Score:3

If KVM is working, why does VMX show as disabled?

bq flag

I have VT-x enabled in the BIOS. I'm running qemu/kvm/Manjaro. lscpu says

```
$ lscpu
Architecture:            x86_64
  Model name:            Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Flags: ... vmx ... 
Virtualization features:
  Virtualization:        VT-x
Vulnerabilities:         
  Itlb multihit:         KVM: Mitigation: VMX disabled
```

In addition,

```
$ sudo rdmsr -f 2:0 0x3A
5
```

which means that

  • The VMX configuration is locked
  • VMX is disabled in the SMX (“Safer Mode Extensions”) state
  • VMX is enabled outside of the SMX state

This answer gives me hope: if kvm loads, then VMX is working. Indeed, qemu with kvm as its accelerator works just fine (or at least seems to). So then why does it show VMX as being disabled for the purposes of the multihit vulnerability?

An example qemu run:

```
$ qemu-system-x86_64 -nographic -vga none -net none -nodefaults -machine q35 -accel kvm -cpu host -smp sockets=1,dies=1,cores=2,threads=2 -m 512M ...

QEMU 6.0.0 monitor - type 'help' for more information
(qemu) info kvm
info kvm
kvm support: enabled
```

The guest (pfSense, in this case) is running fine so far.

in flag
My initial response would be that there is a difference between VT-d and VT-x, but from what you found and from what I gathered that might not be the case. https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html But I would still say that KVM works with VT-d; VT-x is not required. But double check dmesg?
bq flag
@NiKiZe VT-d and VT-x are certainly different; but here I've attempted to focus on VT-x. Where does VT-d come into play?
Michael Hampton avatar
cz flag
You'll almost certainly need to direct this question to the developers.
in flag
Indeed, so it seems. Will delete incorrect information. What does dmesg say, and what does trying to run a KVM-enabled machine give you, e.g. `qemu-system-x86_64 -enable-kvm -M q35 -m 1024 -cpu host`?
bq flag
@NiKiZe I've edited to show some information on an example qemu run. What specifically are you looking for in dmesg; and are you interested in the host or the guest?
br flag
Simplified: VT-x is support for a second layer of page tables in the MMU attached to the CPU, and VT-d is support for page tables in the MMU attached to the PCIe root complex. You need the latter for transparently passing down devices to VMs, as they program guest physical addresses into DMA-capable devices, and these need to be translated during DMA operations.
cn flag
I just wanted to say I'm seeing the same thing happen with a Skylake CPU and Fedora Linux. All hardware virtualization enabled in BIOS, yet `lscpu` claims "Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled". Very confusing. I wonder if it's a kernel bug?
Score:0
cu flag

In short, even though the multihit vulnerability mitigation may temporarily disable VMX, your system's VT-x is still enabled and working fine. The successful operation of KVM and your virtual machine indicates that VT-x is being utilized for hardware acceleration as expected. So, there is no need to be concerned about the reported VMX disablement for the multihit vulnerability.

Score:0
de flag
Hex

Thank you for the question... It was interesting for me too... So, after reading this and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html, it became clear: vmx is present and not disabled by the BIOS. The vulnerability is present, but vmx is not in use right now, thus it is just disabled. When some KVM guest is run and uses vmx, the situation changes:

```
$ cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
KVM: Mitigation: Split huge pages
```

meaning that the vulnerability is present, but mitigated by kvm by splitting pages.
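
As an added example (not part of the original posts), the shell functions below combine the two readings discussed on this page: the `rdmsr -f 2:0 0x3A` value from the question and the `itlb_multihit` status string, using the status values listed in the kernel multihit document linked above. The function names are hypothetical, the sample inputs are the values quoted here, and the `kvm.nx_huge_pages` hint names the KVM module parameter described in that document.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.

# Firmware view: decode bits 2:0 of IA32_FEATURE_CONTROL (MSR 0x3A), given the
# hex digit printed by `rdmsr -f 2:0 0x3A`.
# bit 0 = lock, bit 1 = VMX enabled in SMX, bit 2 = VMX enabled outside SMX.
firmware_vmx_state() {
    v=$((0x$1))
    if [ $(( v & 1 )) -eq 0 ]; then
        echo "unlocked"     # lock bit clear: the setting is not final yet
    elif [ $(( v & 4 )) -ne 0 ]; then
        echo "enabled"      # locked with VMX allowed outside SMX
    else
        echo "disabled"     # locked with VMX off outside SMX
    fi
}

# Kernel view: map the itlb_multihit sysfs string to a short state name.
multihit_state() {
    case "$1" in
        "Not affected")                      echo "not-affected" ;;
        "KVM: Mitigation: Split huge pages") echo "mitigated-active" ;;
        "KVM: Mitigation: VMX disabled")     echo "vmx-off" ;;
        "KVM: Mitigation: VMX unsupported")  echo "vmx-unsupported" ;;
        "KVM: Vulnerable")                   echo "vulnerable" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Combine both views. The "not in use when read" wording follows the
# answer above: the status changed once a KVM guest was running.
assess() {
    fw=$(firmware_vmx_state "$1"); mh=$(multihit_state "$2")
    case "$fw/$mh" in
        enabled/vmx-off)          echo "OK: VT-x usable; VMX not in use when read" ;;
        enabled/mitigated-active) echo "OK: VMX in use; huge pages split" ;;
        */vulnerable)             echo "ACTION: enable kvm.nx_huge_pages" ;;
        disabled/*)               echo "INFO: VT-x locked off by firmware" ;;
        *)                        echo "INFO: firmware=$fw kernel=$mh" ;;
    esac
}

# Constructed inputs: the two readings quoted on this page.
assess 5 "KVM: Mitigation: VMX disabled"
assess 5 "KVM: Mitigation: Split huge pages"
```

On a live host, pass the output of `sudo rdmsr -f 2:0 0x3A` and the contents of `/sys/devices/system/cpu/vulnerabilities/itlb_multihit` as the two arguments to `assess`.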
