If KVM is working, why does VMX show as disabled?

Question

I have VT-x enabled in the BIOS. I'm running qemu/kvm/Manjaro. lscpu says

$ lscpu
Architecture:            x86_64
  Model name:            Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Flags: ... vmx ... 
Virtualization features:
  Virtualization:        VT-x
Vulnerabilities:         
  Itlb multihit:         KVM: Mitigation: VMX disabled

In addition,

$ sudo rdmsr -f 2:0 0x3A
5

which means that

• The VMX configuration is locked
• VMX is disabled in the SMX (“Safer Mode Extensions”) state
• VMX is enabled outside of the SMX state

This answer gives me hope: if kvm loads, then VMX is working. Indeed, qemu with kvm as its accelerator works just fine (or at least seems to). So then why does it show VMX as being disabled for the purposes of the multihit vulnerability?

An example qemu run:

$ qemu-system-x86_64 -nographic -vga none -net none -nodefaults -machine q35 -accel kvm -cpu host -smp sockets=1,dies=1,cores=2,threads=2 -m 512M ...
QEMU 6.0.0 monitor - type 'help' for more information
(qemu) info kvm
info kvm
kvm support: enabled

The guest (pfSense, in this case) is running fine so far.

Answer 1

Thank you for a question... It was interesting for me too... So, after reading this, and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html it's become clear: vmx looks present and not disabled by bios. Vulnerability present, but now vmx is not in use, thus is just disabled. when some kvm is run and use vmx, situations changed:

 $ cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit 
 KVM: Mitigation: Split huge pages

meaning, that vulnerability present, but mitigated by kvm by splitting pages.

Answer 2

In short, even though the multihit vulnerability mitigation may temporarily disable VMX, your system's VT-x is still enabled and working fine. The successful operation of KVM and your virtual machine indicates that VT-x is being utilized for hardware acceleration as expected. So, there is no need to be concerned about the reported VMX disablement for the multihit vulnerability.