Vol. 3C 25-7
VMX NON-ROOT OPERATION
— If the “enable INVPCID” VM-execution control is 1, treatment is based on the setting of the “INVLPG
exiting” VM-execution control:
•
If the “INVLPG exiting” VM-execution control is 0, INVPCID operates normally.
•
If the “INVLPG exiting” VM-execution control is 1, INVPCID causes a VM exit.
•
IRET. Behavior of IRET with regard to NMI blocking (see Table 24-3) is determined by the settings of the “NMI
exiting” and “virtual NMIs” VM-execution controls:
— If the “NMI exiting” VM-execution control is 0, IRET operates normally and unblocks NMIs. (If the “NMI
exiting” VM-execution control is 0, the “virtual NMIs” control must be 0; see Section 26.2.1.1.)
— If the “NMI exiting” VM-execution control is 1, IRET does not affect blocking of NMIs. If, in addition, the
“virtual NMIs” VM-execution control is 1, the logical processor tracks virtual-NMI blocking. In this case,
IRET removes any virtual-NMI blocking.
The unblocking of NMIs or virtual NMIs specified above occurs even if IRET causes a fault.
•
LMSW. Outside of VMX non-root operation, LMSW loads its source operand into CR0[3:0], but it does not clear
CR0.PE if that bit is set. In VMX non-root operation, an execution of LMSW that does not cause a VM exit (see
Section 25.1.3) leaves unmodified any bit in CR0[3:0] corresponding to a bit set in the CR0 guest/host mask.
An attempt to set any other bit in CR0[3:0] to a value not supported in VMX operation (see Section 23.8)
causes a general-protection exception. Attempts to clear CR0.PE are ignored without fault.
•
MOV from CR0. The behavior of MOV from CR0 is determined by the CR0 guest/host mask and the CR0 read
shadow. For each position corresponding to a bit clear in the CR0 guest/host mask, the destination operand is
loaded with the value of the corresponding bit in CR0. For each position corresponding to a bit set in the CR0
guest/host mask, the destination operand is loaded with the value of the corresponding bit in the CR0 read
shadow. Thus, if every bit is cleared in the CR0 guest/host mask, MOV from CR0 reads normally from CR0; if
every bit is set in the CR0 guest/host mask, MOV from CR0 returns the value of the CR0 read shadow.
Depending on the contents of the CR0 guest/host mask and the CR0 read shadow, bits may be set in the
destination that would never be set when reading directly from CR0.
•
MOV from CR3. If the “enable EPT” VM-execution control is 1 and an execution of MOV from CR3 does not
cause a VM exit (see Section 25.1.3), the value loaded from CR3 is a guest-physical address; see Section
28.2.1.
•
MOV from CR4. The behavior of MOV from CR4 is determined by the CR4 guest/host mask and the CR4 read
shadow. For each position corresponding to a bit clear in the CR4 guest/host mask, the destination operand is
loaded with the value of the corresponding bit in CR4. For each position corresponding to a bit set in the CR4
guest/host mask, the destination operand is loaded with the value of the corresponding bit in the CR4 read
shadow. Thus, if every bit is cleared in the CR4 guest/host mask, MOV from CR4 reads normally from CR4; if
every bit is set in the CR4 guest/host mask, MOV from CR4 returns the value of the CR4 read shadow.
Depending on the contents of the CR4 guest/host mask and the CR4 read shadow, bits may be set in the
destination that would never be set when reading directly from CR4.
•
MOV from CR8. If the MOV from CR8 instruction does not cause a VM exit (see Section 25.1.3), its behavior
is modified if the “use TPR shadow” VM-execution control is 1; see Section 29.3.
•
MOV to CR0. An execution of MOV to CR0 that does not cause a VM exit (see Section 25.1.3) leaves
unmodified any bit in CR0 corresponding to a bit set in the CR0 guest/host mask. Treatment of attempts to
modify other bits in CR0 depends on the setting of the “unrestricted guest” VM-execution control:
— If the control is 0, MOV to CR0 causes a general-protection exception if it attempts to set any bit in CR0 to
a value not supported in VMX operation (see Section 23.8).
— If the control is 1, MOV to CR0 causes a general-protection exception if it attempts to set any bit in CR0
other than bit 0 (PE) or bit 31 (PG) to a value not supported in VMX operation. It remains the case,
however, that MOV to CR0 causes a general-protection exception if it would result in CR0.PE = 0 and
CR0.PG = 1 or if it would result in CR0.PG = 1, CR4.PAE = 0, and IA32_EFER.LME = 1.
•
MOV to CR3. If the “enable EPT” VM-execution control is 1 and an execution of MOV to CR3 does not cause a
VM exit (see Section 25.1.3), the value loaded into CR3 is treated as a guest-physical address; see Section
28.2.1.
— If PAE paging is not being used, the instruction does not use the guest-physical address to access memory
and it does not cause it to be translated through EPT.
1