
Vol. 3C 25-11

VMX NON-ROOT OPERATION

c. If CALL or JMP accesses a TSS descriptor directly in IA-32e mode, a general-protection exception occurs.
d. If CALL or JMP accesses a TSS descriptor directly outside IA-32e mode, privilege levels are checked on the TSS descriptor.
e. If a non-maskable interrupt (NMI), an exception, or an external interrupt accesses a task gate in the IDT in IA-32e mode, a general-protection exception occurs.
f. If a non-maskable interrupt (NMI), an exception other than breakpoint exceptions (#BP) and overflow exceptions (#OF), or an external interrupt accesses a task gate in the IDT outside IA-32e mode, no privilege checks are performed.
g. If IRET is executed with RFLAGS.NT = 1 in IA-32e mode, a general-protection exception occurs.
h. If IRET is executed with RFLAGS.NT = 1 outside IA-32e mode, a TSS descriptor is accessed directly and no privilege checks are made.

2. Checks are made on the new TSS selector (for example, that it is within GDT limits).
3. The new TSS descriptor is read. (A page fault results if a relevant GDT page is not present).
4. The TSS descriptor is checked for proper values of type (depends on type of task switch), P bit, S bit, and limit.
Only if checks 1–4 all pass (do not generate faults) might a VM exit occur. However, the ordering between a VM exit due to a task switch and a page fault resulting from accessing the old TSS or the new TSS is implementation-specific. Some processors may generate a page fault (instead of a VM exit due to a task switch) if accessing either TSS would cause a page fault. Other processors may generate a VM exit due to a task switch even if accessing either TSS would cause a page fault.

If an attempt at a task switch through a task gate in the IDT causes an exception (before generating a VM exit due to the task switch) and that exception causes a VM exit, information about the event whose delivery accessed the task gate is recorded in the IDT-vectoring information fields, and information about the exception that caused the VM exit is recorded in the VM-exit interruption-information fields. See Section 27.2. The fact that a task gate was being accessed is not recorded in the VMCS.

If an attempt at a task switch through a task gate in the IDT causes a VM exit due to the task switch, information about the event whose delivery accessed the task gate is recorded in the IDT-vectoring fields of the VMCS. Since the cause of such a VM exit is a task switch and not an interruption, the valid bit for the VM-exit interruption-information field is 0. See Section 27.2.
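The two cases above differ only in how the IDT-vectoring information and VM-exit interruption-information fields are populated, which is exactly what a VM-exit handler has to look at. The following C helper, added here as an illustration and not taken from the SDM or from any hypervisor's source, decodes those two fields and tells the cases apart. The field bit layout (vector in bits 7:0, type in bits 10:8, error-code-valid in bit 11, valid in bit 31), the basic exit-reason values 0 (exception or NMI) and 9 (task switch), and the interruption-type encodings are taken from the SDM's VMCS definitions rather than from this page; the raw field values in `main` are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Basic exit reasons (VMCS exit-reason field, bits 15:0). Values from the
 * SDM's exit-reason table, not from this page. */
#define EXIT_REASON_EXCEPTION_NMI 0u
#define EXIT_REASON_TASK_SWITCH   9u

/* Common layout of the VM-exit interruption-information and IDT-vectoring
 * information fields. */
#define EVT_VECTOR_MASK   0xffu
#define EVT_TYPE_SHIFT    8u
#define EVT_TYPE_MASK     (7u << EVT_TYPE_SHIFT)
#define EVT_ERRCODE_VALID (1u << 11)
#define EVT_VALID         (1u << 31)

enum evt_type { EVT_EXT_INTR = 0, EVT_NMI = 2, EVT_HW_EXCEPTION = 3 };

struct event_info {
    bool valid;
    uint8_t vector;
    uint8_t type;
    bool has_error_code;
};

static struct event_info decode_event_info(uint32_t raw)
{
    struct event_info e;
    e.valid = (raw & EVT_VALID) != 0;
    e.vector = (uint8_t)(raw & EVT_VECTOR_MASK);
    e.type = (uint8_t)((raw & EVT_TYPE_MASK) >> EVT_TYPE_SHIFT);
    e.has_error_code = (raw & EVT_ERRCODE_VALID) != 0;
    return e;
}

enum exit_classification {
    EXIT_TASK_SWITCH_DURING_DELIVERY, /* reason 9; IDT-vectoring valid, exit-intr-info invalid */
    EXIT_TASK_SWITCH_BY_INSTRUCTION,  /* reason 9; no event was being delivered */
    EXIT_EXCEPTION_DURING_DELIVERY,   /* reason 0; both fields valid */
    EXIT_OTHER
};

static enum exit_classification classify_exit(uint32_t exit_reason,
                                              uint32_t idt_vectoring_raw,
                                              uint32_t exit_intr_raw)
{
    struct event_info vectoring = decode_event_info(idt_vectoring_raw);
    struct event_info exit_intr = decode_event_info(exit_intr_raw);

    switch (exit_reason & 0xffffu) {
    case EXIT_REASON_TASK_SWITCH:
        /* A task switch is not an interruption, so the VM-exit
         * interruption-information valid bit must be 0 here; a set bit
         * is inconsistent with the rule and is not classified. */
        if (exit_intr.valid)
            return EXIT_OTHER;
        return vectoring.valid ? EXIT_TASK_SWITCH_DURING_DELIVERY
                               : EXIT_TASK_SWITCH_BY_INSTRUCTION;
    case EXIT_REASON_EXCEPTION_NMI:
        /* The faulting exception is in the VM-exit interruption information;
         * the event whose delivery was in progress is in the IDT-vectoring
         * information. Whether that delivery went through a task gate is not
         * recorded in the VMCS, so it cannot be recovered from these fields. */
        if (exit_intr.valid && vectoring.valid)
            return EXIT_EXCEPTION_DURING_DELIVERY;
        return EXIT_OTHER;
    default:
        return EXIT_OTHER;
    }
}

int main(void)
{
    /* Constructed sample field values, not captured from hardware:
     * an external interrupt on vector 0x20, and a #GP (vector 13) with error code. */
    const uint32_t ext_intr_0x20 = EVT_VALID | (EVT_EXT_INTR << EVT_TYPE_SHIFT) | 0x20u;
    const uint32_t gp_fault = EVT_VALID | (EVT_HW_EXCEPTION << EVT_TYPE_SHIFT) |
                              EVT_ERRCODE_VALID | 13u;

    printf("task-switch exit while delivering 0x20: %d\n",
           classify_exit(EXIT_REASON_TASK_SWITCH, ext_intr_0x20, 0u));
    printf("#GP while delivering 0x20: %d\n",
           classify_exit(EXIT_REASON_EXCEPTION_NMI, ext_intr_0x20, gp_fault));
    return 0;
}
```

The `EXIT_OTHER` branch for a task-switch exit with a valid VM-exit interruption-information field is deliberate: the text says that bit must be 0, so a handler should treat the combination as unexpected rather than guess.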

25.5 FEATURES SPECIFIC TO VMX NON-ROOT OPERATION

Some VM-execution controls support features that are specific to VMX non-root operation. These are the VMX-preemption timer (Section 25.5.1), the monitor trap flag (Section 25.5.2), translation of guest-physical addresses (Section 25.5.3), VM functions (Section 25.5.5), and virtualization exceptions (Section 25.5.6).

25.5.1 VMX-Preemption Timer

If the last VM entry was performed with the 1-setting of the “activate VMX-preemption timer” VM-execution control, the VMX-preemption timer counts down (from the value loaded by VM entry; see Section 26.6.4) in VMX non-root operation. When the timer counts down to zero, it stops counting down and a VM exit occurs (see Section 25.2).

The VMX-preemption timer counts down at a rate proportional to that of the timestamp counter (TSC). Specifically, the timer counts down by 1 every time bit X in the TSC changes due to a TSC increment. The value of X is in the range 0–31 and can be determined by consulting the VMX capability MSR IA32_VMX_MISC (see Appendix A.6).

The VMX-preemption timer operates in the C-states C0, C1, and C2; it also operates in the shutdown and wait-for-SIPI states. If the timer counts down to zero in any state other than the wait-for-SIPI state, the logical processor transitions to the C0 C-state and causes a VM exit; the timer does not cause a VM exit if it counts down to zero in the wait-for-SIPI state. The timer is not decremented in C-states deeper than C2.
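The rate rule above is easy to get wrong in a hypervisor: the timer does not tick once per TSC cycle but once per change of TSC bit X, i.e. once per 2^X cycles, so converting a wall-clock deadline into a timer value needs X and the TSC frequency. The following C model, added here as an illustration and not code from the SDM or from any hypervisor, does that conversion and simulates the countdown against a run of TSC increments. It assumes two facts from elsewhere in the SDM that this page does not state: X is reported in bits 4:0 of IA32_VMX_MISC (Appendix A.6), and the timer value field is 32 bits wide. The IA32_VMX_MISC value, TSC rate and TSC start value in `main` are constructed, not read from hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* X is in bits 4:0 of IA32_VMX_MISC (SDM Appendix A.6; not stated on this page). */
static unsigned preemption_rate_shift(uint64_t ia32_vmx_misc)
{
    return (unsigned)(ia32_vmx_misc & 0x1fu);
}

/* Number of times bit X of the TSC changes while the TSC advances from
 * `tsc` by `increments`: bit X toggles exactly when (tsc >> X) changes,
 * so the count is the difference of the shifted values. */
static uint64_t bit_x_transitions(uint64_t tsc, uint64_t increments, unsigned x)
{
    return ((tsc + increments) >> x) - (tsc >> x);
}

/* Model the countdown: the timer loses 1 per bit-X transition, stops at zero,
 * and reaching zero is what triggers the VM exit. Returns the remaining value. */
static uint32_t simulate_countdown(uint32_t timer, unsigned x, uint64_t tsc,
                                   uint64_t increments, bool *vm_exit)
{
    uint64_t decrements = bit_x_transitions(tsc, increments, x);

    *vm_exit = false;
    if (timer == 0)
        return 0;               /* already stopped; nothing left to count */
    if (decrements >= timer) {
        *vm_exit = true;        /* counted down to zero: stops, VM exit */
        return 0;
    }
    return timer - (uint32_t)decrements;
}

/* Timer value for a timeout of `usec` microseconds at a TSC rate of tsc_khz,
 * rounded up so the exit never comes early. The field is 32 bits wide
 * (assumption noted in the lead-in), so report failure when the needed
 * value does not fit. */
static bool timer_value_for_usec(uint64_t usec, uint64_t tsc_khz, unsigned x,
                                 uint32_t *out)
{
    uint64_t tsc_cycles = usec * tsc_khz / 1000u;             /* us * kHz / 1000 = cycles */
    uint64_t ticks = (tsc_cycles + ((1ull << x) - 1u)) >> x;  /* one tick per 2^X cycles */

    if (ticks > UINT32_MAX)
        return false;
    *out = (uint32_t)ticks;
    return true;
}

int main(void)
{
    /* Constructed IA32_VMX_MISC value (X = 5), 2.4 GHz TSC and TSC start value. */
    uint64_t misc = 0x2006c05ull;
    unsigned x = preemption_rate_shift(misc);
    uint32_t value = 0;
    bool exited = false;

    if (timer_value_for_usec(1000, 2400000, x, &value))
        printf("X=%u: 1 ms at 2.4 GHz needs timer value %u\n", x, value);

    uint32_t left = simulate_countdown(value, x, 123456789ull, 2400000ull, &exited);
    printf("after 2.4M TSC increments: %u left, vm_exit=%d\n", left, exited);
    return 0;
}
```

The closed form in `bit_x_transitions` matters for the edge case the text implies: the first decrement can arrive anywhere between 1 and 2^X cycles after VM entry depending on the TSC's low bits, so a deadline computed without rounding up can expire one tick early.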
Treatment of the timer in the case of system management interrupts (SMIs) and system-management mode (SMM) depends on whether the treatment of SMIs and SMM: