,                    0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit,           1, HM_WSF_IBPB_ENTRY,                    0
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit,           0, HM_WSF_IBPB_EXIT,                     0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit,           1, HM_WSF_IBPB_EXIT,                     0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit,           0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit,           1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 0
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl,           0, 0,                                                       0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl,           1, 0,                                                       0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl,           0, HM_WSF_IBPB_ENTRY,                                       0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl,           1, HM_WSF_IBPB_ENTRY,                                       0
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl,           0, HM_WSF_IBPB_EXIT,                                        0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl,           1, HM_WSF_IBPB_EXIT,                                        0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl,           0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl,           1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    0
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl,           0, HM_WSF_SPEC_CTRL,                                        0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl,           1, HM_WSF_SPEC_CTRL,                                        0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl,           0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl,           1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    0
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl,           0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl,           1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl,           0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 0
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl,           1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 0
 %ifdef VBOX_WITH_KERNEL_USING_XMM
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_SseManual, 0, 0,                                    1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_SseManual, 1, 0,                                    1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_SseManual, 0, HM_WSF_IBPB_ENTRY,                    1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_SseManual, 1, HM_WSF_IBPB_ENTRY,                    1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_SseManual, 0, HM_WSF_IBPB_EXIT,                     1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_SseManual, 1, HM_WSF_IBPB_EXIT,                     1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_SseManual, 0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_SseManual, 1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_SseXSave,  0, 0,                                    2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_SseXSave,  1, 0,                                    2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_SseXSave,  0, HM_WSF_IBPB_ENTRY,                    2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_SseXSave,  1, HM_WSF_IBPB_ENTRY,                    2
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_SseXSave,  0, HM_WSF_IBPB_EXIT,                     2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_SseXSave,  1, HM_WSF_IBPB_EXIT,                     2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_SseXSave,  0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_SseXSave,  1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 2
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl_SseManual, 0, 0,                                                       1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl_SseManual, 1, 0,                                                       1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl_SseManual, 0, HM_WSF_IBPB_ENTRY,                                       1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl_SseManual, 1, HM_WSF_IBPB_ENTRY,                                       1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl_SseManual, 0, HM_WSF_IBPB_EXIT,                                        1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl_SseManual, 1, HM_WSF_IBPB_EXIT,                                        1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl_SseManual, 0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl_SseManual, 1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl_SseManual, 0, HM_WSF_SPEC_CTRL,                                        1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl_SseManual, 1, HM_WSF_SPEC_CTRL,                                        1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl_SseManual, 0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl_SseManual, 1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl_SseManual, 0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     1
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl_SseManual, 1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     1
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl_SseManual, 0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 1
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl_SseManual, 1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 1
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl_SseXSave,  0, 0,                                                       2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl_SseXSave,  1, 0,                                                       2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl_SseXSave,  0, HM_WSF_IBPB_ENTRY,                                       2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl_SseXSave,  1, HM_WSF_IBPB_ENTRY,                                       2
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl_SseXSave,  0, HM_WSF_IBPB_EXIT,                                        2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl_SseXSave,  1, HM_WSF_IBPB_EXIT,                                        2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl_SseXSave,  0, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl_SseXSave,  1, HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT,                    2
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl_SseXSave,  0, HM_WSF_SPEC_CTRL,                                        2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl_SseXSave,  1, HM_WSF_SPEC_CTRL,                                        2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl_SseXSave,  0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl_SseXSave,  1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY,                    2
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl_SseXSave,  0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     2
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl_SseXSave,  1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_EXIT,                     2
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl_SseXSave,  0, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 2
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl_SseXSave,  1, HM_WSF_SPEC_CTRL | HM_WSF_IBPB_ENTRY | HM_WSF_IBPB_EXIT, 2
 %endif

trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp

-              r107113
+              r107854
     static const struct CLANGWORKAROUND { PFNHMSVMVMRUN pfn; } s_aHmR0SvmVmRunFunctions[] =
+    {
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit },
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit },
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl },
+        { hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl },
     };
     uintptr_t const idx = (pVCpu->hmr0.s.fLoadSaveGuestXcr0                 ? 1 : 0)
                         | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_IBPB_ENTRY ? 2 : 0)
+                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_IBPB_EXIT  ? 4 : 0);
+                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_IBPB_EXIT  ? 4 : 0)
+                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_SPEC_CTRL  ? 8 : 0);
     PFNHMSVMVMRUN const pfnVMRun = s_aHmR0SvmVmRunFunctions[idx].pfn;
     if (pVCpu->hmr0.s.svm.pfnVMRun != pfnVMRun)

