This page lists the instruction set extensions that have been added to the x86 instruction set in order to support hardware virtualization: first the AMD (SVM, SEV-ES and SEV-SNP) instructions, then the Intel (VT-x, EPT and TDX) instructions.

AMD virtualization instructions.
| Instruction | Opcode | Instruction Description | Used by | Added in |
|---|---|---|---|---|
| Basic SVM (Secure Virtual Machine) instructions [1] | | | | |
| INVLPGA rAX,ECX [a] | 0F 01 DF | Invalidate TLB mappings for the virtual page specified in rAX and the ASID (Address Space IDentifier) specified in ECX. | VMM | K8 |
| VMRUN rAX [a] | 0F 01 D8 | Run the virtual machine managed by the VMCB (Virtual Machine Control Block) specified by the physical address in rAX. | VMM | K8 |
| VMLOAD rAX [a] | 0F 01 DA | Load a specific subset of processor state from the VMCB specified by the physical address in the rAX register. [b] | Usually the VMM [c] | K8 |
| VMSAVE rAX [a] | 0F 01 DB | Save a specific subset of processor state to the VMCB specified by the physical address in the rAX register. [b] | Usually the VMM [c] | K8 |
| STGI | 0F 01 DC | Set GIF (Global Interrupt Flag). | Usually the VMM [d] | K8 |
| CLGI | 0F 01 DD | Clear GIF. | Usually the VMM [d] | K8 |
| VMMCALL | NFx 0F 01 D9 | Call to VM monitor from guest by causing a VMEXIT. | Guest | K8 |
| SKINIT EAX | 0F 01 DE | Secure Init and Jump with Attestation. Initializes the CPU to a known state, designates a 64 Kbyte memory area specified by EAX as an SLB ("Secure Loader Block"), submits a copy of the memory area to the system TPM for validation using a digital signature, then jumps into the SLB. | VMM | Turion "Lion", [2] Opteron "Shanghai", Phenom II |
| Secure Encrypted Virtualization (SEV): Encrypted State (SEV-ES) instructions | | | | |
| VMGEXIT | F2/F3 0F 01 D9 | SEV-ES Exit to VMM. Explicit communication with the VMM for SEV-ES VMs. [e] | Guest | Zen 1 |
| Secure Nested Paging (SEV-SNP): Reverse-Map Table (RMP) instructions | | | | |
| PSMASH | F3 0F 01 FF | Page Smash: expands a 2 MB-page RMP entry into the corresponding set of contiguous 4 KB-page RMP entries. The 2 MB page's system physical address is specified in the RAX register. | VMM | Zen 3 |
| RMPUPDATE | F2 0F 01 FE | Write a new RMP entry. The system physical address of the page whose RMP entry is modified is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure which contains the new RMP state. | VMM | Zen 3 |
| PVALIDATE | F2 0F 01 FF | Validate or rescind validation of a guest page's RMP entry. The guest virtual address is specified in the register operand rAX. [a] | Guest | Zen 3 |
| RMPADJUST | F3 0F 01 FE | Adjust RMP permissions for a guest page. The guest virtual address is specified in the RAX register. The page size is specified in RCX[0]. The target VMPL (Virtual Machine Privilege Level) and its permissions are specified in the RDX register. | Guest | Zen 3 |
| RMPQUERY | F3 0F 01 FD | Read the RMP permission mask for a guest page. The guest virtual address is specified in the RAX register. The target VMPL is specified in RDX[7:0]. RMP permissions for the specified VMPL are returned in RDX[63:8] and the RCX register. | Guest | Zen 4 |
| RMPREAD | F2 0F 01 FD | Read an RMP entry. The system physical address of the page whose RMP entry is to be read is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure that the RMP entry will be written to. | VMM | (Zen 5) |
Notes:

[a] For the VMRUN, VMLOAD, VMSAVE, INVLPGA and PVALIDATE instructions, the choice of AX/EAX/RAX depends on the address size, which can be overridden with the 67h prefix.

[b] The VMRUN instruction loads only a limited subset of CPU state; VMLOAD should be run before VMRUN to load additional state, and VMSAVE is needed to store additional state.

[c] If the VMM does not need to access or modify the guest state saved and loaded by VMSAVE/VMLOAD, it may improve performance by abstaining from performing VMSAVE/VMLOAD before re-entering the virtual machine with VMRUN. The VMLOAD and VMSAVE instructions can be executed in guest mode as well.

[d] The STGI and CLGI instructions can be executed in guest mode as well.

[e] VMGEXIT is executed as VMMCALL if not executed by a SEV-ES guest.

Intel virtualization instructions. VT-x is also supported on some processors from VIA and Zhaoxin.
| Instruction | Opcode | Instruction Description | Used by [a] | Added in |
|---|---|---|---|---|
| Basic VMX (Virtual Machine Extensions) instructions | | | | |
| VMXON m64 [b] | F3 0F C7 /6 | Enter VMX Operation – enters the hardware-supported virtualisation environment. [c] | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMXOFF | NP 0F 01 C4 | Leave VMX Operation – stops the hardware-supported virtualisation environment. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMPTRLD m64 [b] | NP 0F C7 /6 | Load pointer to Virtual-Machine Control Structure (VMCS) from memory and mark it valid. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMPTRST m64 [b] | NP 0F C7 /7 | Store pointer to current VMCS to memory. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMCLEAR m64 [b] | 66 0F C7 /6 | Flush VMCS data from CPU to VMCS region in memory. If the specified VMCS is the current VMCS, then the current VMCS is marked as invalid. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMLAUNCH | NP 0F 01 C2 | Launch virtual machine managed by current VMCS. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMRESUME | NP 0F 01 C3 | Resume virtual machine managed by current VMCS. | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMREAD r/m,reg | NP 0F 78 /r | Read a specified field from the current VMCS. The reg argument specifies which field to read – the result is stored to r/m. | Usually the VMM [d] | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMWRITE reg,r/m | NP 0F 79 /r | Write to a specified field of the current VMCS. The reg argument specifies which field to write, and the r/m argument provides the data item to write to the field. | Usually the VMM [d] | Prescott 2M, Yonah, Centerton, Nano 3000 |
| VMCALL | NP 0F 01 C1 | Call to VM monitor from guest by causing a VMEXIT. | Usually the guest [e] | Prescott 2M, Yonah, Centerton, Nano 3000 |
| Extended Page Tables (EPT) instructions | | | | |
| INVEPT reg,m128 | 66 0F 38 80 /r | Invalidates EPT-derived entries in the TLBs and paging-structure caches. The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor. [f] | VMM | Nehalem, Centerton, [3] ZhangJiang |
| INVVPID reg,m128 | 66 0F 38 81 /r | Invalidates entries in the TLBs and paging-structure caches based on VPID (Virtual Processor ID). The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor. [g] | VMM | Nehalem, Centerton, [3] ZhangJiang |
| VMFUNC | NP 0F 01 D4 | Invoke the VM function specified in EAX. [h] | Guest | Haswell, Silvermont, LuJiaZui |
| Trust Domain Extensions (TDX): Secure Arbitration Mode (SEAM) instructions [5] | | | | |
| SEAMOPS | 66 0F 01 CE | Invoke SEAM-specific operations. The operation to perform is specified in RAX. [i] | SEAM root | (Sapphire Rapids [6]), Emerald Rapids [7] |
| SEAMRET | 66 0F 01 CD | Return to legacy VMX root operation from SEAM VMX root operation. | SEAM root | (Sapphire Rapids [6]), Emerald Rapids [7] |
| SEAMCALL | 66 0F 01 CF | Call to SEAM VMX root operation from legacy VMX root operation. | VMM | (Sapphire Rapids [6]), Emerald Rapids [7] |
| TDCALL | 66 0F 01 CC | Call to VM monitor from TD guest by causing a VMEXIT. | TD Guest | (Sapphire Rapids [6]), Emerald Rapids [7] |
Notes:

[a] Until the processor has entered VMX operation with VMXON, all of the VT-x instructions (except VMXON) will cause #UD.

[b] The memory argument of VMPTRLD, VMPTRST, VMCLEAR and VMXON is a 64-bit physical address.

[c] The memory argument of VMXON is the 64-bit physical address of a "VMXON region", a 4 Kbyte region that must be 4 Kbyte aligned. This region may be used by the processor to support VMX operation in an implementation-dependent manner and should never be accessed by software until the processor has left VMX operation through the VMXOFF instruction.

[d] The VMREAD and VMWRITE instructions can be executed by the guest as well.

[e] The VMCALL instruction can be executed by the VMM as well – doing so will cause a special SMM VM exit.
[f] The invalidation types that can be specified in the reg argument of INVEPT are:

| Value | Function |
|---|---|
| 1 | Single-context invalidation: invalidate all mappings associated with the EPT pointer in bits 63:0 of the descriptor. |
| 2 | Global invalidation: invalidate all mappings associated with all EPT pointers. |

[g] The invalidation types that can be specified in the reg argument of INVVPID are:

| Value | Function |
|---|---|
| 0 | Invalidate the mapping for the linear address and VPID specified in the descriptor. (Unlike INVLPG, INVVPID will fail when used with non-canonical addresses. [4]) |
| 1 | Invalidate all mappings for the VPID specified in the descriptor. |
| 2 | All-contexts invalidation: invalidate all mappings for all VPIDs except VPID 0. |
| 3 | Invalidate all mappings for the VPID specified in the descriptor, except global translations. |
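The four INVVPID types above accept different operands, and two of the combinations make the instruction fail rather than invalidate anything: VPID 0 with types 0, 1 or 3, and a non-canonical linear address with type 0 (the case the table contrasts with INVLPG). The following C is an added example, not code from the page or from Intel: it builds the 128-bit descriptor and rejects those combinations before the instruction would be issued. The descriptor layout (VPID in bits 15:0, bits 63:16 reserved, linear address in bits 127:64) and the VPID-0 rule are taken from the Intel SDM, and the canonical check assumes 4-level paging (47-bit sign extension); the names `invvpid_desc_t`, `build_invvpid_desc` and the helpers are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* INVVPID descriptor layout (Intel SDM, assumed here): bits 15:0 VPID, bits 63:16
   reserved and must be zero, bits 127:64 linear address. */
typedef struct { uint64_t lo; uint64_t hi; } invvpid_desc_t;

enum { INVVPID_ADDR = 0, INVVPID_SINGLE = 1, INVVPID_ALL = 2, INVVPID_SINGLE_NONGLOBAL = 3 };

/* 4-level paging canonical form: bits 63:47 must all copy bit 47.
   (With 5-level paging the boundary moves to bit 56; this example assumes 4-level.) */
bool is_canonical48(uint64_t la)
{
    uint64_t top = la >> 47;
    return top == 0 || top == 0x1FFFF;
}

/* Fill *d for the given type. Returns false for operand combinations that would make
   INVVPID VMfail instead of invalidating: VPID 0 with types 0, 1 or 3, a non-canonical
   linear address with type 0 (unlike INVLPG), or an unknown type. */
bool build_invvpid_desc(unsigned type, uint16_t vpid, uint64_t la, invvpid_desc_t *d)
{
    switch (type) {
    case INVVPID_ADDR:
        if (vpid == 0 || !is_canonical48(la)) return false;
        break;
    case INVVPID_SINGLE:
    case INVVPID_SINGLE_NONGLOBAL:
        if (vpid == 0) return false;
        la = 0;             /* linear-address field is ignored for these types */
        break;
    case INVVPID_ALL:
        vpid = 0; la = 0;   /* both fields ignored; VPID 0 is never invalidated by this type */
        break;
    default:
        return false;       /* unsupported invalidation type */
    }
    d->lo = vpid;           /* reserved bits 63:16 stay zero */
    d->hi = la;
    return true;
}

/* Plain-value helpers so a caller can check one result at a time. */
bool invvpid_accepts(unsigned type, uint16_t vpid, uint64_t la)
{
    invvpid_desc_t d;
    return build_invvpid_desc(type, vpid, la, &d);
}
uint64_t invvpid_desc_lo(unsigned type, uint16_t vpid, uint64_t la)
{
    invvpid_desc_t d = {0, 0};
    return build_invvpid_desc(type, vpid, la, &d) ? d.lo : 0;
}
uint64_t invvpid_desc_hi(unsigned type, uint16_t vpid, uint64_t la)
{
    invvpid_desc_t d = {0, 0};
    return build_invvpid_desc(type, vpid, la, &d) ? d.hi : 0;
}

int main(void)
{
    /* Constructed cases covering both halves of the canonical range and the failure modes. */
    struct { unsigned type; uint16_t vpid; uint64_t la; } cases[] = {
        { INVVPID_ADDR,   7, 0x00007FFFF0001000ULL },  /* user-half canonical: ok   */
        { INVVPID_ADDR,   7, 0xFFFF800000001000ULL },  /* kernel-half canonical: ok */
        { INVVPID_ADDR,   7, 0x0000800000000000ULL },  /* non-canonical: VMfail     */
        { INVVPID_SINGLE, 0, 0 },                       /* VPID 0: VMfail            */
        { INVVPID_ALL,    0, 0 },                       /* fields ignored: ok        */
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        invvpid_desc_t d;
        bool ok = build_invvpid_desc(cases[k].type, cases[k].vpid, cases[k].la, &d);
        printf("type %u vpid %u la %#018llx -> %s\n", cases[k].type, cases[k].vpid,
               (unsigned long long)cases[k].la, ok ? "descriptor built" : "would VMfail");
    }
    return 0;
}
```

Checking the operands in software before executing INVVPID matters because a VMfail is reported only through RFLAGS, so a hypervisor that does not inspect the flags after the instruction silently keeps stale translations.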
[h] The VM functions that can be specified in the EAX register for VMFUNC are:

| EAX | Function |
|---|---|
| 0 | EPTP switching: switch the extended page table pointer to one of up to 512 table pointers prepared in advance by the VM host. ECX specifies which one of the 512 pointers to use. |
| 1-63 | (Reserved, will cause VMEXIT) |
| ≥64 | Invalid, will cause #UD. |

[i] The operations that can be specified in the RAX register for SEAMOPS are:

| RAX | Operation |
|---|---|
| 0 (CAPABILITIES) | Return a bitmap of supported SEAMOPS leaves in RAX. |
| 1 (SEAMREPORT) | Generate a SEAMREPORT structure. |
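Because nearly every instruction in both tables shares the `0F 01`, `0F C7` or `0F 38` opcode space with other, unrelated instructions and is told apart only by a mandatory prefix (none, 66, F2 or F3) and, for the `/6`, `/7` and `/r` forms, by the ModRM byte, a byte-pattern search for "VMXON" or "VMRUN" is easy to get wrong. The following C is an added example, not code from the page: a small decoder that applies the prefix and ModRM rules from the two tables above (including the 67h address-size override from note [a] of the AMD table), plus a byte-by-byte sweep that a defender might use to triage a firmware or driver image for virtualization instructions. The sample buffer and the function names are this example's own; it does not parse SIB or displacement bytes after a ModRM, and it reports the register form of `0F C7 /6` as a non-match because that encoding is a different instruction (RDRAND).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PFX_NONE = 0x00, PFX_66 = 0x66, PFX_F2 = 0xF2, PFX_F3 = 0xF3 };

/* 0F 01 xx forms (no ModRM): mnemonic from the mandatory prefix and the third byte. */
static const char *decode_0f01(uint8_t pfx, uint8_t b)
{
    static const char *np_c1[] = { "VMCALL", "VMLAUNCH", "VMRESUME", "VMXOFF" };    /* C1..C4 */
    static const char *np_d8[] = { "VMRUN", "VMMCALL", "VMLOAD", "VMSAVE",
                                   "STGI", "CLGI", "SKINIT", "INVLPGA" };         /* D8..DF */
    static const char *p66_cc[] = { "TDCALL", "SEAMRET", "SEAMOPS", "SEAMCALL" }; /* CC..CF */
    switch (pfx) {
    case PFX_NONE:
        if (b >= 0xC1 && b <= 0xC4) return np_c1[b - 0xC1];
        if (b == 0xD4) return "VMFUNC";
        if (b >= 0xD8 && b <= 0xDF) return np_d8[b - 0xD8];
        break;
    case PFX_66:
        if (b >= 0xCC && b <= 0xCF) return p66_cc[b - 0xCC];
        break;
    case PFX_F2:
        if (b == 0xD9) return "VMGEXIT";   /* F2 or F3 0F 01 D9 */
        if (b == 0xFD) return "RMPREAD";
        if (b == 0xFE) return "RMPUPDATE";
        if (b == 0xFF) return "PVALIDATE";
        break;
    case PFX_F3:
        if (b == 0xD9) return "VMGEXIT";
        if (b == 0xFD) return "RMPQUERY";
        if (b == 0xFE) return "RMPADJUST";
        if (b == 0xFF) return "PSMASH";
        break;
    }
    return NULL;
}

/* Decode one virtualization instruction at p. Returns the mnemonic and stores the bytes
   matched (prefixes, opcode, ModRM) in *consumed; NULL if no listed encoding starts here. */
const char *decode_virt_insn(const uint8_t *p, size_t len, size_t *consumed)
{
    size_t i = 0;
    uint8_t pfx = PFX_NONE;
    if (i < len && p[i] == 0x67) i++;   /* 67h: changes rAX width (note [a]), not the mnemonic */
    if (i < len && (p[i] == 0x66 || p[i] == 0xF2 || p[i] == 0xF3)) pfx = p[i++];
    if (i + 3 > len || p[i] != 0x0F) return NULL;
    uint8_t op = p[i + 1], third = p[i + 2];
    const char *m = NULL;

    if (op == 0x01) {
        m = decode_0f01(pfx, third);
        if (m) *consumed = i + 3;
        return m;
    }
    if (op == 0x38) {                   /* 66 0F 38 80 /r INVEPT, 66 0F 38 81 /r INVVPID (m128 only) */
        if (pfx != PFX_66 || i + 4 > len || (p[i + 3] >> 6) == 3) return NULL;
        if (third != 0x80 && third != 0x81) return NULL;
        *consumed = i + 4;
        return third == 0x80 ? "INVEPT" : "INVVPID";
    }
    uint8_t mod = third >> 6, reg = (third >> 3) & 7;   /* third byte is ModRM from here on */
    if (op == 0xC7 && mod != 3) {       /* m64 operand required; register forms are other instructions */
        if (reg == 6) m = pfx == PFX_NONE ? "VMPTRLD" : pfx == PFX_66 ? "VMCLEAR"
                        : pfx == PFX_F3 ? "VMXON" : NULL;
        else if (reg == 7 && pfx == PFX_NONE) m = "VMPTRST";
    } else if (op == 0x78 && pfx == PFX_NONE) m = "VMREAD";   /* r/m,reg: register form is valid */
    else if (op == 0x79 && pfx == PFX_NONE) m = "VMWRITE";
    if (m) *consumed = i + 3;
    return m;
}

const char *virt_mnemonic(const uint8_t *p, size_t len) { size_t c; return decode_virt_insn(p, len, &c); }
size_t virt_length(const uint8_t *p, size_t len) { size_t c = 0; return decode_virt_insn(p, len, &c) ? c : 0; }

/* Byte-by-byte sweep of a buffer. Without a full x86 decoder this is a triage heuristic:
   data bytes that happen to match are reported too, so hits are leads, not proof. */
size_t scan_virt_insns(const uint8_t *buf, size_t len, const char **out, size_t max)
{
    size_t n = 0, off = 0;
    while (off < len) {
        size_t used = 0;
        const char *m = decode_virt_insn(buf + off, len - off, &used);
        if (!m) { off++; continue; }
        if (n < max) out[n] = m;
        n++;
        off += used;
    }
    return n;
}

/* Constructed sample: seven listed instructions plus filler and one near-miss encoding. */
static const uint8_t SAMPLE[] = {
    0xF3, 0x0F, 0xC7, 0x30,          /* VMXON [rax]                                   */
    0x90,                            /* NOP filler                                    */
    0x0F, 0x01, 0xC2,                /* VMLAUNCH                                      */
    0x66, 0x0F, 0x38, 0x80, 0x0E,    /* INVEPT rcx,[rsi]                              */
    0x0F, 0x01, 0xD8,                /* VMRUN rAX                                     */
    0xF3, 0x0F, 0x01, 0xD9,          /* VMGEXIT                                       */
    0x67, 0x0F, 0x01, 0xDF,          /* INVLPGA with 67h address-size override        */
    0x0F, 0xC7, 0xF0,                /* 0F C7 /6 register form (RDRAND), not VMPTRLD  */
    0x0F, 0x01, 0xC4,                /* VMXOFF                                        */
};

size_t sample_hit_count(void)
{
    const char *hits[16];
    return scan_virt_insns(SAMPLE, sizeof SAMPLE, hits, 16);
}

int main(void)
{
    const char *hits[16];
    size_t n = scan_virt_insns(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t k = 0; k < n && k < 16; k++) printf("%s\n", hits[k]);
    return 0;
}
```

The prefix handling is the part worth studying: `0F 01 D9` is VMMCALL, but with an F2 or F3 prefix the same bytes are VMGEXIT, and `0F C7 /6` is VMPTRLD, VMCLEAR or VMXON depending on whether the prefix is absent, 66 or F3. A scanner that ignores prefixes will misattribute all of these.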