儲存庫 vbox 的更動 76678

時間撮記:

2019-1-7 下午01:48:16 (6 年 以前)

作者:

vboxsync

svn:sync-xref-src-repo-rev:

127984

訊息:

Port r124260, r124263, r124271, r124273, r124277, r124278, r124279, r124284, r124285, r124286, r124287, r124288, r124289 and r124290 (Ported fixes over from 5.2, see bugref:9179 for more information)

位置:

trunk

檔案:

• . (修改) (1 屬性更動)
• doc/manual/en_US/user_BasicConcepts.xml (修改) (1 筆差異)
• doc/manual/en_US/user_Security.xml (修改) (1 筆差異)
• doc/manual/en_US/user_Technical.xml (修改) (1 筆差異)
• doc/manual/en_US/user_VBoxManage.xml (修改) (1 筆差異)
• include/VBox/settings.h (修改) (1 筆差異)
• include/VBox/vmm/cpum.h (修改) (3 筆差異)
• include/VBox/vmm/cpum.mac (修改) (1 筆差異)
• include/VBox/vmm/cpumctx.h (修改) (1 筆差異)
• include/iprt/x86.h (修改) (2 筆差異)
• include/iprt/x86.mac (修改) (2 筆差異)
• src/VBox (修改) (1 屬性更動)
• src/VBox/Frontends (修改) (1 屬性更動)
• src/VBox/Frontends/VBoxManage/VBoxManageHelp.cpp (修改) (1 筆差異)
• src/VBox/Frontends/VBoxManage/VBoxManageModifyVM.cpp (修改) (3 筆差異)
• src/VBox/Main/idl/VirtualBox.xidl (修改) (1 筆差異)
• src/VBox/Main/include/MachineImpl.h (修改) (1 筆差異)
• src/VBox/Main/src-client/ConsoleImpl2.cpp (修改) (1 筆差異)
• src/VBox/Main/src-server/MachineImpl.cpp (修改) (5 筆差異)
• src/VBox/Main/xml/Settings.cpp (修改) (5 筆差異)
• src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp (修改) (3 筆差異)
• src/VBox/VMM/VMMR0/CPUMR0.cpp (修改) (2 筆差異)
• src/VBox/VMM/VMMR0/HMR0A.asm (修改) (3 筆差異)
• src/VBox/VMM/VMMR0/HMVMXR0.cpp (修改) (3 筆差異)
• src/VBox/VMM/VMMR3/CPUMR3CpuId.cpp (修改) (13 筆差異)
• src/VBox/VMM/VMMR3/CPUMR3Db.cpp (修改) (1 筆差異)
• src/VBox/VMM/VMMR3/HM.cpp (修改) (4 筆差異)
• src/VBox/VMM/include/CPUMInternal.h (修改) (1 筆差異)
• src/VBox/VMM/include/HMInternal.h (修改) (1 筆差異)

trunk

@@ -8 +8 @@
 /branches/VBox-5.0:104445,104938,104943,104950,104952-104953,104987-104988,104990,106453
 /branches/VBox-5.1:112367,115992,116543,116550,116568,116573
-/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124260,124263,124271,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop:90781-91268
 /branches/andy/guestctrl20:78916,78930

@@ -8 +8 @@
 /branches/VBox-5.0:104445,104938,104943,104950,104952-104953,104987-104988,104990,106453
 /branches/VBox-5.1:112367,115992,116543,116550,116568,116573
-/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124260,124263,124271,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop:90781-91268
 /branches/andy/guestctrl20:78916,78930

trunk/doc/manual/en_US/user_BasicConcepts.xml

@@ -1490 +1490 @@
                 paging in addition to hardware virtualization. For
                 technical details, see <xref linkend="nestedpaging" />.
+                For Intel EPT security recommendations, see
+                <xref linkend="sec-rec-cve-2018-3646" />.
               </para>
             </listitem>

trunk/doc/manual/en_US/user_Security.xml

@@ -515 +515 @@
   -->
 
+  <sect1 id="security-recommendations">
+    <title>Security Recommendations</title>
+
+    <para>This section contains security recommendations for specific issues.
+    By default VirtualBox will configure the VMs to run in a secure manner,
+    however this may not always be possible without additional user actions (e.g.
+    host OS / firmware configuration changes).</para>
+
+    <sect2 id="sec-rec-cve-2018-3646">
+      <title>CVE-2018-3646</title>
+
+      <para>This security issue affect a range of Intel CPUs with nested paging.
+      AMD CPUs are expected not to be impacted (pending direct confirmation by AMD).
+      Also the issue does not affect VMs running with hardware virtualization
+      disabled or with nested paging disabled.</para>
+
+      <para>For more information about nested paging, see <xref linkend="nestedpaging" />.</para>
+
+      <para>Mitigation options:</para>
+
+      <sect3>
+        <title>Disable nested paging</title>
+
+        <para>By disabling nested paging (EPT), the VMM will construct page tables
+        shadowing the ones in the guest.  It is no possible for the guest to insert
+        anything fishy into the page tables, since the VMM carefully validates each
+        entry before shadowing it.</para>
+
+        <para>As a side effect of disabling nested paging, several CPU features
+        will not be made available to the guest.  Among these features are AVX,
+        AVX2, XSAVE, AESNI, and POPCNT.  Not all guests may be able to cope with
+        dropping these features after installation.  Also, for some guests,
+        especially in SMP configurations, there could be stability issues arrising
+        from disabling nested paging.  Finally, some workloads may experience a
+        performance degradation.</para>
+      </sect3>
+
+      <sect3>
+        <title>Flushing the level 1 data cache</title>
+
+        <para>This aims at removing potentially sensitive data from the level 1
+        data cache when running guest code.  However, it is made difficult by
+        hyper-threading setups sharing the level 1 cache and thereby potentially
+        letting the other thread in a pair refill the cache with data the user
+        does not want the guest to see.  In addition, flushing the level 1 data
+        cache is usually not without performance side effects.</para>
+
+        <para>Up to date CPU microcode is a prerequisite for the cache flushing
+        mitigations.  Some host OSes may install these automatically, though it
+        has traditionally been a task best performed by the system firmware.  So,
+        please check with your system / mainboard manufacturer for the latest
+        firmware update.</para>
+
+        <para>We recommend disabling hyper threading on the host.  This is
+        traditionally done from the firmware setup, but some OSes also offers
+        ways disable HT.  In some cases it may be disabled by default, but please
+        verify as the effectiveness of the mitigation depends on it.</para>
+
+        <para>The default action taken by VirtualBox is to flush the level 1
+        data cache when a thread is scheduled to execute guest code, rather
+        than on each VM entry.  This reduces the performance impact, while
+        making the assumption that the host OS will not handle security
+        sensitive data from interrupt handlers and similar without taking
+        precautions.</para>
+
+        <para>A more aggressive flushing option is provided via the VBoxManage
+        modifyvm option <computeroutput>--l1d-flush-on-vm-entry</computeroutput>.
+        When enabled the level 1 data cache will be flushed on every VM entry.
+        The performance impact is greater than with the default option, though
+        this of course depends on the workload.  Workloads producing a lot of
+        VM exits (like networking, VGA access, and similiar) will probably be
+        most impacted.</para>
+
+        <para>For users not concerned by this security issue, the default
+        mitigation can be disabled using</para>
+        <para><computeroutput>VBoxManage modifyvm name --l1d-flush-on-sched off</computeroutput></para>
+      </sect3>
+
+    </sect2>
+
+  </sect1>
+
 </chapter>