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

-              r107731
+              r107854
      * #GP), but we don't currently do so for performance raisins/laziness.
      */
     if (pVM->cpum.ro.GuestFeatures.fIbpb)
+    if (pVM->cpum.ro.GuestFeatures.fIbpb /*    && g_CpumHostFeatures.s.fIbpb*/)
         hmR0VmxSetMsrPermission(pVCpu, pVmcsInfo, false, MSR_IA32_PRED_CMD,  VMXMSRPM_ALLOW_RD_WR);
     if (pVM->cpum.ro.GuestFeatures.fFlushCmd)
+    if (pVM->cpum.ro.GuestFeatures.fFlushCmd && g_CpumHostFeatures.s.fFlushCmd)
         hmR0VmxSetMsrPermission(pVCpu, pVmcsInfo, false, MSR_IA32_FLUSH_CMD, VMXMSRPM_ALLOW_RD_WR);
     if (pVM->cpum.ro.GuestFeatures.fIbrs)
+    if (pVM->cpum.ro.GuestFeatures.fIbrs     && g_CpumHostFeatures.s.fIbrs)
         hmR0VmxSetMsrPermission(pVCpu, pVmcsInfo, false, MSR_IA32_SPEC_CTRL, VMXMSRPM_ALLOW_RD_WR);
 …
         /* Speculation Control (R/W). */
         HMVMX_CPUMCTX_ASSERT(pVCpu, HM_CHANGED_GUEST_OTHER_MSRS);
         if (pVM->cpum.ro.GuestFeatures.fIbrs)
+        if (pVM->cpum.ro.GuestFeatures.fIbrs && g_CpumHostFeatures.s.fIbrs)
+        {
             int rc = hmR0VmxAddAutoLoadStoreMsr(pVCpu, pVmxTransient, MSR_IA32_SPEC_CTRL, CPUMGetGuestSpecCtrl(pVCpu),

