List of x86 virtualization instructions

Last updated

Instruction set extensions that have been added to the x86 instruction set in order to support hardware virtualization. These extensions provide instructions for entering and leaving a virtualized execution context and for loading virtual-machine control structures (VMCSs), which hold the state of the guest and host, along with fields which control processor behavior within the virtual machine.

Contents

AMD-V instructions

InstructionOpcodeInstruction DescriptionUsed byAdded in
Basic SVM (Secure Virtual Machine) instructions [1]
INVLPGA rAX,ECX [lower-alpha 1] 0F 01 DFInvalidate TLB mappings for the virtual page specified in rAX and the ASID (Address Space IDentifier) specified in ECX. VMM K8 [lower-alpha 2]
VMRUN rAX [lower-alpha 1] 0F 01 D8Run virtual machine managed by the VMCB (Virtual Machine Control Block) specified by physical address in rAX.
VMLOAD rAX [lower-alpha 1] 0F 01 DALoad a specific subset of processor state from the VMCB specified by the physical address in the rAX register. [lower-alpha 3] Usually the VMM [lower-alpha 4]
VMSAVE rAX [lower-alpha 1] 0F 01 DBSave a specific subset of processor state to the VMCB specified by the physical address in the rAX register. [lower-alpha 3]
STGI0F 01 DCSet GIF (Global Interrupt Flag).Usually the VMM [lower-alpha 5]
CLGI0F 01 DDClear GIF.
VMMCALLNFx 0F 01 D9Call to VM monitor from guest by causing a VMEXIT.Guest
SKINIT EAX0F 01 DESecure Init and Jump with Attestation.
Initializes CPU to known state, designates a 64 Kbyte memory area specified by EAX as an SLB ("Secure Loader Block"), submits a copy of the memory area to the system TPM for validation using a digital signature, then jumps into the SLB.		VMM Turion "Lion", [2]
Opteron "Shanghai" ,
Phenom II
Secure Encrypted Virtualization (SEV): Encrypted State (SEV-ES) instructions
VMGEXITF2/F3 0F 01 D9SEV-ES Exit to VMM.
Explicit communication with the VMM for SEV-ES VMs. [lower-alpha 6] 		Guest Zen 1
Secure Nested Paging (SEV-SNP): Reverse-Map Table (RMP) instructions
PSMASHF3 0F 01 FFPage Smash: expands a 2MB-page RMP entry into a corresponding set of contiguous 4KB-page RMP entries. The 2 MB page's system physical address is specified in the RAX register.VMM Zen 3
RMPUPDATEF2 0F 01 FEWrite a new RMP entry. The system physical address of a page whose RMP entry is modified is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure which contains the new RMP state.
PVALIDATEF2 0F 01 FFValidate or rescind validation of a guest page's RMP entry. The guest virtual address is specified in the register operand rAX. [lower-alpha 1] Guest
RMPADJUSTF3 0F 01 FEAdjust RMP permissions for a guest page. The guest virtual address is specified in the RAX register. The page size is specified in RCX[0]. The target VMPL (Virtual Machine Privilege Level) and its permissions are specified in the RDX register.
RMPQUERYF3 0F 01 FDReads an RMP permission mask for a guest page. The guest virtual address is specified in the RAX register. The target VMPL is specified in RDX[7:0]. RMP permissions for the specified VMPL are returned in RDX[63:8] and the RCX register.Guest Zen 4
RMPREADF2 0F 01 FDRead an RMP entry. The system physical address of the page whose RMP entry is to be read is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure that the RMP entry will be written to.VMM(Zen 5)
  1. 1 2 3 4 5 For the rAX argument to the VMRUN, VMLOAD, VMSAVE, INVLPGA and PVALIDATE instructions, the choice of AX/EAX/RAX depends on address-size, which can be overridden with the 67h prefix.
  2. Support for AMD-V was added in stepping F of the AMD K8, and is not available on earlier steppings.
  3. 1 2 The VMRUN instruction will load only a limited subset of CPU state - VMLOAD should be run before VMRUN to load additional state.
    Similarly, #VMEXIT will store only a limited amount of guest state to the VMCB, and VMSAVE is needed to store additional state.
    For simple intercept conditions where the VMM doesn't need to make use of the state items handled by VMSAVE/VMLOAD, the VMM may improve performance by abstaining from performing VMSAVE/VMLOAD before re-entering the virtual machine with VMRUN.
  4. On CPUs that support VMLOAD/VMSAVE virtualization (Excavator and later), the VMLOAD and VMSAVE instructions can be executed in guest mode as well.
  5. On CPUs that support Virtual GIF (Excavator and later), the STGI and CLGI instructions can be executed in guest mode as well.
  6. VMGEXIT is executed as VMMCALL if not executed by a SEV-ES guest.

