Changeset 74630 in vbox

Timestamp:

Oct 5, 2018 4:54:25 PM (7 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

125520

Message:

VMM/IEM: Nested VMX: bugref:9180 VM-exit bits; Added Mov from CR8 intercept.

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h (modified) (3 diffs)
• src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h (modified) (5 diffs)

trunk/include/VBox/err.h

@@ -2107 +2107 @@
  *  nested-guest execution mode. */
 #define VINF_VMX_INTERCEPT_NOT_ACTIVE               4035
+/** The behavior of the instruction/operation is modified/needs modification
+ *  in VMX non-root mode. */
+#define VINF_VMX_MODIFIES_BEHAVIOR                  4036
 /** @} */
 

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

@@ -5187 +5187 @@
         {
             IEM_CTX_ASSERT(pVCpu, CPUMCTX_EXTRN_APIC_TPR);
+#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
+            if (IEM_VMX_IS_NON_ROOT_MODE(pVCpu))
+            {
+                VBOXSTRICTRC rcStrict = iemVmxVmexitInstrMovFromCr8(pVCpu, iGReg, cbInstr);
+                if (rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE)
+                    return rcStrict;
+
+                /*
+                 * If the Mov-from-CR8 doesn't cause a VM-exit, bits 7:4 of the VTPR is copied
+                 * to bits 0:3 of the destination operand and bits 63:4 are cleared.
+                 *
+                 * See Intel Spec. 25.3 "Changes To Instruction Behavior In VMX Non-root Operation".
+                 */
+                if (IEM_VMX_IS_PROCCTLS_SET(pVCpu, VMX_PROC_CTLS_USE_TPR_SHADOW))
+                {
+                    uint32_t const uVTpr = iemVmxVirtApicReadRaw32(pVCpu, XAPIC_OFF_TPR);
+                    crX = (uVTpr << 4) & 0xf;
+                    break;
+                }
+            }
+#endif
 #ifdef VBOX_WITH_NESTED_HWVIRT_SVM
             if (CPUMIsGuestInSvmNestedHwVirtMode(IEM_GET_CTX(pVCpu)))
@@ -5831 +5852 @@
 
     IEM_CTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CR0);
+    uint64_t uNewCr0 = pVCpu->cpum.GstCtx.cr0;
+    uNewCr0 &= ~X86_CR0_TS;
 
 #ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-    /* Check nested-guest VMX intercept. */
     if (IEM_VMX_IS_NON_ROOT_MODE(pVCpu))
     {
         VBOXSTRICTRC rcStrict = iemVmxVmexitInstrClts(pVCpu, cbInstr);
-        if (rcStrict == VINF_PERMISSION_DENIED)
-        {
-            iemRegAddToRipAndClearRF(pVCpu, cbInstr);
-            return VINF_SUCCESS;
-        }
+        if (rcStrict == VINF_VMX_MODIFIES_BEHAVIOR)
+            uNewCr0 |= (pVCpu->cpum.GstCtx.cr0 & X86_CR0_TS);
         else if (rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE)
             return rcStrict;
@@ -5847 +5866 @@
 #endif
 
-    uint64_t uNewCr0 = pVCpu->cpum.GstCtx.cr0;
-    uNewCr0 &= ~X86_CR0_TS;
     return IEM_CIMPL_CALL_4(iemCImpl_load_CrX, /*cr*/ 0, uNewCr0, IEMACCESSCRX_CLTS, UINT8_MAX /* iGReg */);
 }