trunk/src/VBox/VMM/VMMR3/CPUMR3CpuId.cpp

-              r107749
+              r107854
  *                      insert.
  */
 static int cpumR3CpuIdInsert(PVM pVM, PCPUMCPUIDLEAF *ppaLeaves, uint32_t *pcLeaves, PCPUMCPUIDLEAF pNewLeaf)
+static int cpumR3CpuIdInsert(PVM pVM, PCPUMCPUIDLEAF *ppaLeaves, uint32_t *pcLeaves, PCCPUMCPUIDLEAF pNewLeaf)
+{
     /*
 …
     bool            fForceVme;
     bool            fNestedHWVirt;
+    bool            fSpecCtrl;
     CPUMISAEXTCFG   enmCmpXchg16b;
 …
      * currently not doing the apic id assignments in a compatible manner.
      */
+    bool fAmdGstSupIbpb = false; /* Used below. */
     uSubLeaf = 0;
     while ((pCurLeaf = cpumR3CpuIdGetExactLeaf(pCpum, UINT32_C(0x80000008), uSubLeaf)) != NULL)
 …
+        {
             /* Expose XSaveErPtr aka RstrFpErrPtrs to guest. */
+            pCurLeaf->uEbx &= X86_CPUID_AMD_EFEID_EBX_XSAVE_ER_PTR;  /* reserved - [12] == IBPB */
+            pCurLeaf->uEbx &= 0
+                           //| X86_CPUID_AMD_EFEID_EBX_CLZERO
+                           //| X86_CPUID_AMD_EFEID_EBX_IRPERF
+                           //| X86_CPUID_AMD_EFEID_EBX_XSAVE_ER_PTR
+                           //| X86_CPUID_AMD_EFEID_EBX_INVLPGB
+                           //| X86_CPUID_AMD_EFEID_EBX_RDPRU
+                           //| X86_CPUID_AMD_EFEID_EBX_BE
+                           //| X86_CPUID_AMD_EFEID_EBX_MCOMMIT
+                           | (pConfig->fSpecCtrl || PASSTHRU_FEATURE(pConfig->enmFlushCmdMsr, pHstFeat->fFlushCmd, true)
+                              ? X86_CPUID_AMD_EFEID_EBX_IBPB : 0)
+                           //| X86_CPUID_AMD_EFEID_EBX_INT_WBINVD
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_IBRS : 0)
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_STIBP : 0)
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_IBRS_ALWAYS_ON : 0)
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_STIBP_ALWAYS_ON : 0)
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_IBRS_PREFERRED : 0)
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_IBRS_SAME_MODE : 0)
+                           //| X86_CPUID_AMD_EFEID_EBX_NO_EFER_LMSLE
+                           //| X86_CPUID_AMD_EFEID_EBX_INVLPGB_NESTED_PAGES
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_SPEC_CTRL_SSBD : 0)
+                           /// @todo | X86_CPUID_AMD_EFEID_EBX_VIRT_SPEC_CTRL_SSBD
+                           | X86_CPUID_AMD_EFEID_EBX_SSBD_NOT_REQUIRED
+                           //| X86_CPUID_AMD_EFEID_EBX_CPPC
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_PSFD : 0)
+                           | X86_CPUID_AMD_EFEID_EBX_BTC_NO
+                           | (pConfig->fSpecCtrl ? X86_CPUID_AMD_EFEID_EBX_IBPB_RET : 0);
+            PORTABLE_DISABLE_FEATURE_BIT_CFG(3, pCurLeaf->uEbx, IBPB, X86_CPUID_AMD_EFEID_EBX_IBPB, pConfig->enmFlushCmdMsr);
+            /* Sharing this forced setting with intel would maybe confuse guests... */
+            if (pConfig->enmFlushCmdMsr == CPUMISAEXTCFG_ENABLED_ALWAYS)
+                pCurLeaf->uEbx |= X86_CPUID_AMD_EFEID_EBX_IBPB;
+            fAmdGstSupIbpb = RT_BOOL(pCurLeaf->uEbx & X86_CPUID_AMD_EFEID_EBX_IBPB);
+        }
         else
 …
+    }
+    /* Cpuid 0x8000001f...0x8ffffffd: Unknown.
+    /* Cpuid 0x80000020: Platform Quality of Service (PQOS), may have subleaves.
+     * For now we just zero it.  */
+    pCurLeaf = cpumR3CpuIdGetExactLeaf(pCpum, UINT32_C(0x80000020), 0);
+    if (pCurLeaf)
+    {
+        pCurLeaf = cpumR3CpuIdMakeSingleLeaf(pCpum, pCurLeaf);
+        cpumR3CpuIdZeroLeaf(pCpum, UINT32_C(0x80000020));
+    }
+    /* Cpuid 0x80000021: Extended Feature 2 (Zen3+?).
+     *
+     */
+    pCurLeaf = cpumR3CpuIdGetExactLeaf(pCpum, UINT32_C(0x80000021), 0);
+    if (pCurLeaf)
+    {
+        /** @todo sanitize these bits! */
+        pCurLeaf->uEax = 0;
+        pCurLeaf->uEbx = 0;
+        pCurLeaf->uEcx = 0;
+        pCurLeaf->uEdx = 0;
+    }
+    /* Linux expects us as a hypervisor to insert this leaf for Zen 1 & 2 CPUs
+       iff IBPB is available to the guest. This is also documented by AMD in
+       "TECHNICAL UPDATE REGARDING SPECULATIVE RETURN STACK OVERFLOW" rev 2.0
+       dated 2024-02-00. */
+    else if (   fAmdGstSupIbpb
+             && (   pCpum->GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_AMD
+                 || pCpum->GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_HYGON)
+             && (pExtFeatureLeaf = cpumR3CpuIdGetExactLeaf(pCpum, UINT32_C(0x80000001), 0)) != NULL
+             && RTX86GetCpuFamily(pExtFeatureLeaf->uEax) == 0x17)
+    {
+        static CPUMCPUIDLEAF const s_NewLeaf =
+        {
+            /* .uLeaf =*/           UINT32_C(0x80000021),
+            /* .uSubLeaf = */       0,
+            /* .fSubLeafMask = */   0,
+            /* .uEax = */           X86_CPUID_AMD_21_EAX_IBPB_BRTYPE,
+            /* .uEbx = */           0,
+            /* .uEcx = */           0,
+            /* .uEdx = */           0,
+            /* .fFlags = */         0,
+        };
+        int const rc2 = cpumR3CpuIdInsert(NULL, &pCpum->GuestInfo.paCpuIdLeavesR3, &pCpum->GuestInfo.cCpuIdLeaves, &s_NewLeaf);
+        AssertRC(rc2);
+        pCurLeaf = cpumR3CpuIdGetExactLeaf(pCpum, UINT32_C(0x80000000), 0);
+        if (pCurLeaf && pCurLeaf->uEax < UINT32_C(0x80000021))
+            pCurLeaf->uEax = UINT32_C(0x80000021);
+    }
+    /* Cpuid 0x80000022...0x8ffffffd: Unknown.
      * We don't know these and what they mean, so remove them. */
     cpumR3CpuIdRemoveRange(pCpum->GuestInfo.paCpuIdLeavesR3, &pCpum->GuestInfo.cCpuIdLeaves,
                            UINT32_C(0x8000001f), UINT32_C(0x8ffffffd));
+                           UINT32_C(0x80000022), UINT32_C(0x8ffffffd));
     /* Cpuid 0x8ffffffe: Mystery AMD K6 leaf.
 …
      * leaf are removed.  The default is set to what we're able to sanitize.
      */
     rc = CFGMR3QueryU32Def(pCpumCfg, "MaxExtLeaf", &pConfig->uMaxExtLeaf, UINT32_C(0x8000001e));
