24.4 GUEST-STATE AREA
24.4.1 Guest Register State
Control registers CR0, CR3, and CR4
Debug register DR7
RSP, RIP, and RFLAGS
CS, SS, DS, ES, FS, GS, LDTR, and TR
GDTR and IDTR
MSRs
24.4.2 Guest Non-Register State
Activity state
— 0: Active. The logical processor is executing instructions normally.
— 1: HLT. The logical processor is inactive because it executed the HLT instruction.
— 2: Shutdown. The logical processor is inactive because it incurred a triple fault or some other serious error.
— 3: Wait-for-SIPI. The logical processor is inactive because it is waiting for a startup-IPI (SIPI).
Interruptibility state
Pending debug exceptions
VMCS link pointer
VMX-preemption timer value
Page-directory-pointer-table entries (PDPTEs; 64 bits each).
These four (4) fields (PDPTE0, PDPTE1, PDPTE2, and PDPTE3) are supported only on processors that support the 1-setting of the “enable EPT” VM-execution control. They correspond to the PDPTEs referenced by CR3 when PAE paging is in use. They are used only if the “enable EPT” VM-execution control is 1.
Guest interrupt status
24.5 HOST-STATE AREA
CR0, CR3, and CR4
RSP and RIP
CS, SS, DS, ES, FS, GS, and TR.
GDTR and IDTR
MSRs
24.6 VM-EXECUTION CONTROL FIELDS
24.6.1 Pin-Based VM-Execution Controls
External-interrupt exiting (vectors 32 - 255)
If EIE = 1, an external interrupt --> VM exit (regardless of whether guest.RFLAGS.IF = 0 or guest.RFLAGS.IF = 1)
If EIE = 0 and guest.RFLAGS.IF = 0, an external interrupt --> discard
If EIE = 0 and guest.RFLAGS.IF = 1, an external interrupt --> delivered normally through the guest IDT
Activate VMX-preemption timer
If this control is 1, the VMX-preemption timer counts down in VMX non-root operation.
24.6.2 Processor-Based VM-Execution Controls
Primary Processor-Based VM-Execution Controls
Interrupt-window exiting
If IWE = 1, as soon as guest.RFLAGS.IF = 1 ==> VM exit at once
Use MSR bitmaps
This control determines whether MSR bitmaps are used to control execution of the RDMSR and WRMSR instructions
For this control, “0” means “do not use MSR bitmaps” and “1” means “use MSR bitmaps.” If the
MSR bitmaps are not used, all executions of the RDMSR and WRMSR instructions cause VM exits.
Secondary Processor-Based VM-Execution Controls
Virtualize APIC accesses
Enable EPT
Descriptor-table exiting
This control determines whether executions of LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, and STR cause VM exits.
Virtualize x2APIC mode
Enable VPID
Virtual-interrupt delivery
...
...
24.6.3 Exception Bitmap (0-31)
The exception bitmap is a 32-bit field that contains one bit for each exception. When an exception occurs, its vector is used to select a bit in this field. If the bit is 1, the exception causes a VM exit. If the bit is 0, the exception is delivered normally through the IDT, using the descriptor corresponding to the exception’s vector.
If bit = 1 exception ==> VM exit
If bit = 0 exception ==> guest.IDT.vector
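The two rules summarized above (the exception bitmap for vectors 0-31, and external-interrupt exiting plus guest RFLAGS.IF for vectors 32-255) fit in one small decision function. The following is an added example written for these notes, not code from the Intel SDM or from any hypervisor; `classify_event` and `exception_bitmap_from_vectors` are hypothetical helper names, and only the two rules on this page are modeled (NMI exiting, page-fault error-code matching and the other SDM conditions are not).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Pin-based VM-execution control bit 0 is "external-interrupt exiting" (EIE in the notes). */
#define PIN_EXTERNAL_INTERRUPT_EXITING (1u << 0)
/* RFLAGS.IF is bit 9. */
#define RFLAGS_IF (1ull << 9)

enum event_disposition {
    DISP_VM_EXIT,        /* the event causes a VM exit to the VMM */
    DISP_GUEST_IDT,      /* the event is delivered through the guest IDT */
    DISP_NOT_DELIVERED   /* external interrupt, EIE = 0 and guest IF = 0 ("discard" in the notes) */
};

/* Hypothetical model of how an event arriving in VMX non-root operation is dispatched.
 * vector 0-31  : architectural exception, decided by the exception bitmap (24.6.3)
 * vector 32-255: external interrupt, decided by EIE and guest RFLAGS.IF (24.6.1) */
enum event_disposition classify_event(uint32_t exception_bitmap,
                                      uint32_t pin_based_controls,
                                      uint64_t guest_rflags,
                                      uint8_t vector)
{
    if (vector < 32) {
        /* One bit per exception vector: 1 = VM exit, 0 = deliver through the guest IDT. */
        return ((exception_bitmap >> vector) & 1u) ? DISP_VM_EXIT : DISP_GUEST_IDT;
    }
    if (pin_based_controls & PIN_EXTERNAL_INTERRUPT_EXITING)
        return DISP_VM_EXIT;              /* EIE = 1: exit whatever guest IF is */
    if (guest_rflags & RFLAGS_IF)
        return DISP_GUEST_IDT;            /* EIE = 0, IF = 1: normal delivery */
    return DISP_NOT_DELIVERED;            /* EIE = 0, IF = 0 */
}

/* Build an exception bitmap that intercepts the given vectors (list terminated by -1). */
uint32_t exception_bitmap_from_vectors(const int *vectors)
{
    uint32_t bm = 0;
    for (; *vectors >= 0; vectors++)
        if (*vectors < 32)
            bm |= 1u << *vectors;
    return bm;
}

int main(void)
{
    /* Constructed sample policy: intercept #DB (1), #BP (3) and #PF (14); EIE = 1; guest IF = 0. */
    static const int intercepted[] = { 1, 3, 14, -1 };
    uint32_t bm = exception_bitmap_from_vectors(intercepted);
    static const char *names[] = { "VM exit", "guest IDT", "not delivered" };
    printf("#PF      -> %s\n", names[classify_event(bm, PIN_EXTERNAL_INTERRUPT_EXITING, 0, 14)]);
    printf("#GP      -> %s\n", names[classify_event(bm, PIN_EXTERNAL_INTERRUPT_EXITING, 0, 13)]);
    printf("IRQ 0x20 -> %s\n", names[classify_event(bm, PIN_EXTERNAL_INTERRUPT_EXITING, 0, 0x20)]);
    printf("IRQ 0x20 (EIE = 0, IF = 0) -> %s\n", names[classify_event(bm, 0, 0, 0x20)]);
    return 0;
}
```

The point to notice is the asymmetry: the exception bitmap is consulted per vector, but external-interrupt exiting is a single switch that overrides the guest's IF entirely, which is why a VMM that wants to own interrupt delivery sets EIE = 1 rather than relying on the guest's masking.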
24.6.4 I/O-Bitmap Addresses
Selects accesses to which 16-bit I/O ports trigger a VM exit.
24.6.6 Guest/Host Masks and Read Shadows for CR0 and CR4
24.6.9 MSR-Bitmap Address
On processors that support the 1-setting of the “use MSR bitmaps” VM-execution control, the VM-execution control fields include the 64-bit physical address of four contiguous MSR bitmaps, which are each 1-KByte in size. This
field does not exist on processors that do not support the 1-setting of that control. The four bitmaps are:
• Read bitmap for low MSRs (located at the MSR-bitmap address). This contains one bit for each MSR address
in the range 00000000H to 00001FFFH. The bit determines whether an execution of RDMSR applied to that
MSR causes a VM exit.
• Read bitmap for high MSRs (located at the MSR-bitmap address plus 1024). This contains one bit for each
MSR address in the range C0000000H to C0001FFFH. The bit determines whether an execution of RDMSR
applied to that MSR causes a VM exit.
• Write bitmap for low MSRs (located at the MSR-bitmap address plus 2048). This contains one bit for each
MSR address in the range 00000000H to 00001FFFH. The bit determines whether an execution of WRMSR
applied to that MSR causes a VM exit.
• Write bitmap for high MSRs (located at the MSR-bitmap address plus 3072). This contains one bit for each
MSR address in the range C0000000H to C0001FFFH. The bit determines whether an execution of WRMSR
applied to that MSR causes a VM exit.
Each MSR has one “read” bitmap mask and one “write” bitmap mask.
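The four-bitmap layout above translates directly into an offset computation: pick the 1-KByte sub-bitmap from (read/write, low/high range), then index by the MSR number within its range. The following is an added example for these notes, not Intel's or any hypervisor's code; `msr_bitmap_locate`, `msr_bitmap_set` and `msr_access_causes_exit` are hypothetical names, and the bitmap page here is an ordinary array standing in for the page whose physical address would go into the MSR-bitmap address field.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSR_BITMAP_BYTES 4096u   /* four contiguous 1-KByte bitmaps */
enum msr_access { MSR_READ = 0, MSR_WRITE = 1 };

/* The MSR bitmap page used by the sample (stand-in for the page referenced by the VMCS). */
uint8_t g_msr_bitmap[MSR_BITMAP_BYTES];

/* Locate the bit that governs (msr, access). Returns 0 and fills byte/bit, or -1 when the
 * MSR is outside the two ranges the bitmaps cover. Sub-bitmap offsets follow the list above:
 * read-low 0, read-high 1024, write-low 2048, write-high 3072. */
int msr_bitmap_locate(uint32_t msr, enum msr_access access, size_t *byte, unsigned *bit)
{
    uint32_t base, index;
    if (msr <= 0x1FFFu) {
        index = msr;
        base = (access == MSR_READ) ? 0u : 2048u;
    } else if (msr >= 0xC0000000u && msr <= 0xC0001FFFu) {
        index = msr - 0xC0000000u;
        base = (access == MSR_READ) ? 1024u : 3072u;
    } else {
        return -1;
    }
    *byte = base + index / 8u;
    *bit = index % 8u;
    return 0;
}

/* Set (intercept = true) or clear (intercept = false) the bit: 1 means the access causes a VM exit. */
int msr_bitmap_set(uint8_t *bitmap, uint32_t msr, enum msr_access access, bool intercept)
{
    size_t byte; unsigned bit;
    if (msr_bitmap_locate(msr, access, &byte, &bit) != 0)
        return -1;   /* no bit exists for this MSR, so it cannot be made pass-through */
    if (intercept)
        bitmap[byte] |= (uint8_t)(1u << bit);
    else
        bitmap[byte] &= (uint8_t)~(1u << bit);
    return 0;
}

/* Would RDMSR/WRMSR of this MSR cause a VM exit with "use MSR bitmaps" = 1?
 * MSRs outside both ranges always cause VM exits (SDM 25.1.3). */
bool msr_access_causes_exit(const uint8_t *bitmap, uint32_t msr, enum msr_access access)
{
    size_t byte; unsigned bit;
    if (msr_bitmap_locate(msr, access, &byte, &bit) != 0)
        return true;
    return (bitmap[byte] >> bit) & 1u;
}

int main(void)
{
    /* Constructed policy: intercept everything by default (all ones), then pass through only
     * reads of IA32_TSC (10H) and both accesses of IA32_FS_BASE (C0000100H). */
    memset(g_msr_bitmap, 0xFF, sizeof g_msr_bitmap);
    msr_bitmap_set(g_msr_bitmap, 0x10u, MSR_READ, false);
    msr_bitmap_set(g_msr_bitmap, 0xC0000100u, MSR_READ, false);
    msr_bitmap_set(g_msr_bitmap, 0xC0000100u, MSR_WRITE, false);
    printf("RDMSR TSC exits:      %d\n", msr_access_causes_exit(g_msr_bitmap, 0x10u, MSR_READ));
    printf("WRMSR TSC exits:      %d\n", msr_access_causes_exit(g_msr_bitmap, 0x10u, MSR_WRITE));
    printf("WRMSR EFER exits:     %d\n", msr_access_causes_exit(g_msr_bitmap, 0xC0000080u, MSR_WRITE));
    printf("RDMSR 2000H exits:    %d\n", msr_access_causes_exit(g_msr_bitmap, 0x2000u, MSR_READ));
    return 0;
}
```

Starting from an all-ones page and clearing bits individually is the safer direction for a VMM: a bit that is accidentally left clear silently gives the guest direct access to that MSR, whereas a bit accidentally left set only costs an unnecessary exit.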
24.6.11 Extended-Page-Table Pointer (EPTP)
The extended-page-table pointer (EPTP) contains the address of the base of the EPT PML4 table, as well as other EPT configuration information.
24.6.12 Virtual-Processor Identifier (VPID)
24.7 VM-EXIT CONTROL FIELDS
24.7.1 VM-Exit Controls
24.7.2 VM-Exit Controls for MSRs
VM-exit MSR-store count (32 bits).
This field specifies the number of MSRs to be stored on VM exit.
VM-exit MSR-store address (64 bits).
This field contains the physical address of the VM-exit MSR-store area.
The area is a table of entries, 16 bytes per entry, where the number of entries is given by the VM-exit MSR-store count.
VM-exit MSR-load count (32 bits).
This field contains the number of MSRs to be loaded on VM exit.
VM-exit MSR-load address (64 bits).
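The MSR-store and MSR-load areas share one entry format: 16 bytes per entry, MSR index in the low 32 bits, 32 reserved bits, then the 64-bit MSR value, with the count field telling the processor how many entries to process. The following is an added example for these notes, not Intel's or any hypervisor's code; `msr_area_build`, `msr_area_address_ok`, `msr_area_record` and `msr_area_lookup` are hypothetical names, the storage is a plain array standing in for the page the VMM would point the address field at, and `msr_area_record` only imitates what the processor does at VM exit so the lookup can be exercised offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* One entry of a VM-exit/VM-entry MSR-store or MSR-load area: 16 bytes.
 * Bits 31:0 MSR index, 63:32 reserved (must be 0), 127:64 MSR data. */
struct msr_area_entry {
    uint32_t index;
    uint32_t reserved;
    uint64_t data;
};
_Static_assert(sizeof(struct msr_area_entry) == 16, "MSR area entries are 16 bytes");

#define MSR_AREA_CAP 8
/* Backing storage for the sample; a VMM would use a 16-byte-aligned region and write its
 * physical address into the VM-exit MSR-store address field. */
struct msr_area_entry g_exit_store_area[MSR_AREA_CAP] __attribute__((aligned(16)));

/* Fill the area with the MSRs to be stored on VM exit and return the value for the
 * VM-exit MSR-store count field, or -1 if the area is too small. */
int msr_area_build(struct msr_area_entry *area, size_t cap, const uint32_t *msrs, size_t n)
{
    if (n > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        area[i].index = msrs[i];
        area[i].reserved = 0;   /* reserved bits must be zero */
        area[i].data = 0;       /* filled in by the processor at VM exit */
    }
    return (int)n;
}

/* Check the address about to be written into an MSR-store/load address field: when the
 * count is nonzero it must be 16-byte aligned (bits 3:0 zero). The SDM also bounds the
 * address by the physical-address width and the count by IA32_VMX_MISC; not modeled here. */
bool msr_area_address_ok(uint64_t phys_addr, uint32_t count)
{
    return count == 0 || (phys_addr & 0xFu) == 0;
}

/* Stand-in for the processor's work at VM exit: store an MSR's value into its slot. */
bool msr_area_record(struct msr_area_entry *area, uint32_t count, uint32_t msr, uint64_t value)
{
    for (uint32_t i = 0; i < count; i++)
        if (area[i].index == msr) { area[i].data = value; return true; }
    return false;
}

/* What the VMM does after the exit: find the entry for one MSR (NULL if absent). */
const struct msr_area_entry *msr_area_lookup(const struct msr_area_entry *area, uint32_t count, uint32_t msr)
{
    for (uint32_t i = 0; i < count; i++)
        if (area[i].index == msr) return &area[i];
    return NULL;
}

int main(void)
{
    /* Constructed sample: store IA32_EFER (C0000080H) and IA32_FS_BASE (C0000100H) on VM exit. */
    static const uint32_t to_store[] = { 0xC0000080u, 0xC0000100u };
    int count = msr_area_build(g_exit_store_area, MSR_AREA_CAP, to_store, 2);
    msr_area_record(g_exit_store_area, (uint32_t)count, 0xC0000080u, 0xD01u); /* constructed value */
    const struct msr_area_entry *e = msr_area_lookup(g_exit_store_area, (uint32_t)count, 0xC0000080u);
    if (e)
        printf("stored IA32_EFER = %#llx (count field = %d)\n", (unsigned long long)e->data, count);
    return 0;
}
```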
24.8 VM-ENTRY CONTROL FIELDS
24.8.1 VM-Entry Controls
24.8.2 VM-Entry Controls for MSRs
VM-entry MSR-load count
VM-entry MSR-load address
24.8.3 VM-Entry Controls for Event Injection
VM entry can be configured to conclude by delivering an event through the IDT (after all guest state and MSRs have been loaded). This process is called event injection and is controlled by the following three VM-entry control fields:
VM-entry interruption-information field (32 bits).
VM-entry exception error code (32 bits).
VM-entry instruction length (32 bits).
For injection of events whose type is software interrupt, software exception, or privileged software exception,
this field is used to determine the value of RIP that is pushed on the stack.
24.9 VM-EXIT INFORMATION FIELDS
24.9.1 Basic VM-Exit Information
Exit reason
This field encodes the reason for the VM exit.
Exception or non-maskable interrupt (NMI)
External interrupt
Triple fault
INIT signal
Start-up IPI (SIPI)
I/O system-management interrupt (SMI)
...
NMI window
Task switch
CPUID
...
VMCALL
...
VMCLEAR
VMLAUNCH
VMPTRLD
VMPTRST
VMREAD
VMRESUME
VMWRITE
VMXOFF
VMXON
Control-register accesses. Guest software attempted to access CR0, CR3, CR4, or CR8
I/O instruction
RDMSR
WRMSR
...
...
Exit qualification
Guest-linear address
Guest-physical address
24.9.2 Information for VM Exits Due to Vectored Events
VM-exit interruption information
VM-exit interruption error code
24.9.3 Information for VM Exits That Occur During Event Delivery
IDT-vectoring information
IDT-vectoring error code
24.9.4 Information for VM Exits Due to Instruction Execution
VM-exit instruction length
VM-exit instruction information
24.10 VMCS TYPES: ORDINARY AND SHADOW
24.11 SOFTWARE USE OF THE VMCS AND RELATED STRUCTURES
24.11.2 VMREAD, VMWRITE, and Encodings of VMCS Fields
Every field of the VMCS is associated with a 32-bit value that is its encoding. The encoding is provided in an operand to VMREAD and VMWRITE when software wishes to read or write that field.
VMCS
The VMM and the guest OS share the underlying processor resources, so the hardware needs a region of physical memory in which to automatically save and restore the execution context of each. This region is called the virtual-machine control structure (VMCS); it contains the guest-state area, the host-state area and the VM-execution control area. On VM entry, the hardware automatically loads the guest OS context from the guest-state area. The VMM's context does not need to be saved, for a reason similar to an interrupt handler: once the VMM is running it cannot be disturbed by the guest OS, and only after the VMM has completely finished its work does it switch itself back to the guest OS. The VMM's next run is necessarily the handling of a new event, so each time the VMM is entered it starts executing from a single generic event-handling routine: on VM exit, the hardware automatically saves the guest OS context into the guest-state area, loads the address of the VMM's generic event handler from the host-state area, and the VMM begins execution. The VM-execution control area holds the flag bits that control VM entry and VM exit, for example marking which events cause a VM exit, or which interrupt is to be automatically “injected” into the guest OS on VM entry.
Both the guest-state area and the host-state area contain the contents of some physical registers: the control registers CR0, CR3 and CR4; ESP and EIP (RSP and RIP if the processor supports 64-bit extensions); the segment registers CS, SS, DS, ES, FS, GS and their descriptors; TR, GDTR and IDTR; and MSRs such as IA32_SYSENTER_CS, IA32_SYSENTER_ESP, IA32_SYSENTER_EIP and IA32_PERF_GLOBAL_CTRL. The guest-state area does not include the general-purpose registers; the VMM decides for itself whether to save them on VM exit, which improves system performance. The guest-state area also holds non-register content, for example a 32-bit activity-state value that indicates the processor's activity state while the guest OS runs: Active when it is executing instructions normally, Shutdown after a triple fault or other serious error, and so on.
As mentioned above, the VM-execution control area holds the flag bits that control VM entry and VM exit, including:
- External-interrupt exiting: sets whether external interrupts cause a VM exit, regardless of whether the guest OS has masked interrupts.
- Interrupt-window exiting: if set, a VM exit occurs when the guest OS unmasks interrupts.
- Use TPR shadow: when the Task Priority Register (TPR) is accessed through CR8, the shadow TPR in the VMCS is used, which avoids a VM exit. The VM-execution control area also has a TPR-threshold setting; a VM exit is triggered only when the TPR value set by the guest OS is below this threshold.
- CR masks and shadows: each bit of each control register has a corresponding mask bit that controls whether the guest OS may write that bit directly or whether the write triggers a VM exit. The VMCS also contains shadow control registers; when the guest OS reads a control register, the hardware returns the value of the shadow register to the guest OS.
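The CR masks and shadows item above (the guest/host masks and read shadows of 24.6.6) can be modeled with three bit operations: a guest read returns the shadow for host-owned bits and the real register for the rest; a guest write exits when it tries to give a host-owned bit a value different from the shadow; a non-exiting write changes only guest-owned bits. The following is an added example for these notes, not Intel's or any hypervisor's code; `cr_guest_read`, `cr_guest_write_exits` and `cr_guest_write_apply` are hypothetical names, `sample_cr0` is a constructed configuration, and the write-exit rule is the one in the text (a host-owned bit may only be written with its shadow value).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* CR0 bits used in the sample. */
#define CR0_PE (1ull << 0)
#define CR0_NE (1ull << 5)
#define CR0_WP (1ull << 16)
#define CR0_PG (1ull << 31)

/* The two VMCS fields of 24.6.6 for one control register (CR0 or CR4). */
struct cr_guest_host {
    uint64_t guest_host_mask;   /* 1 = bit owned by the host: guest sees the shadow, writes are checked */
    uint64_t read_shadow;       /* value presented to the guest for host-owned bits */
};

/* What MOV from CR0 returns in the guest: host-owned bits come from the read shadow,
 * guest-owned bits from the real register. */
uint64_t cr_guest_read(const struct cr_guest_host *gh, uint64_t actual)
{
    return (actual & ~gh->guest_host_mask) | (gh->read_shadow & gh->guest_host_mask);
}

/* Does MOV to CR0 with new_value cause a VM exit? It does whenever the guest tries to give a
 * host-owned bit a value that differs from the read shadow. */
bool cr_guest_write_exits(const struct cr_guest_host *gh, uint64_t new_value)
{
    return ((new_value ^ gh->read_shadow) & gh->guest_host_mask) != 0;
}

/* Effect of a non-exiting MOV to CR0 in this model: guest-owned bits take the new value,
 * host-owned bits keep their real value (the guest could only have supplied the shadow
 * value for them, which may differ from what is really in the register). */
uint64_t cr_guest_write_apply(const struct cr_guest_host *gh, uint64_t actual, uint64_t new_value)
{
    return (actual & gh->guest_host_mask) | (new_value & ~gh->guest_host_mask);
}

/* Constructed sample: the VMM owns PE, PG and NE, presents NE as clear to the guest,
 * and lets the guest manage WP itself. */
const struct cr_guest_host sample_cr0 = {
    .guest_host_mask = CR0_PE | CR0_PG | CR0_NE,
    .read_shadow     = CR0_PE | CR0_PG,
};
const uint64_t sample_cr0_actual = CR0_PE | CR0_PG | CR0_NE | CR0_WP;

int main(void)
{
    printf("guest reads CR0 = %#llx\n",
           (unsigned long long)cr_guest_read(&sample_cr0, sample_cr0_actual));
    printf("clear WP only -> exit? %d\n", cr_guest_write_exits(&sample_cr0, CR0_PE | CR0_PG));
    printf("clear PG      -> exit? %d\n", cr_guest_write_exits(&sample_cr0, CR0_PE | CR0_WP));
    printf("set NE        -> exit? %d\n",
           cr_guest_write_exits(&sample_cr0, CR0_PE | CR0_PG | CR0_NE | CR0_WP));
    printf("CR0 after clearing WP = %#llx\n",
           (unsigned long long)cr_guest_write_apply(&sample_cr0, sample_cr0_actual, CR0_PE | CR0_PG));
    return 0;
}
```

The guest in this sample never learns that NE is really set, and any attempt to turn paging off is routed to the VMM, while toggling WP costs no exit at all. The same three functions apply unchanged to CR4 with its own mask and shadow.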
The VMCS also contains a set of bitmaps for finer-grained control:
- Exception bitmap: selects which exceptions cause a VM exit.
- I/O bitmap: selects accesses to which 16-bit I/O ports cause a VM exit.
- MSR bitmaps: similar to the control-register masks, each MSR has a “read” bitmap mask and a “write” bitmap mask.
Each time a VM exit occurs, the hardware automatically stores rich information in the VMCS so that the VMM can identify the kind and cause of the event. On VM entry, the VMM can conveniently inject events (interrupts and exceptions) into the guest OS: because the VMCS holds the address of the guest OS's interrupt descriptor table (IDT), the hardware can automatically invoke the guest OS's handler.