3

I have VT-x enabled in the BIOS. I'm running qemu/kvm/Manjaro. lscpu says

$ lscpu
Architecture:            x86_64
  Model name:            Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Flags: ... vmx ... 
Virtualization features:
  Virtualization:        VT-x
Vulnerabilities:         
  Itlb multihit:         KVM: Mitigation: VMX disabled

In addition,

$ sudo rdmsr -f 2:0 0x3A
5

which means that

  • The VMX configuration is locked
  • VMX is disabled in the SMX (“Safer Mode Extensions”) state
  • VMX is enabled outside of the SMX state

This answer gives me hope: if kvm loads, then VMX is working. Indeed, qemu with kvm as its accelerator works just fine (or at least seems to). So then why does it show VMX as being disabled for the purposes of the multihit vulnerability?

An example qemu run:

$ qemu-system-x86_64 -nographic -vga none -net none -nodefaults -machine q35 -accel kvm -cpu host -smp sockets=1,dies=1,cores=2,threads=2 -m 512M ...

QEMU 6.0.0 monitor - type 'help' for more information
(qemu) info kvm
info kvm
kvm support: enabled

The guest (pfSense, in this case) is running fine so far.

Reinderien
  • 202
  • 2
  • 13
  • My initial response would be that there is a difference between VT-d and VT-x but from what you found and from what I gathered that might not be the case. https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html But I would still say that KVM works with VT-d, VT-x is not required. but double check dmesg? – NiKiZe Aug 01 '21 at 21:19
  • @NiKiZe VT-d and VT-x are certainly different; but here I've attempted to focus on VT-x. Where does VT-d come into play? – Reinderien Aug 01 '21 at 21:23
  • You'll almost certainly need to direct this question to the developers. – Michael Hampton Aug 01 '21 at 21:36
  • Indeed so it seems. will delete incorrect information. what does dmesg say, and what does trying to run a KVM enabled machine give you ex: `qemu-system-x86_64 -enable-kvm -M q35 -m 1024 -cpu host` ? – NiKiZe Aug 01 '21 at 21:36
  • @NiKiZe I've edited to show some information on an example qemu run. What specifically are you looking for in dmesg; and are you interested in the host or the guest? – Reinderien Aug 02 '21 at 14:11
  • simplified: VT-x is support for a second layer of page tables in the MMU attached to the CPU, and VT-d is support for page tables in the MMU attached to the PCIe root complex. You need the latter for transparently passing down devices to VMs, as they program guest physical addresses into DMA capable devices, and these need to be translated during DMA operations. – Simon Richter Aug 02 '21 at 14:35
  • I just wanted to say I'm seeing the same thing happen with a Skylake CPU and Fedora Linux. All hardware virtualization enabled in BIOS, yet `lscpu` claims "Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled". Very confusing. I wonder if it's a kernel bug? – E. T. Sep 16 '21 at 18:01

0 Answers0