+    rc = CFGMR3QueryU32Def(pCpumCfg, "MaxExtLeaf", &pConfig->uMaxExtLeaf, UINT32_C(0x80000021));
     AssertLogRelRCReturn(rc, rc);
 …
     rc = CFGMR3QueryU32Def(pCpumCfg, "MaxCentaurLeaf", &pConfig->uMaxCentaurLeaf, UINT32_C(0xc0000004));
     AssertLogRelRCReturn(rc, rc);
+    /** @cfgm{/CPUM/SpecCtrl, bool, false}
+     * Enables passing thru IA32_SPEC_CTRL and associated CPU bugfixes.
+     */
+    rc = CFGMR3QueryBoolDef(pCpumCfg, "SpecCtrl", &pConfig->fSpecCtrl, false);
+    AssertRCReturn(rc, rc);
 #ifdef RT_ARCH_AMD64 /** @todo next VT-x/AMD-V on non-AMD64 hosts */
 …
              */
             if (RT_SUCCESS(rc))
                 rc = cpumR3MsrReconcileWithCpuId(pVM);
+                rc = cpumR3MsrReconcileWithCpuId(pVM, false, false);
             /*
              * MSR fudging.
 …
                 /* Check if speculation control is enabled. */
+                rc = CFGMR3QueryBoolDef(pCpumCfg, "SpecCtrl", &fEnable, false);
+                AssertRCReturn(rc, rc);
+                if (fEnable)
+                if (Config.fSpecCtrl)
                     CPUMR3SetGuestCpuIdFeature(pVM, CPUMCPUIDFEATURE_SPEC_CTRL);
                 else
 …
                         if (pLeaf)
+                        {
                             pLeaf->uEbx |= X86_CPUID_AMD_EFEID_EBX_NO_SSBD_REQUIRED;
+                            pLeaf->uEbx |= X86_CPUID_AMD_EFEID_EBX_SSBD_NOT_REQUIRED;
                             LogRel(("CPUM: Set SSBD not required flag for AMD to work around some buggy Linux kernels!\n"));
+                        }
 …
          */
         case CPUMCPUIDFEATURE_SPEC_CTRL:
+        {
+            AssertReturnVoid(!pVM->cpum.s.GuestFeatures.fSpeculationControl); /* should only be done once! */
+#ifdef RT_ARCH_AMD64
+            if (!pVM->cpum.s.HostFeatures.s.fIbpb && !pVM->cpum.s.HostFeatures.s.fIbrs)
+            {
+                LogRel(("CPUM: WARNING! Can't turn on Speculation Control when the host doesn't support it!\n"));
+                return;
+            }
+#endif
+            bool fForceSpecCtrl = false;
+            bool fForceFlushCmd = false;
+            /*
+             * Intel spread feature info around a bit...
+             */
             if (pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_INTEL)
+            {
                 pLeaf = cpumR3CpuIdGetExactLeaf(&pVM->cpum.s, UINT32_C(0x00000007), 0);
+#ifdef RT_ARCH_AMD64
+                if (   !pLeaf
+                    || !(pVM->cpum.s.HostFeatures.s.fIbpb || pVM->cpum.s.HostFeatures.s.fIbrs))
+                if (!pLeaf)
+                {
                     LogRel(("CPUM: WARNING! Can't turn on Speculation Control when the host doesn't support it!\n"));
+                    LogRel(("CPUM: WARNING! Can't turn on Speculation Control on Intel CPUs without leaf 0x00000007!\n"));
                     return;
+                }
+#else
+                if (!pLeaf)
+                {
+                    LogRel(("CPUM: WARNING! Can't turn on Speculation Control without leaf 0x00000007!\n"));
+                    return;
+                }
+#endif
+                /* The feature can be enabled. Let's see what we can actually do. */
+                pVM->cpum.s.GuestFeatures.fSpeculationControl = 1;
+                /* Okay, the feature can be enabled. Let's see what we can actually do. */
 #ifdef RT_ARCH_AMD64
 …
                     pLeaf->uEdx |= X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB;
                     pVM->cpum.s.GuestFeatures.fIbrs = 1;
+                    pVM->cpum.s.GuestFeatures.fIbpb = 1;
 #ifdef RT_ARCH_AMD64
                     if (pVM->cpum.s.HostFeatures.s.fStibp)
 …
                             pVM->cpum.s.GuestFeatures.fBhiCtrl = 1;
+                        }
+                        fForceSpecCtrl = true;
+                    }
+                    /* Make sure we have the speculation control MSR... */
+                    pMsrRange = cpumLookupMsrRange(pVM, MSR_IA32_SPEC_CTRL);
+                    if (!pMsrRange)
+                    {
+                        static CPUMMSRRANGE const s_SpecCtrl =
+                        {
+                            /*.uFirst =*/ MSR_IA32_SPEC_CTRL, /*.uLast =*/ MSR_IA32_SPEC_CTRL,
+                            /*.enmRdFn =*/ kCpumMsrRdFn_Ia32SpecCtrl, /*.enmWrFn =*/ kCpumMsrWrFn_Ia32SpecCtrl,
+                            /*.offCpumCpu =*/ UINT16_MAX, /*.fReserved =*/ 0, /*.uValue =*/ 0, /*.fWrIgnMask =*/ 0, /*.fWrGpMask =*/ 0,
+                            /*.szName = */ "IA32_SPEC_CTRL"
+                        };
+                        int rc = CPUMR3MsrRangesInsert(pVM, &s_SpecCtrl);
+                        AssertLogRelRC(rc);
+                    }
+                    /* ... and the predictor command MSR. */
+                    pMsrRange = cpumLookupMsrRange(pVM, MSR_IA32_PRED_CMD);
+                    if (!pMsrRange)
+                    {
+                        /** @todo incorrect fWrGpMask. */
+                        static CPUMMSRRANGE const s_SpecCtrl =
+                        {
+                            /*.uFirst =*/ MSR_IA32_PRED_CMD, /*.uLast =*/ MSR_IA32_PRED_CMD,
+                            /*.enmRdFn =*/ kCpumMsrRdFn_WriteOnly, /*.enmWrFn =*/ kCpumMsrWrFn_Ia32PredCmd,
+                            /*.offCpumCpu =*/ UINT16_MAX, /*.fReserved =*/ 0, /*.uValue =*/ 0, /*.fWrIgnMask =*/ 0, /*.fWrGpMask =*/ 0,
+                            /*.szName = */ "IA32_PRED_CMD"
+                        };
+                        int rc = CPUMR3MsrRangesInsert(pVM, &s_SpecCtrl);
+                        AssertLogRelRC(rc);
+                    }
+                }
+#ifdef RT_ARCH_AMD64
+                if (pVM->cpum.s.HostFeatures.s.fFlushCmd)
+#endif
+                {
+                    pLeaf->uEdx |= X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD;
+                    pVM->cpum.s.GuestFeatures.fFlushCmd = 1;
+                    fForceFlushCmd = true;
+                }
 …
 #endif
+                {
+                    /* Install the architectural capabilities MSR. */
