Enabling Virtual Machine support
Michael ODonnell
michael.odonnell at comcast.net
Mon Sep 28 11:25:22 EDT 2009
On this busy morning I've only had time to glance at some docs for SVM
(Secure Virtual Machine) support but it does appear that in some cases
external hardware (in the form of a TPM - the dread Trusted Platform
Module) can be involved in the prep and execution of the Secure Loader
and, therefore, any subsequent use of (some? all?) VM capabilities.
They (AMD Sys Prog Manual circa 2006) also show some pseudocode that
seems to indicate that the BIOS (by means I don't yet understand) does
have the ability to prevent later use of (some? all?) VM capabilities,
with or without a TPM:
15.4 Enabling SVM
The VMRUN, VMLOAD, VMSAVE, CLGI, VMMCALL, and INVLPGA instructions can
be used when the EFER.SVME is set to 1; otherwise, these instructions
generate a #UD exception. The SKINIT and STGI instructions can be
used when either the EFER.SVME bit is set to 1 or the ECX.SKINIT bit,
as returned by CPUID function 8000_0001h, is set to 1; otherwise,
these instructions generate a #UD exception.
Before enabling SVM, software should detect whether SVM can be enabled
using the following algorithm:
if (CPUID 8000_0001.ECX[SVM] == 0)
    return SVM_NOT_AVAIL;
if (VM_CR.SVMDIS == 0)
    return SVM_ALLOWED;
if (CPUID 8000_000A.EDX[SVM_LOCK] == 0)
    return SVM_DISABLED_AT_BIOS_NOT_UNLOCKABLE;
    // the user must change a BIOS setting to enable SVM
else
    return SVM_DISABLED_WITH_KEY;
    // SVMLock may be unlockable; consult the BIOS or TPM to obtain the key.
So I've learned something: it appears that the BIOS can indeed have
the final word re: VM regardless of what any subsequent OS or would-be
hypervisor might wish, but I don't yet understand the details.
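Added example, not part of the list post or the AMD manual: the C program below implements the manual's detection algorithm as a pure function over the three register values it consults (so the decision logic can be exercised with constructed inputs from user mode) and, on an x86 host, also probes the real CPUID leaves. The bit positions used (CPUID Fn8000_0001 ECX bit 2 = SVM, Fn8000_000A EDX bit 2 = SVML, VM_CR MSR C001_0114h bit 3 = LOCK and bit 4 = SVMDIS) are taken from the AMD APM vol. 2 and are not quoted on this page. VM_CR is an MSR, so it cannot be read from user mode; the Linux path reads it through /dev/cpu/0/msr as root, and otherwise the program reports the CPUID result under the assumption SVMDIS=0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum svm_status {
    SVM_NOT_AVAIL,                        /* CPUID reports no SVM at all         */
    SVM_ALLOWED,                          /* software may set EFER.SVME          */
    SVM_DISABLED_AT_BIOS_NOT_UNLOCKABLE,  /* SVMDIS set, no SVM lock key path    */
    SVM_DISABLED_WITH_KEY                 /* SVMDIS set, SVM lock may unlock it  */
};

/* Bit positions from the AMD APM vol. 2 (not quoted on the page). */
#define CPUID_8000_0001_ECX_SVM   (1u << 2)     /* Fn8000_0001 ECX.SVM  */
#define CPUID_8000_000A_EDX_SVML  (1u << 2)     /* Fn8000_000A EDX.SVML */
#define MSR_VM_CR                 0xC0010114u   /* VM_CR MSR address    */
#define VM_CR_LOCK                (1ull << 3)
#define VM_CR_SVMDIS              (1ull << 4)

/* The manual's decision procedure as a pure function of the three register
 * values, so it can be checked with constructed inputs where VM_CR itself
 * is not readable (user mode). */
enum svm_status svm_classify(uint32_t ecx_8000_0001, uint64_t vm_cr,
                             uint32_t edx_8000_000a)
{
    if (!(ecx_8000_0001 & CPUID_8000_0001_ECX_SVM))
        return SVM_NOT_AVAIL;
    if (!(vm_cr & VM_CR_SVMDIS))
        return SVM_ALLOWED;                      /* BIOS left SVM enabled */
    if (!(edx_8000_000a & CPUID_8000_000A_EDX_SVML))
        return SVM_DISABLED_AT_BIOS_NOT_UNLOCKABLE;
    return SVM_DISABLED_WITH_KEY;                /* SVM lock feature present */
}

const char *svm_status_name(enum svm_status s)
{
    switch (s) {
    case SVM_NOT_AVAIL:                       return "SVM_NOT_AVAIL";
    case SVM_ALLOWED:                         return "SVM_ALLOWED";
    case SVM_DISABLED_AT_BIOS_NOT_UNLOCKABLE: return "SVM_DISABLED_AT_BIOS_NOT_UNLOCKABLE";
    case SVM_DISABLED_WITH_KEY:               return "SVM_DISABLED_WITH_KEY";
    }
    return "?";
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* CPUID is executable from user mode. Leaves above the CPU's maximum
 * extended leaf are reported as zero (e.g. non-AMD parts lack Fn8000_000A). */
void svm_probe_cpuid(uint32_t *ecx_8000_0001, uint32_t *edx_8000_000a)
{
    unsigned int eax, ebx, ecx, edx;
    unsigned int max_ext = __get_cpuid_max(0x80000000u, NULL);
    *ecx_8000_0001 = *edx_8000_000a = 0;
    if (max_ext >= 0x80000001u) {
        __cpuid(0x80000001u, eax, ebx, ecx, edx);
        *ecx_8000_0001 = ecx;
    }
    if (max_ext >= 0x8000000Au) {
        __cpuid(0x8000000Au, eax, ebx, ecx, edx);
        *edx_8000_000a = edx;
    }
}
#endif

#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
/* RDMSR needs ring 0; Linux's msr driver exposes MSRs to root at
 * /dev/cpu/N/msr, indexed by MSR address. Returns false if unreadable. */
bool svm_read_vm_cr(uint64_t *vm_cr)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return false;
    bool ok = lseek(fd, (off_t)MSR_VM_CR, SEEK_SET) == (off_t)MSR_VM_CR &&
              read(fd, vm_cr, sizeof *vm_cr) == (ssize_t)sizeof *vm_cr;
    close(fd);
    return ok;
}
#endif

int main(void)
{
    uint32_t ecx1 = 0, edxa = 0;
    uint64_t vm_cr = 0;
    bool have_vm_cr = false;
#if defined(__x86_64__) || defined(__i386__)
    svm_probe_cpuid(&ecx1, &edxa);
#endif
#ifdef __linux__
    have_vm_cr = svm_read_vm_cr(&vm_cr);
#endif
    printf("CPUID Fn8000_0001 ECX.SVM=%u  Fn8000_000A EDX.SVML=%u\n",
           !!(ecx1 & CPUID_8000_0001_ECX_SVM), !!(edxa & CPUID_8000_000A_EDX_SVML));
    if (have_vm_cr)
        printf("VM_CR=%#llx LOCK=%u SVMDIS=%u -> %s\n", (unsigned long long)vm_cr,
               !!(vm_cr & VM_CR_LOCK), !!(vm_cr & VM_CR_SVMDIS),
               svm_status_name(svm_classify(ecx1, vm_cr, edxa)));
    else
        printf("VM_CR not readable (needs root and the msr module); assuming SVMDIS=0 -> %s\n",
               svm_status_name(svm_classify(ecx1, 0, edxa)));
    return 0;
}
```

Build with "cc -O2 svm_probe.c -o svm_probe" and run it as root after "modprobe msr" to get the VM_CR line; without root it still shows the CPUID half of the picture. The thing that gives the BIOS "the final word" is VM_CR.LOCK: until LOCK is set, ring-0 software could simply clear SVMDIS itself, and once LOCK is set, SVMDIS can only be changed through the SVM lock key path that the SVML bit advertises (SVM_DISABLED_WITH_KEY); with SVMDIS and LOCK set and no SVML, the only recourse is the BIOS setup menu.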
More information about the gnhlug-discuss mailing list