msft-jlange
commented
1 month ago The current #HV handler checks EFLAGS.IF=1 at the start of the handler and immediately processes the #HV events if enabled without performing checks to see if RIP is within the VMPL switch or the iret window. The RIP windows are only checked if EFLAGS.IF=0. This means that if interrupts are enabled during either of these windows and a #HV occurs then the behaviour is undefined.
Roy, the current behavior is explicitly by design, since those code paths are always executed with interrupts disabled, and thus there should be no point in RIP checks when interrupts are enabled. Can you explain what problem you're trying to fix?
roy-hopkins
When testing restricted injection using an APIC timer firing into VMPL0 I experienced errors reported by the GHCB.rs in the code that detects whether the switch to VMPL2 was successful. This was down to a couple of separate issues. One of which is fixed by this PR.
The current #HV handler checks EFLAGS.IF=1 at the start of the handler and immediately processes the #HV events if enabled without performing checks to see if RIP is within the VMPL switch or the iret window. The RIP windows are only checked if EFLAGS.IF=0. This means that if interrupts are enabled during either of these windows and a #HV occurs then the behaviour is undefined.