+                    pMsrRange = cpumLookupMsrRange(pVM, MSR_IA32_ARCH_CAPABILITIES);
+                    if (!pMsrRange)
+                    {
+                        static CPUMMSRRANGE const s_ArchCaps =
+                        {
+                            /*.uFirst =*/ MSR_IA32_ARCH_CAPABILITIES, /*.uLast =*/ MSR_IA32_ARCH_CAPABILITIES,
+                            /*.enmRdFn =*/ kCpumMsrRdFn_Ia32ArchCapabilities, /*.enmWrFn =*/ kCpumMsrWrFn_ReadOnly,
+                            /*.offCpumCpu =*/ UINT16_MAX, /*.fReserved =*/ 0, /*.uValue =*/ 0, /*.fWrIgnMask =*/ 0, /*.fWrGpMask =*/ UINT64_MAX,
+                            /*.szName = */ "IA32_ARCH_CAPABILITIES"
+                        };
+                        int rc = CPUMR3MsrRangesInsert(pVM, &s_ArchCaps);
+                        AssertLogRelRC(rc);
+                    }
+                    pLeaf->uEdx |= X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP;
+                    pVM->cpum.s.GuestFeatures.fArchCap = 1;
                     /* Advertise IBRS_ALL if present at this point... */
 …
                         VMCC_FOR_EACH_VMCPU_STMT(pVM, pVCpu->cpum.s.GuestMsrs.msr.ArchCaps |= MSR_IA32_ARCH_CAP_F_IBRS_ALL);
+                }
+                LogRel(("CPUM: SetGuestCpuIdFeature: Enabled Speculation Control.\n"));
+                cpumCpuIdExplodeFeaturesX86SetSummaryBits(&pVM->cpum.s.GuestFeatures);
+            }
+            /*
+             * AMD does things in a different (better) way.  No MSR with info,
+             * it's all in various CPUID leaves.
+             */
             else if (   pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_AMD
                      || pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_HYGON)
+            {
                 /* The precise details of AMD's implementation are not yet clear. */
+                pLeaf = cpumR3CpuIdGetExactLeaf(&pVM->cpum.s, UINT32_C(0x80000008), 0);
+                if (!pLeaf)
+                {
+                    LogRel(("CPUM: WARNING! Can't turn on Speculation Control on AMD CPUs without leaf 0x80000008!\n"));
+                    return;
+                }
+                /* We passthru all the host cpuid bits on AMD, see cpumR3CpuIdSanitize,
+                   and there is no code to clear/unset the feature.  So, little to do.
+                   The only thing we could consider here, is to re-enable stuff
+                   suppressed for portability reasons. */
+            }
+            else
+                break;
+            LogRel(("CPUM: SetGuestCpuIdFeature: Enabled Speculation Control.\n"));
+            pVM->cpum.s.GuestFeatures.fSpeculationControl = 1;
+            cpumR3MsrReconcileWithCpuId(pVM, fForceFlushCmd, fForceSpecCtrl);
             break;
+        }
         default:
 …
     DBGFREGSUBFIELD_RO("EferLmsleUnsupported\0" "EFER.LMSLE is unsupported",            20, 1, 0),
     DBGFREGSUBFIELD_RO("INVLPGBnestedPages\0"   "INVLPGB for nested translation",       21, 1, 0),
+    DBGFREGSUBFIELD_RO("PPIN\0"         "Protected processor inventory number",         23, 1, 0),
     DBGFREGSUBFIELD_RO("SSBD\0"         "Speculative Store Bypass Disable",             24, 1, 0),
     DBGFREGSUBFIELD_RO("SsbdVirtSpecCtrl\0"     "Use VIRT_SPEC_CTL for SSBD",           25, 1, 0),
 …
 static void cpumR3CpuIdInfoVerboseCompareListU32(PCDBGFINFOHLP pHlp, uint32_t uVal1, uint32_t uVal2, PCDBGFREGSUBFIELD pDesc,
                                                  uint32_t cchWidth)
+                                                 const char *pszLeadIn, uint32_t cchWidth)
+{
+    if (pszLeadIn)
+        pHlp->pfnPrintf(pHlp,
+                        "%s\n"
+                        "  %-*s= guest (host)\n",
+                        pszLeadIn,
+                        cchWidth, "Mnemonic - Description");
     uint32_t uCombined = uVal1 | uVal2;
     for (uint32_t iBit = 0; iBit < 32; iBit++)
 …
         ASMCpuIdExSlow(1, 0, 0, 0, &Host.uEax, &Host.uEbx, &Host.uEcx, &Host.uEdx);
 #endif
+        pHlp->pfnPrintf(pHlp, "Features\n");
+        pHlp->pfnPrintf(pHlp, "  Mnemonic - Description                                  = guest (host)\n");
+        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf1EdxSubFields, 56);
+        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf1EcxSubFields, 56);
+        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf1EdxSubFields, "Features", 56);
+        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf1EcxSubFields, NULL, 56);
+    }
     else
 …
                 if (fVerbose)
+                {
+                    pHlp->pfnPrintf(pHlp, " Sub-leaf 0\n");
+                    pHlp->pfnPrintf(pHlp, "  Mnemonic - Description                                  = guest (host)\n");
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aLeaf7Sub0EbxSubFields, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf7Sub0EcxSubFields, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aLeaf7Sub0EbxSubFields, "Sub-leaf 0", 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf7Sub0EcxSubFields, NULL, 56);
                     if (pCurLeaf->uEdx || Host.uEdx)
                         cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf7Sub0EdxSubFields, 56);
+                        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf7Sub0EdxSubFields, NULL, 56);
+                }
                 else
 …
                     pHlp->pfnPrintf(pHlp, "  Mnemonic - Description                                  = guest (host)\n");
                     if (pCurLeaf->uEbx || Host.uEbx)
                         cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aLeaf7Sub2EbxSubFields, 56);
+                        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aLeaf7Sub2EbxSubFields, NULL, 56);
                     if (pCurLeaf->uEcx || Host.uEcx)
                         cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf7Sub2EcxSubFields, 56);