Intel VT-x instructions

Intel virtualization instructions. VT-x is also supported on some processors from VIA and Zhaoxin.

InstructionOpcodeInstruction DescriptionUsed by [lower-alpha 1] Added in
Basic VMX (Virtual Machine Extensions) instructions
VMXON m64 [lower-alpha 2] F3 0F C7 /6Enter VMX Operation – enters hardware supported virtualisation environment. [lower-alpha 3] VMM Prescott 2M ,
Yonah,
Centerton,
Nano 3000
VMXOFFNP 0F 01 C4Leave VMX Operation – stops hardware supported virtualisation environment.
VMPTRLD m64 [lower-alpha 2] NP 0F C7 /6Load pointer to Virtual-Machine Control Structure (VMCS) from memory and mark it valid.
VMPTRST m64 [lower-alpha 2] NP 0F C7 /7Store pointer to current VMCS to memory.
VMCLEAR m64 [lower-alpha 2] 66 0F C7 /6Flush VMCS data from CPU to VMCS region in memory. If the specified VMCS is the current VMCS, then the current-VMCS is marked as invalid.
VMLAUNCHNP 0F 01 C2Launch virtual machine managed by current VMCS.
VMRESUMENP 0F 01 C3Resume virtual machine managed by current VMCS.
VMREAD r/m,regNP 0F 78 /rRead a specified field from the current-VMCS. The reg argument specifies which field to read – the result is stored to r/m.Usually the VMM [lower-alpha 4]
VMWRITE reg,r/mNP 0F 79 /rWrite to specified field of current-VMCS. The reg argument specifies which field to write, and the r/m argument provides the data item to write to the field.
VMCALLNP 0F 01 C1Call to VM monitor from guest by causing a VMEXIT.Usually the guest [lower-alpha 5]
Extended Page Tables (EPT) instructions
INVEPT reg,m12866 0F 38 80 /rInvalidates EPT-derived entries in the TLBs and paging-structure caches. The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor. [lower-alpha 6] VMM Nehalem,
Centerton, [3]
ZhangJiang
INVVPID reg,m12866 0F 38 81 /rInvalidates entries in the TLBs and paging-structure caches based on VPID (Virtual Processor ID). The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor. [lower-alpha 7]
VMFUNCNP 0F 01 D4Invoke VM function specified in EAX. [lower-alpha 8] Guest Haswell,
Silvermont,
LuJiaZui
Trust Domain Extensions (TDX): Secure Arbitration Mode (SEAM) instructions [5]
SEAMOPS66 0F 01 CEInvoke SEAM specific operations. Operation to perform is specified in RAX. [lower-alpha 9] SEAM
root		(Sapphire Rapids [6] ),
Emerald Rapids [7]
SEAMRET66 0F 01 CDReturn to legacy VMX root operation from SEAM VMX root operation.
SEAMCALL66 0F 01 CFCall to SEAM VMX root operation from legacy VMX root operation.VMM
TDCALL66 0F 01 CCCall to VM monitor from TD guest by causing a VMEXIT.TD Guest
  1. Executing any of the VT-x VMM instructions while within the VM guest will cause a VMEXIT.
    If VMX operation has not been entered through VMXON, then all of the VT-x instructions (except VMXON) will cause #UD.
  2. 1 2 3 4 The m64 argument to VMPTRLD, VMPTRST, VMCLEAR and VMXON is a 64-bit physical address.
  3. The m64 argument to VMXON is the 64-bit physical address to a "VMXON region", which is a 4Kbyte region that must be 4 Kbyte aligned. This region may be used by the processor to support VMX operation in an implementation-dependent manner and should never be accessed by software until the processor has left VMX operation through the VMXOFF instruction.
  4. If "VMCS Shadowing" is enabled (available on Haswell and later), the VMREAD and VMWRITE instructions can be executed by the guest as well.
  5. The VMCALL instruction can be executed by the VMM as well – doing so will cause a special SMM VM exit.
  6. The invalidation types available for the reg argument of INVEPT are:
    ValueFunction
    1Single-context invalidation: invalidate all mappings associated with EPT-pointer in bits 63:0 of descriptor.
    2Global invalidation: invalidate all mappings associated with all EPT-pointers.
  7. The invalidation types available for the reg argument of INVVPID are:
    ValueFunction
    0Invalidate mapping for linear address and VPID specified in descriptor.
    (Unlike INVLPG, INVVPID will fail when used with non-canonical addresses. [4] )
    1Invalidate all mappings for VPID specified in descriptor.
    2All-contexts invalidation: invalidate all mappings for all VPIDs except VPID 0.
    3Invalidate all mappings for VPID specified in descriptor, except global translations.
  8. The functions available for VMFUNC in the EAX register are:
    EAXFunction
    0EPTP switching: switch extended page table pointer to one of up to 512 table pointers prepared in advance by the VM host.
    ECX specifies which one of the 512 pointers to use.
    1-63(Reserved, will cause VMEXIT)
    ≥64Invalid, will cause #UD.
  9. The operations available for SEAMOPS in the RAX register are:
    RAXOperation
    0 (CAPABILITIES)Return bitmap of supported SEAMOPS leaves in RAX.
    1 (SEAMREPORT)Generate SEAMREPORT structure.
    Any unsupported value in RAX will cause a #GP(0) exception.

