On Sun, Apr 27, 2014 at 04:29:25PM +0200, Paolo Bonzini wrote:
> On 27/04/2014 14:22, Marcel Apfelbaum wrote:
> >On Sat, 2014-04-26 at 11:06 +0200, Paolo Bonzini wrote:
> >>KVM computes the CPL as follows:
> >>
> >>if (CR0.PE == 0)
> >>    return 0;
> >>
> >>if (!EFER.LMA && EFLAGS.VM)
> >>    return 3;
> >>
> >>return CS.selector & 3;
> >
> >The above algorithm is correct only for the protected mode, right?
>
> The CR0.PE == 0 case is for real mode.
>
> You're right that for the real->protected transition time
> CS.selector's low 3 bits can be anything, while CR0.PE is already 1
> *and* CPL is still zero. Kevin's patch should handle this right for
> TCG, but there may indeed be a KVM bug looming.
I was wondering about that as well. The Intel docs state that the CPL is
bits 0-1 of the CS.selector register, and that protected mode starts
immediately after setting the PE bit. The CS.selector field should be the
value of %cs in real mode, which is the value added to eip (after shifting
right by 4). I guess that means that the real mode code that enables the
PE bit must run with a code segment aligned to a value of 4. (Which
effectively means code alignment of 64 bytes because of the segment
shift.)

-Kevin
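As an added illustration (not code from this thread, KVM or QEMU), the quoted CPL computation written out in C and applied to the real-to-protected transition discussed above: CR0.PE is already 1, CS still holds the real-mode segment value, and the architectural CPL is still 0. The `cpu_state` struct and the function names are constructed for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of the registers the quoted computation reads.
 * Constructed for this example; it is not KVM's vCPU structure. */
struct cpu_state {
    bool cr0_pe;        /* CR0.PE: protection enable */
    bool efer_lma;      /* EFER.LMA: long mode active */
    bool eflags_vm;     /* EFLAGS.VM: virtual-8086 mode */
    uint16_t cs_sel;    /* CS selector; in real mode, the segment value */
};

/* The computation quoted at the top of the thread, as C. */
static int cpl_from_regs(const struct cpu_state *s)
{
    if (!s->cr0_pe)
        return 0;
    if (!s->efer_lma && s->eflags_vm)
        return 3;
    return s->cs_sel & 3;
}

/* State right after real-mode code at segment `seg` sets CR0.PE, before the
 * far jump that loads a protected-mode CS. Architecturally the CPL is still
 * 0 here; this returns what the formula derives from the registers. */
static int cpl_right_after_setting_pe(uint16_t seg)
{
    struct cpu_state s = { .cr0_pe = true, .cs_sel = seg };
    return cpl_from_regs(&s);
}

/* The derived value matches the architectural CPL of 0 during the
 * transition exactly when the segment value is a multiple of 4. */
static bool transition_cpl_is_correct(uint16_t seg)
{
    return cpl_right_after_setting_pe(seg) == 0;
}

int main(void)
{
    /* Sample real-mode segment values, constructed for the demonstration. */
    uint16_t segs[] = { 0x07C0, 0x07C1, 0x1000, 0x1003 };
    for (size_t i = 0; i < sizeof(segs) / sizeof(segs[0]); i++)
        printf("real-mode CS=%04x (code at linear %05x): derived CPL=%d, %s\n",
               segs[i], (unsigned)segs[i] << 4,
               cpl_right_after_setting_pe(segs[i]),
               transition_cpl_is_correct(segs[i]) ? "ok" : "WRONG, should be 0");
    return 0;
}
```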