                     cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf7Sub2EdxSubFields, 56);
+                        cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aLeaf7Sub2EcxSubFields, NULL, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aLeaf7Sub2EdxSubFields, NULL, 56);
+                }
                 else
 …
                 ASMCpuIdExSlow(0x80000001, 0, 0, 0, &Host.uEax, &Host.uEbx, &Host.uEcx, &Host.uEdx);
 #endif
+                pHlp->pfnPrintf(pHlp, "Ext Features\n");
+                pHlp->pfnPrintf(pHlp, "  Mnemonic - Description                                  = guest (host)\n");
+                cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aExtLeaf1EdxSubFields, 56);
+                cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aExtLeaf1EcxSubFields, 56);
+                cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aExtLeaf1EdxSubFields, "Ext Features", 56);
+                cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEcx, Host.uEcx, g_aExtLeaf1EcxSubFields, NULL, 56);
                 if (Host.uEcx & X86_CPUID_AMD_FEATURE_ECX_SVM)
+                {
-                    pHlp->pfnPrintf(pHlp, "SVM Feature Identification (leaf A):\n");
 #if defined(RT_ARCH_X86) || defined(RT_ARCH_AMD64)
                     ASMCpuIdExSlow(0x8000000a, 0, 0, 0, &Host.uEax, &Host.uEbx, &Host.uEcx, &Host.uEdx);
 …
                     pCurLeaf = cpumCpuIdGetLeafInt(paLeaves, cLeaves, UINT32_C(0x8000000a), 0);
                     uint32_t const uGstEdx = pCurLeaf ? pCurLeaf->uEdx : 0;
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, uGstEdx, Host.uEdx, g_aExtLeafAEdxSubFields, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, uGstEdx, Host.uEdx, g_aExtLeafAEdxSubFields,
+                                                         "SVM Feature Identification (leaf A)", 56);
+                }
+            }
 …
                     cpumR3CpuIdInfoMnemonicListU32(pHlp, pCurLeaf->uEdx, g_aExtLeaf7EdxSubFields, "APM Features EDX:", 34);
                 else
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aExtLeaf7EdxSubFields, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEdx, Host.uEdx, g_aExtLeaf7EdxSubFields,
+                                                         "APM Features EDX", 56);
+            }
+        }
 …
                     cpumR3CpuIdInfoMnemonicListU32(pHlp, pCurLeaf->uEbx, g_aExtLeaf8EbxSubFields, "Ext Features ext IDs EBX:", 34);
                 else
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aExtLeaf8EbxSubFields, 56);
+                    cpumR3CpuIdInfoVerboseCompareListU32(pHlp, pCurLeaf->uEbx, Host.uEbx, g_aExtLeaf8EbxSubFields,
+                                                         "Ext Features ext IDs EBX", 56);
+            }
             if (iVerbosity)
+            {
+                uint32_t uEAX = pCurLeaf->uEax;
+                uint32_t uECX = pCurLeaf->uEcx;
+                /** @todo 0x80000008:EAX[23:16] is only defined for AMD. We'll get 0 on Intel. On
+                 *        AMD if we get 0, the guest physical address width should be taken from
+                 *        0x80000008:EAX[7:0] instead. Guest Physical address width is relevant
+                 *        for guests using nested paging. */
+                uint32_t const uEAX = pCurLeaf->uEax;
                 pHlp->pfnPrintf(pHlp,
                                 "Physical Address Width:          %d bits\n"
+                                "Virtual Address Width:           %d bits\n"
+                                "Guest Physical Address Width:    %d bits\n",
+                                "Virtual Address Width:           %d bits\n",
                                 (uEAX >> 0) & 0xff,
+                                (uEAX >> 8) & 0xff,
+                                (uEAX >> 16) & 0xff);
+                /** @todo 0x80000008:ECX is reserved on Intel (we'll get incorrect physical core
+                 *        count here). */
+                pHlp->pfnPrintf(pHlp,
+                                "Physical Core Count:             %d\n",
+                                ((uECX >> 0) & 0xff) + 1);
+                                (uEAX >> 8) & 0xff);
+                if (   ((uEAX >> 16) & 0xff) != 0
+                    || pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_AMD
+                    || pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_HYGON)
+                    pHlp->pfnPrintf(pHlp, "Guest Physical Address Width:    %d bits%s\n",
+                                    (uEAX >> 16) & 0xff ? (uEAX >> 16) & 0xff : (uEAX >> 0) & 0xff,
+                                    (uEAX >> 16) & 0xff ? "" : " (0)");
+                uint32_t const uECX = pCurLeaf->uEcx;
+                if (   ((uECX >> 0) & 0xff) != 0
+                    || pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_AMD
+                    || pVM->cpum.s.GuestFeatures.enmCpuVendor == CPUMCPUVENDOR_HYGON)
+                {
+                    uint32_t const cPhysCoreCount = ((uECX >> 0) & 0xff) + 1;
+                    uint32_t const cApicIdSize    = (uECX >> 12) & 0xf ? RT_BIT_32((uECX >> 12) & 0xf) : cPhysCoreCount;
+                    pHlp->pfnPrintf(pHlp,
+                                    "Physical Core Count:             %d\n"
+                                    "APIC ID size:                    %u (%#x)\n"
+                                    "Performance TSC size:            %u bits\n",
+                                    cPhysCoreCount,
+                                    cApicIdSize, cApicIdSize,
+                                    (((uECX >> 16) & 0x3) << 3) + 40);
+                }
+                uint32_t const uEDX = pCurLeaf->uEax;
+                if (uEDX)
+                    pHlp->pfnPrintf(pHlp,
+                                    "Max page count for INVLPGB:      %#x\n"
+                                    "Max ECX for RDPRU:               %#x\n",
+                                    (uEDX & 0xffff), uEDX >> 16);
+            }
+        }