trunk/doc/manual/en_US/user_Technical.xml

@@ -1332 +1332 @@
           command. See <xref linkend="vboxmanage-modifyvm" />.
         </para>
+
+        <para>
+          If you have an Intel CPU with EPT, please consult
+          <xref linkend="sec-rec-cve-2018-3646" /> for security concerns
+          regarding EPT.
+        </para>
       </listitem>
 

trunk/doc/manual/en_US/user_VBoxManage.xml

@@ -1004 +1004 @@
             the processor of your host system. See
             <xref
-            linkend="hwvirt" />.
+            linkend="hwvirt" /> and <xref linkend="sec-rec-cve-2018-3646" />.
           </para>
         </listitem>

trunk/include/VBox/settings.h

@@ -1032 +1032 @@
     bool                fSpecCtrl;              //< added out of cycle, after 1.16 was out.
     bool                fSpecCtrlByHost;        //< added out of cycle, after 1.16 was out.
+    bool                fL1DFlushOnSched ;      //< added out of cycle, after 1.16 was out.
+    bool                fL1DFlushOnVMEntry ;    //< added out of cycle, after 1.16 was out.
     bool                fNestedHWVirt;          //< requires settings version 1.17 (VirtualBox 6.0)
     typedef enum LongModeType { LongMode_Enabled, LongMode_Disabled, LongMode_Legacy } LongModeType;

trunk/include/VBox/vmm/cpum.h

@@ -733 +733 @@
     kCpumMsrWrFn_Ia32SpecCtrl,
     kCpumMsrWrFn_Ia32PredCmd,
+    kCpumMsrWrFn_Ia32FlushCmd,
 
     kCpumMsrWrFn_Amd64Efer,
@@ -1061 +1062 @@
     /** Supports IA32_SPEC_CTRL.STIBP. */
     uint32_t        fStibp : 1;
+    /** Supports IA32_FLUSH_CMD. */
+    uint32_t        fFlushCmd : 1;
     /** Supports IA32_ARCH_CAP. */
     uint32_t        fArchCap : 1;
@@ -1101 +1104 @@
     uint32_t        fVmx : 1;
 
-    /** Indicates that speculative execution control CPUID bits and
-     *  MSRs are exposed. The details are different for Intel and
-     * AMD but both have similar functionality. */
+    /** Indicates that speculative execution control CPUID bits and MSRs are exposed.
+     * The details are different for Intel and AMD but both have similar
+     * functionality. */
     uint32_t        fSpeculationControl : 1;
 
+    /** MSR_IA32_ARCH_CAPABILITIES: RDCL_NO (bit 0).
+     * @remarks Only safe use after CPUM ring-0 init! */
+    uint32_t        fArchRdclNo : 1;
+    /** MSR_IA32_ARCH_CAPABILITIES: IBRS_ALL (bit 1).
+     * @remarks Only safe use after CPUM ring-0 init! */
+    uint32_t        fArchIbrsAll : 1;
+    /** MSR_IA32_ARCH_CAPABILITIES: RSB Override (bit 2).
+     * @remarks Only safe use after CPUM ring-0 init! */
+    uint32_t        fArchRsbOverride : 1;
+    /** MSR_IA32_ARCH_CAPABILITIES: RSB Override (bit 3).
+     * @remarks Only safe use after CPUM ring-0 init! */
+    uint32_t        fArchVmmNeedNotFlushL1d : 1;
+
     /** Alignment padding / reserved for future use. */
-    uint32_t        fPadding : 15;
+    uint32_t        fPadding : 10;
 
     /** SVM: Supports Nested-paging. */

trunk/include/VBox/vmm/cpum.mac

@@ -290 +290 @@
 %define CPUMCTX_WSF_IBPB_EXIT           RT_BIT_32(0)
 %define CPUMCTX_WSF_IBPB_ENTRY          RT_BIT_32(1)
+%define CPUMCTX_WSF_L1D_ENTRY           RT_BIT_32(2)
+
 
 %define CPUMSELREG_FLAGS_VALID      0x0001

trunk/include/VBox/vmm/cpumctx.h

@@ -943 +943 @@
 /** Touch IA32_PRED_CMD.IBPB on VM entry. */
 #define CPUMCTX_WSF_IBPB_ENTRY          RT_BIT_32(1)
+/** Touch IA32_FLUSH_CMD.L1D on VM entry. */
+#define CPUMCTX_WSF_L1D_ENTRY           RT_BIT_32(2)
 /** @} */
 

trunk/include/iprt/x86.h

@@ -619 +619 @@
 /** EDX Bit 27 - IBRS & IBPB - Supports the STIBP flag in IA32_SPEC_CTRL. */
 #define X86_CPUID_STEXT_FEATURE_EDX_STIBP             RT_BIT_32(27)
-
+/** EDX Bit 28 - FLUSH_CMD - Supports IA32_FLUSH_CMD MSR. */
+#define X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD         RT_BIT_32(28)
 /** EDX Bit 29 - ARCHCAP - Supports the IA32_ARCH_CAPABILITIES MSR. */
 #define X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP           RT_BIT_32(29)
@@ -1242 +1243 @@
 #define MSR_IA32_MTRR_CAP                   0xFE
 
