From: Paolo Bonzini <pbonzini@redhat.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>,
	Krish Sadhukhan <krish.sadhukhan@oracle.com>
Cc: Jim Mattson <jmattson@google.com>, kvm list <kvm@vger.kernel.org>
Subject: Re: [PATCH 1/2 v2] KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it
Date: Sat, 18 Apr 2020 11:53:36 +0200
Message-ID: <c37b9429-0cb8-6514-44a7-65544873dba0@redhat.com>
In-Reply-To: <20200418015545.GB15609@linux.intel.com>

On 18/04/20 03:55, Sean Christopherson wrote:
> 
>   static inline bool is_unrestricted_guest(struct kvm_vcpu *vcpu)
>   {
> 	return enable_unrestricted_guest && (!is_guest_mode(vcpu) ||
> 	       to_vmx(vcpu)->nested.unrestricted_guest);
>   }
>
> Putting the flag in loaded_vmcs might be more performant?  My guess is it'd
> be in the noise, at which point I'd rather have it be clear the override is
> only possible/necessary for nested guests.

Even better: you can use secondary_exec_controls_get, which does get the
flag from the loaded_vmcs :) but without actually having to add one.

>> I also see that enable_ept controls the setting of
>> enable_unrestricted_guest. Perhaps both need to be moved to loaded_vmcs ?
>
> No, letting L1 disable EPT in L0 would be pure insanity, and the overall
> paging mode of L2 is already reflected in the MMU.

Absolutely.  Unrestricted guest requires EPT, but EPT is invisible to
the guest.  (Currently EPT requires guest MAXPHYADDR = host MAXPHYADDR,
in the sense that the guest can detect that the host is lying about
MAXPHYADDR; but that is really a bug that I hope will be fixed in 5.8,
relaxing the requirement to guest MAXPHYADDR <= host PHYADDR).

Paolo

> The dependency on EPT is that VMX requires paging of some form and
> unrestricted guest allows entering non-root with CR0.PG=0, i.e. requires EPT
> be enabled.
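
Added example, not code from this thread or from the kernel: a user-space C model of the points above, where "unrestricted guest" is read from whichever VMCS is loaded, vmcs02 drops it when vmcs12 does not set it, and EPT stays under L0's control. The struct and model_* names are hypothetical; only the control and CR0 bit values are architectural, and only the PE/PG part of the guest CR0 check is modeled.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdint.h>

/* Architectural bit values (secondary controls, CR0). */
#define SECONDARY_EXEC_ENABLE_EPT          0x00000002u
#define SECONDARY_EXEC_UNRESTRICTED_GUEST  0x00000080u
#define X86_CR0_PE                         0x00000001u
#define X86_CR0_PG                         0x80000000u

/* Hypothetical stand-ins: one cached copy of the controls per VMCS. */
struct model_vmcs { uint32_t secondary_exec; };
struct model_vcpu {
	struct model_vmcs vmcs01;   /* L0's VMCS for running L1 */
	struct model_vmcs vmcs02;   /* L0's VMCS for running L2 */
	struct model_vmcs *loaded;  /* whichever one is current */
};

/* Build vmcs02 from L0's settings, dropping "unrestricted guest"
 * unless vmcs12 (L1's request) sets it. EPT is never L1's to clear. */
static void model_prepare_vmcs02(struct model_vcpu *v, uint32_t vmcs12_secondary)
{
	uint32_t ctl = v->vmcs01.secondary_exec;

	if (!(vmcs12_secondary & SECONDARY_EXEC_UNRESTRICTED_GUEST))
		ctl &= ~SECONDARY_EXEC_UNRESTRICTED_GUEST;
	v->vmcs02.secondary_exec = ctl;
}

/* The answer follows the loaded VMCS, so no separate nested flag. */
static bool model_is_unrestricted_guest(const struct model_vcpu *v)
{
	return v->loaded->secondary_exec & SECONDARY_EXEC_UNRESTRICTED_GUEST;
}

/* Without unrestricted guest, CR0.PE and CR0.PG must both be set;
 * with it, only PG=1 with PE=0 is rejected. */
static bool model_guest_cr0_ok(const struct model_vcpu *v, uint32_t cr0)
{
	bool pe = cr0 & X86_CR0_PE, pg = cr0 & X86_CR0_PG;

	return model_is_unrestricted_guest(v) ? (pe || !pg) : (pe && pg);
}

int main(void)
{
	struct model_vcpu v = { .vmcs01 = { SECONDARY_EXEC_ENABLE_EPT |
					    SECONDARY_EXEC_UNRESTRICTED_GUEST } };
	model_prepare_vmcs02(&v, 0);  /* vmcs12 leaves the control clear */
	v.loaded = &v.vmcs02;         /* running L2 */
	return model_guest_cr0_ok(&v, X86_CR0_PE); /* 0: unpaged L2 rejected */
}
```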


Thread overview: 14+ messages
2020-04-15 18:30 [PATCH 0/2 v2] kvm-unit-test: nVMX: Test Selector and Base Address fields of Guest Segment registers Krish Sadhukhan
2020-04-15 18:30 ` [PATCH 1/2 v2] KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it Krish Sadhukhan
2020-04-15 19:30   ` Sean Christopherson
2020-04-15 20:18     ` Jim Mattson
2020-04-16  9:18       ` Paolo Bonzini
2020-04-18  1:29         ` Krish Sadhukhan
2020-04-18  1:55           ` Sean Christopherson
2020-04-18  9:53             ` Paolo Bonzini [this message]
2020-04-20 15:12               ` Sean Christopherson
2020-04-28  7:25               ` Krish Sadhukhan
2020-04-28  8:14                 ` Paolo Bonzini
2020-04-28 17:38                   ` Krish Sadhukhan
2020-04-28 18:00                     ` Jim Mattson
2020-04-15 18:30 ` [PATCH 2/2 v2] kvm-unit-tests: nVMX: Test Selector and Base Address fields of Guest Segment Registers on vmentry of nested guests Krish Sadhukhan