Related Research Articles

x86 Family of instruction set architectures

x86 is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. The 8086 was introduced in 1978 as a fully 16-bit extension of 8-bit Intel's 8080 microprocessor, with memory segmentation as a solution for addressing more memory than can be covered by a plain 16-bit address. The term "x86" came into being because the names of several successors to Intel's 8086 processor end in "86", including the 80186, 80286, 80386 and 80486. Colloquially, their names were "186", "286", "386" and "486".

x86 assembly language is the name for the family of assembly languages which provide some level of backward compatibility with CPUs back to the Intel 8008 microprocessor, which was launched in April 1972. It is used to produce object code for the x86 class of processors.

x86-64 64-bit version of x86 architecture

x86-64 is a 64-bit version of the x86 instruction set, first announced in 1999. It introduced two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mode.

In computing, Physical Address Extension (PAE), sometimes referred to as Page Address Extension, is a memory management feature for the x86 architecture. PAE was first introduced by Intel in the Pentium Pro, and later by AMD in the Athlon processor. It defines a page table hierarchy of three levels (instead of two), with table entries of 64 bits each instead of 32, allowing these CPUs to directly access a physical address space larger than 4 gigabytes (232 bytes).

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

In the 80386 microprocessor and later, virtual 8086 mode allows the execution of real mode applications that are incapable of running directly in protected mode while the processor is running a protected mode operating system. It is a hardware virtualization technique that allowed multiple 8086 processors to be emulated by the 386 chip. It emerged from the painful experiences with the 80286 protected mode, which by itself was not suitable to run concurrent real-mode applications well. John Crawford developed the Virtual Mode bit at the register set, paving the way to this environment.

x86 virtualization is the use of hardware-assisted virtualization capabilities on an x86/x86-64 CPU.

<span class="mw-page-title-main">Protection ring</span> Layer of protection in computer systems

In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults and malicious behavior.

In the x86 architecture, the CPUID instruction is a processor supplementary instruction allowing software to discover details of the processor. It was introduced by Intel in 1993 with the launch of the Pentium and SL-enhanced 486 processors.

The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of CPU cycles since its reset. The instruction RDTSC returns the TSC in EDX:EAX. In x86-64 mode, RDTSC also clears the upper 32 bits of RAX and RDX. Its opcode is 0F 31. Pentium competitors such as the Cyrix 6x86 did not always have a TSC and may consider RDTSC an illegal instruction. Cyrix included a Time Stamp Counter in their MII.