-/** Architecture capabilities (bugfixes).
- * @note May move  */
+/** Architecture capabilities (bugfixes). */
 #define MSR_IA32_ARCH_CAPABILITIES          UINT32_C(0x10a)
-/** CPU is no subject to spectre problems. */
-#define MSR_IA32_ARCH_CAP_F_SPECTRE_FIX     RT_BIT_32(0)
+/** CPU is no subject to meltdown problems. */
+#define MSR_IA32_ARCH_CAP_F_RDCL_NO         RT_BIT_32(0)
 /** CPU has better IBRS and you can leave it on all the time. */
-#define MSR_IA32_ARCH_CAP_F_BETTER_IBRS     RT_BIT_32(1)
+#define MSR_IA32_ARCH_CAP_F_IBRS_ALL        RT_BIT_32(1)
+/** CPU has return stack buffer (RSB) override. */
+#define MSR_IA32_ARCH_CAP_F_RSBO            RT_BIT_32(2)
+/** Virtual machine monitors need not flush the level 1 data cache on VM entry.
+ * This is also the case when MSR_IA32_ARCH_CAP_F_RDCL_NO is set. */
+#define MSR_IA32_ARCH_CAP_F_VMM_NEED_NOT_FLUSH_L1D RT_BIT_32(3)
+
+/** Flush command register. */
+#define MSR_IA32_FLUSH_CMD                  UINT32_C(0x10b)
+/** Flush the level 1 data cache when this bit is written. */
+#define MSR_IA32_FLUSH_CMD_F_L1D            RT_BIT_32(0)
 
 /** Cache control/info. */

trunk/include/iprt/x86.mac

@@ -185 +185 @@
 %define X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB         RT_BIT_32(26)
 %define X86_CPUID_STEXT_FEATURE_EDX_STIBP             RT_BIT_32(27)
+%define X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD         RT_BIT_32(28)
 %define X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP           RT_BIT_32(29)
 %define X86_CPUID_EXT_FEATURE_ECX_LAHF_SAHF     RT_BIT_32(0)
@@ -432 +433 @@
 %define MSR_IA32_MTRR_CAP                   0xFE
 %define MSR_IA32_ARCH_CAPABILITIES          0x10a
-%define MSR_IA32_ARCH_CAP_F_SPECTRE_FIX     RT_BIT_32(0)
-%define MSR_IA32_ARCH_CAP_F_BETTER_IBRS     RT_BIT_32(1)
+%define MSR_IA32_ARCH_CAP_F_RDCL_NO         RT_BIT_32(0)
+%define MSR_IA32_ARCH_CAP_F_IBRS_ALL        RT_BIT_32(1)
+%define MSR_IA32_ARCH_CAP_F_RSBO            RT_BIT_32(2)
+%define MSR_IA32_ARCH_CAP_F_VMM_NEED_NOT_FLUSH_L1D RT_BIT_32(3)
+%define MSR_IA32_FLUSH_CMD                  0x10b
+%define MSR_IA32_FLUSH_CMD_F_L1D            RT_BIT_32(0)
 %define MSR_BBL_CR_CTL3                     0x11e
 %ifndef MSR_IA32_SYSENTER_CS

trunk/src/VBox

@@ -8 +8 @@
 /branches/VBox-5.0/src/VBox:104938,104943,104950,104987-104988,104990,106453
 /branches/VBox-5.1/src/VBox:112367,116543,116550,116568,116573
-/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124263,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop/src/VBox:90781-91268
 /branches/andy/guestctrl20/src/VBox:78916,78930

@@ -8 +8 @@
 /branches/VBox-5.0/src/VBox:104938,104943,104950,104987-104988,104990,106453
 /branches/VBox-5.1/src/VBox:112367,116543,116550,116568,116573
-/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124263,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop/src/VBox:90781-91268
 /branches/andy/guestctrl20/src/VBox:78916,78930

trunk/src/VBox/Frontends

@@ -7 +7 @@
 /branches/VBox-4.3/src/VBox/Frontends:91223
 /branches/VBox-4.3/trunk/src/VBox/Frontends:91223
-/branches/VBox-5.2/src/VBox/Frontends:120213
+/branches/VBox-5.2/src/VBox/Frontends:120213,124288
 /branches/andy/draganddrop/src/VBox/Frontends:90781-91268
 /branches/andy/guestctrl20/src/VBox/Frontends:78916,78930

@@ -7 +7 @@
 /branches/VBox-4.3/src/VBox/Frontends:91223
 /branches/VBox-4.3/trunk/src/VBox/Frontends:91223
-/branches/VBox-5.2/src/VBox/Frontends:120213
+/branches/VBox-5.2/src/VBox/Frontends:120213,124288
 /branches/andy/draganddrop/src/VBox/Frontends:90781-91268
 /branches/andy/guestctrl20/src/VBox/Frontends:78916,78930

trunk/src/VBox/Frontends/VBoxManage/VBoxManageHelp.cpp

@@ -517 +517 @@
                      "                            [--ibpb-on-vm-entry on|off]\n"
                      "                            [--spec-ctrl on|off]\n"
+                     "                            [--l1d-flush-on-sched on|off]\n"
+                     "                            [--l1d-flush-on-vm-entry on|off]\n"
                      "                            [--nested-hw-virt on|off]\n"
                      "                            [--cpu-profile \"host|Intel 80[86|286|386]\"]\n"

trunk/src/VBox/Frontends/VBoxManage/VBoxManageModifyVM.cpp

@@ -78 +78 @@
     MODIFYVM_IBPB_ON_VM_ENTRY,
     MODIFYVM_SPEC_CTRL,
+    MODIFYVM_L1D_FLUSH_ON_SCHED,
+    MODIFYVM_L1D_FLUSH_ON_VM_ENTRY,
     MODIFYVM_NESTED_HW_VIRT,
     MODIFYVM_CPUS,
@@ -264 +266 @@
     { "--ibpb-on-vm-entry",         MODIFYVM_IBPB_ON_VM_ENTRY,          RTGETOPT_REQ_BOOL_ONOFF },
     { "--spec-ctrl",                MODIFYVM_SPEC_CTRL,                 RTGETOPT_REQ_BOOL_ONOFF },
+    { "--l1d-flush-on-sched",       MODIFYVM_L1D_FLUSH_ON_SCHED,        RTGETOPT_REQ_BOOL_ONOFF },
+    { "--l1d-flush-on-vm-entry",    MODIFYVM_L1D_FLUSH_ON_VM_ENTRY,     RTGETOPT_REQ_BOOL_ONOFF },
     { "--nested-hw-virt",           MODIFYVM_NESTED_HW_VIRT,            RTGETOPT_REQ_BOOL_ONOFF },
     { "--cpuid-set",                MODIFYVM_SETCPUID,                  RTGETOPT_REQ_UINT32_OPTIONAL_PAIR | RTGETOPT_FLAG_HEX },
@@ -798 +802 @@
                 break;
 