trunk/src/VBox/VMM/VMMR3/CPUMR3Db.cpp

-              r107778
+              r107854
  * @returns VBox status code.
  * @param   pVM                 The cross context VM structure.
+ */
+int cpumR3MsrReconcileWithCpuId(PVM pVM)
+{
+    PCCPUMMSRRANGE papToAdd[10];
+ * @param   fForceFlushCmd      Make sure MSR_IA32_FLUSH_CMD is present.
+ * @param   fForceSpecCtrl      Make sure MSR_IA32_SPEC_CTRL is present.
+ */
+DECLHIDDEN(int) cpumR3MsrReconcileWithCpuId(PVM pVM, bool fForceFlushCmd, bool fForceSpecCtrl)
+{
+    PCCPUMMSRRANGE apToAdd[10];
     uint32_t       cToAdd = 0;
 …
      * The IA32_FLUSH_CMD MSR was introduced in MCUs for CVS-2018-3646 and associates.
      */
+    if (pVM->cpum.s.GuestFeatures.fFlushCmd && !cpumLookupMsrRange(pVM, MSR_IA32_FLUSH_CMD))
+    if (   pVM->cpum.s.GuestFeatures.fFlushCmd
+        || fForceFlushCmd)
+    {
         static CPUMMSRRANGE const s_FlushCmd =
 …
             /*.szName = */      "IA32_FLUSH_CMD"
         };
+        papToAdd[cToAdd++] = &s_FlushCmd;
+        apToAdd[cToAdd++] = &s_FlushCmd;
+    }
+    /*
+     * The IA32_PRED_CMD MSR was introduced in MCUs for CVS-2018-3646 and associates.
+     */
+    if (   pVM->cpum.s.GuestFeatures.fIbpb
+        /** @todo || pVM->cpum.s.GuestFeatures.fSbpb*/)
+    {
+        static CPUMMSRRANGE const s_PredCmd =
+        {
+            /*.uFirst =*/       MSR_IA32_PRED_CMD,
+            /*.uLast =*/        MSR_IA32_PRED_CMD,
+            /*.enmRdFn =*/      kCpumMsrRdFn_WriteOnly,
+            /*.enmWrFn =*/      kCpumMsrWrFn_Ia32PredCmd,
+            /*.offCpumCpu =*/   UINT16_MAX,
+            /*.fReserved =*/    0,
+            /*.uValue =*/       0,
+            /*.fWrIgnMask =*/   0,
+            /*.fWrGpMask =*/    ~MSR_IA32_PRED_CMD_F_IBPB,
+            /*.szName = */      "IA32_PRED_CMD"
+        };
+        apToAdd[cToAdd++] = &s_PredCmd;
+    }
+    /*
+     * The IA32_SPEC_CTRL MSR was introduced in MCUs for CVS-2018-3646 and associates.
+     */
+    if (   pVM->cpum.s.GuestFeatures.fSpecCtrlMsr
+        || fForceSpecCtrl)
+    {
+        static CPUMMSRRANGE const s_SpecCtrl =
+        {
+            /*.uFirst =*/       MSR_IA32_SPEC_CTRL,
+            /*.uLast =*/        MSR_IA32_SPEC_CTRL,
+            /*.enmRdFn =*/      kCpumMsrRdFn_Ia32SpecCtrl,
+            /*.enmWrFn =*/      kCpumMsrWrFn_Ia32SpecCtrl,
+            /*.offCpumCpu =*/   UINT16_MAX,
+            /*.fReserved =*/    0,
+            /*.uValue =*/       0,
+            /*.fWrIgnMask =*/   0,
+            /*.fWrGpMask =*/    0,
+            /*.szName = */      "IA32_SPEC_CTRL"
+        };
+        apToAdd[cToAdd++] = &s_SpecCtrl;
+    }
 …
      * documented in relation to such.
      */
     if (pVM->cpum.s.GuestFeatures.fArchCap && !cpumLookupMsrRange(pVM, MSR_IA32_ARCH_CAPABILITIES))
+    if (pVM->cpum.s.GuestFeatures.fArchCap)
+    {
         static CPUMMSRRANGE const s_ArchCaps =
 …
             /*.szName = */      "IA32_ARCH_CAPABILITIES"
         };
         papToAdd[cToAdd++] = &s_ArchCaps;
+        apToAdd[cToAdd++] = &s_ArchCaps;
+    }
 …
      * Do the adding.
      */
+    Assert(cToAdd <= RT_ELEMENTS(apToAdd));
     for (uint32_t i = 0; i < cToAdd; i++)
+    {
+        PCCPUMMSRRANGE pRange = papToAdd[i];
+        LogRel(("CPUM: MSR/CPUID reconciliation insert: %#010x %s\n", pRange->uFirst, pRange->szName));
+        int rc = cpumR3MsrRangesInsert(NULL /* pVM */, &pVM->cpum.s.GuestInfo.paMsrRangesR3, &pVM->cpum.s.GuestInfo.cMsrRanges,
+                                       pRange);
+        if (RT_FAILURE(rc))
+            return rc;
+        PCCPUMMSRRANGE pRange = apToAdd[i];
+        Assert(pRange->uFirst == pRange->uLast);
+        if (!cpumLookupMsrRange(pVM, pRange->uFirst))
+        {
+            LogRel(("CPUM: MSR/CPUID reconciliation insert: %#010x %s\n", pRange->uFirst, pRange->szName));
+            int rc = cpumR3MsrRangesInsert(NULL /* pVM */, &pVM->cpum.s.GuestInfo.paMsrRangesR3,
+                                           &pVM->cpum.s.GuestInfo.cMsrRanges, pRange);
+            AssertRCReturn(rc, rc);
+        }
+    }
     return VINF_SUCCESS;

