* Nested Virtualization of Hyper-V on Xen Not Working
@ 2021-07-21  4:09 Xentrigued
  2021-07-25  1:32 ` Rob Townley
  2021-07-26 13:55 ` Andrew Cooper
  0 siblings, 2 replies; 5+ messages in thread
From: Xentrigued @ 2021-07-21  4:09 UTC (permalink / raw)
  To: xen-devel

RATIONALE: Features in recent versions of Windows now REQUIRE Hyper-V
support to work.  In particular, Windows Containers, Sandbox, Docker Desktop
and the Windows Subsystem for Linux version 2 (WSL2).  Running Windows in a
VM as a development and test platform is currently a common requirement for
various user segments and will likely become necessary for production in the
future.  Nested virtualization of Hyper-V currently works on VMware ESXi,
Microsoft Hyper-V and KVM-based hypervisors.  This puts Xen and its
derivatives at a disadvantage when choosing a hypervisor.

WHAT IS NOT WORKING?  Provided the requirements set forth in:
https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen have been met,
an hvm guest running Windows 10 PRO Version 21H1 x64 shows that all four
requirements for running Hyper-V are available using the msinfo32.exe or
systeminfo.exe commands.  More granular knowledge of the CPU capabilities
exposed to the guest can be observed using the Sysinternals Coreinfo64.exe
command.  CPUID flags present appear to mirror those on other working nested
hypervisor configurations.

Enabling Windows Features for Hyper-V, Virtual Machine Platform, etc. all
appear to work without error.  However, after the finishing reboot, Hyper-V
is simply not active.  This--despite the fact that vmcompute.exe (Hyper-V
host compute service) is running and there are no errors in the logs.  In
addition, all four Hyper-V prerequisites continue to show as available.

By contrast, after the finishing reboot of an analogous Windows VM running
on ESXi, the four prerequisites are reversed:  hypervisor is now active;
vmx, ept and urg (unrestricted guest) are all off as viewed with the
Coreinfo64.exe -v command.  Furthermore, all functions requiring Hyper-V are
now active and working as expected.

This deficiency has been observed in two test setups running Xen 4.15 from
source and XCP-ng 8.2, both running on Intel with all of the latest,
generally available patches.  We presume that the same behavior is present
on Citrix Hypervisor 8.2 as well.
    
SUMMATION:
Clearly, much effort has already been expended to support the Viridian
enlightenments that optimize running Windows on Xen.  It also looks like a
significant amount of effort has been put forth to advance nested
virtualization in general.

Therefore, if it would be helpful, I am willing to perform testing and
provide feedback and logs as appropriate in order to help get this working.

While my day job is managing a heterogeneous collection of systems running
on various hypervisors, I have learned the rudiments of integrating patches
and rebuilding Xen from source so could no doubt be useful in assisting you
with this worthwhile endeavor.





* Re: Nested Virtualization of Hyper-V on Xen Not Working
  2021-07-21  4:09 Nested Virtualization of Hyper-V on Xen Not Working Xentrigued
@ 2021-07-25  1:32 ` Rob Townley
  2021-07-25  2:47   ` Xentrigued
  2021-07-26 13:55 ` Andrew Cooper
  1 sibling, 1 reply; 5+ messages in thread
From: Rob Townley @ 2021-07-25  1:32 UTC (permalink / raw)
  To: Xentrigued; +Cc: xen-devel


I encourage you to run the Windows Hardware Lab Kit 11/02/2018
<https://docs.microsoft.com/en-us/windows-hardware/test/hlk/> or HLK or
maybe try the VHLK.  The VHLK
<https://docs.microsoft.com/en-us/windows-hardware/test/hlk/getstarted/getstarted-vhlk> is
a free VHD file download of win2016 that has all the tests necessary
built-in.  So you could manually download the test kit on your existing
Windows VM or attempt the VHD.   "Default login credentials are
HLKAdminUser with password Testpassword,1"

Please post the results.   Citrix 8.1 and 8.2 are listed as validated
<https://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=2185&avc=0&ava=0&avt=0&avq=0&OR=1&PGS=25>
and so would be very interesting to see any differences in test results
running XCP-ng 8.2 and Citrix 8.2.

Why run the hardware lab kit in a virtualized environment and directly on
the underlying hardware?  Because those tests are used to validate for the
SVVP <https://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm>.
Microsoft has something similar to their Hardware Compatibility List, aka
HCL.   SVVP
<https://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm> is
Microsoft's Server Virtualization Validation Program.   SVVP validates that
Windows Operating Systems and APPS run on top of other hypervisors and once
validated will receive technical support.  SVVP has been around for over a
decade but has of course changed over the years.   Recently,  it has been
making news because Win11 / Win2022 requires a TPM 2.0 chip, but XCP-NG XEN
does not yet support that <https://github.com/xcp-ng/xcp/issues/471>.    If
the hypervisor is SVVP certified, then running MS Hyper-V Windows on top of
any validated hypervisor would be much more likely to work and possibly
supported directly by MS and tsanet.org.  Canonical and RedHat are in
tsanet, but would like to see the Linux Foundation or Vates itself.
<https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/non-microsoft-hardware-virtualization-software>

Microsoft server software and supported virtualization
environments 09/08/2020 6 minutes to read
<https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/microsoft-server-software-support-policy>
Support partners for non-Microsoft hardware virtualization software
<https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/non-microsoft-hardware-virtualization-software>
WindowsServerCatalog.com and then click on SVVP in the upper right and then
Products
<https://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=0&avc=0&ava=0&avq=0&OR=1&PGS=25>

Design Session - Alternative vTPM 2.0 Backend to Comply with Upcoming SVVP
Changes <https://www.youtube.com/watch?v=abkRRcoYWCQ>

Enabling UEFI Secure Boot on Xen - Robert Eshleman, Vates SAS
<https://www.youtube.com/watch?v=A_IhKjK7EgA>
https://www.youtube.com/watch?v=A_IhKjK7EgA&t=388s
Support vTPM for guests #471 <https://github.com/xcp-ng/xcp/issues/471>
https://docs.microsoft.com/en-us/windows-hardware/test/hlk/


* RE: Nested Virtualization of Hyper-V on Xen Not Working
  2021-07-25  1:32 ` Rob Townley
@ 2021-07-25  2:47   ` Xentrigued
  2021-07-26 12:32     ` Rob Townley
  0 siblings, 1 reply; 5+ messages in thread
From: Xentrigued @ 2021-07-25  2:47 UTC (permalink / raw)
  To: Rob.Townley; +Cc: xen-devel


First and foremost, many thanks for your thoughtful and thorough response and also for providing a multitude of genuinely helpful information!

Secondly:  Wow, that’s quite a homework assignment!!

I will absolutely begin to work my way through the resources you cited and will report back once some of those tests have been completed.  You’ve given me an excellent starting point for further inquiry.

To be very honest, I wasn’t sure where to turn next in the event that no member of this august body had anything to say about this.  (It’s kind of intimidating and not unlike going before the Wizard of Oz.)

So again, thank you so much for all of the good information and also for your kindness in reaching out.

 


* Re: Nested Virtualization of Hyper-V on Xen Not Working
  2021-07-25  2:47   ` Xentrigued
@ 2021-07-26 12:32     ` Rob Townley
  0 siblings, 0 replies; 5+ messages in thread
From: Rob Townley @ 2021-07-26 12:32 UTC (permalink / raw)
  To: Xentrigued; +Cc: xen-devel


Yes, definitely TooMuchInformation.

  I hope that single hardware test kit VHD download imports into xen, runs,
and gives us a starting point and clear work items.


* Re: Nested Virtualization of Hyper-V on Xen Not Working
  2021-07-21  4:09 Nested Virtualization of Hyper-V on Xen Not Working Xentrigued
  2021-07-25  1:32 ` Rob Townley
@ 2021-07-26 13:55 ` Andrew Cooper
  1 sibling, 0 replies; 5+ messages in thread
From: Andrew Cooper @ 2021-07-26 13:55 UTC (permalink / raw)
  To: Xentrigued, xen-devel

On 21/07/2021 05:09, Xentrigued wrote:
> SUMMATION:
> Clearly, much effort has already been expended to support the Viridian
> enlightenments that optimize running Windows on Xen.  It also looks like a
> significant amount of effort has been put forth to advance nested
> virtualization in general.
>
> Therefore, if it would be helpful, I am willing to perform testing and
> provide feedback and logs as appropriate in order to help get this working.
>
> While my day job is managing a heterogeneous collection of systems running
> on various hypervisors, I have learned the rudiments of integrating patches
> and rebuilding Xen from source so could no doubt be useful in assisting you
> with this worthwhile endeavor.

Hello,

Thank you for your interest and volunteering.

Nested virt under Xen is a disaster.  It has been bitrotting for 5
years, and was introduced in an ill-advised way to begin with.

With my Citrix Hypervisor hat on, getting Windows VBS working is a high
priority, but other security work keeps on taking priority.  The
non-security work I am managing to do is all about CPUID and MSR
handling at the toolstack level (rectifying some 15 years of accumulated
technical debt), which is a prerequisite to being able to support nested
virtualisation on Intel in a sustainable way.

There are two things which I know definitely don't work.
1) NMI Virtualisation isn't advertised (but is available if you ignore
the signs of its absence).  Most hypervisors refuse to function without it.
2) VMCS-based EFER loading/saving doesn't work on virtual vmentry/exit.

Fixing 1) is a one-line patch.

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index e9f94daf6493..4c80912368d5 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -2237,6 +2237,7 @@ int nvmx_msr_read_intercept(unsigned int msr, u64
*msr_content)
         /* 1-settings */
         data = PIN_BASED_EXT_INTR_MASK |
                PIN_BASED_NMI_EXITING |
+               PIN_BASED_VIRTUAL_NMIS |
                PIN_BASED_PREEMPT_TIMER;
         data = gen_vmx_msr(data, VMX_PINBASED_CTLS_DEFAULT1, host_data);
         break;
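
Review bot: PIN_BASED_VIRTUAL_NMIS is added to the advertised 1-settings with no accompanying change showing the control being handled on virtual vmentry/vmexit, and the patch carries no commit message explaining why advertising alone is sufficient; the surrounding mail says only that the feature "is available if you ignore the signs of its absence". Please also confirm that gen_vmx_msr() masks the new bit against host_data, so it is never offered on hardware that lacks virtual NMIs. As posted, the hunk header is wrapped onto a second line ("*msr_content)"), which will stop the patch from applying until the two lines are rejoined.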


Fixing 2) is more tricky.  I "broke" it when I fixed a more serious bug
in Xen by making use of EFER-loading in the first place.  This patch
ought to revert to the old behaviour.

diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index f9f9bc18cdbc..e4c353202e2a 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -418,7 +418,7 @@ static int vmx_init_vmcs_config(bool bsp)
 
     min = VM_EXIT_ACK_INTR_ON_EXIT;
     opt = (VM_EXIT_SAVE_GUEST_PAT | VM_EXIT_LOAD_HOST_PAT |
-           VM_EXIT_LOAD_HOST_EFER | VM_EXIT_CLEAR_BNDCFGS);
+           VM_EXIT_CLEAR_BNDCFGS);
     min |= VM_EXIT_IA32E_MODE;
     _vmx_vmexit_control = adjust_vmx_controls(
         "VMExit Control", min, opt, MSR_IA32_VMX_EXIT_CTLS, &mismatch);
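
Review bot: removing VM_EXIT_LOAD_HOST_EFER from opt in vmx_init_vmcs_config() turns the control off for the whole host, not only for guests using nested virtualisation, and by the accompanying text that gives up the "more serious bug" fix that introduced EFER loading. If this is meant as a debugging aid it should say so in a commit message (none is present); for anything longer-lived, keep the bit in opt and avoid it only on the nested vmentry/vmexit path.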
@@ -458,7 +458,7 @@ static int vmx_init_vmcs_config(bool bsp)
         _vmx_secondary_exec_control &=
~SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS;
 
     min = 0;
-    opt = (VM_ENTRY_LOAD_GUEST_PAT | VM_ENTRY_LOAD_GUEST_EFER |
+    opt = (VM_ENTRY_LOAD_GUEST_PAT |
            VM_ENTRY_LOAD_BNDCFGS);
     _vmx_vmentry_control = adjust_vmx_controls(
         "VMEntry Control", min, opt, MSR_IA32_VMX_ENTRY_CTLS, &mismatch);


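Review bot: VM_ENTRY_LOAD_GUEST_EFER is dropped here with no visible fallback for loading the guest's EFER on entry, so the patch should state what path takes over once the VMCS no longer does it, and that this hunk must be applied together with the VM_EXIT_LOAD_HOST_EFER removal above. The context line ending in "_vmx_secondary_exec_control &=" has been wrapped by the mailer, leaving "~SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS;" on its own line, so the hunk will not apply as posted. Minor style point: after the removal, "opt = (VM_ENTRY_LOAD_GUEST_PAT | VM_ENTRY_LOAD_BNDCFGS);" fits on one line.
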
For now, the most important thing is to get one other "modern"
hypervisor working under Xen.  Nested-virt is "just an emulation" of
VT-x (Intel) / SVM (AMD), so it doesn't matter very much what hypervisor
you use in the VM if you're trying to debug why Xen's nested virt is broken.

Furthermore, you stand a far better chance of getting something working
by picking an old version of Windows/HyperV first, as it will use fewer
"new" features in hardware.  The only way we're going to fix things is
incrementally.

~Andrew
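
The capability check behind point 1) of the message above, as an added example that is not part of the thread and is not Xen's code: it models how an outer hypervisor fills the pin-based capability MSR and how a guest hypervisor that requires virtual NMIs fails its start-up negotiation when the bit is not advertised. The function names, the sample host MSR values and the guest's min/opt sets are assumptions made for illustration; the bit positions follow the Intel SDM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pin-based VM-execution control bits, numbered as in the Intel SDM. */
#define PIN_EXT_INTR_EXITING (1u << 0)
#define PIN_NMI_EXITING      (1u << 3)
#define PIN_VIRTUAL_NMIS     (1u << 5)
#define PIN_PREEMPT_TIMER    (1u << 6)
#define PIN_DEFAULT1         0x16u /* bits 1, 2 and 4: reserved, always 1 */

/* Constructed sample: a host CPU whose allowed-1 settings cover all four. */
#define HOST_PIN_MSR         0x0000007f00000016ULL
/* Constructed sample: the same host without virtual NMIs. */
#define HOST_PIN_MSR_NO_VNMI 0x0000005f00000016ULL

/* What the outer hypervisor offers without and with virtual NMIs. */
#define OFFER_WITHOUT_VNMI \
    (PIN_EXT_INTR_EXITING | PIN_NMI_EXITING | PIN_PREEMPT_TIMER)
#define OFFER_WITH_VNMI (OFFER_WITHOUT_VNMI | PIN_VIRTUAL_NMIS)

/* Assumed requirements of a guest hypervisor that insists on virtual NMIs. */
#define GUEST_MIN (PIN_EXT_INTR_EXITING | PIN_NMI_EXITING | PIN_VIRTUAL_NMIS)
#define GUEST_OPT PIN_PREEMPT_TIMER

/*
 * Hypothetical model of the outer hypervisor building the capability MSR it
 * shows to a guest. Low half: controls that must be 1. High half: controls
 * that may be 1. Offered bits are masked against the host's own allowed-1
 * settings so nothing is advertised that the hardware lacks.
 */
static uint64_t advertise_pin_caps(uint32_t offered, uint64_t host_msr)
{
    uint32_t host_allowed1 = (uint32_t)(host_msr >> 32);
    uint32_t allowed1 = (offered & host_allowed1) | PIN_DEFAULT1;

    return ((uint64_t)allowed1 << 32) | PIN_DEFAULT1;
}

/*
 * Model of a guest hypervisor's start-up negotiation: 'min' controls are
 * mandatory, 'opt' controls are used when available. Returns false when a
 * mandatory control is missing from the allowed-1 settings.
 */
static bool negotiate_pin_controls(uint64_t cap_msr, uint32_t min,
                                   uint32_t opt, uint32_t *result)
{
    uint32_t must_be1 = (uint32_t)cap_msr;
    uint32_t may_be1 = (uint32_t)(cap_msr >> 32);
    uint32_t ctl = ((min | opt) & may_be1) | must_be1;

    if (min & ~ctl)
        return false;
    *result = ctl;
    return true;
}

int main(void)
{
    const struct {
        const char *name;
        uint32_t offered;
        uint64_t host;
    } cases[] = {
        { "virtual NMIs not advertised", OFFER_WITHOUT_VNMI, HOST_PIN_MSR },
        { "virtual NMIs advertised", OFFER_WITH_VNMI, HOST_PIN_MSR },
        { "advertised, host lacks them", OFFER_WITH_VNMI, HOST_PIN_MSR_NO_VNMI },
    };

    for (unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t cap = advertise_pin_caps(cases[i].offered, cases[i].host);
        uint32_t ctl = 0;
        bool ok = negotiate_pin_controls(cap, GUEST_MIN, GUEST_OPT, &ctl);

        printf("%-28s cap=%#llx -> %s", cases[i].name,
               (unsigned long long)cap, ok ? "starts" : "refuses to start");
        if (ok)
            printf(" (pin controls %#x)", ctl);
        printf("\n");
    }
    return 0;
}
```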