+            case MODIFYVM_L1D_FLUSH_ON_SCHED:
+                CHECK_ERROR(sessionMachine, SetCPUProperty(CPUPropertyType_L1DFlushOnEMTScheduling, ValueUnion.f));
+                break;
+
+            case MODIFYVM_L1D_FLUSH_ON_VM_ENTRY:
+                CHECK_ERROR(sessionMachine, SetCPUProperty(CPUPropertyType_L1DFlushOnVMEntry, ValueUnion.f));
+                break;
+
             case MODIFYVM_NESTED_HW_VIRT:
                 CHECK_ERROR(sessionMachine, SetCPUProperty(CPUPropertyType_HWVirt, ValueUnion.f));

trunk/src/VBox/Main/idl/VirtualBox.xidl

@@ -1055 +1055 @@
         If set, the speculation controls are managed by the host. This is intended
         for guests which do not set the speculation controls themselves.
+        Note! This has not yet been implemented beyond leaving everything to the host OS.
+      </desc>
+    </const>
+    <const name="L1DFlushOnEMTScheduling" value="11">
+      <desc>
+        If set and the host is affected by CVE-2018-3646, flushes the level 1 data
+        cache when the EMT is scheduled to do ring-0 guest execution.  There could
+        be a small performance penalty for certain typs of workloads.
+        For security reasons this setting will be enabled by default.
+      </desc>
+    </const>
+    <const name="L1DFlushOnVMEntry"     value="12">
+      <desc>
+        If set and the host is affected by CVE-2018-3646, flushes the level 1 data
+        on every VM entry.  This setting may significantly slow down workloads
+        causing many VM exits, so it is only recommended for situation where there
+        is a real need to be paranoid.
       </desc>
     </const>

trunk/src/VBox/Main/include/MachineImpl.h

@@ -288 +288 @@
         BOOL                mSpecCtrl;
         BOOL                mSpecCtrlByHost;
+        BOOL                mL1DFlushOnSched;
+        BOOL                mL1DFlushOnVMEntry;
         BOOL                mNestedHWVirt;
         ULONG               mCPUCount;

trunk/src/VBox/Main/src-client/ConsoleImpl2.cpp

@@ -1183 +1183 @@
         hrc = pMachine->GetCPUProperty(CPUPropertyType_SpecCtrlByHost, &fSpecCtrlByHost); H();
         InsertConfigInteger(pHM, "SpecCtrlByHost", fSpecCtrlByHost);
+
+        BOOL fL1DFlushOnSched = true;
+        hrc = pMachine->GetCPUProperty(CPUPropertyType_L1DFlushOnEMTScheduling, &fL1DFlushOnSched); H();
+        InsertConfigInteger(pHM, "L1DFlushOnSched", fL1DFlushOnSched);
+
+        BOOL fL1DFlushOnVMEntry = false;
+        hrc = pMachine->GetCPUProperty(CPUPropertyType_L1DFlushOnVMEntry, &fL1DFlushOnVMEntry); H();
+        InsertConfigInteger(pHM, "L1DFlushOnVMEntry", fL1DFlushOnVMEntry);
 
         /* Reset overwrite. */

trunk/src/VBox/Main/src-server/MachineImpl.cpp

@@ -196 +196 @@
     mSpecCtrl = false;
     mSpecCtrlByHost = false;
+    mL1DFlushOnSched = true;
+    mL1DFlushOnVMEntry = false;
     mNestedHWVirt = false;
     mHPETEnabled = false;
@@ -2025 +2027 @@
             break;
 
+        case CPUPropertyType_L1DFlushOnEMTScheduling:
+            *aValue = mHWData->mL1DFlushOnSched;
+            break;
+
+        case CPUPropertyType_L1DFlushOnVMEntry:
+            *aValue = mHWData->mL1DFlushOnVMEntry;
+            break;
+
         default:
             return E_INVALIDARG;
@@ -2102 +2112 @@
             mHWData.backup();
             mHWData->mNestedHWVirt = !!aValue;
+            break;
+
+        case CPUPropertyType_L1DFlushOnEMTScheduling:
+            i_setModified(IsModified_MachineData);
+            mHWData.backup();
+            mHWData->mL1DFlushOnSched = !!aValue;
+            break;
+
+        case CPUPropertyType_L1DFlushOnVMEntry:
+            i_setModified(IsModified_MachineData);
+            mHWData.backup();
+            mHWData->mL1DFlushOnVMEntry = !!aValue;
             break;
 
@@ -8836 +8858 @@
         mHWData->mSpecCtrl                    = data.fSpecCtrl;
         mHWData->mSpecCtrlByHost              = data.fSpecCtrlByHost;
+        mHWData->mL1DFlushOnSched             = data.fL1DFlushOnSched;
+        mHWData->mL1DFlushOnVMEntry           = data.fL1DFlushOnVMEntry;
         mHWData->mNestedHWVirt                = data.fNestedHWVirt;
         mHWData->mCPUCount                    = data.cCPUs;
@@ -10157 +10181 @@
         data.fSpecCtrl              = !!mHWData->mSpecCtrl;
         data.fSpecCtrlByHost        = !!mHWData->mSpecCtrlByHost;
+        data.fL1DFlushOnSched       = !!mHWData->mL1DFlushOnSched;
+        data.fL1DFlushOnVMEntry     = !!mHWData->mL1DFlushOnVMEntry;
         data.fNestedHWVirt          = !!mHWData->mNestedHWVirt;
         data.cCPUs                  = mHWData->mCPUCount;

