sjso

Reputation: 297

What are the reasons for virtualising these instructions?

Why do the instructions below have to be virtualised? How can failing to virtualise them cause problems?

  1. sgdt, sldt, sidt, smsw
  2. fcall, longjump, str
  3. lar, verr, verw, lsl
  4. pushf, popf, iret

Upvotes: 0

Views: 495

Answers (2)

prl

Reputation: 12434

When Intel VMX mode is used for virtualization, which is the case for current virtualization solutions on Intel platforms, none of these instructions need to be virtualized by the VMM, because they do not access or change the protected machine state.

The VMM is allowed (but not required) to request a VM exit for sgdt, sldt, sidt, and str. Other than these, none of the instructions listed ever cause a VM exit.

The processor itself performs minor virtualization of two of these instructions:

  • The behavior of SMSW is changed in the guest so that the guest sees the value the VMM wants it to.

  • The behavior of the IRET instruction is changed in the guest to clear NMI blocking.

Upvotes: 2

Peter Cordes

Reputation: 364210

Modifying the machine state (segment bases / limits, disabling interrupts, etc.) obviously can't be allowed, or the guest could break out of the VM or at least hang it. (E.g. by running an infinite loop with interrupts disabled.)

pushf/popf are slightly subtle: remember that IF (the interrupts-enabled bit which cli/sti flip) is one of the bits in EFLAGS.

You want the physical machine to have interrupts enabled while the guest disables interrupts. But you also want the guest to see IF=0 when it has interrupts disabled on the virtual x86 that it's running on. So you need to virtualize pushf as well as popf.

Upvotes: 0
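The pushf/popf point in the answer above, as an added C model that is not part of the answer and not taken from any real hypervisor: a hypothetical `struct vcpu` keeps a shadow IF that the guest controls, while the IF bit actually loaded on the physical CPU stays set so the host can always preempt the guest. All names (`emulate_pushf`, `emulate_popf`, `raise_virtual_irq`) are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_IF (1u << 9)  /* interrupt-enable flag, the bit cli/sti toggle */

/* Hypothetical minimal vCPU: the EFLAGS the host really runs the guest with,
 * plus the guest's own idea of IF and any interrupt held back because of it. */
struct vcpu {
    uint32_t eflags;      /* flags loaded on the physical CPU; IF stays 1 */
    bool     virt_if;     /* what the guest believes IF is */
    bool     irq_pending; /* a virtual interrupt waiting for virt_if == 1 */
    int      injected;    /* how many virtual interrupts were delivered */
};

/* Guest pushf: return EFLAGS with the guest's IF, not the host's. */
uint32_t emulate_pushf(const struct vcpu *v)
{
    uint32_t val = v->eflags & ~EFLAGS_IF;
    return v->virt_if ? (val | EFLAGS_IF) : val;
}

/* Guest popf: take the popped IF into the shadow copy only; the physical IF
 * is left untouched, so the host is never stuck behind a guest cli loop. */
void emulate_popf(struct vcpu *v, uint32_t val)
{
    v->virt_if = (val & EFLAGS_IF) != 0;
    v->eflags  = (v->eflags & EFLAGS_IF) | (val & ~EFLAGS_IF);
    /* Re-enabling IF opens an interrupt window: deliver what was held back. */
    if (v->virt_if && v->irq_pending) {
        v->irq_pending = false;
        v->injected++;
    }
}

/* Host side: a virtual device raises an interrupt for this guest. */
void raise_virtual_irq(struct vcpu *v)
{
    if (v->virt_if) v->injected++;
    else            v->irq_pending = true;  /* hold it until the guest allows it */
}

int main(void)
{
    struct vcpu v = { .eflags = EFLAGS_IF | 0x2, .virt_if = true };
    emulate_popf(&v, 0x2);          /* guest clears IF via popf */
    raise_virtual_irq(&v);          /* must be held, guest has IF=0 */
    printf("guest IF=%d host IF=%d pending=%d\n", v.virt_if,
           (v.eflags & EFLAGS_IF) != 0, v.irq_pending);
    return 0;
}
```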
