25-8 Vol. 3C
VMX NON-ROOT OPERATION
— If PAE paging is being used, the instruction translates the guest-physical address through EPT and uses the
result to load the four (4) page-directory-pointer-table entries (PDPTEs). The instruction does not use the
guest-physical addresses the PDPTEs to access memory and it does not cause them to be translated
through EPT.
•
MOV to CR4. An execution of MOV to CR4 that does not cause a VM exit (see Section 25.1.3) leaves
unmodified any bit in CR4 corresponding to a bit set in the CR4 guest/host mask. Such an execution causes a
general-protection exception if it attempts to set any bit in CR4 (not corresponding to a bit set in the CR4
guest/host mask) to a value not supported in VMX operation (see Section 23.8).
•
MOV to CR8. If the MOV to CR8 instruction does not cause a VM exit (see Section 25.1.3), its behavior is
modified if the “use TPR shadow” VM-execution control is 1; see Section 29.3.
•
MWAIT. Behavior of the MWAIT instruction (which always causes an invalid-opcode exception—#UD—if
CPL > 0) is determined by the setting of the “MWAIT exiting” VM-execution control:
— If the “MWAIT exiting” VM-execution control is 1, MWAIT causes a VM exit.
— If the “MWAIT exiting” VM-execution control is 0, MWAIT operates normally if one of the following are true:
(1) ECX[0] is 0; (2) RFLAGS.IF = 1; or both of the following are true: (a) the “interrupt-window exiting” VM-
execution control is 0; and (b) the logical processor has not recognized a pending virtual interrupt (see
Section 29.2.1).
— If the “MWAIT exiting” VM-execution control is 0, ECX[0] = 1, and RFLAGS.IF = 0, MWAIT does not cause
the processor to enter an implementation-dependent optimized state if either the “interrupt-window
exiting” VM-execution control is 1 or the logical processor has recognized a pending virtual interrupt;
instead, control passes to the instruction following the MWAIT instruction.
•
RDMSR. Section 25.1.3 identifies when executions of the RDMSR instruction cause VM exits. If such an
execution causes neither a fault due to CPL > 0 nor a VM exit, the instruction’s behavior may be modified for
certain values of ECX:
— If ECX contains 10H (indicating the IA32_TIME_STAMP_COUNTER MSR), the value returned by the
instruction is determined by the setting of the “use TSC offsetting” VM-execution control:
•
If the control is 0, RDMSR operates normally, loading EAX:EDX with the value of the
IA32_TIME_STAMP_COUNTER MSR.
•
If the control is 1, the value returned is determined by the setting of the “use TSC scaling” VM-execution
control:
—
If the control is 0, RDMSR loads EAX:EDX with the sum of the value of the
IA32_TIME_STAMP_COUNTER MSR and the value of the TSC offset.
—
If the control is 1, RDMSR first computes the product of the value of the
IA32_TIME_STAMP_COUNTER MSR and the value of the TSC multiplier. It then shifts the value of
the product right 48 bits and loads EAX:EDX with the sum of that shifted value and the value of the
TSC offset.
The 1-setting of the “use TSC-offsetting” VM-execution control does not affect executions of RDMSR if ECX
contains 6E0H (indicating the IA32_TSC_DEADLINE MSR). Such executions return the APIC-timer deadline
relative to the actual timestamp counter without regard to the TSC offset.
— If ECX is in the range 800H–8FFH (indicating an APIC MSR), instruction behavior may be modified if the
“virtualize x2APIC mode” VM-execution control is 1; see Section 29.5.
•
RDPID. Behavior of the RDPID instruction is determined first by the setting of the “enable RDTSCP”
VM-execution control:
— If the “enable RDTSCP” VM-execution control is 0, RDPID causes an invalid-opcode exception (#UD).
— If the “enable RDTSCP” VM-execution control is 1, RDPID operates normally.
•
RDTSC. Behavior of the RDTSC instruction is determined by the settings of the “RDTSC exiting” and “use TSC
offsetting” VM-execution controls:
1. A logical processor uses PAE paging if CR0.PG = 1, CR4.PAE = 1 and IA32_EFER.LMA = 0. See Section 4.4 in the Intel® 64 and IA-32