trunk/src/VBox/Main/xml/Settings.cpp

@@ -3068 +3068 @@
     fSpecCtrl(false),
     fSpecCtrlByHost(false),
+    fL1DFlushOnSched(true),
+    fL1DFlushOnVMEntry(false),
     fNestedHWVirt(false),
     enmLongMode(HC_ARCH_BITS == 64 ? Hardware::LongMode_Enabled : Hardware::LongMode_Disabled),
@@ -3201 +3203 @@
             && fSpecCtrl                 == h.fSpecCtrl
             && fSpecCtrlByHost           == h.fSpecCtrlByHost
+            && fL1DFlushOnSched          == h.fL1DFlushOnSched
+            && fL1DFlushOnVMEntry        == h.fL1DFlushOnVMEntry
             && fNestedHWVirt             == h.fNestedHWVirt
             && cCPUs                     == h.cCPUs
@@ -4221 +4225 @@
             if (pelmCPUChild)
                 pelmCPUChild->getAttributeValue("enabled", hw.fSpecCtrlByHost);
+            pelmCPUChild = pelmHwChild->findChildElement("L1DFlushOn");
+            if (pelmCPUChild)
+            {
+                pelmCPUChild->getAttributeValue("scheduling", hw.fL1DFlushOnSched);
+                pelmCPUChild->getAttributeValue("vmentry", hw.fL1DFlushOnVMEntry);
+            }
             pelmCPUChild = pelmHwChild->findChildElement("NestedHWVirt");
             if (pelmCPUChild)
@@ -5581 +5591 @@
                 pelmChild->setAttribute("vmentry", hw.fIBPBOnVMEntry);
         }
-    }
-    if (m->sv >= SettingsVersion_v1_16 && hw.fSpecCtrl)
-        pelmCPU->createChild("SpecCtrl")->setAttribute("enabled", hw.fSpecCtrl);
-    if (m->sv >= SettingsVersion_v1_16 && hw.fSpecCtrlByHost)
-        pelmCPU->createChild("SpecCtrlByHost")->setAttribute("enabled", hw.fSpecCtrlByHost);
+        if (hw.fSpecCtrl)
+            pelmCPU->createChild("SpecCtrl")->setAttribute("enabled", hw.fSpecCtrl);
+        if (hw.fSpecCtrlByHost)
+            pelmCPU->createChild("SpecCtrlByHost")->setAttribute("enabled", hw.fSpecCtrlByHost);
+        if (!hw.fL1DFlushOnSched || hw.fL1DFlushOnVMEntry)
+        {
+            xml::ElementNode *pelmChild = pelmCPU->createChild("L1DFlushOn");
+            if (!hw.fL1DFlushOnSched)
+                pelmChild->setAttribute("scheduling", hw.fL1DFlushOnSched);
+            if (hw.fL1DFlushOnVMEntry)
+                pelmChild->setAttribute("vmentry", hw.fL1DFlushOnVMEntry);
+        }
+    }
     if (m->sv >= SettingsVersion_v1_17 && hw.fNestedHWVirt)
         pelmCPU->createChild("NestedHWVirt")->setAttribute("enabled", hw.fNestedHWVirt);
@@ -7346 +7364 @@
             || hardwareMachine.fIBPBOnVMEntry
             || hardwareMachine.fSpecCtrl
-            || hardwareMachine.fSpecCtrlByHost)
+            || hardwareMachine.fSpecCtrlByHost
+            || !hardwareMachine.fL1DFlushOnSched
+            || hardwareMachine.fL1DFlushOnVMEntry)
         {
             m->sv = SettingsVersion_v1_16;

trunk/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp

@@ -1521 +1521 @@
 
 
-
-
-
-
-
-
-
+/** @callback_method_impl{FNCPUMWRMSR} */
+static DECLCALLBACK(VBOXSTRICTRC) cpumMsrWr_Ia32FlushCmd(PVMCPU pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t uValue, uint64_t uRawValue)
+{
+    RT_NOREF_PV(pVCpu); RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue);
+    if ((uValue & ~MSR_IA32_FLUSH_CMD_F_L1D) == 0)
+        return VINF_SUCCESS;
+    Log(("CPUM: Invalid MSR_IA32_FLUSH_CMD_ bits (trying to write %#llx)\n", uValue));
+    return VERR_CPUM_RAISE_GP_0;
+}
 
 
@@ -5337 +5339 @@
     cpumMsrWr_Ia32SpecCtrl,
     cpumMsrWr_Ia32PredCmd,
+    cpumMsrWr_Ia32FlushCmd,
 
     cpumMsrWr_Amd64Efer,
@@ -6043 +6046 @@
     CPUM_ASSERT_WR_MSR_FN(Ia32SpecCtrl);
     CPUM_ASSERT_WR_MSR_FN(Ia32PredCmd);
+    CPUM_ASSERT_WR_MSR_FN(Ia32FlushCmd);
 
     CPUM_ASSERT_WR_MSR_FN(Amd64Efer);

trunk/src/VBox/VMM/VMMR0/CPUMR0.cpp

@@ -214 +214 @@
         uint32_t u32CpuVersion;
         uint32_t u32Dummy;
-        uint32_t fFeatures;
+        uint32_t fFeatures; /* (Used further down to check for MSRs, so don't clobber.) */
         ASMCpuId(1, &u32CpuVersion, &u32Dummy, &u32Dummy, &fFeatures);
         uint32_t const u32Family   = u32CpuVersion >> 8;
@@ -264 +264 @@
                 }
             }
+        }
+
+        /*
+         * Copy MSR_IA32_ARCH_CAPABILITIES bits over into the host feature structure.
+         */
+        pVM->cpum.s.HostFeatures.fArchRdclNo             = 0;
+        pVM->cpum.s.HostFeatures.fArchIbrsAll            = 0;
+        pVM->cpum.s.HostFeatures.fArchRsbOverride        = 0;
+        pVM->cpum.s.HostFeatures.fArchVmmNeedNotFlushL1d = 0;
+        uint32_t const cStdRange = ASMCpuId_EAX(0);
+        if (   ASMIsValidStdRange(cStdRange)
+            && cStdRange >= 7)
+        {
+            uint32_t fEdxFeatures = ASMCpuId_EDX(7);
+            if (   (fEdxFeatures & X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP)
+                && (fFeatures & X86_CPUID_FEATURE_EDX_MSR))
+            {
+                uint64_t const fArchVal = ASMRdMsr(MSR_IA32_ARCH_CAPABILITIES);
+                pVM->cpum.s.HostFeatures.fArchRdclNo             = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_RDCL_NO);
+                pVM->cpum.s.HostFeatures.fArchIbrsAll            = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_IBRS_ALL);
+                pVM->cpum.s.HostFeatures.fArchRsbOverride        = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_RSBO);
+                pVM->cpum.s.HostFeatures.fArchVmmNeedNotFlushL1d = RT_BOOL(fArchVal & MSR_IA32_ARCH_CAP_F_VMM_NEED_NOT_FLUSH_L1D);
+            }
+            else
+                pVM->cpum.s.HostFeatures.fArchCap = 0;
         }
 

trunk/src/VBox/VMM/VMMR0/HMR0A.asm

@@ -252 +252 @@
     wrmsr
 %%no_indirect_branch_barrier:
+%endmacro
+
+;;
+; Creates an indirect branch prediction and L1D barrier on CPUs that need and supports that.
+; @clobbers eax, edx, ecx
+; @param    1   How to address CPUMCTX.
+; @param    2   Which IBPB flag to test for (CPUMCTX_WSF_IBPB_ENTRY or CPUMCTX_WSF_IBPB_EXIT)
+; @param    3   Which FLUSH flag to test for (CPUMCTX_WSF_L1D_ENTRY)
+%macro INDIRECT_BRANCH_PREDICTION_AND_L1_CACHE_BARRIER 3
+    ; Only one test+jmp when disabled CPUs.
+    test    byte [%1 + CPUMCTX.fWorldSwitcher], (%2 | %3)
+    jz      %%no_barrier_needed
+
+    ; The eax:edx value is the same for both.
+    AssertCompile(MSR_IA32_PRED_CMD_F_IBPB == MSR_IA32_FLUSH_CMD_F_L1D)
+    mov     eax, MSR_IA32_PRED_CMD_F_IBPB
+    xor     edx, edx
+
+    ; Indirect branch barrier.
+    test    byte [%1 + CPUMCTX.fWorldSwitcher], %2
+    jz      %%no_indirect_branch_barrier
+    mov     ecx, MSR_IA32_PRED_CMD
+    wrmsr
+%%no_indirect_branch_barrier:
+
+    ; Level 1 data cache flush.
+    test    byte [%1 + CPUMCTX.fWorldSwitcher], %3
+    jz      %%no_cache_flush_barrier
+    mov     ecx, MSR_IA32_FLUSH_CMD
+    wrmsr
+%%no_cache_flush_barrier:
+
+%%no_barrier_needed:
 %endmacro
 
@@ -1454 +1487 @@
     ; Don't mess with ESP anymore!!!
 
-    ; Fight spectre.
-    INDIRECT_BRANCH_PREDICTION_BARRIER xSI, CPUMCTX_WSF_IBPB_ENTRY
+    ; Fight spectre and similar.
+    INDIRECT_BRANCH_PREDICTION_AND_L1_CACHE_BARRIER xSI, CPUMCTX_WSF_IBPB_ENTRY, CPUMCTX_WSF_L1D_ENTRY
 
     ; Load guest general purpose registers.
@@ -1763 +1796 @@
     ; Don't mess with ESP anymore!!!
 
-    ; Fight spectre.
-    INDIRECT_BRANCH_PREDICTION_BARRIER xSI, CPUMCTX_WSF_IBPB_ENTRY
+    ; Fight spectre and similar.
+    INDIRECT_BRANCH_PREDICTION_AND_L1_CACHE_BARRIER xSI, CPUMCTX_WSF_IBPB_ENTRY, CPUMCTX_WSF_L1D_ENTRY
 
     ; Load guest general purpose registers.

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -2529 +2529 @@
 #endif
         /*
-         * The IA32_PRED_CMD MSR is write-only and has no state associated with it. We never need to intercept
-         * access (writes need to be executed without exiting, reds will #GP-fault anyway).
+         * The IA32_PRED_CMD and IA32_FLUSH_CMD MSRs are write-only and has no state
+         * associated with then. We never need to intercept access (writes need to
+         * be executed without exiting, reads will #GP-fault anyway).
          */
         if (pVM->cpum.ro.GuestFeatures.fIbpb)
             hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_PRED_CMD,     VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
+        if (pVM->cpum.ro.GuestFeatures.fFlushCmd)
+            hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_FLUSH_CMD,    VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
 
         /* Though MSR_IA32_PERF_GLOBAL_CTRL is saved/restored lazily, we want intercept reads/write to it for now. */
@@ -8057 +8060 @@
         pVCpu->hm.s.fLeaveDone = false;
         Log4Func(("Activated Vmcs. HostCpuId=%u\n", RTMpCpuId()));
+
+        /*
+         * Do the EMT scheduled L1D flush here if needed.
+         */
+        if (pVCpu->CTX_SUFF(pVM)->hm.s.fL1dFlushOnSched)
+            ASMWrMsr(MSR_IA32_FLUSH_CMD, MSR_IA32_FLUSH_CMD_F_L1D);
     }
     return rc;
@@ -8135 +8144 @@
             }
             pVCpu->hm.s.fLeaveDone = false;
+
+            /* Do the EMT scheduled L1D flush if needed. */
+            if (pVCpu->CTX_SUFF(pVM)->hm.s.fL1dFlushOnSched)
+                ASMWrMsr(MSR_IA32_FLUSH_CMD, MSR_IA32_FLUSH_CMD_F_L1D);
 
             /* Restore longjmp state. */

trunk/src/VBox/VMM/VMMR3/CPUMR3CpuId.cpp

@@ -1870 +1870 @@
             pFeatures->fIbrs                = pFeatures->fIbpb;
             pFeatures->fStibp               = RT_BOOL(pSxfLeaf0->uEdx & X86_CPUID_STEXT_FEATURE_EDX_STIBP);
-#if 0   // Disabled until IA32_ARCH_CAPABILITIES support can be tested
+            pFeatures->fFlushCmd            = RT_BOOL(pSxfLeaf0->uEdx & X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD);
             pFeatures->fArchCap             = RT_BOOL(pSxfLeaf0->uEdx & X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP);
-#endif
         }
 
@@ -1878 +1877 @@
         PCCPUMCPUIDLEAF const pMWaitLeaf = cpumR3CpuIdFindLeaf(paLeaves, cLeaves, 5);
         if (pMWaitLeaf)
-        {
             pFeatures->fMWaitExtensions = (pMWaitLeaf->uEcx & (X86_CPUID_MWAIT_ECX_EXT | X86_CPUID_MWAIT_ECX_BREAKIRQIF0))
-                                                           == (X86_CPUID_MWAIT_ECX_EXT | X86_CPUID_MWAIT_ECX_BREAKIRQIF0);
-        }
+                                        ==                    (X86_CPUID_MWAIT_ECX_EXT | X86_CPUID_MWAIT_ECX_BREAKIRQIF0);
 
         /* Extended features. */
@@ -2473 +2470 @@
     CPUMISAEXTCFG   enmPcid;
     CPUMISAEXTCFG   enmInvpcid;
+    CPUMISAEXTCFG   enmFlushCmdMsr;
 
     CPUMISAEXTCFG   enmAbm;
@@ -3274 +3272 @@
                                //| X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB         RT_BIT(26)
                                //| X86_CPUID_STEXT_FEATURE_EDX_STIBP             RT_BIT(27)
+                               | (pConfig->enmFlushCmdMsr ? X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD : 0)
                                //| X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP           RT_BIT(29)
                                ;
@@ -3302 +3301 @@
                     PORTABLE_DISABLE_FEATURE_BIT(    1, pCurLeaf->uEbx, SHA,        X86_CPUID_STEXT_FEATURE_EBX_SHA);
                     PORTABLE_DISABLE_FEATURE_BIT(    1, pCurLeaf->uEcx, PREFETCHWT1, X86_CPUID_STEXT_FEATURE_ECX_PREFETCHWT1);
+                    PORTABLE_DISABLE_FEATURE_BIT_CFG(3, pCurLeaf->uEdx, FLUSH_CMD,  X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD, pConfig->enmFlushCmdMsr);
                 }
 
@@ -3315 +3315 @@
                 if (pConfig->enmInvpcid == CPUMISAEXTCFG_ENABLED_ALWAYS)
                     pCurLeaf->uEbx |= X86_CPUID_STEXT_FEATURE_EBX_INVPCID;
+                if (pConfig->enmFlushCmdMsr == CPUMISAEXTCFG_ENABLED_ALWAYS)
+                    pCurLeaf->uEdx |= X86_CPUID_STEXT_FEATURE_EDX_FLUSH_CMD;
                 break;
             }
@@ -4122 +4124 @@
                                   "|PCID"
                                   "|INVPCID"
+                                  "|FlushCmdMsr"
                                   "|ABM"
                                   "|SSE4A"
@@ -4277 +4280 @@
     AssertLogRelRCReturn(rc, rc);
 
+    /** @cfgm{/CPUM/IsaExts/FlushCmdMsr, isaextcfg, true}
+     * Whether to expose the IA32_FLUSH_CMD MSR to the guest.
+     */
+    rc = cpumR3CpuIdReadIsaExtCfg(pVM, pIsaExts, "FlushCmdMsr", &pConfig->enmFlushCmdMsr, CPUMISAEXTCFG_ENABLED_SUPPORTED);
+    AssertLogRelRCReturn(rc, rc);
+
 
     /* AMD: */
@@ -4419 +4428 @@
     }
 
+    /*
+     * Setup MSRs introduced in microcode updates or that are otherwise not in
+     * the CPU profile, but are advertised in the CPUID info we just sanitized.
+     */
+    if (RT_SUCCESS(rc))
+        rc = cpumR3MsrReconcileWithCpuId(pVM);
     /*
      * MSR fudging.
@@ -4831 +4846 @@
                     if (!pMsrRange)
                     {
+                        /** @todo incorrect fWrGpMask. */
                         static CPUMMSRRANGE const s_SpecCtrl =
                         {
@@ -4844 +4860 @@
                 }
 
-                if (pVM->cpum.s.HostFeatures.fArchCap) {
+                if (pVM->cpum.s.HostFeatures.fArchCap)
+                {
                     pLeaf->uEdx |= X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP;
 
@@ -5025 +5042 @@
             pLeaf = cpumR3CpuIdGetExactLeaf(&pVM->cpum.s, UINT32_C(0x00000007), 0);
             if (pLeaf)
-                /*pVM->cpum.s.aGuestCpuIdPatmStd[7].uEdx =*/ pLeaf->uEdx &= ~(X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB | X86_CPUID_STEXT_FEATURE_EDX_STIBP | X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP);
+                pLeaf->uEdx &= ~(  X86_CPUID_STEXT_FEATURE_EDX_IBRS_IBPB | X86_CPUID_STEXT_FEATURE_EDX_STIBP
+                                 | X86_CPUID_STEXT_FEATURE_EDX_ARCHCAP);
             pVM->cpum.s.GuestFeatures.fSpeculationControl = 0;
             Log(("CPUM: ClearGuestCpuIdFeature: Disabled speculation control!\n"));
@@ -6342 +6360 @@
     DBGFREGSUBFIELD_RO("IBRS_IBPB\0"    "IA32_SPEC_CTRL.IBRS and IA32_PRED_CMD.IBPB",   26, 1, 0),
     DBGFREGSUBFIELD_RO("STIBP\0"        "Supports IA32_SPEC_CTRL.STIBP",                27, 1, 0),
+    DBGFREGSUBFIELD_RO("FLUSH_CMD\0"    "Supports IA32_FLUSH_CMD",                      28, 1, 0),
     DBGFREGSUBFIELD_RO("ARCHCAP\0"      "Supports IA32_ARCH_CAP",                       29, 1, 0),
     DBGFREGSUBFIELD_TERMINATOR()

trunk/src/VBox/VMM/VMMR3/CPUMR3Db.cpp

@@ -595 +595 @@
 
 /**
+ * Reconciles CPUID info with MSRs (selected ones).
+ *
+ * @returns VBox status code.
+ * @param   pVM                 The cross context VM structure.
+ */
+int cpumR3MsrReconcileWithCpuId(PVM pVM)
+{
+    PCCPUMMSRRANGE papToAdd[10];
+    uint32_t      cToAdd = 0;
+
+    /*
+     * The IA32_FLUSH_CMD MSR was introduced in MCUs for CVS-2018-3646 and associates.
+     */
+    if (pVM->cpum.s.GuestFeatures.fFlushCmd && !cpumLookupMsrRange(pVM, MSR_IA32_FLUSH_CMD))
+    {
+        static CPUMMSRRANGE const s_FlushCmd =
+        {
+            /*.uFirst =*/       MSR_IA32_FLUSH_CMD,
+            /*.uLast =*/        MSR_IA32_FLUSH_CMD,
+            /*.enmRdFn =*/      kCpumMsrRdFn_WriteOnly,
+            /*.enmWrFn =*/      kCpumMsrWrFn_Ia32FlushCmd,
+            /*.offCpumCpu =*/   UINT16_MAX,
+            /*.fReserved =*/    0,
+            /*.uValue =*/       0,
+            /*.fWrIgnMask =*/   0,
+            /*.fWrGpMask =*/    ~MSR_IA32_FLUSH_CMD_F_L1D,
+            /*.szName = */      "IA32_FLUSH_CMD"
+        };
+        papToAdd[cToAdd++] = &s_FlushCmd;
+    }
+
+    /*
+     * Do the adding.
+     */
+    for (uint32_t i = 0; i < cToAdd; i++)
+    {
+        PCCPUMMSRRANGE pRange = papToAdd[i];
+        LogRel(("CPUM: MSR/CPUID reconciliation insert: %#010x %s\n", pRange->uFirst, pRange->szName));
+        int rc = cpumR3MsrRangesInsert(NULL /* pVM */, &pVM->cpum.s.GuestInfo.paMsrRangesR3, &pVM->cpum.s.GuestInfo.cMsrRanges,
+                                       pRange);
+        if (RT_FAILURE(rc))
+            return rc;
+    }
+    return VINF_SUCCESS;
+}
+
+
+/**
  * Worker for cpumR3MsrApplyFudge that applies one table.
  *

