Bug 1298244
Summary: | kvm.conf - kvm_amd.nested=1 | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | poma <pomidorabelisima>
Component: | qemu | Assignee: | Fedora Virtualization Maintainers <virt-maint>
Status: | CLOSED DEFERRED | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | rawhide | CC: | amit.shah, berrange, cfergeau, crobinso, dwmw2, itamar, pbonzini, rjones, virt-maint
Target Milestone: | --- | Keywords: | Reopened
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2016-01-21 15:16:28 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
poma
2016-01-13 15:17:21 UTC
Perhaps -only- for kvm_intel.nested=1, because:

2011-07-12: "KVM: nVMX: Add "nested" module option to kvm_intel"
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=801d342

"This patch adds to kvm_intel a module option "nested". This option controls whether the guest can use VMX instructions, i.e., whether we allow nested virtualization. A similar, but separate, option already exists for the SVM module. This option currently defaults to 0, meaning that nested VMX must be explicitly enabled by giving nested=1. When nested VMX matures, the default should probably be changed to enable nested VMX by default - just like nested SVM is currently enabled by default."

...

2016-01-13: it is still disabled by default:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/tree/arch/x86/kvm/vmx.c?id=refs/tags/next-20160113#n103

    static bool __read_mostly nested = 0;

Care to comment, Mister Bonzini?

Your analysis is correct. AMD defaults to nested=1, Intel defaults to nested=0. But Paolo indicated to me that the AMD default may be changed to nested=0 in the future. So I suggest we just wait and see.

Care to comment, Mister Bonzini?

Paolo has already been asked about this, and the answer is in comment 3.

Care to comment, Mister Bonzini?

Here is the exact email Paolo sent me:

On 01/10/2016 03:08 AM, Paolo Bonzini wrote:
> Hi Cole,
>
> The default is off for Intel and I am thinking of changing it for AMD, either upstream or in Rawhide. I haven't created a bug did the latter though.
>
> Paolo
>

If that's not sufficient for you, email him yourself. Please stop reopening this bug.

Nested virtualization has never been audited for security, so I'll change it to disabled in 4.5.

Yeah, from the production perspective that is the eventual problem. After all, that's your "bread and butter". Good luck with that.
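As an added example (not part of the bug report, and not tooling from the KVM or Fedora projects), the following POSIX shell script does what the thread is arguing about on a real host: it picks the vendor KVM module from the CPU flags (vmx for kvm_intel, svm for kvm_amd), reads the live value of that module's `nested` parameter from sysfs instead of assuming the default, and prints the `/etc/modprobe.d/kvm.conf` line that pins the setting explicitly. The thread shows why assuming is unsafe: the default differs between the two modules and the maintainer says he intends to change it. The `SYSFS_ROOT` override, the helper names and the suggested file name `kvm_nested.sh` are assumptions of this example; the `options <module> <param>=<value>` syntax is the standard modprobe.d form.

```shell
#!/bin/sh
# Added example, not from the bug report: check the live KVM "nested" setting
# and print the kvm.conf line that pins it. SYSFS_ROOT is an assumption of this
# example; it is overridable so the helpers can be exercised without a KVM host.
: "${SYSFS_ROOT:=/sys/module}"

# Map the "flags" line of /proc/cpuinfo to the vendor module:
# "vmx" -> kvm_intel (Intel VT-x), "svm" -> kvm_amd (AMD-V), otherwise empty.
kvm_module_for_flags() {
    case " $1 " in
        *" vmx "*) echo kvm_intel ;;
        *" svm "*) echo kvm_amd ;;
        *)         echo "" ;;
    esac
}

# Normalise <module>/parameters/nested to enabled/disabled/not-loaded/unknown.
# The kernel shows bool module parameters as Y/N; the older int form of this
# parameter showed 1/0, so both spellings are accepted.
nested_state() {
    f="$SYSFS_ROOT/$1/parameters/nested"
    [ -r "$f" ] || { echo "not-loaded"; return 0; }
    read -r v < "$f" || v=""
    case "$v" in
        Y|y|1) echo "enabled" ;;
        N|n|0) echo "disabled" ;;
        *)     echo "unknown" ;;
    esac
}

# The single line that belongs in /etc/modprobe.d/kvm.conf: module name, then 0 or 1.
kvm_conf_line() {
    echo "options $1 nested=$2"
}

main() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
    mod=$(kvm_module_for_flags "$flags")
    if [ -z "$mod" ]; then
        echo "no vmx/svm flag found: hardware virtualization unavailable or /proc/cpuinfo unreadable"
        return 0
    fi
    echo "module: $mod   nested: $(nested_state "$mod")"
    echo "to pin nested virtualization off (reload $mod or reboot afterwards):"
    kvm_conf_line "$mod" 0
}

# Run main only when executed as kvm_nested.sh; sourcing the file just defines the helpers.
case "${0##*/}" in
    kvm_nested.sh) main ;;
esac
```

The printed line pins `nested=0`, matching the maintainer's position in the thread; write `1` instead if you knowingly want nested guests. A pinned line in kvm.conf is applied when the module is loaded, so it takes effect only after `modprobe -r <module>; modprobe <module>` (with no guests running) or at the next boot, and it keeps the setting stable even if a later kernel flips the default the other way.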