Changeset 74633 in vbox for trunk/src/VBox/VMM

Timestamp:

Oct 6, 2018 6:29:16 AM (6 years ago)

Author:

vboxsync

Message:

VMM/IEM: Nested VMX: bugref:9180 VM-exit bits; Add Mov-to-cr8 and mov-from-cr8 intercepts and TPR virtualization for TPR-below threshold VM-exit.

Location:

trunk/src/VBox/VMM/VMMAll

Files:

• IEMAllCImpl.cpp.h (modified) (3 diffs)
• IEMAllCImplVmxInstr.cpp.h (modified) (6 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

@@ -5203 +5203 @@
                 /*
                  * If the Mov-from-CR8 doesn't cause a VM-exit, bits 7:4 of the VTPR is copied
-                 * to bits 0:3 of the destination operand and bits 63:4 are cleared.
+                 * to bits 0:3 of the destination operand. Bits 63:4 of the destination operand
+                 * are cleared.
                  *
-                 * See Intel Spec. 25.3 "Changes To Instruction Behavior In VMX Non-root Operation".
+                 * See Intel Spec. 29.3 "Virtualizing CR8-based TPR Accesses"
                  */
                 if (IEM_VMX_IS_PROCCTLS_SET(pVCpu, VMX_PROC_CTLS_USE_TPR_SHADOW))
@@ -5725 +5726 @@
             }
 
+#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
+            if (   IEM_VMX_IS_NON_ROOT_MODE(pVCpu)
+                && IEM_VMX_IS_PROCCTLS_SET(pVCpu, VMX_PROC_CTLS_USE_TPR_SHADOW))
+            {
+                /*
+                 * If the Mov-to-CR8 doesn't cause a VM-exit, bits 0:3 of the source operand
+                 * is copied to bits 7:4 of the VTPR. Bits 0:3 and bits 31:8 of the VTPR are
+                 * cleared. Following this the processor performs TPR virtualization.
+                 *
+                 * See Intel Spec. 29.3 "Virtualizing CR8-based TPR Accesses"
+                 */
+                uint32_t const uVTpr = (uNewCrX & 0xf) << 4;
+                iemVmxVirtApicWriteRaw32(pVCpu, uVTpr, XAPIC_OFF_TPR);
+                rcStrict = iemVmxVmexitTprVirtualization(pVCpu, cbInstr);
+                if (rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE)
+                    return rcStrict;
+                rcStrict = VINF_SUCCESS;
+                break;
+            }
+#endif
+
 #ifdef VBOX_WITH_NESTED_HWVIRT_SVM
             if (CPUMIsGuestInSvmNestedHwVirtMode(IEM_GET_CTX(pVCpu)))
@@ -5795 +5817 @@
         {
             case 0:
-            case 4:
-                rcStrict = iemVmxVmexitInstrMovToCr0Cr4(pVCpu, iCrReg, &uNewCrX, iGReg, cbInstr);
-                break;
-            case 3:
-                rcStrict = iemVmxVmexitInstrMovToCr3(pVCpu, uNewCrX, iGReg, cbInstr);
-                break;
-            default:
-                break;
-        }
-
+            case 4: rcStrict = iemVmxVmexitInstrMovToCr0Cr4(pVCpu, iCrReg, &uNewCrX, iGReg, cbInstr);   break;
+            case 3: rcStrict = iemVmxVmexitInstrMovToCr3(pVCpu, uNewCrX, iGReg, cbInstr);               break;
+            case 8: rcStrict = iemVmxVmexitInstrMovToCr8(pVCpu, iGReg, cbInstr);                        break;
+        }
         if (rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE)
                 return rcStrict;

trunk/src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h

@@ -910 +910 @@
 {
     Assert(idxCr3Target < VMX_V_CR3_TARGET_COUNT);
-
     uint8_t  const  uWidth         = VMX_VMCS_ENC_WIDTH_NATURAL;
     uint8_t  const  uType          = VMX_VMCS_ENC_TYPE_CONTROL;
@@ -935 +934 @@
 {
     Assert(offReg <= VMX_V_VIRT_APIC_SIZE - sizeof(uint32_t));
-
     uint8_t  const *pbVirtApic = (const uint8_t *)pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage);
     Assert(pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage));
-    uint32_t const uValue      = *(const uint32_t *)(pbVirtApic + offReg);
-    return uValue;
+    uint32_t const uReg = *(const uint32_t *)(pbVirtApic + offReg);
+    return uReg;
+}
+
+
+/**
+ * Writes a 32-bit register to the virtual-APIC page at the given offset.
+ *
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   uReg        The register value to write.
+ * @param   offReg      The offset of the register being written.
+ */
+DECLINLINE(void) iemVmxVirtApicWriteRaw32(PVMCPU pVCpu, uint32_t uReg, uint8_t offReg)
+{
+    Assert(offReg <= VMX_V_VIRT_APIC_SIZE - sizeof(uint32_t));
+    uint8_t *pbVirtApic = (uint8_t *)pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage);
+    Assert(pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pvVirtApicPage));
+    *(uint32_t *)(pbVirtApic + offReg) = uReg;
 }
 