trunk/src/VBox/VMM/include/CPUMInternal.h

-              r107700
+              r107854
 # ifdef RT_ARCH_AMD64
 AssertCompileMemberAlignment(CPUMCPU, Host, 64);
+AssertCompileAdjacentMembers(CPUMCPU, Guest, GuestMsrs); /* HACK ALERT! HMR0A.asm makes this ASSUMPTION in the SVM RUN code! */
 # endif
 #endif
 …
 int                 cpumCpuIdExplodeFeaturesX86(PCCPUMCPUIDLEAF paLeaves, uint32_t cLeaves, PCCPUMMSRS pMsrs,
                                                 CPUMFEATURESX86 *pFeatures);
+void                cpumCpuIdExplodeFeaturesX86SetSummaryBits(CPUMFEATURESX86 *pFeatures);
+void                cpumCpuIdExplodeArchCapabilities(CPUMFEATURESX86 *pFeatures, bool fHasArchCap, uint64_t fArchVal);
 # endif /* defined(RT_ARCH_X86) || defined(RT_ARCH_AMD64) || defined(VBOX_VMM_TARGET_X86) */
 # if defined(RT_ARCH_ARM64) || defined(VBOX_VMM_TARGET_ARMV8)
 …
 #  ifdef VBOX_VMM_TARGET_X86
 int                 cpumR3MsrRangesInsert(PVM pVM, PCPUMMSRRANGE *ppaMsrRanges, uint32_t *pcMsrRanges, PCCPUMMSRRANGE pNewRange);
 int                 cpumR3MsrReconcileWithCpuId(PVM pVM);
+DECLHIDDEN(int)     cpumR3MsrReconcileWithCpuId(PVM pVM, bool fForceFlushCmd, bool fForceSpecCtrl);
 int                 cpumR3MsrApplyFudge(PVM pVM);
 int                 cpumR3MsrRegStats(PVM pVM);

trunk/src/VBox/VMM/include/HMInternal.h

-              r106061
+              r107854
 /** @addtogroup grp_hm_int_svm  SVM Internal
  * @{ */
 /** SVM VMRun function, see SVMR0VMRun(). */
+/** SVM VMRun function, see SVMR0VMRun().  */
 typedef DECLCALLBACKTYPE(int, FNHMSVMVMRUN,(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhysVMCB));
 /** Pointer to a SVM VMRun function. */
 …
 /** Flush MDS buffers on VM entry. */
 #define HM_WSF_MDS_ENTRY            RT_BIT_32(3)
+/** MSR_IA32_SPEC_CTRL needs to be replaced upon entry and exit.
+ * Save host value on entry, load guest value, run guest, save guest value on
+ * exit and restore the host value.
+ * @todo may not reliable for VT-x/Intel.  */
+#define HM_WSF_SPEC_CTRL            RT_BIT_32(4)
 /** Touch IA32_FLUSH_CMD.L1D on VM scheduling. */
 …
  * @{
  */
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit_SansSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit_WithSpecCtrl(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
 /** @} */

trunk/src/VBox/VMM/include/HMInternal.mac

r106061	r107854
276	276	%define HM_WSF_L1D_ENTRY RT_BIT_32(2)
277	277	%define HM_WSF_MDS_ENTRY RT_BIT_32(3)
278
	278	%define HM_WSF_SPEC_CTRL RT_BIT_32(4)
	279

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette