port-amd64/55596: nvmm BIOS lock may not be granular enough

[billc%warped.com@localhost]

>Number:         55596
>Category:       port-amd64
>Synopsis:       nvmm BIOS lock may not be granular enough
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    port-amd64-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 22 01:55:00 +0000 2020
>Originator:     William Coldwell
>Release:        netbsd-9
>Organization:
The NetBSD Foundation
>Environment:
NetBSD agamemnon.local 9.0_STABLE NetBSD 9.0_STABLE (GENERIC) #0: Thu Aug 13 01:40:53 UTC 2020  root@agamemnon.local:/tmp/netbsd-9/build/objdir/sys/arch/amd64/compile/GENERIC amd64

>Description:
modload nvmm

[ 638963.560892] NVMM: VMX disabled in BIOS
[ 638963.560892] autoconfiguration error: nvmm: cpu not supported
[ 638963.560892] WARNING: module error: modcmd(CMD_INIT) failed for `nvmm', error 86


cpuctl identify 0

cpu0: features1 0x7ffefbff<SSE3,PCLMULQDQ,DTES64,MONITOR,DS-CPL,VMX,SMX,EST>

So the cpu is advertising this, but nvmm says no because of:


        msr = rdmsr(MSR_IA32_FEATURE_CONTROL);
        if ((msr & IA32_FEATURE_CONTROL_LOCK) == 0) {
                printf("NVMM: VMX disabled in BIOS\n");
                return false;
        }
        if ((msr & IA32_FEATURE_CONTROL_OUT_SMX) == 0) {
                printf("NVMM: VMX disabled in BIOS\n");
                return false;
        }


However, I can run VMs/KVM on Linux with this machine, and it, too, is reporting those cpu flags.

Bigger question: Should cpu flags not report flags that are unavailable to the system/VM like we do with MDS/TAA, etc?








>How-To-Repeat:
Have a bios from a manufacturer that wants to sell their little BMC manager adapter, otherwise locks the bios apparently.

modload nvmm
get rejected.

>Fix:
Questionably ignore bios locking, because vendors don't necessarily know best?

Find out why Linux (possibly FreeBSD Bhyve too) works and we don't with native hypervisor.