@@ -1386 +1400 @@
  * @param   pVCpu       The cross context virtual CPU structure.
  * @param   cbInstr     The VM-exit instruction length in bytes.
+ *
+ * @remarks Callers may clear this field to 0. Hence, this function does not check
+ *          the validity of the instruction length.
  */
 DECL_FORCE_INLINE(void) iemVmxVmcsSetExitInstrLen(PVMCPU pVCpu, uint32_t cbInstr)
@@ -2083 +2100 @@
      * Save guest RIP, RSP and RFLAGS.
      * See Intel spec. 27.3.3 "Saving RIP, RSP and RFLAGS".
-     */
+     *
+     * For trap-like VM-exits we must advance the RIP by the length of the instruction.
+     * Callers must pass the instruction length in the VM-exit instruction length
+     * field though it is undefined for such VM-exits. After updating RIP here, we clear
+     * the VM-exit instruction length field.
+     *
+     * See Intel spec. 27.1 "Architectural State Before A VM Exit"
+     */
+    if (HMVmxIsTrapLikeVmexit(uExitReason))
+    {
+        uint8_t const cbInstr = pVmcs->u32RoExitInstrLen;
+        AssertMsg(cbInstr >= 1 && cbInstr <= 15, ("uReason=%u cbInstr=%u\n", uExitReason, cbInstr));
+        iemRegAddToRipAndClearRF(pVCpu, cbInstr);
+        iemVmxVmcsSetExitInstrLen(pVCpu, 0 /* cbInstr */);
+    }
+
     /* We don't support enclave mode yet. */
     pVmcs->u64GuestRip.u    = pVCpu->cpum.GstCtx.rip;
@@ -3159 +3191 @@
  *
  * @returns VBox strict status code.
+ * @retval VINF_VMX_INTERCEPT_NOT_ACTIVE if the Mov instruction did not cause a
+ *         VM-exit.
  * @param   pVCpu       The cross context virtual CPU structure.
  * @param   iGReg       The general register to which the CR8 value is being stored.
@@ -3185 +3219 @@
                          | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_GENREG,   iGReg);
         return iemVmxVmexitInstrWithInfo(pVCpu, &ExitInfo);
+    }
+
+    return VINF_VMX_INTERCEPT_NOT_ACTIVE;
+}
+
+
+/**
+ * VMX VM-exit handler for VM-exits due to 'Mov CR8,GReg' (CR8 write).
+ *
+ * @returns VBox strict status code.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   iGReg       The general register from which the CR8 value is being
+ *                      loaded.
+ * @param   cbInstr     The instruction length in bytes.
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitInstrMovToCr8(PVMCPU pVCpu, uint8_t iGReg, uint8_t cbInstr)
+{
+    PCVMXVVMCS pVmcs = pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pVmcs);
+    Assert(pVmcs);
+
+    /*
+     * If the CR8-load exiting control is set, we must cause a VM-exit.
+     * See Intel spec. 25.1.3 "Instructions That Cause VM Exits Conditionally".
+     */
+    if (pVmcs->u32ProcCtls & VMX_PROC_CTLS_CR8_LOAD_EXIT)
+    {
+        Log2(("mov_Cr_Rd: (CR8) Guest intercept -> VM-exit\n"));
+
+        VMXVEXITINFO ExitInfo;
+        RT_ZERO(ExitInfo);
+        ExitInfo.uReason = VMX_EXIT_MOV_CRX;
+        ExitInfo.cbInstr = cbInstr;
+
+        ExitInfo.u64Qual = RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_REGISTER, 8) /* CR8 */
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_ACCESS,   VMX_EXIT_QUAL_CRX_ACCESS_WRITE)
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_GENREG,   iGReg);
+        return iemVmxVmexitInstrWithInfo(pVCpu, &ExitInfo);
+    }
+
+    return VINF_VMX_INTERCEPT_NOT_ACTIVE;
+}
+
+
+/**
+ * VMX VM-exit handler for TPR virtualization.
+ *
+ * @returns VBox strict status code.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   cbInstr     The instruction length in bytes.
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitTprVirtualization(PVMCPU pVCpu, uint8_t cbInstr)
+{
+    PCVMXVVMCS pVmcs = pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pVmcs);
+    Assert(pVmcs);
+
+    Assert(pVmcs->u32ProcCtls & VMX_PROC_CTLS_USE_TPR_SHADOW);
+    Assert(!(pVmcs->u32ProcCtls2 & VMX_PROC_CTLS2_VIRT_INT_DELIVERY));    /* We don't support virtual-interrupt delivery yet. */
+
+    uint32_t const uTprThreshold = pVmcs->u32TprThreshold;
+    uint32_t const uVTpr         = iemVmxVirtApicReadRaw32(pVCpu, XAPIC_OFF_TPR);
+
+    /*
+     * If the VTPR falls below the TPR threshold, we must cause a VM-exit.
+     * See Intel spec. 29.1.2 "TPR Virtualization".
+     */
+    if (((uVTpr >> 4) & 0xf) < uTprThreshold)
+    {
+        Log2(("tpr_virt: uVTpr=%u uTprThreshold=%u -> VM-exit\n", uVTpr, uTprThreshold));
+
+        /*
+         * This is a trap-like VM-exit. We pass the instruction length along in the VM-exit
+         * instruction length field and let the VM-exit handler update the RIP when appropriate.
+         * It will then clear the VM-exit instruction length field before completing the VM-exit.
+         */
+        iemVmxVmcsSetExitInstrLen(pVCpu, cbInstr);
+        return iemVmxVmexit(pVCpu, VMX_EXIT_TPR_BELOW_THRESHOLD);
     }