Index: sys/amd64/vmm/intel/vmx.c
===================================================================
--- sys/amd64/vmm/intel/vmx.c	(revision 266086)
+++ sys/amd64/vmm/intel/vmx.c	(working copy)
@@ -68,6 +68,8 @@
 #include "x86.h"
 #include "vmx_controls.h"
 
+#define	USE_IO_BITMAP	1
+
 #define	PINBASED_CTLS_ONE_SETTING					\
 	(PINBASED_EXTINT_EXITING	|				\
 	 PINBASED_NMI_EXITING		|				\
@@ -526,6 +528,10 @@
 		vmxon(vmxon_region[curcpu]);
 }
 
+#ifdef USE_IO_BITMAP
+static char io_bitmap[PAGE_SIZE * 2] __aligned(PAGE_SIZE);
+#endif
+
 static int
 vmx_init(int ipinum)
 {
@@ -563,6 +569,21 @@
 
 	/* Clear the processor-based ctl bits that are set on demand */
 	procbased_ctls &= ~PROCBASED_CTLS_WINDOW_SETTING;
+#ifdef USE_IO_BITMAP
+	{
+		int use_io_bitmap = 0;
+		TUNABLE_INT_FETCH("hw.vmm.vmx.use_io_bitmap", &use_io_bitmap);
+		if (use_io_bitmap) {
+			procbased_ctls |= PROCBASED_IO_BITMAPS;
+			memset(io_bitmap, 0xff, PAGE_SIZE * 2);
+			/*
+			 * Allow direct access to ports [0x7ff0-0x7fff]
+			 */
+			io_bitmap[0x7ff0 / 8] = 0;
+			io_bitmap[0x7ff8 / 8] = 0;
+		}
+	}
+#endif
 
 	/* Check support for secondary processor-based VM-execution controls */
 	error = vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2,
@@ -912,6 +933,10 @@
 
 		VMPTRLD(vmcs);
 		error = 0;
+#ifdef USE_IO_BITMAP
+		error += vmwrite(VMCS_IO_BITMAP_A, vtophys(io_bitmap));
+		error += vmwrite(VMCS_IO_BITMAP_B, vtophys(io_bitmap) + 4096);
+#endif
 		error += vmwrite(VMCS_HOST_RSP, (u_long)&vmx->ctx[i]);
 		error += vmwrite(VMCS_EPTP, vmx->eptp);
 		error += vmwrite(VMCS_PIN_BASED_CTLS, pinbased_ctls);