**VMware, Inc.** 3401 Hillview Ave, Palo Alto, CA 94304, USA, www.vmware.com

# TOE Design (ADV\_TDS.3): VMM Subsystem VMware ESXi 8.0

| Author:  | VMware     |
|----------|------------|
| Version: | 1.0        |
| Date:    | 2022-08-10 |
| Cert-ID: |            |

Company: VMware, Inc.

Version 1.0


VMware, Inc. 3401 Hillview Ave Palo Alto, CA 94304 United States of America

http://www.vmware.com

Copyright © 1998 - 2022 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. VMware products are covered by one or more patents listed at <a href="http://www.vmware.com/go/patents">http://www.vmware.com/go/patents</a>.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

# **Revision History**

| Version | Description of changes | Modified by    | Date       |
|---------|------------------------|----------------|------------|
| 1.0     | Initial Draft Version  | Nicholas Leuci | 2022-08-10 |

#### **Table of Contents**

- Revision History
- 1 Introduction
- 2 Subsystems of the TOE
  - 2.1 Interaction between sub-systems
  - 2.2 Subsystem AAA
  - 2.3 Subsystem BBB
  - 2.4 Subsystem CCC
- 4 Virtual Machine Monitor (VMM) Subsystem
  - 4.1 VMM Hardware Virtualization (SFR-ENFORCING)
    - 4.1.1 Security Functionality (SF)
    - 4.1.2 Security Functional Requirement (SFR)
    - 4.1.3 Provided TSFI
    - 4.1.4.1 Internal Interfaces (Context-switching between VMM and VM)
    - 4.1.4.2 Internal Interfaces (Sensitive host fields for context-switch)
    - 4.1.4.3 Internal Interfaces (Sensitive host field for posted interrupts)
    - 4.1.4.4 Internal Interfaces (Controls determining circumstances causing HV exits)
    - 4.1.5 Used interfaces of other modules
    - 4.1.6 Mapping to the Source Code
    - 4.1.7 Appendix A: Bibliography for the Intel VT References
    - 4.1.8 Appendix B: Navigating HV module code
  - 4.2 VMM HV Memory Management (SFR-ENFORCING)
    - 4.2.1 Security Functionality (SF)
    - 4.2.2 Security Functional Requirement (SFR)
    - 4.2.3 Provided TSFI
    - 4.2.4.1 Internal Interfaces of the Module (General execution)
    - 4.2.4.2 Internal Interfaces of the Module (VNPT, for nested guest memory virtualization)
    - 4.2.5 Used interfaces of other modules
    - 4.2.6 Mapping to the Source Code
  - 4.3 VMM Host Interrupts IDT, APIC, MAP (SFR-ENFORCING)
    - 4.3.1 Security Functionality (SF)
    - 4.3.2 Security Functional Requirement (SFR)
    - 4.3.3 Provided TSFI
    - 4.3.3.1 Internal Interfaces of the Module
    - 4.3.4 Used interfaces of other modules
    - 4.3.5 Mapping to the Source Code
    - 4.3.6 Appendix A: Navigating Interrupt Optimization Module Code
  - 4.4 VMM Hot Path (SFR-NON-INTERFERING)
    - 4.4.1 Mapping to the Source Code
  - 4.5 VMM Instruction Emulation (SFR-NON-INTERFERING)
    - 4.5.1 Mapping to the Source Code
    - 4.5.2 Appendix A: Published Technical Research Bibliography
  - 4.6 VMM Guest Interrupts (SFR-NON-INTERFERING)
  - 4.7 VMM Timekeeping (SFR-NON-INTERFERING)
  - 4.8 [vmKernel] VMM-VMK (SFR-ENFORCING)
    - 4.8.1 Security Functionality (SF)
    - 4.8.2 Security Functional Requirement (SFR)
    - 4.8.3 Provided TSFI
    - 4.8.4.1 Internal Interfaces of the Module (World-Switch: Model-Specific Registers)
    - 4.8.4.2 Internal Interfaces of the Module (World-Switch: VT State)
    - 4.8.4.3 Internal Interfaces of the Module (VMKCall: State Flushing)
    - 4.8.5 Used interfaces of other modules
    - 4.8.6 Mapping to the Source Code
    - 4.8.7 Appendix A: Navigating VMM-VMK Entry Module Code
  - 4.9 VMM SGX (SFR-NON-INTERFERING)
    - 4.9.1 Mapping to the Source Code (Interpreter support)
    - 4.9.2 Appendix A: Bibliography for the Intel SGX References

# 1 Introduction

This document contains a description of the TOE Design, which is required by ADV\_TDS.3. To that end, the TOE is subdivided into subsystems and modules,

# 2 Subsystems of the TOE

Subsystem: high-level description of the different parts of the TOE. The description needs to state what the main purpose of the subsystem is and how.

Module: additional subdivision of the subsystems, with a more detailed description of their implementation (e.g., based on libraries).

For each subsystem (all are at high level):

- High-level subsystem description
  - Near-source-code-level description
    - SFRs need to be written as security enforcing, supporting, or non-interfering
    - Parts of a subsystem that relate to non-interfering SFRs are not described at near-source-code-level detail
    - Modules that are non-interfering don't need to be described at near-source-code-level detail.

The TOE can be subdivided into the following subsystems:

- Subsystem AAA Here a short description about the purpose of the subsystem should be entered.
- Subsystem BBB Here a short description about the purpose of the subsystem should be entered.
- Subsystem CCC Here a short description about the purpose of the subsystem should be entered.
- ...

The figure below gives an overview of the architecture of the TOE and how the TOE can be subdivided into subsystems and modules.

Put the detailed figures of the overall TOE here. Put the low-level ESXi architecture document. How we draw the boundaries of modules in the subsystem is up to us. Multiple images will be supplied.



#### 2.1 Interaction between sub-systems

Figure 1: TOE Subsystems and Modules

Please give a short explanation of Figure 1. In particular, the purpose of each subsystem and the interactions between the subsystems should be explained.

#### 2.2 Subsystem AAA

Detailed Description of the purpose and content of subsystem AAA. Each group adds their own subsystem section.

Still a high-level description – half a page to one or two pages. Overview of which modules are in the subsystem and how the modules relate to each other. Overview of the APIs of the modules, i.e., communication between VMkernel and Monitor.

#### 2.3 Subsystem BBB

Detailed Description of the purpose and content of subsystem BBB. Each group adds their own subsystem section.

#### 2.4 Subsystem CCC

Detailed Description of the purpose and content of subsystem CCC. Each group adds their own subsystem section.

# 4 Virtual Machine Monitor (VMM) Subsystem

#### A. Subsystem Diagram



| SFR Color Encoding Legend |                         |
|---------------------------|-------------------------|
| Red                       | Enforcing modules       |
| Yellow                    | Supporting modules      |
| Green                     | Non-Interfering modules |

#### B. High Level Summary

The Virtual Machine Monitor (hereafter "VMM") is a kernel-mode program responsible for execution of virtual CPUs. One VMM program instance exists per VM. One VMM world (thread) exists for each virtual CPU in a VM.

VMM presents virtual hardware to the virtual machine and causes its virtual CPUs to make progress in execution, in a high-performance manner, with proper isolation and security. VMM relies on hardware virtualization (via Intel's VT) and, to a lesser extent, instruction emulation for this purpose.

VMM exposes virtual hardware to VM software and handles the edges of this interaction, including virtual interrupts and virtualized device access. VMM exposes memory to a VM as well. As such, VMM is responsible for managing views of memory.

VMM also implements and supports various virtualization features. Some features include nested virtualization (such that a VM can, internally, run a nested VM) and virtualization of CPU features such as secure enclave execution via Intel's SGX.

VMM interacts with other software in the TOE by switching to the vmKernel when required. VMM cooperates with the vmKernel (vmKernel RM CPU Subsystem) to share the host CPU (as both pieces of software are kernel-mode, privileged software). VMM is largely subordinate to the vmKernel, as the vmKernel RM CPU Subsystem decides scheduling of host worlds such as those worlds running VMM.

#### C. List of Modules

| Module Name                | Brief Description                                                                                                                                                                                                    | Security Type       |
|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Hardware<br>Virtualization | Support for Intel's VT CPU virtualization support, both for regular VMs and those containing nested VMs. Manages and executes context-switching between VMM software in the TOE and the Virtual Machine domain (VM). | SFR-ENFORCING       |
| HV Memory<br>Management    | Virtualization of guest memory including presentation of vmKernel-provided memory to the VM and any nested VMs run inside.                                                                                           | SFR-ENFORCING       |
| VMM/VMK<br>Entry           | Context-switching between VMM and the vmKernel and associated optimizations.                                                                                                                                         | SFR-ENFORCING       |
| Host<br>Interrupt/IDT      | Optimized Inter-Processor Interrupt support for fast synchronous signaling between VCPUs of a single VM.                                                                                                             | SFR-ENFORCING       |
| SGX                        | Virtualization of Intel Software Guard Extensions support for secure enclaves.                                                                                                                                       | SFR-NON-INTERFERING |
| Guest Interrupts           | VM-internal virtual interrupt support, including delivery of virtual interrupts to virtual VCPUs for consumption in the VM.                                                                                          | SFR-NON-INTERFERING |
| Instruction<br>Emulation   | Correct emulation of instructions, as a fallback when fast<br>handling of a VT exit is impossible, or emulation is<br>otherwise required.                                                                            | SFR-NON-INTERFERING |
| Hot Path                   | Fast handling of VT exits from the Hardware Virtualization module.                                                                                                                                                   | SFR-NON-INTERFERING |
| Timekeeping                | Management of VM-perceived time.                                                                                                                                                                                     | SFR-NON-INTERFERING |

#### 4.1 VMM Hardware Virtualization (SFR-ENFORCING)

The VMM Hardware Virtualization (hereafter "HV") module runs as part of the Virtual Machine Monitor (part of the TOE, a kernel-mode program with one instance per VM, hereafter "VMM"). The HV module implements execution of the virtual machine domain (guest OS, hereafter "VM" or "guest") by use of Hardware Virtualization ("HV") provided by the Intel CPU Virtualization Technology (known by Intel as "VMX" but hereafter referred to by the VMware term, "VT"). The HV module manages CPU and VT state, and handles switches to and from VM execution, for various reasons.

Once initialized, the HV module runs in a loop:

1. enter VM execution (hereafter known as an "HV resume"),
2. wait for the CPU to exit VM execution and return to VMM (hereafter known as an "HV exit"),
3. determine from the exit description what handler to run,
4. call that handler,
5. and likely return to the first step: HV resume.

The HV module is responsible for isolating the VM from the VMM (and other host software). This isolation is implemented two ways: (1) by careful constraint of and description of VM execution using VT state and (2) by careful context-switching of CPU state, avoiding undesirable effects upon VMM (and other host software).

VT contains a Virtual Machine Control Structure (hereafter "VMCS") which defines state for the CPU to load upon HV resume and HV exit, as well as controls constraining VM execution and under what conditions HV exits shall occur. The HV module programs the VMCS accordingly. Intel describes the VMCS, VT and related information in the Intel Software Developer's Manual, Volume 3C: System Programming Guide, Part 3, Chapters 23-27 and 30 (see 4.1.7 Appendix A below).

The HV module is responsible for context-switching of VM state. This context-switching occurs in different ways, at different points in code: at HV resume and HV exit (automatically via VT), in code paths immediately before HV resume and after HV exit (in software, via the HV module), and in deferred code paths transitioning between pieces of software in the TOE (in the VMM/VMK Entry Module, 4.8).

Because the VMCS defines when the VM may cause HV exits, and because the HV module must context-switch VM CPU state (which could, unswitched, affect other software in the TOE), the HV module is SFR-enforcing for FPT\_VIV\_EXT.1.1. Because the handling of HV exits (which could, handled incorrectly, affect other software in the TOE) is implemented in the HV module, it is SFR-enforcing for FPT\_VIV\_EXT.1.2.

The HV module implements nested virtualization support, allowing a VM to run encapsulated VMs of its own. The module implements Virtualized Hardware Virtualization (hereafter "VHV") and, specifically for Intel, it implements Virtual VT (hereafter "VVT"). VHV is supported for Microsoft Windows guests using Hyper-V, which rely upon an implementation of VT (here, our VVT) for the Microsoft implementation of Virtualization-Based Security.

When VVT is in use, the guest software is split conceptually into two parts: the inner hypervisor (which programs and uses VVT via VT semantics) and the inner guest (which runs under control of the HV module, with additional description and constraints added by the inner hypervisor). For performance, the HV module uses two VMCS structures when running with VVT: a standard VMCS and a nested VMCS. The standard VMCS describes and constrains the inner hypervisor, while the nested VMCS describes and constrains the inner guest. Only one VMCS is active at a given time, with transitions and management of VMCS state optimized carefully.



When a VMCS is not in active use, its values may be modified by live execution (e.g. the inner hypervisor writing new configuration to the nested VMCS to constrain the inner guest).

The HV module maintains an in-memory cache of nested VMCS state and tracks dirty subportions of this cache, deferring recomposition of the nested VMCS until just before its live use.

When switching between executing the inner hypervisor and the inner guest, HV controls must be updated in the VMCS that is about to become active. This update carefully composes a safe VMCS. When transitioning to executing the inner guest, the VMCS combines the wishes of the inner hypervisor (as described in the nested VMCS) and the requirements of the HV module (as described in the standard VMCS).

For performance reasons, some VMCS fields allow the guest (be it the inner hypervisor or the inner guest) to access certain CPU resources directly, without exiting to the HV module. Such resources are those which are either inherently harmless to the TOE (e.g. guest general-purpose registers) or those which are context-switched carefully shortly after HV exit (e.g. side-channel mitigation model-specific registers which do no harm to execution of the TOE during the brief moment between HV exit and context-switching).

VT's VMCS contains controls and structures related to guest-visible memory. That state and its management are handled by the VMM HV Memory Module (4.2).

HV exit handling in the HV module will call into other modules, depending upon the exit condition.

The HV module cannot be disabled and is always used in the running of VMs.

#### 4.1.1 Security Functionality (SF)

See the table in Section 4.1.2.

#### 4.1.2 Security Functional Requirement (SFR)

| Security Function (SF) | Security Function Requirement (SFR) | Rationale |
|---|---|---|
| SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | The TSF shall maintain a security domain for the execution of each virtual machine that protects the virtual machine from interference and tampering by untrusted subjects or subjects from outside the scope of the VM. |
| SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.2 | The TSF shall enforce separation between the security domains of VMs in the TSC. |

#### 4.1.3 Provided TSFI

This module has no TSFI as it is an internal module and has no exposure to outside the TOE.

#### 4.1.4.1 Internal Interfaces (Context-switching between VMM and VM)

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|
| HVResume | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. Does not return to caller. Exits at VMCS HOST_RIP. | Main entry point to HV resume functionality in VMM. |
| HV_StepToSafePointAndResume | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. Does not return to caller. Exits at VMCS HOST_RIP. | Alternate path to call VMM Instruction Emulation Module (see 4.5), then program VMCS with VMM state and proceed to resume. |
| HVVendorSpecificResume | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. Does not return to caller. Exits at VMCS HOST_RIP. | Program VMCS with VM state (program counter, stack pointer, CPU flags, pending interrupt information if any). |
| HVMSR_VMEnter | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. (void function). | Reload any software-switched Model-Specific Registers to VM values. |
| HVResumeLowLevel | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. (Assembly function taking no arguments). Does not return to caller. | Load VM general-purpose register state into CPU, execute VT "vmresume" instruction to actuate switch from VMM to VM. |
| HVExitLowLevel | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1, FPT_VIV_EXT.1.2 | None | None. (Assembly function entered directly by hardware). Does not return to caller as there is no caller. | Main exit point from VM back to VMM. Saves VM general-purpose register state from CPU and immediately loads zeroes into most such registers. VMM software is now in control of the CPU. |
| HVVendorSpecificExit | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1, | None | None. Does not return to caller. | Saves more VM state, reloads more VMM state. |
| HVMSR_VMExit | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | None. (void function). | Reloads any software-switched Model-Specific Registers back to VMM values. |
| HVExit | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | reason - VT exit reason, idtVecInfo - VT-provided IDT vectoring information | None (void function), does not return. | Processes exit cause provided by VT, calling various other code to handle each type of exit. (TBD: explain more/better) |
| VVT_VMENTER | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | launch - whether launching (the first entry, before having resumed) or resuming; instrLen - the length of the instruction attempting the launch (to advance past, upon success) | An x86fault object pointer, representing either a specific failure, or successful VM entry (X86Fault_None or similar). | Switch to the nested guest VMCS, ready for HV resume into the nested guest, if successful. |

#### 4.1.4.2 Internal Interfaces (Sensitive host fields for context-switch)

| Module Function | Security Function(s) | SFR(s) | VMCS fields protected | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|---|
| HVVTInitVMCSHostFields | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | HOST_CS, HOST_ES, HOST_DS, HOST_TR, HOST_PAT, HOST_CR3, HOST_GDTRBASE, HOST_IDTRBASE, HOST_RSP, HOST_RIP | None | None. (void function). | Basic host register state loaded upon HV exit. Static after initialization. Provides program counter (HOST_RIP) to execute HVExitLowLevel, stack pointer (HOST_RSP) and other basic state, automatically switched by VT support in the CPU. Ensures fundamental register state in VMM is unaffected by VM values. |
| HV_SetHostCR0 | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | HOST_CR0 | hostCR0 - value to set in cr0 | None. | Another fundamental control register loaded upon HV exit. |
| HV_SetHostCR4 | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | HOST_CR4 | hostCR4 - value to set in cr4 | None. | Another fundamental control register loaded upon HV exit. |
| HV_SetNestedPagingRoot | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | EPTP | I4MPN - MPN corresponding to EPTP to populate. | None. (void function). | Sets the VT nested paging root (VMCS field EPTP) to a given value. (See module 4.2: VMM guest memory) |

#### 4.1.4.3 Internal Interfaces (Sensitive host field for posted interrupts)

| Module Function | Security Function(s) | SFR(s) | VMCS fields protected | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|---|
| HVVTInitPostedInterrupts | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | PI_NOTIFY, PI_DESC_ADDR | None | None. (void function). | Allow VT operation to use posted interrupts without incurring an HV exit when the notification vector is used to raise an inter-processor interrupt from another CPU. If the vector were mis-programmed, interrupts could be dropped, resulting in host instability. |

#### 4.1.4.4 Internal Interfaces (Controls determining circumstances causing HV exits)

| Module Function | Security Function(s) | SFR(s) | VMCS fields protected | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|---|
| HVSetVMCSPinCtl | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | PIN_VMEXEC_CTL | None | None. (void function). | Configures handling (whether to HV exit) of asynchronous events such as interrupts (including host interrupts unrelated to the currently-running VM). Careful programming of these controls guarantees VM interruptibility and allows host software in the TOE (VMM, the vmkernel) to operate effectively. |
| HVSetVMCSCPUCtl | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | CPU_VMEXEC_CTL, 2ND_VMEXEC_CTL | None | None. (void function). | Configures handling (whether to HV exit) of synchronous processor events (mostly execution of specific instructions and related circumstances). Used to inhibit direct access to sensitive host resources (e.g. port I/O instructions on the physical CPU) and to otherwise constrain VM execution. |
| HVSetVMCSExitCtl | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | VMEXIT_CTL | None | None. (void function). | Configures automatic actions performed by the CPU at VT exit, such as entering long mode (64-bit execution, as required by the TOE; see VT_REQUIRED_EXIT_CTLS). |
| HVSetVMCS2ndCtl | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | 2ND_VMEXIT_CTL | None | None. (void function). | Configures automatic actions performed by the CPU at VT exit (secondary list). For example, whether EPT is enabled (used by module 4.2: VMM HV Memory Management). |
| HVSetVMCSXCPCtl | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | XCP_BITMAP | None | None. (void function). | Forces #AC exceptions to HV exit. Without this, a CPU can be caught in an infinite #AC loop due to a malicious VM. Forces machine checks to exit, to be reported to the host kernel. See also HV_XCP_MASK. Allows other forcing of exceptions to exit, as well. |
| HVSetMSRBitmap | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | MSRBITMAP | None | None. (void function). | Enables bitmap allowing for non-exiting access to specific Model-Specific Registers, which are in turn context-switched in HVExit/HVResume when made accessible this way. |
| HV_SetMSRIntercept | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | MSRBITMAP | bitmap - the bitmap address, msrNum - the MSR to intercept, accessMode - the read/write access to intercept | None. (void function). | Denies non-exiting access to a specific Model-Specific Register. |
| HV_ClearMSRIntercept | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | MSRBITMAP | bitmap - the bitmap address, msrNum - the MSR not to intercept, accessMode - the read/write access not to intercept | None. (void function). | Allows non-exiting access to a specific Model-Specific Register. |
| HVSetVMCSEnclsBitmap | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | ENCLS_EXITING_BITMAP | None | None. (void function). | Enables bitmap allowing for non-exiting execution of ENCLS instruction for some situations. See module 4.8: SGX. |
| HVSetVMCSEnclvBitmap | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | ENCLV_EXITING_BITMAP | None | None. (void function). | Enables bitmap allowing for non-exiting execution of ENCLV instruction for some situations. See module 4.8: SGX. |
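The following C is an added illustration, not ESXi source, of the exit-control bitmaps in the table above and of the VVT composition described earlier (an inner-guest event exits if either the HV module's standard VMCS or the inner hypervisor's nested VMCS asks for it, recomposed lazily from a dirty flag). All type and function names are hypothetical; only the Intel MSR-bitmap page layout and the #AC/#MC vector numbers are architectural, and the MSR numbers used in comments are example values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MSR_BITMAP_SIZE 4096        /* one 4 KiB VT MSR bitmap page */
#define MSR_RANGE_MAX   0x1FFFu     /* each of the two ranges covers 8192 MSRs */
#define MSR_HIGH_BASE   0xC0000000u /* first MSR of the "high" range */
/* Exception vectors the HV module forces to exit (cf. HVSetVMCSXCPCtl). */
#define XCP_AC 17u
#define XCP_MC 18u
#define FORCED_XCP_MASK ((1u << XCP_AC) | (1u << XCP_MC))

typedef enum { MSR_READ = 1, MSR_WRITE = 2, MSR_RW = 3 } MSRAccess;

/* Hypothetical per-VMCS view of the "whether to exit" bitmaps. */
typedef struct {
   uint8_t  msrBitmap[MSR_BITMAP_SIZE];
   uint32_t xcpBitmap;
   bool     dirty;   /* changed since the active copy was last composed */
} ExitCtls;

/* Safe default: every MSR access exits and the forced exceptions exit. */
void ExitCtls_Init(ExitCtls *c)
{
   memset(c->msrBitmap, 0xFF, sizeof c->msrBitmap);
   c->xcpBitmap = FORCED_XCP_MASK;
   c->dirty = true;
}

/* Intel layout: bytes 0-1023 read/low, 1024-2047 read/high, 2048-3071 write/low,
 * 3072-4095 write/high; a set bit exits. MSRs outside both ranges always exit. */
static bool MSRBitmapLocate(uint32_t msr, MSRAccess access, unsigned *byte, unsigned *bit)
{
   unsigned base = 0;
   if (msr > MSR_RANGE_MAX) {                 /* not in the low range: try high */
      if (msr < MSR_HIGH_BASE || msr - MSR_HIGH_BASE > MSR_RANGE_MAX) return false;
      base = 1024;
      msr -= MSR_HIGH_BASE;
   }
   if (access == MSR_WRITE) base += 2048;
   *byte = base + msr / 8;
   *bit = msr % 8;
   return true;
}

/* Deny non-exiting access; mode may combine MSR_READ and MSR_WRITE. */
void MSRIntercept_Set(ExitCtls *c, uint32_t msr, MSRAccess mode)
{
   unsigned byte, bit;
   for (unsigned a = MSR_READ; a <= MSR_WRITE; a <<= 1) {
      if ((mode & a) && MSRBitmapLocate(msr, (MSRAccess)a, &byte, &bit)) {
         c->msrBitmap[byte] |= (uint8_t)(1u << bit);
         c->dirty = true;
      }
   }
}

/* Allow non-exiting access; false if the MSR has no bitmap bit at all. */
bool MSRIntercept_Clear(ExitCtls *c, uint32_t msr, MSRAccess mode)
{
   unsigned byte, bit;
   for (unsigned a = MSR_READ; a <= MSR_WRITE; a <<= 1) {
      if (!(mode & a)) continue;
      if (!MSRBitmapLocate(msr, (MSRAccess)a, &byte, &bit)) return false;
      c->msrBitmap[byte] &= (uint8_t)~(1u << bit);
      c->dirty = true;
   }
   return true;
}

bool MSRIntercept_Exits(const ExitCtls *c, uint32_t msr, MSRAccess access)
{
   unsigned byte, bit;
   return !MSRBitmapLocate(msr, access, &byte, &bit) ||
          ((c->msrBitmap[byte] >> bit) & 1u);
}

/* Refuses to make a forced vector non-exiting (an #AC loop must exit). */
bool XCPIntercept_Clear(ExitCtls *c, unsigned vector)
{
   if (vector > 31 || (FORCED_XCP_MASK & (1u << vector))) return false;
   c->xcpBitmap &= ~(1u << vector);
   c->dirty = true;
   return true;
}

/* Compose what the CPU uses while the inner guest runs: union of the HV
 * module's (standard) and inner hypervisor's (nested) requests, deferred until dirty. */
bool ComposeInnerGuestExitCtls(const ExitCtls *standard, ExitCtls *nested, ExitCtls *active)
{
   if (!nested->dirty) return false;
   for (size_t i = 0; i < MSR_BITMAP_SIZE; i++) {
      active->msrBitmap[i] = standard->msrBitmap[i] | nested->msrBitmap[i];
   }
   active->xcpBitmap = standard->xcpBitmap | nested->xcpBitmap | FORCED_XCP_MASK;
   active->dirty = nested->dirty = false;
   return true;
}
```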

#### 4.1.5 Used interfaces of other modules

| Module Function | Module | Description | Parameters | Return Value | File |
|---|---|---|---|---|---|
| HVTryFastExit | 4.4 Fast Path | Attempts to handle VT exit information quickly | reason - VT exit reason | None (void function), does not return if handled. | vmcore/monitor/vmm/hv/vt/hv-common.h |
| HVTryFastNestedExit | 4.4 Fast Path | Attempts to handle VT exit information quickly, for inner guest execution | reason - VT exit reason, idtVecInfo - VT-provided IDT vectoring information | None (void function), does not return if handled. | vmcore/monitor/vmm/hv/vt/hv-common.h |
| Interp_Step | 4.5 Instruction Emulation | Emulates one guest instruction, delivering any resulting faults to the guest. Run-time entrypoint to the interpreter. | None. | None (void function) | vmcore/monitor/common/cpu/x86/interp.c |
| MonMSR_SetMSR | 4.8 VMM/VMK interface | Communicates to switching interface properties of the given MSR (whether it must be reloaded and with what value, when entering/exiting VMM) | msr - Model-Specific Register (from short list of allowed values), newVal - new value for MSR, flags - switching reload properties | None (void function) | vmcore/public/monMSR.h |
| MonMSR_SetMSRUnused | 4.8 VMM/VMK interface | Communicates to the switching interface that the given MSR does not need to be reloaded when entering VMM (VMM can run with any value, without ill effect). | msr - Model-Specific Register (from short list of allowed values) | None (void function) | vmcore/public/monMSR.h |

#### 4.1.6 Mapping to the Source Code

| Function                                               | Description                                                                        | File                                 |
|--------------------------------------------------------|------------------------------------------------------------------------------------|--------------------------------------|
| HVResume                                               | Entry point for HV resume flow.                                                    | vmcore/monitor/vmm/hv/common/hv.c    |
| HV_StepToSafePointAndResume                            | Corner case for emulation before HV resume.                                        | vmcore/monitor/vmm/hv/common/hv.c    |
| HVVendorSpecificResume                                 | VT-specific HV resume, next step after HVResume                                    | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVMSR_VMEnter                                          | Model-Specific Register switch                                                     | vmcore/monitor/vmm/hv/common/hvMSR.c |
| HVResumeLowLevel                                       | Final switch of state and actual transition to VM execution                        | vmcore/monitor/vmm/hv/vt/vtasm.S     |
| HVExitLowLevel                                         | Initial switch from VM execution, save of VM state                                 | vmcore/monitor/vmm/hv/vt/vtasm.S     |
| HVVendorSpecificExit                                   | VT-specific HV exit                                                                | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVMSR_VMExit                                           | Model-Specific Register switch                                                     | vmcore/monitor/vmm/hv/common/hvMSR.c |
| HVExit                                                 | General HV exit path, calls out to various handlers for exit reasons               | vmcore/monitor/vmm/hv/common/hv.c    |
| (VMCS field table in VMW notation, no named functions) | Tokens naming VMCS fields<br>used in VMW code and<br>definitions via preprocessing | vmcore/public/x86vt-vmcs-fields.h    |
| HVVTInitVMCSHostFields                                 | Set initial/static VMCS host fields to reload from at HV exit                      | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HV_SetHostCR0                                          | Set host VMCS %cr0 register field to reload at HV exit                             | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HV_SetHostCR4                                          | Set host VMCS %cr4 register field to reload at HV exit                             | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVVTInitPostedInterrupts                               | Initialize posted interrupt state in VMCS, if enabled.                             | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetVMCSPinCtl                                        | Set asynchronous event ("PIN") controls.                                           | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetVMCSCPUCtl                                        | Set synchronous CPU event controls.                                                | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetVMCS2ndCtl                                        | Set secondary synchronous CPU event controls.                                      | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetVMCSExitCtl                                       | Set VM exit behaviors.                                                             | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetVMCSXCPCtl                                        | Set exception exiting controls.                                                    | vmcore/monitor/vmm/hv/vt/hv-vt.c     |
| HVSetMSRBitmap         | Set bitmap of Model-Specific<br>Registers used to determine<br>whether read/write MSR<br>instructions cause VM exits or<br>write to CPU state (requiring<br>context-switching in software). | vmcore/monitor/vmm/hv/vt/hv-vt.c       |
| HV_SetMSRIntercept     | Set access VMM interception<br>(force HV exit) in given MSR<br>bitmap for given MSR and<br>access type.                                                                                     | vmcore/monitor/vmm/public/hvPlatform.h |
| HV_ClearMSRIntercept   | Clear access VMM interception<br>(avoid HV exit) in given MSR<br>bitmap for given MSR and<br>access type.                                                                                   | vmcore/monitor/vmm/public/hvPlatform.h |
| HVSetVMCSEnclsBitmap   | Set bitmap for ENCLS-instruction exiting (see module 4.9: SGX)                                                                                                                              | vmcore/monitor/vmm/hv/vt/hv-vt.c       |
| HVSetVMCSEnclvBitmap   | Set bitmap for ENCLV-instruction exiting (see module 4.9: SGX)                                                                                                                              | vmcore/monitor/vmm/hv/vt/hv-vt.c       |
| HV_SetNestedPagingRoot | Sets the VT nested paging root<br>(VMCS field EPTP) to a given<br>value. (See module 4.2: VMM<br>guest memory)                                                                              | vmcore/monitor/vmm/hv/vt/hv-vt.c       |
| VVT_VMENTER            | Effects a VM entry managed by the current VMCS.                                                                                                                                             | vmcore/monitor/common/hv/vt/vvt.c      |

#### 4.1.7 Appendix A: Bibliography for the Intel VT References

| Document | Author / Company | Date | Notes |
|----------|------------------|------|-------|
| Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3C: System Programming Guide, Part 3 | Intel Corporation, www.intel.com | 06/30/2022 | Specific citations are in the detail table below. **Note:** Intel renumbers resources over time. These chapters and the SDM volume number are correct as of June 30, 2022. |

| Chapter name | Content |
|--------------|---------|
| (23) Introduction to Virtual Machine Extensions | "VMX" / VT overview |
| (24) Virtual Machine Control Structures | VMCS definitions |
| (25) VMX Non-Root Operation | Guest operation |
| (26) VM Entries | Transitions from VMM to VM |
| (27) VM Exits | Transitions from VM to VMM |


#### 4.1.8 Appendix B: Navigating HV module code

The code and header files implementing the HV module are used across multiple products and CPU architectures. Only a subset of the code is of relevance to the TOE. This table endeavors to simplify reading code and header files by explaining what is included and excluded from the TOE. Terminology clarifying the above documentation is also provided.

| Term or token            | Meaning                                                              | Included in TOE? |
|--------------------------|----------------------------------------------------------------------|------------------|
| vmx86_server             | Set to 1 if building ESX                                             | Yes              |
| VMX86_SERVER (CPP token) | #defined if building ESX                                             | Yes              |
| SERVER_ONLY()            | Macro contents defined if building ESX                               | Yes              |
| HOSTED_ONLY()            | Not relevant to ESX, enclosed contents omitted                       | No               |
| vmx86_vmm                | Set to 1 if building VMM                                             | Yes              |
| vmx86_ulm                | Set to 0 if building VMM                                             | No               |
| ULM_ONLY()               | Not relevant to ESX, enclosed contents omitted                       | No               |
| vmx86_release            | Set to 1 if building for releases to customers                       | Yes              |
| vmx86_debug              | Set to 1 if building for debug builds                                | No               |
| vmx86_devel              | Set to 1 if building for internal developers                         | No               |
| vmx86_vt                 | Set to 1 if building for VT support                                  | Yes              |
| vmx86_svm                | Not relevant to VT support (AMD-specific)                            | No               |
| VCPU_InGuestOperation()  | Returns TRUE if the VCPU is running or<br>emulating the nested guest | Yes              |

#### 4.2 VMM HV Memory Management (SFR-ENFORCING)

The VMM HV Memory Management (hereafter "guest memory") module implements management of memory pages accessible to the virtual machine domain (guest OS, hereafter "VM") while it executes in HV (via module 4.1: VMM Hardware Virtualization) or emulation (via module 4.5: VMM Instruction Emulation).


Intel provides a technology for Second Level Address Translation ("SLAT") known as Extended Page Tables (hereafter "EPT"). EPT is a hierarchy of translation page tables: each table is a 4 kilobyte page of 512 64-bit Extended Page Table Entries (hereafter "EPTEs"), walked from a root known as the Extended Page Table Pointer (hereafter "EPTP") down to some terminal EPTE. EPTEs also encode access permissions. Intel describes EPT in the Intel Software Developer's Manual, Volume 3C: System Programming Guide, Part 3, Chapter 28 (see 4.2.7 Appendix A below).

The guest memory module manages views of guest physical memory using EPT. When the VM executes via Intel's VT (see 4.1: VMM Hardware Virtualization), the guest memory module provides this view of guest physical memory for a given VCPU via an EPTP. The EPT tree translates between guest Physical Page Numbers (hereafter "PPNs") and host Machine Page Numbers (hereafter "MPNs") or non-present entries. When in VT, a memory access will obey the programmed EPT tree and result in either a successful, fast memory access or an HV exit to VMM.



Because the guest domain can directly access host memory (as provided, constrained and prescribed by the TOE), this module is SFR-enforcing. The module must provide only the correct pages of host memory, and guarantee that access is correctly constrained.

The guest memory module programs the EPT tree with pages of memory and permissions. The guest memory module interfaces with the host memory allocator (see 9.5: "VM Volatile Memory Virtualization") to acquire the correct page and any constraining page permissions.


The memory allocator module may also request that the guest memory module relinquish access to a page.

The guest memory module, vmKernel memory modules and other virtualization modules use an intermediate representation of memory known as the "memory bus" (or "BusMem") to prioritize what type of resource is visible for a given PPN. It is possible, for example, to layer a virtual device (e.g. SVGA) on top of non-volatile memory, such that an access to a particular PPN should exit to VMM and be handled by SVGA device code. The BusMem system denominates pages in BusMem Page Numbers (hereafter "BPNs"). In the conversion of a PPN to an MPN, the memory bus is traversed.
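The PPN to BPN to MPN resolution described above, as an added example that is not VMware code: a C model of a priority-ordered memory bus and of a validate step in the spirit of GPhys_Validate (listed in 4.2.4.1) that returns either an EPT leaf to install, an exit to the VMM for a device-backed PPN, or a failure when the requested access is wider than the bus layer and the allocator together allow. All names (busmem_resolve, gphys_validate, the allocator stand-in), the layer layout and the permission values are constructed for this example.

```c
/* Added example, not VMware code: a model of the PA -> PPN -> BPN -> MPN
 * resolution of a validate path. A priority-ordered "memory bus" decides what
 * backs each PPN: a device layered over RAM makes the access exit to the VMM
 * instead of being mapped, and the permission granted is the intersection of
 * the bus layer's and the allocator's. All names and values are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define PERM_RWX (PERM_R | PERM_W | PERM_X)
#define MAX_LAYERS 8
#define MAX_BPNS   64

enum bus_kind { BUS_RAM = 1, BUS_DEVICE = 2 };

struct bus_layer {
    enum bus_kind kind;
    uint64_t first_ppn, last_ppn;  /* inclusive PPN range covered by the layer */
    uint64_t bpn_base;             /* BPN backing first_ppn (BUS_RAM only) */
    unsigned perm;                 /* widest access the layer permits */
    int priority;                  /* highest priority wins where layers overlap */
};
struct busmem { struct bus_layer layer[MAX_LAYERS]; unsigned n; };

/* Stand-in for the host allocator: BPN -> MPN plus a per-page constraint
 * (perm 0 = no page behind this BPN; R|X = shared page, writes not allowed). */
struct allocator { uint64_t mpn[MAX_BPNS]; unsigned perm[MAX_BPNS]; };

enum validate_result { VAL_MAPPED, VAL_EXIT_TO_VMM, VAL_FAULT };

/* Highest-priority layer covering ppn, or NULL when nothing is behind it. */
const struct bus_layer *busmem_resolve(const struct busmem *bus, uint64_t ppn) {
    const struct bus_layer *best = NULL;
    for (unsigned i = 0; i < bus->n; i++) {
        const struct bus_layer *l = &bus->layer[i];
        if (ppn >= l->first_ppn && ppn <= l->last_ppn && (!best || l->priority > best->priority))
            best = l;
    }
    return best;
}

/* Resolve a guest physical address for an access of type 'want' (R/W/X mask).
 * On VAL_MAPPED, *mpn and *perm describe the EPT leaf that may be installed;
 * the leaf is never wider than what both the bus layer and allocator allow. */
enum validate_result gphys_validate(const struct busmem *bus, const struct allocator *alloc,
                                    uint64_t pa, unsigned want, uint64_t *mpn, unsigned *perm) {
    uint64_t ppn = pa >> 12;
    const struct bus_layer *l = busmem_resolve(bus, ppn);
    if (!l) return VAL_FAULT;                          /* nothing behind this PPN */
    if (l->kind == BUS_DEVICE) return VAL_EXIT_TO_VMM; /* device code handles the access */
    uint64_t bpn = l->bpn_base + (ppn - l->first_ppn);
    if (bpn >= MAX_BPNS || alloc->perm[bpn] == 0) return VAL_FAULT;
    unsigned granted = l->perm & alloc->perm[bpn];
    if (want & ~granted) return VAL_FAULT;             /* e.g. a write to a shared page */
    *mpn = alloc->mpn[bpn];
    *perm = granted;
    return VAL_MAPPED;
}

/* Constructed scenario: 16 PPNs of RAM starting at BPN 0, a device window
 * over PPN 4 with higher priority, and BPN 2 backed by a read-only shared page. */
static void build_scenario(struct busmem *bus, struct allocator *alloc) {
    *bus = (struct busmem){0};
    *alloc = (struct allocator){0};
    bus->layer[bus->n++] = (struct bus_layer){ BUS_RAM, 0, 15, 0, PERM_RWX, 0 };
    bus->layer[bus->n++] = (struct bus_layer){ BUS_DEVICE, 4, 4, 0, 0, 10 };
    for (uint64_t b = 0; b < 16; b++) { alloc->mpn[b] = 0x1000 + b; alloc->perm[b] = PERM_RWX; }
    alloc->perm[2] = PERM_R | PERM_X;
}

enum validate_result validate_demo(uint64_t pa, unsigned want) {
    struct busmem bus; struct allocator alloc;
    uint64_t mpn = 0; unsigned perm = 0;
    build_scenario(&bus, &alloc);
    return gphys_validate(&bus, &alloc, pa, want, &mpn, &perm);
}

/* MPN a mapped access resolves to, or 0 when the access is not mapped. */
uint64_t validate_demo_mpn(uint64_t pa, unsigned want) {
    struct busmem bus; struct allocator alloc;
    uint64_t mpn = 0; unsigned perm = 0;
    build_scenario(&bus, &alloc);
    return gphys_validate(&bus, &alloc, pa, want, &mpn, &perm) == VAL_MAPPED ? mpn : 0;
}

int main(void) {
    printf("read  PPN 1 -> %d (mpn %#llx)\n", validate_demo(0x1000, PERM_R),
           (unsigned long long)validate_demo_mpn(0x1000, PERM_R));
    printf("read  PPN 4 -> %d (device window: exit to VMM)\n", validate_demo(0x4000, PERM_R));
    printf("write PPN 2 -> %d (shared page: fault, caller must break sharing first)\n",
           validate_demo(0x2000, PERM_W));
    return 0;
}
```

The design point is the intersection: the EPT leaf that validation installs is bounded by every layer in the PPN to MPN path, so neither the bus layer nor the allocator can be bypassed by the other granting more.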

For efficiency, contiguous, aligned sets of PPNs of size 512 or 512 \* 512 with identical permissions may be promoted to a larger page size. Thus 512 aligned, contiguous 4 kilobyte pages mapped at level 1 of EPT may be replaced with one 2 megabyte page at level 2 of EPT, and 512 aligned, contiguous 2 megabyte pages mapped at level 2 of EPT may be replaced with one 1 gigabyte page at level 3 of EPT. If permissions on a subpage of any larger (2 megabyte, 1 gigabyte) page are then modified, the larger page is invalidated. Such optimizations add complexity to the module, but do not violate its security guarantees, as protections are always enforced conservatively and correctly for every page.

EPT relies on Translation Lookaside Buffers in the CPU (hereafter EPT "TLBs") for high performance. These caches are tagged with Virtual-Processor Identifiers (hereafter "VPIDs") and with the EPTP in use, so a cached translation survives a change to the underlying EPTE until it is explicitly invalidated. As such, the module must follow cache coherency protocols when unmapping or modifying mappings in EPTEs. The guest memory module coordinates with the VMM-VMK Entry module (see 4.8) to ensure proper switching and flushing of EPT TLBs and VPIDs when switching between VMs.
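The coherency obligation above, as an added example that is not VMware code: a C model of a VPID-tagged TLB in front of a software EPT, showing that an EPTE downgrade not followed by a flush leaves a stale, more permissive translation in the cache, together with a batched flush request in the spirit of the GPhysOpenLargeFlushReq, GPhys_AddToLargeFlushReq and GPhys_ProcessLargeFlushReq interfaces listed in 4.2.4.1 that widens to a whole-VPID flush when its page list overflows. All names, sizes and the scenario are assumptions of the example.

```c
/* Added example, not VMware code: a VPID-tagged TLB in front of a software
 * EPT, showing why an EPTE change must be paired with a flush, plus a batched
 * flush request that degrades to a whole-VPID flush when its page list
 * overflows. All names, sizes and the scenario are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define NUM_PPNS       16
#define TLB_ENTRIES    8
#define FLUSH_LIST_MAX 4

/* Authoritative EPT leaves of one VM, indexed by PPN (perm 0 = not present). */
struct ept_leaves { uint64_t mpn[NUM_PPNS]; unsigned perm[NUM_PPNS]; };

/* Translation cache standing in for the CPU's EPT TLB; each entry is tagged
 * with the VPID of the VCPU that filled it. */
struct tlb_entry { bool valid; uint16_t vpid; uint64_t ppn, mpn; unsigned perm; };
struct tlb { struct tlb_entry e[TLB_ENTRIES]; unsigned victim; };

/* Batched "large flush request": a short PPN list, or flush everything. */
struct flush_req { bool open, flush_all; unsigned n; uint64_t ppn[FLUSH_LIST_MAX]; };

/* Guest access path: a TLB hit is used as-is (which is what makes a stale
 * entry dangerous); a miss walks the EPT leaves and fills the TLB. Returns
 * the permission the access is checked against (0 = EPT violation -> HV exit). */
unsigned mem_access(struct tlb *t, const struct ept_leaves *ept, uint16_t vpid,
                    uint64_t ppn, uint64_t *mpn) {
    for (unsigned i = 0; i < TLB_ENTRIES; i++) {
        struct tlb_entry *e = &t->e[i];
        if (e->valid && e->vpid == vpid && e->ppn == ppn) {
            if (mpn) *mpn = e->mpn;
            return e->perm;
        }
    }
    if (ppn >= NUM_PPNS || ept->perm[ppn] == 0) return 0;
    struct tlb_entry *e = &t->e[t->victim++ % TLB_ENTRIES];
    *e = (struct tlb_entry){ true, vpid, ppn, ept->mpn[ppn], ept->perm[ppn] };
    if (mpn) *mpn = e->mpn;
    return e->perm;
}

void tlb_flush_page(struct tlb *t, uint16_t vpid, uint64_t ppn) {
    for (unsigned i = 0; i < TLB_ENTRIES; i++)
        if (t->e[i].vpid == vpid && t->e[i].ppn == ppn) t->e[i].valid = false;
}

/* Drops one VPID's entries only; other VMs' cached translations survive. */
void tlb_flush_vpid(struct tlb *t, uint16_t vpid) {
    for (unsigned i = 0; i < TLB_ENTRIES; i++)
        if (t->e[i].vpid == vpid) t->e[i].valid = false;
}

void flushreq_open(struct flush_req *r) { memset(r, 0, sizeof *r); r->open = true; }

/* Record one PPN; once the list is full a further page would be lost, so the
 * request is widened to "flush all" rather than dropping anything. */
void flushreq_add(struct flush_req *r, uint64_t ppn) {
    if (!r->open || r->flush_all) return;
    if (r->n == FLUSH_LIST_MAX) { r->flush_all = true; r->n = 0; return; }
    r->ppn[r->n++] = ppn;
}

void flushreq_close_and_process(struct flush_req *r, struct tlb *t, uint16_t vpid) {
    r->open = false;
    if (r->flush_all) { tlb_flush_vpid(t, vpid); return; }
    for (unsigned i = 0; i < r->n; i++) tlb_flush_page(t, vpid, r->ppn[i]);
}

/* Revoke write access on PPN 3 after the guest has touched it, with or
 * without the flush the interface leaves to the caller. Returns the
 * permission a later guest access to PPN 3 is checked against. */
unsigned downgrade_demo(bool flush_after_update) {
    struct ept_leaves ept = {0};
    struct tlb tlb = {0};
    const uint16_t vpid = 1;
    ept.mpn[3] = 0x1234; ept.perm[3] = PERM_R | PERM_W;
    (void)mem_access(&tlb, &ept, vpid, 3, NULL);   /* TLB now caches RW for PPN 3 */
    ept.perm[3] = PERM_R;                           /* VMM downgrades the EPTE */
    if (flush_after_update) {
        struct flush_req req;
        flushreq_open(&req);
        flushreq_add(&req, 3);
        flushreq_close_and_process(&req, &tlb, vpid);
    }
    return mem_access(&tlb, &ept, vpid, 3, NULL);   /* stale RW if not flushed */
}

/* True if adding 'pages' PPNs widened the request to a whole-VPID flush. */
bool overflow_demo(unsigned pages) {
    struct flush_req req;
    flushreq_open(&req);
    for (unsigned p = 0; p < pages; p++) flushreq_add(&req, p);
    return req.flush_all;
}

/* Flushing VPID 1 must leave VPID 2's entry for the same PPN intact. */
bool vpid_isolation_demo(void) {
    struct ept_leaves ept = {0};
    struct tlb tlb = {0};
    ept.mpn[5] = 0x55; ept.perm[5] = PERM_R;
    (void)mem_access(&tlb, &ept, 1, 5, NULL);
    (void)mem_access(&tlb, &ept, 2, 5, NULL);
    tlb_flush_vpid(&tlb, 1);
    return !tlb.e[0].valid && tlb.e[1].valid;
}

int main(void) {
    printf("perm checked after downgrade: no flush=%u, with flush=%u\n",
           downgrade_demo(false), downgrade_demo(true));
    printf("%d pages into a %d-entry flush list -> flush_all=%d\n",
           FLUSH_LIST_MAX + 1, FLUSH_LIST_MAX, overflow_demo(FLUSH_LIST_MAX + 1));
    return 0;
}
```

Without the flush, the guest keeps write access to a page the EPT no longer grants it; that is the window the "TLB flushing is the caller's responsibility" interfaces in 4.2.4.1 exist to close, and the overflow-to-flush-all rule is what keeps batching from ever skipping a page.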

The HV module (see 4.1: VMM Hardware Virtualization) implements virtualization of hardware virtualization (VHV) by virtualizing Intel's VT technology (VVT). The guest memory module provides the complementary technology for guest memory: virtualization of Intel's EPT, implemented as Virtualization of Nested Page Tables (hereafter VNPT). When a VM uses VVT, its inner hypervisor describes the execution of its inner guests in VT semantics and may describe inner guest memory in EPT semantics, which VNPT supports. VNPT converts the inner hypervisor's description of inner guest memory into a host-level EPT tree known as a VNPT shadow, so that inner guests execute efficiently. VNPT shadows are composed of strict subsets of a VM's primary EPT tree, with page protections at least as restrictive. Thus each VCPU runs either with the VM-global EPT tree or with one of its subsets, a VNPT shadow.
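The EPT walk, the large-page leaves and the VNPT shadow composition described in this overview, as an added example that is not VMware code: a C model of a four-level EPT with 4 KiB, 2 MiB and 1 GiB leaves whose permissions are ANDed down the walk, and of a shadow leaf for a nested guest built as the intersection of the inner hypervisor's EPT with the outer EPT, so the shadow can never be more permissive than the VM-global tree it is a subset of. All function names (ept_map, ept_walk, vnpt_shadow_map), the page pool and the addresses used are assumptions of the example; the entry bit layout follows the SDM (bits 2:0 R/W/X, bit 7 large page at levels 2 and 3, bits 51:12 address).

```c
/* Added example, not VMware code: a software model of an Intel EPT walk
 * (4 KiB, 2 MiB and 1 GiB leaves; permissions ANDed down the walk) and of a
 * VNPT-style shadow leaf built as the intersection of an inner hypervisor's
 * EPT with the outer, VM-global EPT. Every name below is hypothetical; the
 * "physical address" of a child table is simply its host pointer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EPT_R     0x1ull
#define EPT_W     0x2ull
#define EPT_X     0x4ull
#define EPT_RWX   (EPT_R | EPT_W | EPT_X)
#define EPT_LARGE 0x80ull                  /* bit 7: leaf at level 2 (2 MiB) or 3 (1 GiB) */
#define EPT_ADDR  0x000FFFFFFFFFF000ull    /* bits 51:12 */
#define LEVEL_SHIFT(level) (12 + 9 * ((level) - 1))   /* 12, 21, 30, 39 */

typedef uint64_t epte_t;

/* Constructed page pool standing in for the VMM's page allocator; each row
 * is one 4 KiB-aligned table of 512 entries. */
#define POOL_PAGES 64
static _Alignas(4096) epte_t pool[POOL_PAGES][512];
static int pool_used;

static epte_t *ept_new_table(void) {
    if (pool_used == POOL_PAGES) return NULL;
    memset(pool[pool_used], 0, sizeof pool[pool_used]);
    return pool[pool_used++];
}
static unsigned ept_index(uint64_t gpa, int level) { return (unsigned)((gpa >> LEVEL_SHIFT(level)) & 0x1ff); }
static epte_t *ept_next(epte_t e) { return (epte_t *)(uintptr_t)(e & EPT_ADDR); }

/* Install one leaf of the size given by leaf_level (1 = 4 KiB, 2 = 2 MiB,
 * 3 = 1 GiB). Intermediate entries get RWX so only the leaf decides.
 * Refuses to split an existing large page; the caller must invalidate the
 * large mapping first, as the overview describes. */
bool ept_map(epte_t *root, uint64_t gpa, uint64_t hpa, uint64_t perm, int leaf_level) {
    epte_t *table = root;
    for (int level = 4; level > leaf_level; level--) {
        epte_t *e = &table[ept_index(gpa, level)];
        if (*e & EPT_LARGE) return false;
        if ((*e & EPT_RWX) == 0) {
            epte_t *child = ept_new_table();
            if (!child) return false;
            *e = ((epte_t)(uintptr_t)child & EPT_ADDR) | EPT_RWX;
        }
        table = ept_next(*e);
    }
    uint64_t off_mask = (1ull << LEVEL_SHIFT(leaf_level)) - 1;
    epte_t leaf = (hpa & ~off_mask & EPT_ADDR) | (perm & EPT_RWX);
    if (leaf_level > 1) leaf |= EPT_LARGE;
    table[ept_index(gpa, leaf_level)] = leaf;
    return true;
}

/* Translate gpa: returns the effective R/W/X mask (0 = no translation, which
 * the CPU reports as an EPT violation and the VMM sees as an HV exit) and,
 * on success, the host address in *hpa. */
uint64_t ept_walk(const epte_t *root, uint64_t gpa, uint64_t *hpa) {
    const epte_t *table = root;
    uint64_t perm = EPT_RWX;
    for (int level = 4; level >= 1; level--) {
        epte_t e = table[ept_index(gpa, level)];
        if ((e & EPT_RWX) == 0) return 0;
        perm &= e & EPT_RWX;                 /* every level must permit the access */
        if (level == 1 || (level < 4 && (e & EPT_LARGE))) {
            uint64_t off_mask = (1ull << LEVEL_SHIFT(level)) - 1;
            if (hpa) *hpa = (e & EPT_ADDR & ~off_mask) | (gpa & off_mask);
            return perm;
        }
        table = ept_next(e);
    }
    return 0;
}

/* VNPT-style shadow for one 4 KiB nested-guest page: the inner EPT (built by
 * the hypervisor inside the VM) maps L2 gpa -> L1 gpa, the outer EPT maps
 * L1 gpa -> machine address. The shadow leaf is the composition with
 * permission = inner AND outer, so the inner hypervisor can never grant its
 * guest more than the VM-global tree allows. Returns the shadow permission. */
uint64_t vnpt_shadow_map(epte_t *shadow, const epte_t *inner, const epte_t *outer, uint64_t l2_gpa) {
    uint64_t l1_gpa = 0, mpa = 0;
    uint64_t p_inner = ept_walk(inner, l2_gpa, &l1_gpa);
    if (!p_inner) return 0;
    uint64_t p = p_inner & ept_walk(outer, l1_gpa, &mpa);
    if (!p || !ept_map(shadow, l2_gpa, mpa, p, 1)) return 0;
    return p;
}

struct ept_demo_result { uint64_t shadow_perm, shadow_mpa, unmapped_perm; };

/* Constructed scenario: the outer EPT backs L1 guest-physical [2 MiB, 4 MiB)
 * with one read/execute 2 MiB machine page at 1 GiB; the inner hypervisor
 * maps its nested guest's page 0 read/write/execute onto L1 gpa 0x201000. */
struct ept_demo_result ept_demo(void) {
    struct ept_demo_result r = {0};
    epte_t *outer = ept_new_table(), *inner = ept_new_table(), *shadow = ept_new_table();
    ept_map(outer, 0x200000, 0x40000000, EPT_R | EPT_X, 2);
    ept_map(inner, 0x0, 0x201000, EPT_RWX, 1);
    r.shadow_perm = vnpt_shadow_map(shadow, inner, outer, 0x0);   /* RWX & RX = RX */
    ept_walk(shadow, 0x0, &r.shadow_mpa);                          /* 2 MiB base + 4 KiB offset */
    r.unmapped_perm = ept_walk(outer, 0x400000, NULL);             /* nothing mapped: 0 */
    return r;
}

int main(void) {
    struct ept_demo_result r = ept_demo();
    printf("shadow perm=%llx (inner RWX & outer RX), mpa=%#llx, unmapped perm=%llu\n",
           (unsigned long long)r.shadow_perm, (unsigned long long)r.shadow_mpa,
           (unsigned long long)r.unmapped_perm);
    return 0;
}
```

The inner hypervisor's RWX request ends up as an RX shadow leaf pointing at the 4 KiB offset inside the outer 2 MiB page, which is the "strict subset, at least as restrictive" property stated above expressed as a permission AND along both walks.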



The guest memory module also maintains parallel x86 page table trees used to enable fast emulation of guest memory accesses. These trees, known as the trace tree and no-trace tree, map views of guest physical memory into VMM. These trees are not SFR-enforcing as they do not directly expose memory to the guest, but they are noteworthy in support of other modules (e.g. 4.5: VMM Instruction Emulation).

#### 4.2.1 Security Functionality (SF)

See the table in Section 4.2.2.

#### 4.2.2 Security Functional Requirement (SFR)

| Security Function (SF)             | Security Function Requirement (SFR) | Rationale                                                                                                                                                                                                                            |
|------------------------------------|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SF6.Protection of the TSF<br>(FPT) | FPT_VIV_EXT.1.1                     | The TSF shall maintain a security domain for<br>the execution of each virtual machine that<br>protects the virtual machine from interference<br>and tampering by untrusted subjects or<br>subjects from outside the scope of the VM. |

#### 4.2.3 Provided TSFI

This module has no TSFI as it is an internal module and has no exposure to outside the TOE.

#### 4.2.4.1 Internal Interfaces of the Module (General execution)

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|-----------------|----------------------|--------|------------|--------------|-----------|
| GPhysSetPTE | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | dest - pointer to PTE to set; newVal - value to set in PTE | <b>None</b> (void function). | Sets a PTE in a GPhysTree (EPT tree). |
| GPhysClearPTE | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | dest - pointer to PTE to clear; pa - physical address represented by this PTE; level - level in page table hierarchy at which this entry is wired | <b>GPhysPTE</b> - the previous value of this PTE. | Clears a PTE in a GPhysTree (EPT tree). Also clears the VMM software mapping ("NPTMap") of the EPT subtree wired by the previous PTE. |
| GPhysProtectPPN | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | bpn - (argument not used); ppn - page to protect; trace - software callback pointer to apply, if any; flushReq - description of flush (level of PTE, PTE, count); flags - new protection flags | <b>None</b> (void function). | Applies new protections to the BPN specified, if it could be translated to a PPN. Flushes TLBs as necessary. Effectively, updates the EPT tree to reflect new protections for a page. |
| GPhys_Validate | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | paddr - physical address in page; errorCode - page fault error code resulting in validation attempt; guestAccess - whether the fault resulting in validation was incurred while running the guest; respectTraces - whether to fire software callbacks for the page access | <b>Bool</b> - whether validation succeeded. If true, a mapping in the EPT tree now exists for the given paddr. | Main function to "validate" (create a new PA (PPN) => MPN mapping in the active EPT tree). Translates from PA to PPN to BPN to MPN, respecting and applying permissions at all levels. If all goes well, inserts the new translation into the EPT tree. Otherwise, fails and returns. Attempts to validate at the largest size/highest level applicable (to allow an invalidated set of small pages to become a single large page thereafter). |
| GPhysInvalidateMappingRange | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | startPPN - first PPN in range; endPPN - last PPN in range | <b>None</b> (void function). | Invalidates all PPNs in the range at all relevant levels in the EPT tree (clears mappings for all PPNs specified). |
| GPhys_InvalidatePageList | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | pageList - list of pages to invalidate; numEntries - list length (or 1); isLargePages - does the list represent 4KB pages or larger? | <b>None</b> (void function). | Invalidates a list of pages but does not flush the TLB. TLB flushing is the caller's responsibility. |
| GPhys_InvalidateBPN | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | bpn - BPN to invalidate; toLargeFlushReq - should this flush be added to an ongoing large flush request (for later TLB flush)? | <b>None</b> (void function). | Invalidates the specified BPN in the EPT tree but does not flush TLBs (allowing more efficient batching of TLB flushes). TLB flushing is the caller's responsibility. |
| BusMemInvalidateCache | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | pageList - list of pages to invalidate; req - zap request structure describing pages and release; isMPNList - zap one entry or a list?; numEntries - list length (or 1); isLargePages - does the list represent 4KB pages or larger? | <b>None</b> (void function). | Invalidates a list of pages (calls both GPhys_InvalidatePageList() and VNPT_InvalidatePageList()) and causes VM-wide TLB flushes by invoking BusMemZapPageListCC on all VCPUs. |
| GPhys_ConvertToLargeOne | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | ppn - the PPN to be converted; bpn - the BPN expected to be visible at this PPN | 0 or 1: the number of pages converted to large. | Converts 512 aligned 4 kilobyte pages with identical permissions to a single 2 megabyte mapping, or fails and does no harm. |
| GPhys_FlushAllTLBs | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Synchronously flushes all TLBs on all VCPUs in the VM. Slow, comprehensive. |
| GPhysOpenLargeFlushReq | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Opens a large flush request, which will contain a set of one or more PPNs to flush from the TLB. Used to efficiently batch flushing of many pages. |
| GPhys_AddToLargeFlushReq | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | flushReq - request to add to set (either one PPN or "flush all") | <b>None</b> (void function). | Adds one PPN (or a "flush all" command) to the current to-be-flushed set. |
| GPhys_CloseLargeFlushReq | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Closes a large flush request. |
| GPhys_ProcessLargeFlushReq | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Processes a large flush request, flushing either all PPNs in the set or the entire TLB, on the current CPU. |
| HV_FlushNestedMappings | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Invalidates the EPTP on the current CPU. |

#### 4.2.4.2 Internal Interfaces of the Module (VNPT, for nested guest memory virtualization)

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|-----------------|----------------------|--------|------------|--------------|-----------|
| VNPTSetNPTE | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>snpte</b> - shadow nested page table entry to update<br><b>val</b> - value to set<br><b>level</b> - page table level in EPT tree | <b>None</b> (void function). | Sets an EPTE in an NPT shadow (nested EPT tree). Also used to clear entries. |
| VNPT_Update | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>startBPN</b> - first (possibly only) BPN to update<br><b>action</b> - description of update action (invalidate, add or remove software callback hooks for page)<br><b>isLargePage</b> - act on one 4 kilobyte page or an aligned region of 512 4 kilobyte pages (one 2 megabyte page)? | <b>Bool</b> - whether a flush is needed after the update. | Updates an existing entry in a VNPT shadow, for either a 4 kilobyte or 2 megabyte page. Callers must flush the TLB in the relevant ASID if TRUE is returned. |
| VNPT_InvalidatePageList | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>pageList</b> - list of pages to invalidate<br><b>numEntries</b> - list length (or 1)<br><b>isLargePages</b> - does the list represent 4KB pages or larger? | <b>None</b> (void function). | Invalidates a list of pages in an NPT shadow but does not flush the TLB. TLB flushing is the caller's responsibility. |
| VNPT_HandleNPF | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>la</b> - linear address being accessed when the nested page fault was incurred<br><b>pal</b> - input physical address: the physical address causing the fault<br><b>flags</b> - description of the type of memory access (e.g. read, write, page table access) | An x86fault object pointer, representing either a specific failure or successful validation in the VNPT shadow (X86Fault_None or similar). | Attempts to handle a nested page fault while in nested guest execution via VVT. When successful, updates the VNPT shadow for the access. |
| HVFlushAllASIDs | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Invalidates all VPIDs on the current CPU. |
| VVTProcessVPID | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>Bool</b> - TRUE if a non-zero VPID was set or if the VPID control was disabled. | Sets the VPID field in the virtual CPU (based upon nested VMCS state), for future use in VT execution. |
| VNPT_FlushPhysical | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Flushes all shadow nested page table mappings from the current CPU. |

#### 4.2.5 Used interfaces of other modules

| Module Function | Module | Description | Parameters | Return Value | File |
|-----------------|--------|-------------|------------|--------------|------|
| HV_SetNestedPagingRoot | 4.1 VMM Hardware Virtualization | Sets nested paging root (EPTP) in VMCS for use in VT execution. | <b>l4MPN</b> - MPN corresponding to EPTP to populate. | <b>None</b> (void function). | vmcore/monitor/vmm/hv/vt/hv-common.h |
| VmMemPf_GetPFrameMPN | 9.5 VM volatile memory virtualization | Request the MPN backing the given BPN from the vmkernel, for memory-backed BusMem regions. (Called via 4.8: VMM/VMK interface) | <b>bpn</b> - BusMem page to translate to a machine page<br><b>mpn</b> - pointer to return the translated MPN (or INVALID_MPN on failure) | VMKCall return: VMK_OK on success, a failure code otherwise. | vmkernel/mem/vmmempf.c |
| VMKCall_GetPFrameMPN | 4.8 VMM/VMK interface | Switch to the vmkernel and call VmMemPf_GetPFrameMPN() | <b>bpn</b> - BusMem page to translate to a machine page<br><b>mpn</b> - pointer to return the translated MPN (or INVALID_MPN on failure) | VMKCall return: VMK_OK on success, a failure code otherwise. | vmcore/public/x86/vmkernelVmcoreFuncs.h |

### 4.2.6 Mapping to the Source Code

| Function | Description | File |
|----------|-------------|------|
| GPhysSetPTE | Sets a PTE in a GPhysTree (EPT tree). | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhysClearPTE | Clears a PTE in a GPhysTree (EPT tree). Also clears VMM software mapping ("NPTMap") of the EPT subtree wired by the previous PTE. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhysProtectPPN | Applies new protections to the BPN specified, if it could be translated to a PPN. Flushes TLBs as necessary. Effectively, updates the EPT tree to reflect new protections for a page. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_Validate | Main function to "validate" (create a new <b>PA (PPN)</b> => <b>MPN</b> mapping in the active EPT tree). Translates from PA to PPN to BPN to MPN, respecting and applying permissions at all levels. If all goes well, inserts the new translation into the EPT tree. Otherwise, fails and returns. Attempts to validate at the largest size/highest level applicable (to allow an invalidated set of small pages to become a singular large page thereafter). | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhysInvalidateMappingRange | Invalidates all PPNs in the range at all relevant levels in the EPT tree. (Clears mappings for all PPNs specified.) | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_InvalidatePageList | Invalidates a list of pages but does not flush the TLB. TLB flushing is the caller's responsibility. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_InvalidateBPN | Invalidates the specified BPN in the EPT tree but does not flush TLBs (allowing more efficient batching of TLB flushes). TLB flushing is the caller's responsibility. | vmcore/monitor/vmm/gphys/common/gphys.c |
| BusMemInvalidateCache | Invalidates a list of pages (calls both GPhys_InvalidatePageList() and VNPT_InvalidatePageList()) and causes VM-wide TLB flushes by invoking BusMemZapPageListCC on all VCPUs. | vmcore/monitor/vmm/main/busmem.c |
| GPhys_ConvertToLargeOne | Converts 512 aligned 4 kilobyte pages with identical permissions to a single 2 megabyte mapping, or fails and does no harm. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_FlushAllTLBs | Synchronously flushes all TLBs on all VCPUs in the VM. Slow, comprehensive. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhysOpenLargeFlushReq | Opens a large flush request, which will contain a set of one or more PPNs to flush from the TLB. Used to efficiently batch flushing of many pages. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_AddToLargeFlushReq | Adds one PPN (or "flush all" command) to the current to-be-flushed set. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_CloseLargeFlushReq | Closes a large flush request. | vmcore/monitor/vmm/gphys/common/gphys.c |
| GPhys_ProcessLargeFlushReq | Processes a large flush request, flushing either all PPNs in the set or the entire TLB, on the current CPU. | vmcore/monitor/vmm/gphys/common/gphys.c |
| HV_FlushNestedMappings | Invalidates the EPTP on the current CPU. | vmcore/monitor/vmm/hv/vt/hv-vt.c |
| VNPTSetNPTE | Sets an EPTE in an NPT shadow (nested EPT tree). Also used to clear entries. | vmcore/monitor/vmm/hv/common/vnpt-common.h |
| VNPT_Update | Updates an existing entry in a VNPT shadow, for either a 4 kilobyte or 2 megabyte page. Callers must flush the TLB in the relevant ASID if TRUE is returned. | vmcore/monitor/vmm/hv/common/vnpt-common.h |
| VNPT_InvalidatePageList | Invalidates a list of pages in an NPT shadow but does not flush the TLB. TLB flushing is the caller's responsibility. | vmcore/monitor/vmm/hv/common/vnpt-common.h |
| VNPT_HandleNPF | Attempts to handle a nested page fault while in nested guest execution via VVT. When successful, updates the VNPT shadow for the access. | vmcore/monitor/vmm/hv/common/vnpt-common.h |
| HVFlushAllASIDs | Invalidates all VPIDs on the current CPU. | vmcore/monitor/vmm/hv/vt/hv-vt.c |
| VVTProcessVPID | Sets the VPID field in the virtual CPU (based upon nested VMCS state), for future use in VT execution. | vmcore/monitor/common/hv/vt/vvt.c |
| VNPT_FlushPhysical | Flushes all shadow nested page table mappings from the current CPU. | vmcore/monitor/vmm/hv/common/vnpt-common.h |
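The interfaces in 4.2.4.2 and 4.2.6 share one contract: VNPT_InvalidatePageList, GPhys_InvalidateBPN and GPhys_InvalidatePageList drop mappings without flushing the TLB, and the caller batches the flush through the large flush request functions. The C model below, added here and not code from VMware or the TOE, shows why that contract matters: a translation removed from the table remains usable from the TLB until the flush request is processed. All Model* names, sizes and the constructed PPN/MPN values are hypothetical.

```c
/*
 * Added model (not VMware/TOE code) of the "invalidate now, flush later" contract
 * in the tables above: invalidation clears the table entry, and the TLB is flushed
 * separately through a batched flush request. All Model* names and constants are
 * hypothetical; the EPT is a PPN -> MPN array, the TLB a direct-mapped cache on one CPU.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NUM_PPNS       64
#define MODEL_TLB_SLOTS      8
#define MODEL_INVALID_MPN    UINT32_MAX
#define MODEL_FLUSH_LIST_MAX 4   /* adding more than this escalates to "flush all" */

typedef uint32_t PPN;
typedef uint32_t MPN;
typedef struct { MPN mpn[MODEL_NUM_PPNS]; } ModelEPT;   /* PPN -> MPN, or INVALID */
typedef struct { bool valid[MODEL_TLB_SLOTS]; PPN ppn[MODEL_TLB_SLOTS]; MPN mpn[MODEL_TLB_SLOTS]; } ModelTLB;
typedef struct { bool open, flushAll; size_t count; PPN list[MODEL_FLUSH_LIST_MAX]; } ModelFlushReq;

void ModelEPT_Init(ModelEPT *ept) {
   for (size_t i = 0; i < MODEL_NUM_PPNS; i++) ept->mpn[i] = MODEL_INVALID_MPN;
}
void ModelTLB_Init(ModelTLB *tlb) { memset(tlb, 0, sizeof *tlb); }

/* Translate via the TLB first; on a miss consult the table and cache the result. */
MPN ModelTranslate(const ModelEPT *ept, ModelTLB *tlb, PPN ppn) {
   size_t slot = ppn % MODEL_TLB_SLOTS;
   if (tlb->valid[slot] && tlb->ppn[slot] == ppn) return tlb->mpn[slot];   /* hit: table not consulted */
   if (ppn >= MODEL_NUM_PPNS || ept->mpn[ppn] == MODEL_INVALID_MPN) return MODEL_INVALID_MPN;
   tlb->valid[slot] = true; tlb->ppn[slot] = ppn; tlb->mpn[slot] = ept->mpn[ppn];
   return tlb->mpn[slot];
}

/* Like GPhys_InvalidateBPN: clears the table entry but does NOT flush the TLB. */
void ModelInvalidatePPN(ModelEPT *ept, PPN ppn) {
   if (ppn < MODEL_NUM_PPNS) ept->mpn[ppn] = MODEL_INVALID_MPN;
}

/* Batched flush request: open, add PPNs (or escalate to "flush all"), close, process. */
void ModelOpenFlushReq(ModelFlushReq *req) { memset(req, 0, sizeof *req); req->open = true; }
void ModelAddToFlushReq(ModelFlushReq *req, PPN ppn) {
   if (!req->open || req->flushAll) return;
   if (req->count == MODEL_FLUSH_LIST_MAX) { req->flushAll = true; req->count = 0; return; }
   req->list[req->count++] = ppn;
}
void ModelCloseFlushReq(ModelFlushReq *req) { req->open = false; }
void ModelProcessFlushReq(const ModelFlushReq *req, ModelTLB *tlb) {   /* on the current CPU */
   if (req->flushAll) { memset(tlb->valid, 0, sizeof tlb->valid); return; }
   for (size_t i = 0; i < req->count; i++) {
      size_t slot = req->list[i] % MODEL_TLB_SLOTS;
      if (tlb->valid[slot] && tlb->ppn[slot] == req->list[i]) tlb->valid[slot] = false;
   }
}

/* Scenario 1: map PPN 3 -> MPN 0x1000, warm the TLB, invalidate the entry and queue the
 * flush. Unless the request is processed, the next access still returns the stale 0x1000. */
MPN ModelAccessAfterInvalidate(bool processFlush) {
   ModelEPT ept; ModelTLB tlb; ModelFlushReq req;
   ModelEPT_Init(&ept); ModelTLB_Init(&tlb);
   ept.mpn[3] = 0x1000;
   (void)ModelTranslate(&ept, &tlb, 3);   /* caches 3 -> 0x1000 */
   ModelInvalidatePPN(&ept, 3);           /* table: unmapped; TLB: still 0x1000 */
   ModelOpenFlushReq(&req); ModelAddToFlushReq(&req, 3); ModelCloseFlushReq(&req);
   if (processFlush) ModelProcessFlushReq(&req, &tlb);
   return ModelTranslate(&ept, &tlb, 3);
}

/* Scenario 2: invalidate PPNs 0..n-1 (n <= TLB slots) through one request; returns how
 * many cached translations survive, which is 0 whenever the request is processed. */
size_t ModelStaleAfterBulkInvalidate(size_t n) {
   ModelEPT ept; ModelTLB tlb; ModelFlushReq req; size_t stale = 0;
   ModelEPT_Init(&ept); ModelTLB_Init(&tlb);
   if (n > MODEL_TLB_SLOTS) n = MODEL_TLB_SLOTS;
   for (PPN p = 0; p < n; p++) { ept.mpn[p] = 0x2000 + p; (void)ModelTranslate(&ept, &tlb, p); }
   ModelOpenFlushReq(&req);
   for (PPN p = 0; p < n; p++) { ModelInvalidatePPN(&ept, p); ModelAddToFlushReq(&req, p); }
   ModelCloseFlushReq(&req);
   ModelProcessFlushReq(&req, &tlb);
   for (size_t s = 0; s < MODEL_TLB_SLOTS; s++) stale += tlb.valid[s] ? 1 : 0;
   return stale;
}

/* Does a request holding n PPNs end up as a "flush all" command? */
bool ModelFlushReqEscalates(size_t n) {
   ModelFlushReq req;
   ModelOpenFlushReq(&req);
   for (PPN p = 0; p < n; p++) ModelAddToFlushReq(&req, p);
   ModelCloseFlushReq(&req);
   return req.flushAll;
}

int main(void) {
   printf("without flush: 0x%x (stale)   with flush: 0x%x\n",
          (unsigned)ModelAccessAfterInvalidate(false), (unsigned)ModelAccessAfterInvalidate(true));
   printf("bulk(6): stale=%zu escalated=%d\n", ModelStaleAfterBulkInvalidate(6), (int)ModelFlushReqEscalates(6));
   return 0;
}
```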

#### 4.2.7 Appendix A: Bibliography for Intel Documentation References (EPT)

| Document | Author / Company | Date | Notes |
|----------|------------------|------|-------|
| Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3C: System Programming Guide, Part 3 | Intel Corporation<br>www.intel.com | 06/30/2022 | Specific citations are in the detail table below. <b>Note:</b> Intel renumbers resources over time. These chapters and the SDM volume number are correct as of June 30, 2022. |

| Chapter name | Content |
|--------------|---------|
| (28) VMX Support for Address Translation | Explanation of EPT and related technologies |

#### 4.2.7 Appendix B: Navigating Guest Memory Module Code

The code and header files implementing the module are used across multiple products and CPU architectures. Only a subset of the code is relevant to the TOE. This table aims to simplify reading the code and header files by explaining what is included in and excluded from the TOE. Terminology clarifying the above documentation is also provided.

| Term or token            | Meaning                                                                                 | Included in TOE? |
|--------------------------|-----------------------------------------------------------------------------------------|------------------|
| vmx86_server             | Set to 1 if building ESX                                                                | Yes              |
| VMX86_SERVER (CPP token) | #defined if building ESX                                                                | Yes              |
| SERVER_ONLY()            | Macro contents defined if building ESX                                                  | Yes              |
| HOSTED_ONLY()            | Not relevant to ESX, enclosed contents omitted                                          | No               |
| vmx86_vmm                | Set to 1 if building VMM                                                                | Yes              |
| vmx86_ulm                | Set to 0 if building VMM                                                                | No               |
| ULM_ONLY()               | Not relevant to ESX, enclosed contents omitted                                          | No               |
| vmx86_release            | Set to 1 if building for releases to customers                                          | Yes              |
| vmx86_debug              | Set to 1 if building for debug builds                                                   | No               |
| vmx86_devel              | Set to 1 if building for internal developers                                            | No               |
| vmx86_vt                 | Set to 1 if building for VT support                                                     | Yes              |
| vmx86_svm                | Not relevant to VT support (AMD-specific)                                               | No               |
| vmx86_ept                | Set to 1 if building for VT support                                                     | Yes              |
| vmx86_npt                | Set to 0 if building for VT support (AMD-specific)                                      | No               |
| VCPU_InGuestOperation()  | Returns TRUE if the VCPU is running or emulating the nested guest                       | Yes              |
| GPhys_HWMMUTreeInVMK()   | FALSE for the TOE. Ignore any code in which this must be TRUE.                          | No               |
| GPHYS_TREE_HWMMU         | The 'GPhysTree' in code relevant to EPT. Other trees are used for supporting emulation. | Yes              |

#### 4.3 VMM Host Interrupts IDT, APIC, MAP (SFR-ENFORCING)

The VMM Host Interrupts IDT APIC Map module (hereafter, the "interrupt optimization module") implements optimized interrupt handling and inter-thread communication within a virtual machine. The module directly controls and uses the CPU interrupt controller hardware, in cooperation with the vmKernel (which normally controls that hardware).

A VM is composed of virtual CPUs, each of which is implemented by a thread (hereafter a "world"). The Virtual Machine Monitor ("VMM") is a kernel-mode program that implements execution of a VM. A VM contains one VMM world per virtual CPU, and the VMM worlds within a VM often run concurrently on different host PCPUs.

When the vmKernel's CPU scheduler (see 8.1: CPU Dispatcher) runs a VMM world, that VMM world takes control of the Interrupt Descriptor Table Register (hereafter "IDTR") of the CPU, so that subsequent interrupt activity runs VMM interrupt handler code instead of vmKernel interrupt handler code. When a VMM world is run, a thread-local variable is updated to hold the APIC Identifier of the physical CPU running the world. With direct control of the IDTR and knowledge of the APIC Identifier of each VMM world, the VMM worlds within a VM can send Inter-Processor Interrupts (hereafter "IPIs") directly to one another, and VMM handler code executes in response. When a VMM world stops running, it relinquishes control of the IDTR to the vmKernel.

Because the vmKernel and the VMM cooperatively share the IDTR and the interrupt controllers of the physical CPUs, the two must implement a careful protocol to guarantee non-interference. Hence the interrupt optimization module is SFR-enforcing: it must prevent VMM instances (which run proximate to the guest domain) from interfering with one another or with other host software.

IPIs, like all interrupts on x86 CPUs, are targeted via 8-bit vector numbers. The vmKernel and the VMM dedicate specific vectors to specific purposes. Two vectors are reserved for VMM IPI use: the posted interrupt vector and the general monitor IPI vector. The exact vectors for these purposes must be carefully communicated by the vmKernel to the VMM and respected by both pieces of software.
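As an added illustration, not code from VMware or the TOE, the C model below captures the protocol described above: the vmKernel hands the VMM its two reserved IPI vectors, a world's apicMap is valid only while the world runs, and an IPI is accepted only for a running VCPU of the same VM on a reserved vector. All Model* names, the vector values 0xE1/0xE2 and the APIC ids 7 and 9 are hypothetical, and the refusal codes are this model's way of expressing the requirement, not the actual behaviour of ApicMap_InterruptVcpuid.

```c
/*
 * Added model (not VMware/TOE code) of the apicMap / reserved-vector protocol
 * described above. All Model* names, the APIC ids and the sample vectors are
 * hypothetical. It shows the two properties the text requires: a VMM world can
 * be targeted only while it is running (its apicMap holds a PCPU APIC id), and
 * only on one of the two IPI vectors the vmKernel reserved for the VMM.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_VCPUS        4
#define MODEL_INVALID_APIC_ID  UINT32_MAX

typedef uint32_t Vcpuid;
typedef uint8_t  Vector;   /* x86 interrupt vectors are 8-bit */

/* What the vmKernel returns to the monitor: its two reserved IPI vectors. */
typedef struct { Vector monitorIPIVector; Vector hvIPIVector; } ModelIntInfo;

typedef struct { Vcpuid id; uint32_t apicMap; } ModelWorld;

typedef struct {
   ModelIntInfo intInfo;
   ModelWorld   worlds[MODEL_MAX_VCPUS];
   uint32_t     lastApicId;   /* destination of the most recent IPI actually sent */
   Vector       lastVector;
   size_t       numSent;
} ModelVM;

typedef enum { MODEL_IPI_SENT, MODEL_IPI_BAD_VCPU, MODEL_IPI_NOT_RUNNING, MODEL_IPI_BAD_VECTOR } ModelIPIResult;

/* Constructed sample of the vmKernel's answer to VMKCall_VMKGetIntInfo. */
bool ModelVMKGetIntInfo(ModelIntInfo *out) {
   out->monitorIPIVector = 0xE1;   /* hypothetical values */
   out->hvIPIVector = 0xE2;
   return true;
}

void ModelVM_Init(ModelVM *vm) {
   memset(vm, 0, sizeof *vm);
   ModelVMKGetIntInfo(&vm->intInfo);
   vm->lastApicId = MODEL_INVALID_APIC_ID;
   for (Vcpuid v = 0; v < MODEL_MAX_VCPUS; v++) {
      vm->worlds[v].id = v;
      vm->worlds[v].apicMap = MODEL_INVALID_APIC_ID;   /* not running: cannot receive IPIs */
   }
}

/* WorldRestoreApicMap: the world is about to run on the PCPU with this APIC id. */
void ModelWorldRestoreApicMap(ModelVM *vm, Vcpuid v, uint32_t pcpuApicId) { vm->worlds[v].apicMap = pcpuApicId; }
/* WorldSaveApicMap: the world stops running and can no longer receive IPIs. */
void ModelWorldSaveApicMap(ModelVM *vm, Vcpuid v) { vm->worlds[v].apicMap = MODEL_INVALID_APIC_ID; }

/* Only the two vectors handed over by the vmKernel may be used for monitor IPIs. */
bool ModelIsReservedIPIVector(const ModelVM *vm, Vector vec) {
   return vec == vm->intInfo.monitorIPIVector || vec == vm->intInfo.hvIPIVector;
}

/* ApicMap_InterruptVcpuid model: refuse anything outside the agreed protocol. */
ModelIPIResult ModelInterruptVcpuid(ModelVM *vm, Vcpuid v, Vector ipiVec) {
   if (v >= MODEL_MAX_VCPUS) return MODEL_IPI_BAD_VCPU;                    /* not a VCPU of this VM */
   if (!ModelIsReservedIPIVector(vm, ipiVec)) return MODEL_IPI_BAD_VECTOR; /* would collide with a vmKernel vector */
   if (vm->worlds[v].apicMap == MODEL_INVALID_APIC_ID) return MODEL_IPI_NOT_RUNNING;
   vm->lastApicId = vm->worlds[v].apicMap;   /* a real monitor would program the local APIC here */
   vm->lastVector = ipiVec;
   vm->numSent++;
   return MODEL_IPI_SENT;
}

/* Scenario: VCPU 1 runs on the PCPU with APIC id 7; VCPU 2 ran on APIC id 9 but was descheduled. */
static void ModelSetupScenario(ModelVM *vm) {
   ModelVM_Init(vm);
   ModelWorldRestoreApicMap(vm, 1, 7);
   ModelWorldRestoreApicMap(vm, 2, 9);
   ModelWorldSaveApicMap(vm, 2);
}

ModelIPIResult ModelScenarioResult(Vcpuid target, Vector vec) {
   ModelVM vm; ModelSetupScenario(&vm);
   return ModelInterruptVcpuid(&vm, target, vec);
}

/* APIC id the IPI was sent to in the scenario, or MODEL_INVALID_APIC_ID if it was refused. */
uint32_t ModelScenarioDestination(Vcpuid target, Vector vec) {
   ModelVM vm; ModelSetupScenario(&vm);
   (void)ModelInterruptVcpuid(&vm, target, vec);
   return vm.lastApicId;
}

int main(void) {
   printf("VCPU1 on reserved vector: %d (dest APIC %u)\n",
          (int)ModelScenarioResult(1, 0xE1), (unsigned)ModelScenarioDestination(1, 0xE1));
   printf("VCPU2 (descheduled):      %d\n", (int)ModelScenarioResult(2, 0xE1));
   printf("VCPU1 on vector 0x20:     %d\n", (int)ModelScenarioResult(1, 0x20));
   return 0;
}
```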

## 4.3.1 Security Functionality (SF)

See the table in Section 4.3.2.

## 4.3.2 Security Functional Requirement (SFR)

| Security Function (SF)          | Security Function Requirement (SFR) | Rationale                                                                                                                                                                                                                |
|---------------------------------|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1                     | The TSF shall maintain a security domain for the execution of each virtual machine that protects the virtual machine from interference and tampering by untrusted subjects or subjects from outside the scope of the VM. |

#### 4.3.3 Provided TSFI

This module has no TSFI: it is an internal module with no exposure outside the TOE.

#### 4.3.4.1 Internal Interfaces of the Module

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|-----------------|----------------------|--------|------------|--------------|-----------|
| ApicMap_InterruptVcpuid | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>v</b> - the Vcpuid of the VCPU to interrupt<br><b>ipiVec</b> - the Inter-Processor Interrupt Vector to use | <b>None</b> (void function). | Interrupts a specified VCPU within this VM using the vector given. |
| Platform_GetMonitorIPIVector | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | An interrupt vector | Gets the IPI vector reserved by the platform (vmKernel) for general monitor use. |
| Platform_GetHVIPIVector | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | An interrupt vector | Gets the IPI vector reserved by the platform (vmKernel) for posted interrupt/HV use. |
| VMKCall_VMKGetIntInfo | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>inData</b> - return pointer for kernel interrupt information | A VMKCall return status (VMK_OK on success). | Acquires interrupt information from the vmKernel, including IPI vectors for the monitor to use. |
| IDT_NullGate | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>regs</b> - exception frame provided when hardware raises an interrupt (including IPIs). | <b>None</b> (void function). | Monitor handler quickly called when an IPI is sent to a CPU running a VMM world. |
| WorldSaveApicMap | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>w</b> - world that is transitioning from running to not running | <b>None</b> (void function). | Unsets the apicMap variable for this VMM world, as it is no longer running and thus cannot receive IPIs. |
| WorldRestoreApicMap | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>w</b> - world that is transitioning from running to not running | <b>None</b> (void function). | Sets the apicMap variable to the physical CPU's APIC Id for this VMM world, as it is about to run and can thus receive IPIs. |
| WorldArchSharedAreaVcpuInit | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>world</b> - VMM world being initialized. | VMK_ReturnStatus - VMK_OK on successful initialization, or an error otherwise. | Initializes the pointer to the world's apicMap variable for later population when the VMM world is run or finishes running. |

## 4.3.4 Used interfaces of other modules

None.

## 4.3.5 Mapping to the Source Code

| Function | Description | File |
|---|---|---|
| ApicMap_InterruptVcpuid | Interrupts a specified VCPU within this VM using the vector given. | vmcore/monitor/vmm/main/apicmap.c |
| Platform_GetMonitorIPIVector | Gets the IPI vector reserved by the platform (vmKernel) for general monitor use. | vmcore/monitor/common/public/platform_vmk.h |
| Platform_GetHVIPIVector | Gets the IPI vector reserved by the platform (vmKernel) for posted interrupt/HV use. | vmcore/monitor/common/public/platform_vmk.h |
| VMKCall_VMKGetIntInfo | Acquires interrupt information from the vmKernel, including IPI vectors for the monitor to use. | vmcore/public/x86/vmKernelVmcoreFuncs.h |
| IDT_NullGate | Monitor handler quickly called when an IPI is sent to a CPU running a VMM world. | vmcore/monitor/vmm/cpu/idt.c |
| WorldSaveApicMap | Unsets apicMap variable for this VMM world, as it is no longer running and thus cannot receive IPIs. | vmKernel/main/x86/world_int_arch.h |
| WorldRestoreApicMap | Sets apicMap variable to the physical CPU's APIC Id for this VMM world, as it is about to run and can thus receive IPIs. | vmKernel/main/x86/world_int_arch.h |
| WorldArchSharedAreaVcpuInit | Initializes pointer to world's apicMap variable for later population when the VMM world is run or finishes running. | vmKernel/main/x86/world.c |

## 4.3.6 Appendix A: Navigating Interrupt Optimization Module Code

The code and header files implementing the module are used across multiple products and CPU architectures. Only a subset of the code is of relevance to the TOE. This table endeavors to simplify reading code and header files by explaining what is included and excluded from the TOE. Terminology clarifying the above documentation is also provided.

| Term or token | Meaning | Included in TOE? |
|---|---|---|
| vmx86_server | Set to 1 if building ESX | Yes |
| VMX86_SERVER (CPP token) | #defined if building ESX | Yes |
| SERVER_ONLY() | Macro contents defined if building ESX | Yes |
| HOSTED_ONLY() | Not relevant to ESX, enclosed contents omitted | No |
| vmx86_vmm | Set to 1 if building VMM | Yes |
| vmx86_ulm | Set to 0 if building VMM | No |
| ULM_ONLY() | Not relevant to ESX, enclosed contents omitted | No |
| vmx86_release | Set to 1 if building for releases to customers | Yes |
| vmx86_debug | Set to 1 if building for debug builds | No |
| vmx86_devel | Set to 1 if building for internal developers | No |
| VMM_BOOTSTRAP | Set to 0 for general VMM run-time | No |
| Files and directories containing arm64 | Not relevant to Intel/x86 product | No |

## 4.4 VMM Hot Path (SFR-NON-INTERFERING)

The Virtual Machine Monitor (hereafter "VMM") in the TOE executes the guest domain (hereafter "VM") using Intel's VT via the VMM Hardware Virtualization module (see 4.2: VMM Hardware Virtualization, hereafter the "HV module"). The HV module tends to run in a loop, entering guest execution via an "HV resume" followed by the guest execution exiting and returning to VMM, in the HV module's "HV exit" code path. The VMM Hot Path module (hereafter "Hot Path module") attempts to optimize handling of HV exit reasons and qualifications and quick return to HV resume.

The Hot Path module quickly checks for various common and easily-handled exit causes. For example, if a guest operating system writes to the Virtual CPU's interrupt controller (the Advanced Programmable Interrupt Controller, known as the APIC), the exit qualification describes this write, and the Hot Path module calls virtual APIC update code to quickly update APIC state in the virtual CPU, then returns such that the HV module can HV resume. If the Hot Path module fails to quickly handle an HV exit (whether because it was an uncommon exit, or because handling failed due to some uncommon circumstance), the Hot Path module calls what is known as the "slow path", relying upon software emulation (see 4.5: VMM Instruction Emulation, hereafter "Instruction Emulation module") to handle the exit and return.

The Hot Path module implements separate functionality for handling HV exits while in nested guest execution (see 4.2 for an explanation of nested virtualization). Special cases for nested guest execution and its optimization necessitate different handling, both for functional correctness and performance reasons. Some common code is used in handlers for both the non-nested and nested guest fast paths for HV exit handling.

The Hot Path module uses various portions of VMM in support of its fast handling of HV exits, as well as the instruction emulation module.

Because the Hot Path module does not act upon state relevant to SFR enforcement and manipulates software state in service of handling HV exits, it is SFR-NON-INTERFERING. It is essentially glue between modules within VMM, optimized for performance.

## 4.4.1 Mapping to the Source Code

| Function | Description | File |
|---|---|---|
| HVTryFastExit | Attempts to quickly handle an HV exit. If the exit can be quickly handled, finishes with HV Resume. If the exit cannot be handled, returns, such that the caller (HVExit) can call the slow path. | vmcore/monitor/vmm/hv/vt/hv-common.h |
| HVTryFastNestedExit | Attempts to quickly handle an HV exit raised while running a nested guest. If the exit can be quickly handled, finishes with HV Resume. If the exit cannot be handled, returns, such that the caller (HVExit) can call the slow path. | vmcore/monitor/vmm/hv/vt/hv-common.h |

## 4.5 VMM Instruction Emulation (SFR-NON-INTERFERING)

The Virtual Machine Monitor (hereafter "VMM") implements Virtual CPUs to run Virtual Machines. Virtual CPUs are implemented in accordance with Intel specifications for CPUs. Execution of a Virtual Machine is performed via the VMM Hardware Virtualization module (see 4.2, hereafter "HV module") utilizing Intel's VT. HV implements much of a correct and fast virtual CPU. Occasionally, VMM must emulate an instruction (as HV might otherwise infinitely loop, blocked by some attribute imposed upon VM execution by VMM). For example, if VMM requests a software callback before VM access to a particular page of memory, Intel's VT will exit to VMM (via an HV exit), and re-entry (via an HV resume) would simply result in another, identical exit. The Virtual CPU would not move forward. To unblock such instances, VMM contains an instruction emulation engine.

The VMM Instruction Emulation module (hereafter "Emulation module") implements the capability to emulate any valid instruction in any valid situation with any valid arguments, within a virtual CPU. Instruction emulation is slow, as it is a software implementation of all steps a CPU would perform to run an instruction (including complex instructions), and emulation must also produce all correct results, effects and side-effects of the instruction's execution. Emulating a single instruction might take 1000 times as long in software emulation as in HV execution. The Emulation module implements decoding of an instruction including all instruction prefixes, execution of the instruction including emulation of any relevant guest register or memory accesses, potential faulting if execution dictates a fault be raised, and possible indirect software side-effects.

To decode an instruction, the Emulation module contains an x86 instruction decoder aware of all possible instructions and their encodings and meanings. The Emulation module contains code called the interpreter which can "interpret" a single instruction, once decoded. The interpreter implements emulation of every valid instruction encoding. Memory accessed by instructions is handled by accesses to the VMM-mapped view of guest memory provided by 4.2: VMM HV Memory Management. Software state of the virtual CPU, from general-purpose to special-purpose registers, may be read or updated by the interpreter. The interpreter may call out to supporting functionality related to, for example, privileged instruction state (i.e., instructions which run in the more privileged guest kernel mode, as opposed to guest user mode). As many instructions use different parts of the virtual CPU, various different functions provided by different code files may be called.

The Emulation module also contains a fast emulation engine known as HVSimulate. HVSimulate is a system to more quickly emulate one or more instructions (up to a maximum of twelve) from a small lexicon of simple and well-defined instructions. HVSimulate creates and manages a cache of instructions at which HV exits repeatedly occur, and at the third occurrence of such an exit, HVSimulate creates a "translation" of the instruction. This translation allows the Emulation module to amortize the cost of decoding an instruction, and to create an executable equivalent portion of emulation code to re-use when such an instruction is encountered again. HVSimulate then potentially builds chains of consecutive instructions (from its limited lexicon, with various simplifying constraints) to create larger translations. The HVSimulate engine within the Emulation module is the entrypoint to the Emulation module from the VMM Fast Path module. If HVSimulate lacks a translation (as the instruction may never have been seen before, or it is invalid for translation), it falls back to the interpreter, which is guaranteed to succeed in instruction emulation.

The Emulation module operates purely on software, virtual CPU state within the VMM program, to ensure forward progress of the virtual CPU as part of "slow path" operation. As such, it is SFR-NON-INTERFERING.
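The following C is an added model of the HVSimulate policy described above (an exit cache keyed by guest instruction, translation on the third exit at the same instruction, chains of up to twelve consecutive lexicon instructions, and fallback to the interpreter for everything else). It is not the Emulation module's code: the instruction kinds, the hash function, the counters and the sample guest code are constructed for illustration; only the threshold and the chain limit follow the numbers in the text.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of HVSimulate's exit cache and translation policy (added example, not the
 * Emulation module's code). Instruction kinds, the hash and the sample code are
 * constructed; the threshold and chain limit follow the numbers in the text. */

#define HVSIM_TRANSLATE_AT 3    /* translate on the third exit at the same instruction */
#define HVSIM_MAX_CHAIN    12   /* longest chain of consecutive translated instructions */
#define HVSIM_SLOTS        64

enum insn_kind { INSN_MOV_TO_APIC, INSN_OR_MEM, INSN_COMPLEX };   /* first two: in the lexicon */

struct guest_insn { uint64_t rip; enum insn_kind kind; };

static bool in_lexicon(enum insn_kind k) { return k != INSN_COMPLEX; }

struct hvsim_entry { uint64_t rip; unsigned exits, chain_len; bool valid, translated; };

struct hvsim {
    struct hvsim_entry slots[HVSIM_SLOTS];
    unsigned translations, sim_hits, interp_steps;   /* counters for the demonstration */
};

void hvsim_init(struct hvsim *s) { *s = (struct hvsim){0}; }

/* Open-addressing lookup keyed by guest RIP; inserts an empty entry on a miss. */
static struct hvsim_entry *hvsim_lookup(struct hvsim *s, uint64_t rip)
{
    unsigned h = (unsigned)((rip * 0x9E3779B97F4A7C15ULL) >> 58);   /* top 6 bits */
    for (unsigned i = 0; i < HVSIM_SLOTS; i++) {
        struct hvsim_entry *e = &s->slots[(h + i) % HVSIM_SLOTS];
        if (!e->valid) { e->valid = true; e->rip = rip; return e; }
        if (e->rip == rip) return e;
    }
    return NULL;   /* cache full: treated as "no translation" */
}

/* The interpreter is the guaranteed fallback: one instruction per call. */
static size_t interp_step(struct hvsim *s) { s->interp_steps++; return 1; }

/* Handle an HV exit at code[idx]; returns how many guest instructions were completed. */
size_t hvsim_handle_exit(struct hvsim *s, const struct guest_insn *code, size_t n, size_t idx)
{
    if (!in_lexicon(code[idx].kind))
        return interp_step(s);                 /* outside the lexicon: never translated */

    struct hvsim_entry *e = hvsim_lookup(s, code[idx].rip);
    if (e == NULL)
        return interp_step(s);

    if (!e->translated && ++e->exits >= HVSIM_TRANSLATE_AT) {
        /* amortize decoding: translate this instruction and chain the following ones */
        unsigned len = 0;
        while (idx + len < n && len < HVSIM_MAX_CHAIN && in_lexicon(code[idx + len].kind))
            len++;
        e->chain_len = len;
        e->translated = true;
        s->translations++;
    }
    if (e->translated) {
        s->sim_hits++;
        return e->chain_len;
    }
    return interp_step(s);
}

/* Constructed guest code: 16 instructions, all in the lexicon except the one at index 14. */
void build_sample_code(struct guest_insn *code, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        code[i].rip = 0x1000 + 4 * i;
        code[i].kind = (i == 14) ? INSN_COMPLEX : (i % 2 ? INSN_OR_MEM : INSN_MOV_TO_APIC);
    }
}

int main(void)
{
    struct guest_insn code[16];
    struct hvsim sim;
    build_sample_code(code, 16);
    hvsim_init(&sim);
    for (int i = 0; i < 5; i++)
        printf("exit at 0x%llx handled %zu insn(s)\n", (unsigned long long)code[0].rip,
               hvsim_handle_exit(&sim, code, 16, 0));
    printf("translations=%u sim_hits=%u interp_steps=%u\n",
           sim.translations, sim.sim_hits, sim.interp_steps);
    return 0;
}
```

The first two exits at an instruction go to the interpreter; the third builds a translation that thereafter completes a whole chain per exit, which is where the amortization the text describes comes from. An instruction outside the lexicon never enters the cache and is always interpreted.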

## 4.5.1 Mapping to the Source Code

| Function | Description | File |
|---|---|---|
| HVSim_Try | Attempts to efficiently emulate one or more instructions using HVSimulate. Run-time entrypoint to HVSimulate. | vmcore/monitor/common/hv/hvsimulate.c |
| Interp_Step | Emulates one guest instruction, delivering any resulting faults to the guest. Run-time entrypoint to the interpreter. | vmcore/monitor/common/cpu/x86/interp.c |
| Decoder_DecodeAtVCPU | Decodes the next guest instruction at the VCPU's current program counter. Run-time entrypoint to the interpreter for emulation of an instruction. | vmcore/monitor/common/cpu/x86/decoderMonitor.c |

## 4.5.2 Appendix A: Published Technical Research Bibliography

| Document | Author / Company | Date | Notes |
|---|---|---|---|
| Software Techniques for Avoiding Hardware Virtualization Exits | Ole Agesen, Jim Mattson, Radu Rugina, Jeffrey Sheldon, VMM team, VMware | | Describes the techniques used in HVSimulate for workloads of relevance in the year 2012. Workloads have changed but much of the paper is still accurate and applicable to HVSimulate code in the TOE. |

## 4.6 VMM Guest Interrupts (SFR-NON-INTERFERING)

Virtual guest interrupts (hereafter "virtual interrupts") are a software construct implemented in virtual hardware. The Virtual Machine Monitor (hereafter "VMM") implements virtual interrupts in the VMM Guest Interrupt module (hereafter "Interrupt module"). A virtual machine (hereafter "VM") uses a virtual interrupt controller (hereafter "virtual APIC" or "VAPIC") to program interrupt behavior in a virtual CPU. The Interrupt module implements the virtual interrupt controller and the delivery of virtual interrupts to the VM.

Virtual interrupts are asynchronous events which alter execution within a VM's software under various conditions. A virtual device, for example, may raise a virtual interrupt for delivery. One VCPU may request, via the virtual interrupt, an Inter-Processor Interrupt (hereafter "IPI") on another VCPU within the same VM. Regardless of the interrupt source, the Interrupt module implements VAPIC as well as interrupt delivery to the VM.

When entering VT execution (see 4.2: VMM Hardware Virtualization, hereafter "HV module"), the VMCS contains an interrupt state for the VCPU. If the interrupt state encodes that an interrupt is to be raised, VT will accordingly alter VM execution, such that the VCPU appropriately reacts to the interrupt and can handle it. The VM's software likely then interacts with the CPU and APIC to acknowledge, handle and end handling of the interrupt. The HV module also allows for an optimized form of external interrupt injection without the need to exit from VT execution, via "posted interrupts". The Interrupt module relies upon the HV module for this functionality.

All virtual interrupt controller state, all virtual devices capable of raising virtual interrupts and all CPU functionality related to virtual interrupts is VM-local, software-implemented and self-contained within a VMM instance. As such, the Interrupt module is SFR-NON-INTERFERING.

## 4.6.1 Mapping to the Source Code

| Function | Description | File |
|---|---|---|
| APICSendInterrupt | Cause a virtual interrupt to be delivered to a specified Virtual CPU. | vmcore/monitor/common/intr/x86/apic.c |
| APIC_PostIntr | Delivers a virtual interrupt to a remote Virtual CPU using posted interrupts (such that the remote VCPU may not exit VT at all to receive this interrupt). | vmcore/public/x86/apic_shared.h |

## 4.7 VMM Timekeeping (SFR-NON-INTERFERING)

The perception of time is important in operating system and application software, whether run on a physical machine or in a virtual machine. While physical CPUs and platforms implement rigid, precise timekeeping, virtual CPUs and platforms run with additional overhead, due to both virtualization overheads and time-shared scheduling. Operating systems and application software nonetheless have requirements and expectations, regardless of whether run physically or virtually.

The VMM Timekeeping module (hereafter "Timekeeping module") accommodates the time-perception needs of software within a VM. VM software largely perceives time via reads of the CPU cycle clock (using the RDTSC instruction or variants thereof) and by the VM's interaction with virtual timer hardware.

A VM's cycle clock runs at a constant rate based upon the CPU clock rate evident to the VM at the time it powered on, based upon the underlying physical CPU's clock rate. Thereafter, even if the VM migrates to another host with a different physical CPU clock rate, the VM will maintain the perception of the original clock rating. This requires scaling of reads of the TSC, which the Timekeeping module must provide.

The virtual CPU cycle clock must also be monotonic across all VCPUs within a VM: successive reads must always yield increasing values. The Timekeeping module must provide this.

Ideally, virtualization overheads related to timekeeping should be minimized, for performance. Thus the Timekeeping module endeavors to avoid overheads when the VM reads the VCPU's cycle clock, by use of VT controls to automatically scale or offset RDTSC responses without incurring an HV exit. (For VT control and HV exit discussion, see 4.1: VMM Hardware Virtualization).

Operating system software programs hardware timers to fire either periodically or at fixed times in the future. Virtual hardware implementing such timers must overcome additional challenges as compared to a physical host, because virtualization incurs additional overheads and because it is possible that a timer for a VM would fire while the VM is not scheduled by the host operating system. It is the Timekeeping module's responsibility to mitigate virtualization overheads and to endeavor to cause virtual timer interrupts to fire with approximately the accuracy expected on physical hosts.

Virtual hardware which indirectly relies upon timers must also behave coherently with overtly VM-visible timers.

To satisfy a need for coherent timers and timer-based operations, both visible to the VM directly via virtual hardware timer devices and indirectly via other means, the Timekeeping module implements a system called TimeTracker. This system provides a virtual clock source and a notion of "apparent time" to the VM. Various clients draw upon this same clock source.

Because virtual time is entirely confined to an individual VM and not exposed to other VMs or host software, the Timekeeping module is SFR-NON-INTERFERING.
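The scaling, re-anchoring and monotonicity requirements described above can be made concrete with a small model. The following C is an added example written for this edition and is not TimeTracker or any other VMware code; the struct and function names, the 3.0 GHz and 2.0 GHz host rates and the TSC samples are constructed for illustration. It shows the software answer to an exiting RDTSC, the re-anchoring that preserves the power-on rate after a move to a host with a different TSC rate, the clamp that keeps reads monotonic across VCPUs, and the VMCS multiplier/offset pair (VT's TSC scaling uses a fixed-point multiplier with 48 fractional bits) under which the hardware produces the same answer without an exit.

```c
#include <stdint.h>
#include <stdio.h>

/* Virtual TSC model (added example, not VMware's TimeTracker code). It keeps the
 * rate the VM observed at power-on, re-anchors when the VM moves to a host with a
 * different TSC rate, and guarantees monotonic reads across VCPUs. Clock rates and
 * TSC samples below are constructed; struct/function names are assumptions. */

#define TSC_FRAC_BITS 48   /* VT's TSC multiplier is fixed point with 48 fractional bits */

struct vtsc {
    uint64_t guest_hz;    /* rate the VM perceives; fixed for the VM's lifetime */
    uint64_t host_hz;     /* rate of the physical TSC the VM currently runs on */
    uint64_t host_base;   /* host TSC sample at which guest_base was established */
    uint64_t guest_base;  /* guest TSC value corresponding to host_base */
    uint64_t last_read;   /* highest value handed to any VCPU so far */
};

/* x * num / den without intermediate overflow (128-bit intermediate, GCC/Clang). */
static uint64_t mul_div(uint64_t x, uint64_t num, uint64_t den)
{
    return (uint64_t)(((unsigned __int128)x * num) / den);
}

void vtsc_power_on(struct vtsc *t, uint64_t host_hz, uint64_t host_tsc_now)
{
    t->guest_hz = host_hz;          /* the VM's clock rate is fixed here, once */
    t->host_hz = host_hz;
    t->host_base = host_tsc_now;
    t->guest_base = 0;
    t->last_read = 0;
}

/* Software path: the value an exiting RDTSC is answered with. */
uint64_t vtsc_read(struct vtsc *t, uint64_t host_tsc_now)
{
    uint64_t v = t->guest_base +
                 mul_div(host_tsc_now - t->host_base, t->guest_hz, t->host_hz);
    if (v < t->last_read)           /* a VCPU that sampled an older host TSC must not go backwards */
        v = t->last_read;
    t->last_read = v;
    return v;
}

/* Migration: freeze the guest clock at its value when the VM stopped on the old
 * host, then re-anchor it to the new host's TSC and rate. guest_hz is untouched. */
void vtsc_migrate(struct vtsc *t, uint64_t old_host_tsc_at_stop,
                  uint64_t new_host_hz, uint64_t new_host_tsc_at_resume)
{
    t->guest_base = vtsc_read(t, old_host_tsc_at_stop);
    t->host_hz = new_host_hz;
    t->host_base = new_host_tsc_at_resume;
}

/* Hardware path: VMCS TSC multiplier and offset so that VT answers RDTSC without an
 * exit as guest = ((host * mult) >> 48) + offset. The offset wraps modulo 2^64,
 * which is how the CPU adds it. */
void vtsc_vmcs_controls(const struct vtsc *t, uint64_t *mult, uint64_t *offset)
{
    uint64_t m = (uint64_t)(((unsigned __int128)t->guest_hz << TSC_FRAC_BITS) / t->host_hz);
    uint64_t scaled_base = (uint64_t)(((unsigned __int128)t->host_base * m) >> TSC_FRAC_BITS);
    *mult = m;
    *offset = t->guest_base - scaled_base;
}

/* What the CPU computes for a guest RDTSC under those controls. */
uint64_t vtsc_hw_read(uint64_t host_tsc_now, uint64_t mult, uint64_t offset)
{
    return (uint64_t)(((unsigned __int128)host_tsc_now * mult) >> TSC_FRAC_BITS) + offset;
}

int main(void)
{
    struct vtsc t;
    uint64_t mult, off;

    vtsc_power_on(&t, 3000000000ULL, 1000000ULL);            /* 3.0 GHz host, constructed */
    printf("after 1 s on host A: %llu\n", (unsigned long long)vtsc_read(&t, 3001000000ULL));
    vtsc_migrate(&t, 3001000000ULL, 2000000000ULL, 500ULL);   /* move to a 2.0 GHz host */
    printf("after 1 s on host B: %llu\n", (unsigned long long)vtsc_read(&t, 2000000500ULL));
    vtsc_vmcs_controls(&t, &mult, &off);
    printf("hardware path agrees: %llu\n", (unsigned long long)vtsc_hw_read(2000000500ULL, mult, off));
    return 0;
}
```

After one second on each host the VM has counted 3,000,000,000 cycles both times, even though the second host's TSC advanced by only 2,000,000,000: the guest rate is fixed at power-on and the host delta is scaled. The clamp in `vtsc_read` is what turns a per-VCPU computation into a VM-wide monotonic clock; the VMCS controls remove the exit entirely for the common case, and the software path remains the reference the controls are derived from.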

## 4.7.1 Mapping to the Source Code

| Function | Description | File |
|---|---|---|
| TimeTracker_ApparentTime | Calculates and returns a current "apparent time" in units of CPU cycles. Used by various devices and other portions of TimeTracker. | vmcore/monitor/common/main/x86/timeTracker.c |

## 4.8 [vmKernel] VMM-VMK (SFR-ENFORCING)

The VMM-VMK Entry module manages run-time edges between execution of one thread of the Virtual Machine Monitor (hereafter "VMM") and the vmKernel. Two types of switches are managed: the start and end of run of a VMM thread (hereafter "VMM world" in VMware nomenclature), and the switch within a VMM world between the vmKernel context and the VMM context.

The vmKernel's CPU dispatcher (see 8.1: CPU dispatcher) causes worlds to run. When a world is run or finishes running, a context switch is effected (hereafter, "world switch") between the previously-running world and the next world to run. World switching saves CPU state of the previous world into memory and then loads state from memory to the CPU for the next world. For performance and correctness, VMM worlds contain specialized state which must be switched in addition to regular world-switch. The VMM-VMK Entry module implements this extra world switching for VMM worlds. Not only is some state saved and loaded, but some state is also flushed. Some of this switched state is relevant to SFR-enforcement.

Within a VMM world, two contexts exist: the vmKernel context and the VMM context. The VMM context takes nearly full control of the CPU and cooperatively shares the CPU with the vmKernel context. The VMM context enters the vmKernel context by effecting a specialized form of call (hereafter "VMKCall"). The VMM is re-entered from the vmKernel when a VMKCall returns. The VMM-VMK Entry module implements VMKCalls and returns from VMKCalls.

The VMM-VMK Entry module optimizes performance by minimizing the frequency and timing of some necessary operations. World switches are far less common than VMKCalls and VMKCalls are less common than HV Exits (see 4.1: VMM Hardware Virtualization). Many operations must be performed before leaving the VMM context or before world-switching to another world. Such operations can potentially be deferred to less common code paths (e.g. VMKCall, world switch).

Intel CPUs implement some functionality by use of Model-Specific Registers (hereafter "MSRs"). Some MSRs are benign, regardless of value, in some contexts. For example, in kernel-level software, the MSRs related to user-level system call handling are not relevant and can contain any valid value. Only when the CPU may run user-level software is it important to ensure that such MSRs contain appropriate values. To optimize VMM performance (recall that VMM is a kernel-level program), the VM is sometimes allowed read/write access to such MSRs, and the MSR values stay loaded into the CPU until world-switch, at which time appropriate values are loaded. This functionality is managed by the MonMSR portion of the module.

Intel CPUs also contain special state related to virtualization, which is only relevant while running VMM worlds. As such, non-VMM worlds do not need to flush or reload this state - it is benign during execution of non-VMM worlds. For performance reasons, some virtualization-related CPU state is not reloaded or flushed until a new VMM world runs on a CPU. In VMware nomenclature, a CPU is considered "tainted" if the last VMM world to run on the CPU is not the current VMM world. The VMM-VMK Entry module reloads and/or flushes relevant CPU resources before their use by a new VMM world, if the CPU is tainted. (Note that if a CPU runs a VMM world, followed by a non-VMM world, followed by the initial VMM world again, no tainting occurs and there is no need for reloading/flushing).

Because the benign CPU state is loaded while running VMM or other host software, the VMM-VMK Entry module is SFR-Enforcing. The module is responsible for guaranteeing that such CPU state is benign, and that reloads and/or flushes occur to shield other software in the TOE from interference.
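To make the deferral and tainting rules above concrete, the following C is an added model written for this edition; it is not the VMM-VMK Entry module's code. IA32_STAR and IA32_LSTAR are the architectural syscall MSRs, used here as stand-ins for the "benign in kernel context" MSRs the text describes; the world ids, flag names, counters and register values are constructed. Counters on the modelled CPU show that a VMM world returning to the CPU after a vmKernel world incurs no flush and no MSR load, while a different VMM world triggers both, and that an MSR a world has marked unused is left with whatever value the previous world loaded.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of deferred MSR switching and CPU tainting for VMM worlds (added example,
 * not the VMM-VMK Entry module's code). IA32_STAR and IA32_LSTAR are the real
 * architectural syscall MSRs; world ids, flags, counters and values are constructed. */

#define IA32_STAR  0xC0000081u
#define IA32_LSTAR 0xC0000082u
#define NUM_MSRS   2
#define NO_WORLD   (-1)

enum { MSR_USED = 1u << 0,            /* the monitor relies on a specific value */
       MSR_GUEST_WRITABLE = 1u << 1   /* the VM may write it directly while the world runs */ };

struct switched_msr {
    uint32_t msr;
    uint64_t mon_val;    /* value the monitor wants loaded */
    uint64_t guest_val;  /* value the VM last left behind, saved at world switch */
    unsigned flags;
};

struct vmm_world {
    int id;
    struct switched_msr msrs[NUM_MSRS];
};

struct pcpu {
    uint64_t msr_file[NUM_MSRS];  /* the physical MSRs, modelled as an array */
    int last_vmm_world;           /* last VMM world to run here; drives the taint check */
    unsigned msr_loads;           /* counters that make the deferral visible */
    unsigned hv_flushes;
};

void pcpu_init(struct pcpu *c)
{
    for (int i = 0; i < NUM_MSRS; i++) c->msr_file[i] = 0;
    c->last_vmm_world = NO_WORLD;
    c->msr_loads = 0;
    c->hv_flushes = 0;
}

/* MonMSR-style bookkeeping, done while the world is not running on a CPU. */
void monmsr_set(struct vmm_world *w, int idx, uint32_t msr, uint64_t val, unsigned flags)
{
    w->msrs[idx].msr = msr;
    w->msrs[idx].mon_val = val;
    w->msrs[idx].guest_val = val;
    w->msrs[idx].flags = flags | MSR_USED;
}

void monmsr_set_unused(struct vmm_world *w, int idx, uint32_t msr)
{
    w->msrs[idx].msr = msr;
    w->msrs[idx].flags = 0;     /* any value is benign: never saved or reloaded */
}

/* A CPU is tainted for a world when the last VMM world to run on it is not that world. */
bool cpu_tainted_for(const struct pcpu *c, const struct vmm_world *w)
{
    return c->last_vmm_world != w->id;
}

/* Start of a VMM world's run: flush/reload virtualization state only if tainted,
 * then load the value this world needs into every MSR it marks as used. */
void vmm_world_enter(struct pcpu *c, struct vmm_world *w)
{
    if (cpu_tainted_for(c, w)) {
        c->hv_flushes++;
        c->last_vmm_world = w->id;
    }
    for (int i = 0; i < NUM_MSRS; i++) {
        const struct switched_msr *m = &w->msrs[i];
        if (!(m->flags & MSR_USED))
            continue;                               /* benign: leave whatever is loaded */
        uint64_t want = (m->flags & MSR_GUEST_WRITABLE) ? m->guest_val : m->mon_val;
        if (c->msr_file[i] != want) {
            c->msr_file[i] = want;
            c->msr_loads++;
        }
    }
}

/* End of the run: remember what the VM left in guest-writable MSRs. */
void vmm_world_exit(struct pcpu *c, struct vmm_world *w)
{
    for (int i = 0; i < NUM_MSRS; i++)
        if ((w->msrs[i].flags & (MSR_USED | MSR_GUEST_WRITABLE)) == (MSR_USED | MSR_GUEST_WRITABLE))
            w->msrs[i].guest_val = c->msr_file[i];
}

/* The VM writes a guest-writable MSR directly; nothing is switched until the world ends. */
void guest_wrmsr(struct pcpu *c, int idx, uint64_t val) { c->msr_file[idx] = val; }

/* A non-VMM (vmKernel) world: the loaded values are benign to it, so it touches nothing. */
void nonvmm_world_run(struct pcpu *c) { (void)c; }

int main(void)
{
    struct pcpu cpu;
    struct vmm_world a = { .id = 1 }, b = { .id = 2 };
    pcpu_init(&cpu);
    monmsr_set(&a, 0, IA32_STAR, 0x0023001000000000ULL, MSR_GUEST_WRITABLE);
    monmsr_set(&a, 1, IA32_LSTAR, 0xffff800000001000ULL, 0);
    monmsr_set(&b, 0, IA32_STAR, 0x0033001000000000ULL, 0);
    monmsr_set_unused(&b, 1, IA32_LSTAR);

    vmm_world_enter(&cpu, &a);  guest_wrmsr(&cpu, 0, 0x1111);  vmm_world_exit(&cpu, &a);
    nonvmm_world_run(&cpu);
    vmm_world_enter(&cpu, &a);  vmm_world_exit(&cpu, &a);
    printf("A -> vmKernel -> A: flushes=%u loads=%u\n", cpu.hv_flushes, cpu.msr_loads);
    vmm_world_enter(&cpu, &b);
    printf("A -> B: flushes=%u loads=%u STAR=%#llx\n", cpu.hv_flushes, cpu.msr_loads,
           (unsigned long long)cpu.msr_file[0]);
    return 0;
}
```

The SFR-relevant point is visible in the counters: the guest's own STAR value stays in the CPU across the vmKernel world (that world is kernel-level and the value is benign to it) and is restored to the same world without any load, whereas switching to world B forces both the virtualization-state flush and the load of B's monitor value, so B never observes A's guest value in an MSR it relies on.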

The VMM-VMK Entry module indirectly facilitates calls from VMM to the VMX. The VMM contains a mechanism called a "UserCall" which causes the VMKCall "VMKCall\_SwitchToVCPU" which in turn requests that the vmkernel world-switch to a VMX world within the program.

## 4.8.1 Security Functionality (SF)

See the table in Section 4.8.2.

## 4.8.2 Security Functional Requirement (SFR)

| Security Function (SF) | Security Function Requirement (SFR) | Rationale |
|---|---|---|
| SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | The TSF shall maintain a security domain for the execution of each virtual machine that protects the virtual machine from interference and tampering by untrusted subjects or subjects from outside the scope of the VM. |

## 4.8.3 Provided TSFI

This module has no TSFI as it is an internal module and has no exposure to outside the TOE.

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|
| MonMSR_Init | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Initializes switchedMSRs values to be used during world switch. Loads initial monitor MSR values. |
| MonMSRInitSwitchedMSRs | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Initializes switchedMSRs values to be used during world switch. |
| MonMSR_SaveHostLoadMonito | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Loads initial monitor MSR values. |
| MonMSR_LoadMonitorState | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | None | <b>None</b> (void function). | Loads initial monitor MSR values. |
| MonMSR_LoadMonitorMSR | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | msr - the model-specific register to write into; val - the value to write | <b>None</b> (void function). | Loads one monitor MSR value (if not masked). |
| MonMSRLoadMSR | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | msr - the model-specific register to load; loadMask - mask determining whether a CPU load should be affected for MSRs; val - the value to write | <b>None</b> (void function). | Loads one monitor MSR value (if not masked). |

## 4.8.4.1 Internal Interfaces of the Module (World-Switch: Model-Specific Registers)

| Module Function | Security Function(s) | SFR(s) | Parameters | Return Value | Rationale |
|---|---|---|---|---|---|
| MonMSR_SetMSRUnused | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>msr</b> - the model-specific register to mark as unused | <b>None</b> (void function). | Marks an MSR as not used by the monitor (such that the monitor considers any value benign and world switch will not reload monitor values for this MSR). |
| MonMSR_SetMSR | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | msr - the model-specific register to set; newVal - the monitor value to set in the MSR; flags - flags related to switching of the MSR | <b>None</b> (void function). | Marks an MSR as used by the monitor, setting its value and flags related to switching. If the value or flags have changed or if the flags specify that the MSR is not shadowed, its value is also loaded. |
| MonMSR_UpdateMSR | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | msr - the model-specific register to set; newVal - the (new) monitor value to set in the MSR | <b>None</b> (void function). | The value of the specified monitor-used MSR is updated (but flags are left unchanged). If the existing flags specify that the MSR is in use, the new value is loaded. |
| WorldSaveFastMSRs | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>save</b> - world being saved (transitioning from running to not running) | <b>None</b> (void function). | Saves monitor MSRs according to flags. |

| Module Function             | Security<br>Function(s)                | SFR(s)          | Parameters                                                                                   | Return Value                                                                                      | Rationale                                                                                                  |
|-----------------------------|----------------------------------------|-----------------|----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| WorldRestoreFastMSRs        | SF6.Protecti<br>on of the<br>TSF (FPT) | FPT_VIV_EXT.1.1 | restore -<br>world being<br>restored<br>(transitioning<br>from not<br>running to<br>running) | <b>None</b> (void<br>function).                                                                   | Loads monitor<br>MSRs<br>according to<br>flags.                                                            |
| WorldArchSharedAreaVcpuInit | SF6.Protecti<br>on of the<br>TSF (FPT) | FPT_VIV_EXT.1.1 | world - VMM<br>world being<br>initialized.                                                   | VMK_ReturnS<br>tatus -<br>VMK_OK on<br>successful<br>initialization, or<br>an error<br>otherwise. | Initializes<br>pointer to<br>world's<br>switchedMSR<br>variable for<br>later use<br>during world<br>switch |

## 4.8.4.2 Internal Interfaces of the Module (World-Switch: VT State)

| Module Function              | Security Function(s)            | SFR(s)          | Parameters                                                                        | Return Value                 | Rationale                                                                                 |
|------------------------------|---------------------------------|-----------------|-----------------------------------------------------------------------------------|------------------------------|-------------------------------------------------------------------------------------------|
| WorldSaveControlRegisters    | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>save</b> - world being saved (transitioning from running to not running)       | <b>None</b> (void function). | Saves CPU control registers and "saves" VT state (flushes any active VMCS).               |
| WorldSaveVTState             | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>world</b> - world being saved                                                  | <b>None</b> (void function). | "Saves" VT state (flushes any active VMCS).                                               |
| WorldRestoreControlRegisters | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>restore</b> - world being restored (transitioning from not running to running) | <b>None</b> (void function). | Restores CPU control registers and restores VT state.                                     |
| WorldRestoreVTState          | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>world</b> - world being restored                                               | <b>None</b> (void function). | Restores VT state (loads any active VMCS).                                                |
| World_ArchExit               | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>w</b> - world that is transitioning from running to not running                | <b>None</b> (void function). | "Saves" VT state (flushes any active VMCS) one final time before the world exits permanently. |

## 4.8.4.3 Internal Interfaces of the Module (VMKCall: State Flushing)

| Module Function             | Security Function(s)            | SFR(s)          | Parameters                                                                                                                                                                                                 | Return Value                                                                                                          | Rationale                                                                                                                                                                                                  |
|-----------------------------|---------------------------------|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| VMKCallWork                 | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>fnNum</b> - function number specifying which VMKCall to execute in the vmKernel context<br><b>args</b> - a pointer to arguments to the VMKCall                                                          | VMK_ReturnStatus - a return status for a VMKCall. Generally VMK_OK on success and a different error value on failure. | Switches from the VMM context to the vmKernel context to request the specified call.                                                                                                                       |
| SwitchRootAndBackTovmKernel | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>fnNum</b> - function number specifying which VMKCall to execute in the vmKernel context<br><b>args</b> - a pointer to arguments to the VMKCall<br><b>eflags</b> - CPU flags register value in the VMM   | VMK_ReturnStatus - a return status for a VMKCall. Generally VMK_OK on success and a different error value on failure. | Inner function that switches from the VMM context to the vmKernel context to request the specified call. May never return, and may also return running on a new CPU (with 'pcpuTainted' set).              |
| HV_EnterMonitor             | SF6.Protection of the TSF (FPT) | FPT_VIV_EXT.1.1 | <b>pcpuTainted</b> - is the current CPU tainted (i.e. this VMM world was not the last world to run on the CPU, and flushing is needed)?                                                                    | <b>None</b> (void function).                                                                                          | Called upon re-entry to the monitor to restore HV state of relevance. If pcpuTainted is set, effects flushes of the TLB for VNPT, EPTP and all ASIDs (see 4.2: VMM HV Memory Management).                  |

## 4.8.5 Used Interfaces of Other Modules

| Module Function       | Module                         | Description                                                         | Parameters | Return Value                 | File                                         |
|-----------------------|--------------------------------|---------------------------------------------------------------------|------------|------------------------------|----------------------------------------------|
| HV_FlushNestedMappings | 4.2: VMM HV Memory Management | Invalidates the EPTP on the current CPU.                            | None       | <b>None</b> (void function). | vmcore/monitor/vmm/hv/vt/hv-vt.c             |
| VNPT_FlushPhysical    | 4.2: VMM HV Memory Management  | Flushes all shadow nested page table mappings from the current CPU. | None       | <b>None</b> (void function). | vmcore/monitor/vmm/hv/common/vnpt-common.h   |
| HVFlushAllASIDs       | 4.2: VMM HV Memory Management  | Invalidates all VPIDs on the current CPU.                           | None       | <b>None</b> (void function). | vmcore/monitor/vmm/hv/vt/hv-vt.c             |

None.

## 4.8.6 Mapping to the Source Code

| Function                        | Description                                                                                                                                                                                               | File                                          |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|
| MonMSR_Init                     | Initializes switchedMSRs values to be used during world switch. Loads initial monitor MSR values.                                                                                                         | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSRInitSwitchedMSRs          | Initializes switchedMSRs values to be used during world switch.                                                                                                                                           | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSR_SaveHostLoadMonitorState | Loads initial monitor MSR values.                                                                                                                                                                         | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSR_LoadMonitorState         | Loads initial monitor MSR values.                                                                                                                                                                         | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSR_LoadMonitorMSR           | Loads one monitor MSR value (if not masked).                                                                                                                                                              | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSRLoadMSR                   | Loads one monitor MSR value (if not masked).                                                                                                                                                              | vmcore/monitor/vmm/main/monMSR.c              |
| MonMSR_SetMSRUnused             | Marks an MSR as not used by the monitor (such that the monitor considers any value benign and world switch will not reload monitor values for this MSR).                                                  | vmcore/public/monMSR.h                        |
| MonMSR_SetMSR                   | Marks an MSR as used by the monitor, setting its value and flags related to switching. If the value or flags have changed, or if the flags specify that the MSR is not shadowed, its value is also loaded. | vmcore/public/monMSR.h                        |
| MonMSR_UpdateMSR                | The value of the specified monitor-used MSR is updated (but flags are left unchanged). If the existing flags specify that the MSR is in use, the new value is loaded.                                      | vmcore/public/monMSR.h                        |
| WorldSaveFastMSRs               | Saves monitor MSRs according to flags.                                                                                                                                                                    | vmkernel/main/x86/world.c                     |
| WorldRestoreFastMSRs            | Loads monitor MSRs according to flags.                                                                                                                                                                    | vmkernel/main/x86/world.c                     |
| WorldArchSharedAreaVcpuInit     | Initializes the pointer to the world's switchedMSR variable for later use during world switch.                                                                                                            | vmkernel/main/x86/world.c                     |
| WorldSaveControlRegisters       | Saves CPU control registers and "saves" VT state (flushes any active VMCS).                                                                                                                               | vmkernel/main/x86/world.c                     |
| WorldSaveVTState                | "Saves" VT state (flushes any active VMCS).                                                                                                                                                               | vmkernel/main/x86/world.c                     |
| WorldRestoreControlRegisters    | Restores CPU control registers and restores VT state.                                                                                                                                                     | vmkernel/main/x86/world.c                     |
| WorldRestoreVTState             | Restores VT state (loads any active VMCS).                                                                                                                                                                | vmkernel/main/x86/world.c                     |
| World_ArchExit                  | "Saves" VT state (flushes any active VMCS) one final time before the world exits permanently.                                                                                                             | vmkernel/main/x86/world.c                     |
| VMKCallWork                     | Switches from the VMM context to the vmKernel context to request the specified call.                                                                                                                      | vmcore/monitor/vmm/platform/vmkernel/vmk_if.c |
| SwitchRootAndBackTovmKernel     | Inner function that switches from the VMM context to the vmKernel context to request the specified call. May never return, and may also return running on a new CPU (with 'pcpuTainted' set).             | vmcore/monitor/vmm/platform/vmkernel/vmk_if.c |
| HV_EnterMonitor                 | Called upon re-entry to the monitor to restore HV state of relevance. If pcpuTainted is set, effects flushes of the TLB for VNPT, EPTP and all ASIDs (see 4.2: VMM HV Memory Management).                 | vmcore/monitor/vmm/hv/vt/hv-vt.c              |

## 4.8.7 Appendix A: Navigating VMM-VMK Entry Module Code

The code and header files implementing the module are used across multiple products and CPU architectures. Only a subset of the code is of relevance to the TOE. This table endeavors to simplify reading code and header files by explaining what is included and excluded from the TOE. Terminology clarifying the above documentation is also provided.

| Term or token                          | Meaning                                                     | Included in TOE? |
|----------------------------------------|-------------------------------------------------------------|------------------|
| vmx86_server                           | Set to 1 if building ESX                                    | Yes              |
| VMX86_SERVER (CPP token)               | #defined if building ESX                                    | Yes              |
| SERVER_ONLY()                          | Macro contents defined if building ESX                      | Yes              |
| HOSTED_ONLY()                          | Not relevant to ESX, enclosed contents omitted              | No               |
| vmx86_vmm                              | Set to 1 if building VMM                                    | Yes              |
| vmx86_ulm                              | Set to 0 if building VMM                                    | No               |
| ULM_ONLY()                             | Not relevant to ESX, enclosed contents omitted              | No               |
| vmx86_release                          | Set to 1 if building for releases to customers              | Yes              |
| vmx86_debug                            | Set to 1 if building for debug builds                       | No               |
| vmx86_devel                            | Set to 1 if building for internal developers                | No               |
| VMM_BOOTSTRAP                          | Set to 0 for general VMM run-time                           | No               |
| Files and directories containing arm64 | Not relevant to Intel/x86 product                           | No               |
| World_IsVMMWorld()                     | True if the world is a VMM world                            | Yes              |
| World_IsKLMWorld()                     | Always FALSE for TOE.                                       | No               |
| HVMSR*                                 | An MSR-switching subsystem not used for the TOE.            | No               |
| MonMSRLoadHostState                    | Not used in the TOE                                         | No               |
| MonMSRSaveHostState                    | Not used in the TOE                                         | No               |
| MonMSRLoadHostMSR                      | Not used in the TOE                                         | No               |
| switchedMSRs                           | Variable referenced via shared memory: world-switched MSRs. | Yes              |

## 4.9 VMM SGX (SFR-NON-INTERFERING)

SGX is a CPU feature provided by Intel that enables workloads to run within an execution context known as a Secure Enclave, provided by the CPU. Software outside a Secure Enclave (including operating system software, hypervisor software, and even guest kernel and user-mode software) cannot examine or tamper with software or data inside the Enclave. SGX Enclaves run within encrypted, protected memory known as the Enclave Page Cache (EPC). SGX enclaves are created using EPC memory acquired via coordination with system firmware, and are then bootstrapped and entered using SGX-specific instructions in the CPU.

The VMM provides Virtual SGX (hereafter "VSGX") to Virtual Machines. VSGX behaves as SGX, and is implemented using the same EPC memory and the same instruction-level interfaces provided by physical CPUs for SGX use. The SGX module implements VSGX.

To acquire EPC memory, the SGX module relies upon the VMM HV Memory Management module (see 4.2). EPC memory is separate from but largely handled in the same manner as non-volatile memory by the VMM HV Memory Management module. Virtual firmware exposes EPC memory to VM software much as physical firmware exposes EPC memory to operating system software on physical systems.

Most of the time, VSGX instructions and enclave code run directly on hardware without exiting to the VMM, but occasionally it is necessary to emulate an SGX instruction. To emulate SGX instructions, the SGX module implements SGX-specific emulation functions, which are in turn called by the VMM Instruction Emulation module (see 4.5) as necessary.

SGX-related CPU state is world-switched by the VMM-VMK Entry module (see 4.8).

Because the SGX module uses EPC memory provided by the VMM HV Memory Management module, and because this memory and the SGX instructions are used only for VM-private execution (with no interaction with other VMs or other host software), the SGX module is SFR-NON-INTERFERING.

## 4.9.1 Mapping to the Source Code (Interpreter support)

| Function     | Description                                                                  | File                                  |
|--------------|------------------------------------------------------------------------------|---------------------------------------|
| SGX_Init     | Initializes VMM's SGX functionality. Allows VSGX use by the VCPU thereafter. | vmcore/monitor/vmm/main/sgx_monitor.c |
| Interp_ENCLV | Interprets an ENCLV exit, emulating the requested leaf function.             | vmcore/monitor/vmm/cpu/interpSGX.c    |
| Interp_ENCLS | Interprets an ENCLS exit, emulating the requested leaf function.             | vmcore/monitor/vmm/cpu/interpSGX.c    |

## 4.9.2 Appendix A: Bibliography for the Intel SGX References

| Document                                                                                                 | Author / Company  | Date       | Notes                          |
|----------------------------------------------------------------------------------------------------------|-------------------|------------|--------------------------------|
| Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3D: System Programming Guide, Part 4 | Intel Corporation | 07/27/2022 | Describes SGX in great detail. |

# **Confluence Concordance (VMware internal use)**

| Section | Page Version | Page Link                                                                                                                       |
|---------|--------------|---------------------------------------------------------------------------------------------------------------------------------|
| 4       | 8-4-2022     | VMM Subsystem - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence                  |
| 4.1     | 8-1-2022     | 4.1 VMM Hardware Virtualization - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence |
| 4.2     | 8-4-2022     | 4.2 VMM HV Memory Management - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence   |
| 4.3     | 8-1-2022     | 4.3 VMM Host interrupts IDT APIC Map - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence |
| 4.4     | 8-1-2022     | 4.4 VMM Hot Path - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence               |
| 4.5     | 8-2-2022     | 4.5 VMM Instruction Emulation - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence  |
| 4.6     | 8-3-2022     | 4.6 VMM Guest Interrupts - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence       |
| 4.7     | 8-3-2022     | 4.7 VMM Timekeeping - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence            |
| 4.8     | 8-4-2022     | 4.8 [vmKernel] VMM-VMK Entry - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence   |
| 4.9     | 8-3-2022     | 4.9 VMM SGX - vSphere Certification - VMware Core Confluence - vSphere Certification - VMware Core Confluence                    |