Bug #12916


bhyve should be able to limit vmx capabilities

Added by Patrick Mooney over 3 years ago. Updated over 3 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:
External Bug:


Presently, bhyve detects certain the availability of certain CPU capabilities such as APICv during loading. If it fines any of these capabilities, it enables them globally for all VMs. It does so in a way that makes it challenging to create a VM which does not use those capabilities. Being able to test various combinations, or the total absence of those capabilities when running on a CPU that features them all would be useful. We should start splitting up how the capabilities are detected and then later activated.

Actions #1

Updated by Electric Monk over 3 years ago

  • Gerrit CR set to 767
Actions #2

Updated by Patrick Mooney over 3 years ago

With this patch applied, I can see the VMX capabilities properly populated on an Ivy Bridge test system:

> vmx_capabilities::print

I can zero out the global vmx_capabilities without affecting the operation of existing guests, as they have a local copy which represents the capability state at the time of their creation.

By toggling bits in vmx_capabilities via mdb -kw, emulation logic which doesn't rely on those CPU features can be tested on a machine which is nonetheless capable. With the default capabilities on that machine, calls to vmx_post_intr() can be seen (using APICv posted-interrupts). With it disabled (vmx_capabilities = 0x7), the posted interrupt calls disappear, but @vmx_set_intr_ready() calls are still prevalent, as the remaining APICv functionality is still used. With all but TPR-shadowing disabled, the APICv calls disappear, but we can see vlapic_get_cr8 calls during VMX entry setup as that state is synchronized into the VMCS. With vmx_capabilities zeroed out, the guest still runs fine, but bhyve uses all of the in-kernel APIC emulation, rather than the advanced VMX features.

Actions #3

Updated by Patrick Mooney over 3 years ago

I fired this up on an older (and less capable) Westmere machine to make sure it properly detected and enabled the available VMX features:

> vmx_capabilities::print

It booted and ran a Linux guest just as it had prior to the change.

Actions #4

Updated by Electric Monk over 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit c3ae3afa3e57b39e29577c4b791adbe511bb7e3f

commit  c3ae3afa3e57b39e29577c4b791adbe511bb7e3f
Author: Patrick Mooney <>
Date:   2020-07-28T19:43:29.000Z

    12916 bhyve should be able to limit vmx capabilities
    12917 bhyve should always use Unrestricted Guest
    Reviewed by: Mike Zeller <>
    Approved by: Dan McDonald <>


Also available in: Atom PDF