[Bug 49221] Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs instruction emulation for querying VMX capabilities via MSR 0x480..0x490

WineHQ Bugzilla wine-bugs at winehq.org
Fri May 22 15:38:02 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49221

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello Fabian,

--- quote ---
I'm assuming this is only for Intel CPUs. Is there a similar issue with AMD?
--- quote ---

Regarding VMX MSRs, one would assume Intel only. I don't have an AMD processor,
so I can only simulate the code paths in the driver.

--- snip ---
<preceding code collects basic cpuid(0), cpuid(1) information>
r9b = flag(1) = "GenuineIntel" detected
r14b = flag(1) = "AuthenticAMD" detected
...
00000001400088AA | xor ecx,ecx                       |
00000001400088AC | mov eax,1                         |
00000001400088B1 | cpuid                             |
00000001400088B3 | mov eax,edx                       |
00000001400088B5 | shr eax,5                         |
00000001400088B8 | and al,1                          |
00000001400088BA | mov byte ptr ds:[rdi+4C],al       | RDMSR/WRMSR support?
00000001400088BD | mov eax,edx                       |
00000001400088BF | shr eax,C                         |
00000001400088C2 | and al,1                          |
00000001400088C4 | mov byte ptr ds:[rdi+4D],al       | MTRR support?
00000001400088C7 | mov eax,edx                       |
00000001400088C9 | shr eax,6                         |
00000001400088CC | and al,1                          |
00000001400088CE | mov byte ptr ds:[rdi+4E],al       | phys addr extensions?
00000001400088D1 | mov eax,edx                       |
00000001400088D3 | shr eax,10                        |
00000001400088D6 | and al,1                          |
00000001400088D8 | shr edx,1C                        |
00000001400088DB | mov byte ptr ds:[rdi+4B],al       | page attribute table?
00000001400088DE | and dl,1                          |
00000001400088E1 | mov eax,ecx                       |
00000001400088E3 | mov byte ptr ds:[rdi+49],dl       | hyper-threading?
00000001400088E6 | shr eax,1F                        |
00000001400088E9 | and al,1                          |
00000001400088EB | mov byte ptr ds:[rdi+50],al       | hypervisor present?
00000001400088EE | test r9b,r9b                      | flag for vendor Intel
00000001400088F1 | je denuvo-anti-cheat.1400088F8    | ZF -> not Intel
00000001400088F3 | shr ecx,5                         | has msr?
00000001400088F6 | jmp denuvo-anti-cheat.140008909   |
00000001400088F8 | test r14b,r14b                    | flag for vendor AMD
00000001400088FB | je denuvo-anti-cheat.140008921    | ZF -> not AMD
00000001400088FD | xor ecx,ecx                       |
00000001400088FF | mov eax,80000001                  | Extended Processor Info
0000000140008904 | cpuid                             |
0000000140008906 | shr ecx,2                         | AMD SVM enabled ?
0000000140008909 | and cl,1                          |
000000014000890C | mov eax,7                         | Extended Features
0000000140008911 | mov byte ptr ds:[rdi+4F],cl       | has SVM or MSR support
0000000140008914 | xor ecx,ecx                       |
0000000140008916 | cpuid                             |
0000000140008918 | shr ebx,12                        |
000000014000891B | and bl,1                          | RDSEED support?
000000014000891E | mov byte ptr ds:[rdi+4A],bl       | 1 = has RDSEED support 
0000000140008921 | cmp byte ptr ds:[rdi+4C],1        | MSR support?
0000000140008925 | jne denuvo-anti-cheat.140008956   | 
0000000140008927 | test r9b,r9b                      | flag for vendor Intel
000000014000892A | je denuvo-anti-cheat.14000893A    | ZF -> not Intel
000000014000892C | cmp byte ptr ds:[rdi+4F],1        | SVM or MSR support?
0000000140008930 | jne denuvo-anti-cheat.14000893A   |
0000000140008932 | mov rcx,rdi                       |
0000000140008935 | call denuvo-anti-cheat.140008AC0  | read VMX MSRs
000000014000893A | cmp byte ptr ds:[rdi+4D],1        |
...
--- snip ---

If I'm not mistaken, it seems possible to enter the code path that reads the VMX
MSRs (subroutine 0x140008935) even on AMD CPUs.

https://www.amd.com/system/files/TechDocs/25481.pdf

if CPUID Fn0000_0001_EDX Bit 5 = MSR: AMD model-specific registers

_and_

if CPUID Fn8000_0001_ECX Bit 2 = SVM: secure virtual machine. 

Not sure how this can work. I know that Hypervisors/VMMs intercept all kinds of
instructions, including RDMSR. But it would be strange to advertise VMX
features on AMD by emulating these Intel MSRs. Maybe I'm wrong here and the
code path can't be entered.

Could someone check what happens on AMD:

--- snip ---
$ sudo rdmsr -x 0x480
--- snip ---

Regards
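
Added example (not part of the comment above and not code from the driver): a C model of the branch logic in the quoted listing, so the gate in front of the call at 0x140008935 can be evaluated for any set of CPUID register values. The struct and field names are hypothetical, the sample register values are constructed, and a zero-initialized feature structure is assumed; as the listing is written, r9b is tested again at 0x140008927, and the model follows that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CPUID register values fed to the model; all sample values below are constructed. */
struct cpuid_in {
    bool intel, amd;          /* r9b / r14b vendor flags from the listing */
    uint32_t l1_ecx, l1_edx;  /* CPUID leaf 1 */
    uint32_t ext1_ecx;        /* CPUID leaf 0x80000001 */
    uint32_t l7_ebx;          /* CPUID leaf 7, subleaf 0 */
};

/* Bytes the listing stores at [rdi+0x49..0x50]; field names are hypothetical. */
struct feat {
    uint8_t htt, rdseed, pat, msr, mtrr, pae, virt, hv;
    bool reads_vmx_msrs;      /* true when the call at 0x140008935 is reached */
};

static uint8_t bit(uint32_t v, unsigned n) { return (v >> n) & 1u; }

struct feat model_probe(const struct cpuid_in *c)
{
    struct feat f = {0};           /* assumption: structure starts zeroed */
    f.msr  = bit(c->l1_edx, 5);    /* [rdi+4C] */
    f.mtrr = bit(c->l1_edx, 12);   /* [rdi+4D] */
    f.pae  = bit(c->l1_edx, 6);    /* [rdi+4E] */
    f.pat  = bit(c->l1_edx, 16);   /* [rdi+4B] */
    f.htt  = bit(c->l1_edx, 28);   /* [rdi+49] */
    f.hv   = bit(c->l1_ecx, 31);   /* [rdi+50] */
    if (c->intel || c->amd) {      /* neither vendor: jumps straight to 0x140008921 */
        /* [rdi+4F]: Intel uses leaf 1 ECX bit 5, AMD uses leaf 0x80000001 ECX bit 2 */
        f.virt   = c->intel ? bit(c->l1_ecx, 5) : bit(c->ext1_ecx, 2);
        f.rdseed = bit(c->l7_ebx, 18);                 /* [rdi+4A] */
    }
    /* 0x140008921..0x140008930: [rdi+4C], then r9b, then [rdi+4F] */
    f.reads_vmx_msrs = f.msr == 1 && c->intel && f.virt == 1;
    return f;
}

int main(void)
{
    struct cpuid_in intel = { true, false, 1u << 5, 1u << 5, 0, 1u << 18 };
    struct cpuid_in amd   = { false, true, 0, 1u << 5, 1u << 2, 0 };
    printf("intel: call reached = %d\n", model_probe(&intel).reads_vmx_msrs);
    printf("amd:   call reached = %d\n", model_probe(&amd).reads_vmx_msrs);
    return 0;
}
```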
