Document directory
- 24.4.1 Guest register state
- 24.4.2 Guest non-register state
- 24.6.1 Pin-based VM-execution controls
- 24.6.2 Processor-based VM-execution controls
- 24.6.3 Exception bitmap (0-31)
- 24.6.4 I/O-bitmap addresses
- 24.6.6 Guest/host masks and read shadows for CR0 and CR4
- 24.6.9 MSR-bitmap address
- 24.6.11 Extended-page-table pointer (EPTP)
- 24.6.12 Virtual-processor identifier (VPID)
- 24.7.1 VM-exit controls
- 24.7.2 VM-exit controls for MSRs
- 24.8.1 VM-entry controls
- 24.8.2 VM-entry controls for MSRs
- 24.8.3 VM-entry controls for event injection
- 24.9.1 Basic VM-exit information
- 24.9.2 Information for VM exits due to vectored events
- 24.9.3 Information for VM exits that occur during event delivery
- 24.9.4 Information for VM exits due to instruction execution
- 24.11.2 VMREAD, VMWRITE, and encodings of VMCS fields
24.4 Guest-state area
24.4.1 Guest register state
Control registers CR0, CR3, and CR4
Debug register DR7
RSP, RIP, and RFLAGS
CS, SS, DS, ES, FS, GS, LDTR, and TR
GDTR and IDTR
MSRs
24.4.2 Guest non-register state
Activity state
- 0: Active. The logical processor is executing instructions normally.
- 1: HLT. The logical processor is inactive because it executed the HLT instruction.
- 2: Shutdown. The logical processor is inactive because it incurred a triple fault or some other serious error.
- 3: Wait-for-SIPI. The logical processor is inactive because it is waiting for a startup IPI (SIPI).
Interruptibility state
Pending debug exceptions
VMCS link pointer
VMX-preemption timer value
Page-directory-pointer-table entries (PDPTEs; 64 bits each).
These four fields (PDPTE0, PDPTE1, PDPTE2, and PDPTE3) are supported only on processors that support the 1-setting of the "enable EPT" VM-execution control. They correspond to the PDPTEs referenced by CR3 when PAE paging is in use. They are used only if the "enable EPT" VM-execution control is 1.
Guest interrupt status
24.5 Host-state area
CR0, CR3, and CR4
RSP and RIP
CS, SS, DS, ES, FS, GS, and TR
GDTR and IDTR
MSRs
24.6 VM-execution control fields
24.6.1 Pin-based VM-execution controls
External-interrupt exiting (32-255)
If EIE = 1: external interrupt --> VM exit (regardless of whether guest RFLAGS.IF = 0 or 1)
If EIE = 0 and guest RFLAGS.IF = 0: external interrupt --> not delivered (masked by the guest's IF)
If EIE = 0 and guest RFLAGS.IF = 1: external interrupt --> delivered normally through the guest IDT
Activate VMX-preemption timer
If this control is 1, the VMX-preemption timer counts down in VMX non-root operation.
24.6.2 Processor-based VM-execution controls
Primary processor-based VM-execution controls
Interrupt-window exiting
If IWE = 1: as soon as the guest sets RFLAGS.IF = 1 ==> VM exit at once
Use MSR bitmaps
This control determines whether MSR bitmaps are used to control execution of the RDMSR and WRMSR instructions.
For this control, "0" means "do not use MSR bitmaps" and "1" means "use MSR bitmaps." If MSR bitmaps are not used, all executions of the RDMSR and WRMSR instructions cause VM exits.
Secondary processor-based VM-execution controls
Virtualize APIC accesses
Enable EPT
Descriptor-table exiting
This control determines whether executions of LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, and STR cause VM exits.
Virtualize x2APIC mode
Enable VPID
Virtual-interrupt delivery
...
...
24.6.3 Exception bitmap (0-31)
The exception bitmap is a 32-bit field that contains one bit for each exception. When an exception occurs, its vector is used to select a bit in this field. If the bit is 1, the exception causes a VM exit. If the bit is 0, the exception is delivered normally through the IDT, using the descriptor corresponding to the exception's vector.
If bit = 1: exception => VM exit
If bit = 0: exception => guest IDT[vector]
24.6.4 I/O-bitmap addresses
Which 16-bit I/O port accesses trigger VM exits?
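The I/O bitmaps answer that question one bit per port. As an added example (not from the original notes or from the Intel manual), the C below models the two 4-KByte bitmaps, A for ports 0000H-7FFFH and B for 8000H-FFFFH, and the lookup a VMM performs when deciding whether an IN/OUT should have exited. The port numbers in `io_bitmap_init_example` (PIC at 20H/21H, COM1 at 3F8H-3FFH) are a constructed policy chosen for illustration; the two behaviours worth noticing are that a multi-byte access exits if any byte-port it covers is intercepted, and that an access wrapping past port FFFFH always exits whatever the bitmaps say.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Two 4-KByte I/O bitmaps: A covers ports 0000H-7FFFH, B covers 8000H-FFFFH,
   one bit per port number. A 1 bit means an I/O instruction touching that port exits. */
#define IO_BITMAP_SIZE 4096
static uint8_t io_bitmap_a[IO_BITMAP_SIZE];
static uint8_t io_bitmap_b[IO_BITMAP_SIZE];

static uint8_t *io_bitmap_byte(uint16_t port)
{
    uint8_t *bm = (port < 0x8000u) ? io_bitmap_a : io_bitmap_b;
    return &bm[(port & 0x7fffu) / 8];
}

/* Intercept (bit = 1) or pass through (bit = 0) a single port. */
void io_bitmap_set(uint16_t port, bool intercept)
{
    uint8_t *b = io_bitmap_byte(port);
    if (intercept)
        *b |= (uint8_t)(1u << (port % 8));
    else
        *b &= (uint8_t)~(1u << (port % 8));
}

/* Decide whether an I/O access of `size` bytes (1, 2 or 4) at `port` causes a VM exit.
   A multi-byte access exits if the bit for ANY byte-port it covers is set; an access that
   wraps past port FFFFH always exits regardless of the bitmaps. */
bool io_access_exits(uint16_t port, unsigned size)
{
    if ((uint32_t)port + size - 1 > 0xffffu)
        return true;
    for (unsigned i = 0; i < size; i++) {
        uint16_t p = (uint16_t)(port + i);
        if ((*io_bitmap_byte(p) >> (p % 8)) & 1u)
            return true;
    }
    return false;
}

/* Constructed policy: pass everything through, then intercept the legacy PIC ports, the
   COM1 UART range, and port 8000H so the A/B boundary is exercised. */
void io_bitmap_init_example(void)
{
    memset(io_bitmap_a, 0, sizeof io_bitmap_a);
    memset(io_bitmap_b, 0, sizeof io_bitmap_b);
    io_bitmap_set(0x20, true);
    io_bitmap_set(0x21, true);
    for (uint16_t p = 0x3f8; p < 0x400; p++)
        io_bitmap_set(p, true);
    io_bitmap_set(0x8000, true);
}
```

In a real VMM the two arrays would be page-aligned pages whose physical addresses go into the I/O-bitmap A and B address fields; the lookup logic is the same one the hardware applies.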
24.6.6 Guest/host masks and read shadows for CR0 and CR4
24.6.9 MSR-bitmap address
On processors that support the 1-setting of the "use MSR bitmaps" VM-execution control, the VM-execution control fields include the 64-bit physical address of four contiguous MSR bitmaps, which are each 1 KByte in size. This field does not exist on processors that do not support the 1-setting of that control. The four bitmaps are:
• Read bitmap for low MSRs (located at the MSR-bitmap address). This contains one bit for each MSR address in the range 00000000H to 00001FFFH. The bit determines whether an execution of RDMSR applied to that MSR causes a VM exit.
• Read bitmap for high MSRs (located at the MSR-bitmap address plus 1024). This contains one bit for each MSR address in the range C0000000H to C0001FFFH. The bit determines whether an execution of RDMSR applied to that MSR causes a VM exit.
• Write bitmap for low MSRs (located at the MSR-bitmap address plus 2048). This contains one bit for each MSR address in the range 00000000H to 00001FFFH. The bit determines whether an execution of WRMSR applied to that MSR causes a VM exit.
• Write bitmap for high MSRs (located at the MSR-bitmap address plus 3072). This contains one bit for each MSR address in the range C0000000H to C0001FFFH. The bit determines whether an execution of WRMSR applied to that MSR causes a VM exit.
Each MSR thus has a bit in a "read" bitmap and a bit in a "write" bitmap.
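The four-bitmap layout above, together with the "use MSR bitmaps" control from 24.6.2, is easiest to get right with a small helper that maps an MSR number to (bitmap, byte, bit). The C below is an added example, not code from the notes or from any VMM, and the pass-through policy in `msr_bitmap_default` is a constructed illustration; the MSR numbers it names (IA32_FS_BASE C0000100H, IA32_GS_BASE C0000101H, IA32_SYSENTER_CS 174H) are the architectural ones. It also covers the case the notes do not spell out: an MSR outside both ranges has no bit at all, and RDMSR/WRMSR of such an MSR always exits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout of the 4-KByte region at the MSR-bitmap address: four contiguous 1-KByte bitmaps,
   one bit per MSR, read bitmaps first. */
#define MSR_BITMAP_SIZE 4096
#define MSR_BM_READ_LO   0     /* RDMSR, MSRs 00000000H-00001FFFH */
#define MSR_BM_READ_HI   1024  /* RDMSR, MSRs C0000000H-C0001FFFH */
#define MSR_BM_WRITE_LO  2048  /* WRMSR, MSRs 00000000H-00001FFFH */
#define MSR_BM_WRITE_HI  3072  /* WRMSR, MSRs C0000000H-C0001FFFH */

/* In a real VMM this is a page-aligned page whose physical address goes into the VMCS. */
static uint8_t msr_bitmap[MSR_BITMAP_SIZE];

/* Byte offset within the region of the bit controlling `msr` for RDMSR (write == false) or
   WRMSR (write == true); the bit position is returned through *bit. Returns -1 if the MSR
   lies in neither range: accesses to such MSRs always cause VM exits, bitmaps or not. */
static int msr_bitmap_offset(uint32_t msr, bool write, unsigned *bit)
{
    uint32_t rel;
    int base;
    if (msr <= 0x1fffu) {
        base = write ? MSR_BM_WRITE_LO : MSR_BM_READ_LO;
        rel = msr;
    } else if (msr >= 0xc0000000u && msr <= 0xc0001fffu) {
        base = write ? MSR_BM_WRITE_HI : MSR_BM_READ_HI;
        rel = msr - 0xc0000000u;
    } else {
        return -1;
    }
    *bit = rel % 8;
    return base + (int)(rel / 8);
}

/* Set the bit (intercept: the access causes a VM exit) or clear it (pass through).
   Returns false if the MSR has no bit because it is outside the covered ranges. */
bool msr_bitmap_set(uint8_t *bm, uint32_t msr, bool write, bool intercept)
{
    unsigned bit;
    int off = msr_bitmap_offset(msr, write, &bit);
    if (off < 0)
        return false;
    if (intercept)
        bm[off] |= (uint8_t)(1u << bit);
    else
        bm[off] &= (uint8_t)~(1u << bit);
    return true;
}

/* Would a guest RDMSR/WRMSR of `msr` cause a VM exit with this bitmap in effect? */
bool msr_access_exits(const uint8_t *bm, uint32_t msr, bool write)
{
    unsigned bit;
    int off = msr_bitmap_offset(msr, write, &bit);
    if (off < 0)
        return true;
    return ((bm[off] >> bit) & 1u) != 0;
}

/* Deny-by-default policy (constructed): intercept every MSR, then pass through the few the
   guest kernel touches on every context switch. IA32_EFER and friends stay intercepted. */
uint8_t *msr_bitmap_default(void)
{
    memset(msr_bitmap, 0xff, sizeof msr_bitmap);
    msr_bitmap_set(msr_bitmap, 0xc0000100u, false, false); /* IA32_FS_BASE read  */
    msr_bitmap_set(msr_bitmap, 0xc0000100u, true,  false); /* IA32_FS_BASE write */
    msr_bitmap_set(msr_bitmap, 0xc0000101u, false, false); /* IA32_GS_BASE read  */
    msr_bitmap_set(msr_bitmap, 0xc0000101u, true,  false); /* IA32_GS_BASE write */
    msr_bitmap_set(msr_bitmap, 0x174u,      false, false); /* IA32_SYSENTER_CS read only */
    return msr_bitmap;
}
```

Starting from all-ones and clearing bits is the safer direction: a bit the VMM forgets to set is a pass-through it did not intend, and an unintended pass-through of a control MSR is exactly the kind of gap that lets a guest influence host state.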
24.6.11 Extended-page-table pointer (EPTP)
The extended-page-table pointer (EPTP) contains the address of the base of the EPT PML4 table, as well as other EPT configuration information.
24.6.12 Virtual-processor identifier (VPID)
24.7 VM-exit control fields
24.7.1 VM-exit controls
24.7.2 VM-exit controls for MSRs
VM-exit MSR-store count (32 bits).
This field specifies the number of MSRs to be stored on VM exit.
VM-exit MSR-store address (64 bits).
This field contains the physical address of the VM-exit MSR-store area. The area is a table of entries, 16 bytes per entry, where the number of entries is given by the VM-exit MSR-store count.
VM-exit MSR-load count (32 bits).
This field contains the number of MSRs to be loaded on VM exit.
VM-exit MSR-load address (64 bits).
24.8 VM-entry control fields
24.8.1 VM-entry controls
24.8.2 VM-entry controls for MSRs
VM-entry MSR-load count
VM-entry MSR-load address
24.8.3 VM-entry controls for event injection
VM entry can be configured to conclude by delivering an event through the IDT (after all guest state and MSRs have been loaded). This process is called event injection and is controlled by the following three VM-entry control fields:
VM-entry interruption-information field (32 bits).
VM-entry exception error code (32 bits).
VM-entry instruction length (32 bits).
For injection of events whose type is software interrupt, software exception, or privileged software exception, this field is used to determine the value of RIP that is pushed on the stack.
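The interruption-information field packs the vector, the event type, an error-code-valid bit and a valid bit into 32 bits (bits 7:0, 10:8, 11 and 31 respectively); the VM-exit interruption information and IDT-vectoring information fields of 24.9.2 and 24.9.3 use the same layout, so one decoder serves all three. The C below is an added example, not from the notes or the Intel manual: `build_injection` fills the three VM-entry fields for an event and rejects the combinations VM entry itself rejects (an NMI must be vector 2, a hardware exception must use a vector below 32), and sets the error-code bit only for the architectural exceptions that push one. The struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Interruption type, bits 10:8 of the interruption-information field. */
enum intr_type {
    INTR_EXTERNAL = 0, INTR_NMI = 2, INTR_HW_EXCEPTION = 3, INTR_SW_INTERRUPT = 4,
    INTR_PRIV_SW_EXCEPTION = 5, INTR_SW_EXCEPTION = 6, INTR_OTHER = 7
};

#define INTR_INFO_DELIVER_EC (1u << 11)  /* the error-code field is valid */
#define INTR_INFO_VALID      (1u << 31)

/* The three VM-entry fields that together describe the event to inject. */
struct vm_entry_event {
    uint32_t intr_info;   /* VM-entry interruption-information field */
    uint32_t error_code;  /* VM-entry exception error code */
    uint32_t insn_len;    /* VM-entry instruction length */
};

/* Decoders; they apply equally to the VM-exit interruption information and IDT-vectoring
   information fields, which share this layout. */
uint8_t        intr_info_vector(uint32_t info)         { return (uint8_t)(info & 0xffu); }
enum intr_type intr_info_type(uint32_t info)           { return (enum intr_type)((info >> 8) & 7u); }
bool           intr_info_has_error_code(uint32_t info) { return (info & INTR_INFO_DELIVER_EC) != 0; }
bool           intr_info_valid(uint32_t info)          { return (info & INTR_INFO_VALID) != 0; }

/* Exceptions that push an error code: #DF, #TS, #NP, #SS, #GP, #PF, #AC. (The code is pushed only
   in protected mode; this example assumes a protected-mode guest.) */
static bool vector_pushes_error_code(uint8_t vector)
{
    switch (vector) {
    case 8: case 10: case 11: case 12: case 13: case 14: case 17:
        return true;
    default:
        return false;
    }
}

/* Fill in the three fields. Returns false for encodings VM entry would reject. Software
   interrupts/exceptions also carry the instruction length so the RIP pushed on the guest
   stack points past the INT n / INT3 / INTO the guest is deemed to have executed. */
bool build_injection(struct vm_entry_event *ev, enum intr_type type, uint8_t vector,
                     uint32_t error_code, uint32_t insn_len)
{
    if (type == INTR_NMI && vector != 2)
        return false;
    if (type == INTR_HW_EXCEPTION && vector > 31)
        return false;
    bool deliver_ec = (type == INTR_HW_EXCEPTION) && vector_pushes_error_code(vector);
    bool software   = (type == INTR_SW_INTERRUPT || type == INTR_SW_EXCEPTION ||
                       type == INTR_PRIV_SW_EXCEPTION);
    ev->intr_info  = (uint32_t)vector | ((uint32_t)type << 8) |
                     (deliver_ec ? INTR_INFO_DELIVER_EC : 0u) | INTR_INFO_VALID;
    ev->error_code = deliver_ec ? error_code : 0u;
    ev->insn_len   = software ? insn_len : 0u;
    return true;
}
```

The typical use is reflection: on a VM exit caused by a guest #PF, the VMM reads the VM-exit interruption information and error code, decides the fault is the guest's own, and builds the same vector and error code back into the VM-entry fields so the guest's IDT handler runs.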
24.9 VM-exit information fields
24.9.1 Basic VM-exit information
Exit reason
This field encodes the reason for the VM exit:
Exception or non-maskable interrupt (NMI)
External interrupt
Triple fault
INIT signal
Start-up IPI (SIPI)
I/O system-management interrupt (SMI)
...
NMI window
Task switch
CPUID
...
VMCALL
...
VMCLEAR
VMLAUNCH
VMPTRLD
VMPTRST
VMREAD
VMRESUME
VMWRITE
VMXOFF
VMXON
Control-register accesses. Guest software attempted to access CR0, CR3, CR4, or CR8
I/O instruction
RDMSR
WRMSR
...
...
Exit qualification
Guest-linear address
Guest-physical address
24.9.2 Information for VM exits due to vectored events
VM-exit interruption information
VM-exit interruption error code
24.9.3 Information for VM exits that occur during event delivery
IDT-vectoring information
IDT-vectoring error code
24.9.4 Information for VM exits due to instruction execution
VM-exit instruction length
VM-exit instruction information
24.10 VMCS types: ordinary and shadow
24.11 Software use of the VMCS and related structures
24.11.2 VMREAD, VMWRITE, and encodings of VMCS fields
Every field of the VMCS is associated with a 32-bit value that is its encoding. The encoding is provided in an operand to VMREAD and VMWRITE when software wishes to read or write that field.
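The encoding is not an opaque number: bit 0 selects full or high-half access, bits 9:1 are an index, bits 11:10 the field type (control, VM-exit information, guest state, host state), bits 14:13 the width (16-bit, 64-bit, 32-bit, natural), and bits 12 and 31:15 are reserved. The C below is an added example, not from the notes or from the Intel manual; it encodes and decodes fields and flags the two cases VMREAD/VMWRITE reject (reserved bits set, high-half access on a non-64-bit field), plus the check a VMM needs before VMWRITE: VM-exit information fields are read-only unless the processor advertises otherwise. The encodings in the usage comments (6800H guest CR0, 4000H pin-based controls, 201AH EPT pointer, 4402H exit reason, 6C00H host CR0) are the architectural ones.

```c
#include <stdbool.h>
#include <stdint.h>

/* Field-encoding layout:
   bit 0      access type (0 = full, 1 = high 32 bits; only valid for 64-bit fields)
   bits 9:1   index
   bits 11:10 field type (0 control, 1 VM-exit information, 2 guest state, 3 host state)
   bit 12     reserved (must be 0)
   bits 14:13 width (0 16-bit, 1 64-bit, 2 32-bit, 3 natural width)
   bits 31:15 reserved (must be 0) */
enum vmcs_width { VMCS_W16 = 0, VMCS_W64 = 1, VMCS_W32 = 2, VMCS_WNATURAL = 3 };
enum vmcs_type  { VMCS_T_CONTROL = 0, VMCS_T_EXIT_INFO = 1, VMCS_T_GUEST = 2, VMCS_T_HOST = 3 };

struct vmcs_enc {
    bool high;             /* bit 0 */
    unsigned index;        /* bits 9:1 */
    enum vmcs_type type;   /* bits 11:10 */
    enum vmcs_width width; /* bits 14:13 */
};

/* Build an encoding from its parts, e.g. (NATURAL, GUEST, 0, false) -> 6800H (guest CR0). */
uint32_t vmcs_encode(enum vmcs_width w, enum vmcs_type t, unsigned index, bool high)
{
    return (high ? 1u : 0u) | (((uint32_t)index & 0x1ffu) << 1) |
           ((uint32_t)t << 10) | ((uint32_t)w << 13);
}

/* Split an encoding into its parts. Returns false for encodings VMREAD/VMWRITE would reject:
   reserved bits set, or the "high" access type on a field that is not 64 bits wide. */
bool vmcs_decode(uint32_t enc, struct vmcs_enc *out)
{
    if (enc & ((1u << 12) | 0xffff8000u))
        return false;
    out->high  = (enc & 1u) != 0;
    out->index = (enc >> 1) & 0x1ffu;
    out->type  = (enum vmcs_type)((enc >> 10) & 3u);
    out->width = (enum vmcs_width)((enc >> 13) & 3u);
    if (out->high && out->width != VMCS_W64)
        return false;
    return true;
}

/* VM-exit information fields are read-only: VMWRITE to one fails unless the processor reports
   (IA32_VMX_MISC bit 29) that writing them is allowed; `vmwrite_any` carries that capability. */
bool vmcs_field_writable(uint32_t enc, bool vmwrite_any)
{
    struct vmcs_enc e;
    if (!vmcs_decode(enc, &e))
        return false;
    return vmwrite_any || e.type != VMCS_T_EXIT_INFO;
}
```

Decoding the type and width from the encoding is how a VMM can validate a VMREAD/VMWRITE request it receives from a less trusted component (a nested hypervisor, a control-plane RPC) before touching the real VMCS.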
VMCS
The VMM and the guest OS share the underlying processor resources, so the hardware needs a region of physical memory in which to save and restore each side's execution context automatically. This region is the virtual machine control structure (VMCS); it contains the guest-state area, the host-state area, and the execution-control fields. On VM entry the hardware automatically loads the guest OS context from the guest-state area. The VMM context does not need to be saved: like an interrupt handler, once the VMM is running it is not affected by the guest OS, and it switches back to the guest OS on its own only after it has finished its work. The next time the VMM runs it will necessarily be handling a new event, so every entry into the VMM starts from a common event-handling function. On VM exit the hardware automatically saves the guest OS context to the guest-state area, loads the address of the VMM's common event-handling function from the host-state area, and the VMM begins executing. The execution-control fields hold the flags that govern VM entry and VM exit, for example which events cause a VM exit, and the interrupt to be injected automatically into the guest OS on VM entry.
Both the guest-state area and the host-state area hold certain physical registers: the control registers CR0, CR3, and CR4; ESP and EIP (RSP and RIP if the processor supports 64-bit extensions); CS, SS, DS, ES, FS, GS and the other segment registers together with their descriptors; TR, GDTR, and IDTR; and MSRs such as IA32_SYSENTER_CS, IA32_SYSENTER_ESP, IA32_SYSENTER_EIP, and IA32_PERF_GLOBAL_CTRL. The guest-state area does not include the general-purpose registers; the VMM decides for itself whether to save them on VM exit, which improves system performance. The guest-state area also holds non-register state. For example, a 32-bit activity-state value records the processor's activity state while the guest OS runs: if it is executing instructions normally it is in the active state; if a triple fault or another serious error has occurred it is in the shutdown state.
As mentioned above, the execution-control fields hold the flags that control VM entry and VM exit, including:
- External-interrupt exiting: sets whether an external interrupt triggers a VM exit, regardless of whether the guest OS has masked interrupts.
- Interrupt-window exiting: if set, a VM exit is triggered as soon as the guest OS unmasks interrupts.
- Use TPR shadow: when the guest accesses the task-priority register (TPR) through CR8, the shadow TPR in the VMCS is used instead, avoiding a VM exit. The control fields also hold a TPR threshold: a VM exit is triggered only when the TPR value set by the guest OS falls below this threshold.
- CR masks and shadows: each bit of a control register has a corresponding mask bit that controls whether the guest OS may write that bit directly or whether the write triggers a VM exit. The VMCS also holds shadow control registers: when the guest OS reads a control register, the hardware returns the value of the shadow register to the guest OS.
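The mask/shadow mechanism of 24.6.6 is small enough to model exactly. The C below is an added example, not from the notes or from any hypervisor: `cr_guest_read` returns what the guest sees (shadow bits where the mask is 1, the real register elsewhere) and `cr_guest_write` reports whether a MOV to CR0 exits, which happens when the guest tries to give a host-owned bit a value different from its shadow. The scenario in `cr0_example_init` is constructed: the VMM owns PE, NE and PG because VMX operation requires them set, tells the guest NE is clear while keeping it set for real, and leaves WP guest-owned. The bit positions are CR0's architectural ones.

```c
#include <stdbool.h>
#include <stdint.h>

/* CR0 bits used below (architectural positions). */
#define CR0_PE (1ull << 0)
#define CR0_NE (1ull << 5)
#define CR0_WP (1ull << 16)
#define CR0_PG (1ull << 31)

/* Guest/host mask and read shadow for CR0 (the same model applies to CR4), plus the value
   actually in the register while the guest runs. */
struct cr_ctl {
    uint64_t mask;    /* 1 = host-owned bit: guest reads see `shadow`, writes that change it exit */
    uint64_t shadow;  /* what the guest believes the host-owned bits hold */
    uint64_t real;    /* value loaded into the physical register for the guest */
};

static struct cr_ctl cr0_ctl;

/* Constructed scenario: VMM owns PE, NE and PG; guest is shown NE = 0; WP stays guest-owned. */
void cr0_example_init(void)
{
    cr0_ctl.mask   = CR0_PE | CR0_NE | CR0_PG;
    cr0_ctl.shadow = CR0_PE | CR0_PG;
    cr0_ctl.real   = CR0_PE | CR0_NE | CR0_WP | CR0_PG;
}

/* MOV from CR0 in the guest: host-owned bits come from the shadow, the rest from the real register. */
uint64_t cr_guest_read(const struct cr_ctl *c)
{
    return (c->real & ~c->mask) | (c->shadow & c->mask);
}

/* MOV to CR0 in the guest. Returns true when the write causes a VM exit: the guest tried to set a
   host-owned bit to a value different from its shadow. Otherwise only the guest-owned bits are
   applied to the real register and the instruction completes without an exit. */
bool cr_guest_write(struct cr_ctl *c, uint64_t value)
{
    if ((value & c->mask) != (c->shadow & c->mask))
        return true;
    c->real = (c->real & c->mask) | (value & ~c->mask);
    return false;
}
```

When the write does exit, the VMM's exit handler decides what to do with the attempted value (emulate it, update the shadow, or refuse it); the hardware never changes a host-owned bit on the guest's behalf.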
The VMCS also includes a set of bitmaps that give more flexibility:
- Exception bitmap: which exceptions trigger a VM exit.
- I/O bitmaps: which 16-bit I/O port accesses trigger a VM exit.
- MSR bitmaps: analogous to the control-register masks, each MSR has a bit in a "read" bitmap and a bit in a "write" bitmap.
Each time a VM exit occurs, the hardware automatically records detailed information in the VMCS so that the VMM can identify the type and cause of the event. On VM entry the VMM can easily inject events (interrupts and exceptions) into the guest OS: because the VMCS holds the address of the guest OS interrupt descriptor table (IDT), the hardware can invoke the guest OS handler automatically.