26-2 Vol. 3C
VM ENTRIES
26.1 BASIC
VM-ENTRY
CHECKS
Before a VM entry commences, the current state of the logical processor is checked in the following order:
1. If the logical processor is in virtual-8086 mode or compatibility mode, an invalid-opcode exception is
generated.
2. If the current privilege level (CPL) is not zero, a general-protection exception is generated.
3. If there is no current VMCS, RFLAGS.CF is set to 1 and control passes to the next instruction.
4. If there is a current VMCS but the current VMCS is a shadow VMCS (see Section 24.10), RFLAGS.CF is set to 1
and control passes to the next instruction.
5. If there is a current VMCS that is not a shadow VMCS, the following conditions are evaluated in order; any of
these cause VM entry to fail:
a. if there is MOV-SS blocking (see Table 24-3)
b. if the VM entry is invoked by VMLAUNCH and the VMCS launch state is not clear
c. if the VM entry is invoked by VMRESUME and the VMCS launch state is not launched
If any of these checks fail, RFLAGS.ZF is set to 1 and control passes to the next instruction. An error number
indicating the cause of the failure is stored in the VM-instruction error field. See Chapter 30 for the error
numbers.
26.2
CHECKS ON VMX CONTROLS AND HOST-STATE AREA
If the checks in Section 26.1 do not cause VM entry to fail, the control and host-state areas of the VMCS are
checked to ensure that they are proper for supporting VMX non-root operation, that the VMCS is correctly config-
ured to support the next VM exit, and that, after the next VM exit, the processor’s state is consistent with the Intel
64 and IA-32 architectures.
VM entry fails if any of these checks fail. When such failures occur, control is passed to the next instruction,
RFLAGS.ZF is set to 1 to indicate the failure, and the VM-instruction error field is loaded with an error number that
indicates whether the failure was due to the controls or the host-state area (see Chapter 30).
These checks may be performed in any order. Thus, an indication by error number of one cause (for example, host
state) does not imply that there are not also other errors. Different processors may thus give different error
numbers for the same VMCS. Some checks prevent establishment of settings (or combinations of settings) that are
currently reserved. Future processors may allow such settings (or combinations) and may not perform the corre-
sponding checks. The correctness of software should not rely on VM-entry failures resulting from the checks docu-
mented in this section.
The checks on the controls and the host-state area are presented in Section 26.2.1 through Section 26.2.4. These
sections reference VMCS fields that correspond to processor state. Unless otherwise stated, these references are
to fields in the host-state area.
26.2.1
Checks on VMX Controls
This section identifies VM-entry checks on the VMX control fields.
26.2.1.1 VM-Execution Control Fields
VM entries perform the following checks on the VM-execution control fields:
1
•
Reserved bits in the pin-based VM-execution controls must be set properly. Software may consult the VMX
capability MSRs to determine the proper settings (see Appendix A.3.1).
1. If the “activate secondary controls” primary processor-based VM-execution control is 0, VM entry operates as if each secondary pro-
cessor-based VM-execution control were 0.