Commit ce2f72e2 authored by Paolo Bonzini's avatar Paolo Bonzini

KVM: x86: document limitations of MSR filtering

MSR filtering requires an exit to userspace that is hard to implement and
would be very slow in the case of nested VMX vmexit and vmentry MSR
accesses.  Document the limitation.
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent ac8d6cad
...@@ -4081,6 +4081,11 @@ x2APIC MSRs are always allowed, independent of the ``default_allow`` setting, ...@@ -4081,6 +4081,11 @@ x2APIC MSRs are always allowed, independent of the ``default_allow`` setting,
and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base
register. register.
.. warning::
MSR accesses coming from nested vmentry/vmexit are not filtered.
This includes both writes to individual VMCS fields and reads/writes
through the MSR lists pointed to by the VMCS.
If a bit is within one of the defined ranges, read and write accesses are If a bit is within one of the defined ranges, read and write accesses are
guarded by the bitmap's value for the MSR index if the kind of access guarded by the bitmap's value for the MSR index if the kind of access
is included in the ``struct kvm_msr_filter_range`` flags. If no range is included in the ``struct kvm_msr_filter_range`` flags. If no range
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment