I'm trying to figure out if there is a way to establish and then lock VT-d settings created by the BIOS. I found the VTGENCTRL register and I see that is has a lock bit at bit . The question though is, can't the OS simply reset that bit to '0' and change the settings, assuming there is no VMM trapping on such events? Is there a mechanism available wherein the VT-d setting can be established and then locked down until the next re-boot?
You'll need to be a little more explicit - when you say "can't the OS simply reset the bit" - do you mean the Host or Guest OS?
If you meant "can't the guest OS simply reset the bit", then yes. If you don't trap on MSR access, then yes you create a situation in which a guest OS can change the state of an MSR. I forget the name of the field in the VMCS, but the way you would prevent such access would be exactly to Exit on MSR access.
What is the purpose of the lock bit, then? I was given to understand that lock bits on Intel processors, or at least this one, is a one-time set bit. In this way, once the bit is set to set the VT-d BAR as read-only, all access based off the VT-d BAR would then be read-only as well until the next power cycle. However, I haven't been able to confirm or deny that information. Is your assertion then that the OS actually IS able to reset that bit without a power cycle? If so, do you know if there is any documentation to support this claim? I'm not questioning it; I just really need some evidence to back up the trust, whatever it may be.
Got it worked out. The lock-bit does in fact work and is NOT resettable by the OS. So once BIOS initializes the VT-d setting, it can set the bit in the VTGENCTRL register that will prohibit modification of the register without a processor reset. Thanks!