trunk/src/VBox/VMM/VMMR3/HM.cpp

@@ -485 +485 @@
                               "|IBPBOnVMEntry"
                               "|SpecCtrlByHost"
+                              "|L1DFlushOnSched"
+                              "|L1DFlushOnVMEntry"
                               "|TPRPatchingEnabled"
                               "|64bitEnabled"
@@ -675 +677 @@
     rc = CFGMR3QueryBoolDef(pCfgHm, "IBPBOnVMEntry", &pVM->hm.s.fIbpbOnVmEntry, false);
     AssertLogRelRCReturn(rc, rc);
+
+    /** @cfgm{/HM/L1DFlushOnSched, bool, true}
+     * CVS-2018-3646 workaround, ignored on CPUs that aren't affected. */
+    rc = CFGMR3QueryBoolDef(pCfgHm, "L1DFlushOnSched", &pVM->hm.s.fL1dFlushOnSched, true);
+    AssertLogRelRCReturn(rc, rc);
+
+    /** @cfgm{/HM/L1DFlushOnVMEntry, bool}
+     * CVS-2018-3646 workaround, ignored on CPUs that aren't affected. */
+    rc = CFGMR3QueryBoolDef(pCfgHm, "L1DFlushOnVMEntry", &pVM->hm.s.fL1dFlushOnVmEntry, false);
+    AssertLogRelRCReturn(rc, rc);
+
+    /* Disable L1DFlushOnSched if L1DFlushOnVMEntry is enabled. */
+    if (pVM->hm.s.fL1dFlushOnVmEntry)
+        pVM->hm.s.fL1dFlushOnSched = false;
 
     /** @cfgm{/HM/SpecCtrlByHost, bool}
@@ -1293 +1309 @@
 
     /*
+     * Check if L1D flush is needed/possible.
+     */
+    if (   !pVM->cpum.ro.HostFeatures.fFlushCmd
+        || pVM->cpum.ro.HostFeatures.enmMicroarch <  kCpumMicroarch_Intel_Core7_Nehalem
+        || pVM->cpum.ro.HostFeatures.enmMicroarch >= kCpumMicroarch_Intel_Core7_End
+        || pVM->cpum.ro.HostFeatures.fArchVmmNeedNotFlushL1d
+        || pVM->cpum.ro.HostFeatures.fArchRdclNo)
+        pVM->hm.s.fL1dFlushOnSched = pVM->hm.s.fL1dFlushOnVmEntry = false;
+
+    /*
      * Sync options.
      */
@@ -1309 +1335 @@
                 pCpuCtx->fWorldSwitcher |= CPUMCTX_WSF_IBPB_ENTRY;
         }
+        if (pVM->cpum.ro.HostFeatures.fFlushCmd && pVM->hm.s.fL1dFlushOnVmEntry)
+            pCpuCtx->fWorldSwitcher |= CPUMCTX_WSF_L1D_ENTRY;
         if (iCpu == 0)
-            LogRel(("HM: fWorldSwitcher=%#x (fIbpbOnVmExit=%RTbool fIbpbOnVmEntry=%RTbool)\n",
-                    pCpuCtx->fWorldSwitcher, pVM->hm.s.fIbpbOnVmExit, pVM->hm.s.fIbpbOnVmEntry));
+            LogRel(("HM: fWorldSwitcher=%#x (fIbpbOnVmExit=%RTbool fIbpbOnVmEntry=%RTbool fL1dFlushOnVmEntry=%RTbool); fL1dFlushOnSched=%RTbool\n",
+                    pCpuCtx->fWorldSwitcher, pVM->hm.s.fIbpbOnVmExit, pVM->hm.s.fIbpbOnVmEntry, pVM->hm.s.fL1dFlushOnVmEntry,
+                    pVM->hm.s.fL1dFlushOnSched));
     }
 

trunk/src/VBox/VMM/include/CPUMInternal.h

@@ -543 +543 @@
 int                 cpumR3DbGetCpuInfo(const char *pszName, PCPUMINFO pInfo);
 int                 cpumR3MsrRangesInsert(PVM pVM, PCPUMMSRRANGE *ppaMsrRanges, uint32_t *pcMsrRanges, PCCPUMMSRRANGE pNewRange);
+int                 cpumR3MsrReconcileWithCpuId(PVM pVM);
 int                 cpumR3MsrApplyFudge(PVM pVM);
 int                 cpumR3MsrRegStats(PVM pVM);

trunk/src/VBox/VMM/include/HMInternal.h

@@ -437 +437 @@
     /** Set if indirect branch prediction barrier on VM entry. */
     bool                        fIbpbOnVmEntry;
+    /** Set if level 1 data cache should be flushed on VM entry. */
+    bool                        fL1dFlushOnVmEntry;
+    /** Set if level 1 data cache should be flushed on EMT scheduling. */
+    bool                        fL1dFlushOnSched;
     /** Set if host manages speculation control settings. */
     bool                        fSpecCtrlByHost;
-    /** Explicit padding. */
-    bool                        afPadding[2];
 
     /** Maximum ASID allowed. */

@@ -8 +8 @@
 /branches/VBox-5.0:104445,104938,104943,104950,104952-104953,104987-104988,104990,106453
 /branches/VBox-5.1:112367,115992,116543,116550,116568,116573
-/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124260,124263,124271,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop:90781-91268
 /branches/andy/guestctrl20:78916,78930

@@ -8 +8 @@
 /branches/VBox-5.0/src/VBox:104938,104943,104950,104987-104988,104990,106453
 /branches/VBox-5.1/src/VBox:112367,116543,116550,116568,116573
-/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,125768,125779-125780,125812
+/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124263,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
 /branches/andy/draganddrop/src/VBox:90781-91268
 /branches/andy/guestctrl20/src/VBox:78916,78930

@@ -7 +7 @@
 /branches/VBox-4.3/src/VBox/Frontends:91223
 /branches/VBox-4.3/trunk/src/VBox/Frontends:91223
-/branches/VBox-5.2/src/VBox/Frontends:120213
+/branches/VBox-5.2/src/VBox/Frontends:120213,124288
 /branches/andy/draganddrop/src/VBox/Frontends:90781-91268
 /branches/andy/guestctrl20/src/VBox/Frontends:78916,78930