SSE4 is a SIMD CPU instruction set used in the Intel Core microarchitecture and AMD K10 (K8L). It was announced on September 27, 2006, at the Fall 2006 Intel Developer Forum, with vague details in a white paper; more precise details of 47 instructions became available at the Spring 2007 Intel Developer Forum in Beijing, in the presentation. SSE4 extended the SSE3 instruction set which was released in early 2004. All software using previous Intel SIMD instructions are compatible with modern microprocessors supporting SSE4 instructions. All existing software continues to run correctly without modification on microprocessors that incorporate SSE4, as well as in the presence of existing and new applications that incorporate SSE4.

In computing, PSE-36 refers to a feature of x86 processors that extends the physical memory addressing capabilities from 32 bits to 36 bits, allowing addressing to up to 64 GB of memory. Compared to the Physical Address Extension (PAE) method, PSE-36 is a simpler alternative to addressing more than 4 GB of memory. It uses the Page Size Extension (PSE) mode and a modified page directory table to map 4 MB pages into a 64 GB physical address space. PSE-36's downside is that, unlike PAE, it doesn't have 4-KB page granularity above the 4 GB mark.

Advanced Vector Extensions are SIMD extensions to the x86 instruction set architecture for microprocessors from Intel and Advanced Micro Devices (AMD). They were proposed by Intel in March 2008 and first supported by Intel with the Sandy Bridge microarchitecture shipping in Q1 2011 and later by AMD with the Bulldozer microarchitecture shipping in Q4 2011. AVX provides new features, new instructions, and a new coding scheme.

<span class="mw-page-title-main">Virtualization</span> Methods for dividing computing resources

In computing, virtualization (v12n) is a series of technologies that allows dividing of physical computing resources into a series of virtual machines, operating systems, processes or containers.

Second Level Address Translation (SLAT), also known as nested paging, is a hardware-assisted virtualization technology which makes it possible to avoid the overhead associated with software-managed shadow page tables.

<span class="mw-page-title-main">Westmere (microarchitecture)</span> CPU microarchitecture by Intel

Westmere is the code name given to the 32 nm die shrink of Nehalem. While sharing the same CPU sockets, Westmere included Intel HD Graphics, while Nehalem did not.

Bit manipulation instructions sets are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD. The purpose of these instruction sets is to improve the speed of bit manipulation. All the instructions in these sets are non-SIMD and operate only on general-purpose registers.

Sapphire Rapids is a codename for Intel's server and workstation processors based on the Golden Cove microarchitecture and produced using Intel 7. It features up to 60 cores and an array of accelerators, and it is the first generation of Intel server and workstation processors to use a chiplet design.

Intel Trust Domain Extensions (TDX) is a CPU-level technology proposed by Intel in May 2021 for implementing a trusted execution environment in which virtual machines are hardware-isolated from the host's Virtual Machine Monitor (VMM), hypervisor, and other software on the host. This hardware isolation is intended to prevent threat actors with administrative access or physical access to the virtual machine host from compromising aspects of the TD virtual machine's confidentiality and integrity. TDX also supports a remote attestation feature which allows users to determine that a remote system has TDX protections enabled prior to sending it sensitive data.

References

  1. AMD, AMD64 Virtualization Codenamed “Pacifica” Technology, publication no. 33407, rev 3.01, May 2005. Archived on Jun 13, 2011.
  2. CPU-World, CPUID for AMD Turion 64 X2 RM-75, 2022-03-05. Archived on Apr 19, 2023.
  3. Intel, Intel® Atom™ Processor S1200 Product Family for Microserver Datasheet, Volume 1 of 2, order no. 328194-001, dec 2012, page 44
  4. Vulners, VMX: intercept issue with INVLPG on non-canonical address, 20 Jan 2016.
  5. Intel, Trust Domain CPU Architectural Extensions, order no. 343754-002, may 2021.
  6. SecurityWeek, Intel Adds TDX to Confidential Computing Portfolio With Launch of 4th Gen Xeon Processors, 10 jan 2023
  7. Intel, What Intel Xeon Processors Support for Intel Trust Domain Extensions (Intel TDX)?, 11 Jun 2024 - indicates general market availability of TDX on Emerald Rapids CPUs but limited availability on Sapphire Rapids CPUs. Archived on 13 Jun 2024.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.