Reputation: 297
how to remove the ability of a guest VM to utilize the RDRAND instruction?
If a hypervisor wishes to remove the ability of a guest VM to utilize the RDRAND instruction, what steps must it take to achieve this
Upvotes: 0
Views: 972
Answers (1)
Reputation: 364338
Yes, Intel VMX hardware virtualization has hardware support for making rdrand and rdseed to a VM exit.
For example, see discussion on the Linux kernel mailing list about patching KVM (the hypervisor built-in to Linux):
A guest may not be configured to support
RDSEED, even when the host does. If the guest does not supportRDSEED, intercept the instruction and synthesize #UD. Also clear the "allowed-1" bit forRDSEEDexiting in theIA32_VMX_PROCBASED_CTLS2MSR.
The relevant VMX ctrls are SECONDARY_EXEC_RDRAND_EXITING and SECONDARY_EXEC_RDSEED_EXITING. (See this patch that renamed them in the KVM source code to match what Intel calls them in their x86 Software Development Manuals (SDM), where you should find further details of how to program VMX to do what you want.)
I just used links to KVM stuff because it's what came up first on Google when I was checking to see if there was HW support for this at all.
Upvotes: 3
Related Questions
- How to configure IOMMU protection for my hypervisor?
- qemu: prevent a guest from hogging CPU
- Rdrand instrucrtion SIGILL
- How can I force VirtualBox GuestOS CPUID to match HostOS?
- How to use Intel's RDRAND using inline assembly with .Net
- Intercept rdtsc instruction from guest vm userspace in KVM
- How to implement new instruction in linux KVM at unused x86 opcode
- Oracle VirtualBox "VT-x is disabled in the BIOS"
- How to enable VT-x for a windows 7 guest running on KVM on RHEL
- Allow guest OS to access graphics adapter directly