trunk/src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h

@@ -927 +927 @@
 
 /**
+ * Reads a 32-bit register from the virtual-APIC page at the given offset.
+ *
+ * @returns The register from the virtual-APIC page.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   offReg      The offset of the register being read.
+ */
+DECLINLINE(uint32_t) iemVmxVirtApicReadRaw32(PVMCPU pVCpu, uint8_t offReg)
+{
+    Assert(offReg <= VMX_V_VIRT_APIC_SIZE - sizeof(uint32_t));
+
+    uint8_t  const *pbVirtApic = (const uint8_t *)pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage);
+    Assert(pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage));
+    uint32_t const uValue      = *(const uint32_t *)(pbVirtApic + offReg);
+    return uValue;
+}
+
+
+/**
  * Masks the nested-guest CR0/CR4 mask subjected to the corresponding guest/host
  * mask and the read-shadow (CR0/CR4 read).
@@ -2925 +2943 @@
  *
  * @returns Strict VBox status code.
- * @retval VINF_PERMISSION_DENIED if the CLTS instruction did not cause a VM-exit
- *         but must not modify the guest CR0.TS bit.
+ * @retval VINF_VMX_MODIFIES_BEHAVIOR if the CLTS instruction did not cause a
+ *         VM-exit but must not modify the guest CR0.TS bit.
  * @retval VINF_VMX_INTERCEPT_NOT_ACTIVE if the CLTS instruction did not cause a
- *         VM-exit but modification to the guest CR0.TS bit is allowed (subject to
+ *         VM-exit and modification to the guest CR0.TS bit is allowed (subject to
  *         CR0 fixed bits in VMX operation).
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   cbInstr         The instruction length in bytes.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   cbInstr     The instruction length in bytes.
  */
 IEM_STATIC VBOXSTRICTRC iemVmxVmexitInstrClts(PVMCPU pVCpu, uint8_t cbInstr)
@@ -2945 +2962 @@
      * If CR0.TS is owned by the host:
      *   - If CR0.TS is set in the read-shadow, we must cause a VM-exit.
-     *   - If CR0.TS is cleared in the read-shadow, no VM-exit is caused, however
-     *     the CLTS instruction is not allowed to modify CR0.TS.
+     *   - If CR0.TS is cleared in the read-shadow, no VM-exit is caused and the
+     *     CLTS instruction completes without clearing CR0.TS.
      *
      * See Intel spec. 25.1.3 "Instructions That Cause VM Exits Conditionally".
@@ -2966 +2983 @@
         }
 
-        return VINF_PERMISSION_DENIED;
+        return VINF_VMX_MODIFIES_BEHAVIOR;
     }
 
@@ -3133 +3150 @@
             }
         }
+    }
+
+    return VINF_VMX_INTERCEPT_NOT_ACTIVE;
+}
+
+
+/**
+ * VMX VM-exit handler for VM-exits due to 'Mov GReg,CR8' (CR8 read).
+ *
+ * @returns VBox strict status code.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   iGReg       The general register to which the CR8 value is being stored.
+ * @param   cbInstr     The instruction length in bytes.
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitInstrMovFromCr8(PVMCPU pVCpu, uint8_t iGReg, uint8_t cbInstr)
+{
+    PCVMXVVMCS pVmcs = pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pVmcs);
+    Assert(pVmcs);
+
+    /*
+     * If the CR8-store exiting control is set, we must cause a VM-exit.
+     * See Intel spec. 25.1.3 "Instructions That Cause VM Exits Conditionally".
+     */
+    if (pVmcs->u32ProcCtls & VMX_PROC_CTLS_CR8_STORE_EXIT)
+    {
+        Log2(("mov_Rd_Cr: (CR8) Guest intercept -> VM-exit\n"));
+
+        VMXVEXITINFO ExitInfo;
+        RT_ZERO(ExitInfo);
+        ExitInfo.uReason = VMX_EXIT_MOV_CRX;
+        ExitInfo.cbInstr = cbInstr;
+
+        ExitInfo.u64Qual = RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_REGISTER, 8) /* CR8 */
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_ACCESS,   VMX_EXIT_QUAL_CRX_ACCESS_READ)
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_GENREG,   iGReg);
+        return iemVmxVmexitInstrWithInfo(pVCpu, &ExitInfo);
     }