author Paolo Bonzini <pbonzini@redhat.com> 2022-03-15 18:17:15 -0400
committer Paolo Bonzini <pbonzini@redhat.com> 2022-04-02 05:34:47 -0400
commit ce2f72e26c1a352f5f2d1cda19bcafeff6c3b4fc
tree 7be9dc75f3fdd933b1279eaf41d96cf88eab42f7
parent ac8d6cad3c7b39633d5899dc2fa9abec7135e83e
KVM: x86: document limitations of MSR filtering

MSR filtering requires an exit to userspace that is hard to implement and would be very slow in the case of nested VMX vmexit and vmentry MSR accesses. Document the limitation.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- Documentation/virt/kvm/api.rst 5
1 files changed, 5 insertions, 0 deletions
diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index 04b26c2a715962..d210a4e8dce3ca 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -4081,6 +4081,11 @@ x2APIC MSRs are always allowed, independent of the ``default_allow`` setting,
and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base
register.
+.. warning::
+ MSR accesses coming from nested vmentry/vmexit are not filtered.
+ This includes both writes to individual VMCS fields and reads/writes
+ through the MSR lists pointed to by the VMCS.
+
If a bit is within one of the defined ranges, read and write accesses are
guarded by the bitmap's value for the MSR index if the kind of access
is included in the ``struct kvm_msr_filter_range`` flags. If no range
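Review bot: The added ``.. warning::`` block states that MSR accesses from nested vmentry/vmexit bypass the filter, but it does not say what userspace should conclude from that, and the reason given in the commit message (filtering needs an exit to userspace, which is hard to implement and very slow on this path) never reaches the documentation. Since this file is what VMM authors read, consider adding a sentence to the warning saying that a filter which denies an MSR is not enforced for these accesses, so userspace that depends on the filter has to take that into account before enabling nested VMX for the guest. The phrase "writes to individual VMCS fields" is also vague as written; saying which fields are meant, or how they relate to MSRs, would make the scope of the exception clear.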