Bug 1298244 - kvm.conf - kvm_amd.nested=1
Summary: kvm.conf - kvm_amd.nested=1
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-01-13 15:17 UTC by poma
Modified: 2016-01-25 20:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-21 15:16:28 UTC
Type: Bug



Description poma 2016-01-13 15:17:21 UTC
"add /etc/modprobe.d/kvm.conf"
http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=dda6c38

http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/tree/kvm.conf#n11
#option kvm_amd nested=1

Do we need a reference to kvm_amd.nested=1 at all when:

2009-09-10:
"KVM: SVM: enable nested svm by default"
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=4b6e4dc

"Nested SVM is (in my experience) stable enough to be enabled by default. So omit the requirement to pass a module parameter."

static int nested = 1;

...

2016-01-13:
still enabled by default:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/tree/arch/x86/kvm/svm.c?id=refs/tags/next-20160113#n205

static int nested = true;

..

# virsh dumpxml <domain> | grep cpu\ mode
  <cpu mode='host-passthrough'>


$ hostnamectl status 
   Static hostname: localhost.localdomain
         Icon name: computer-vm
           Chassis: vm
                ...
    Virtualization: qemu
  Operating System: Fedora 24 (Rawhide)
       CPE OS Name: cpe:/o:fedoraproject:fedora:24
            Kernel: Linux 4.4.0-1.fc24.x86_64
      Architecture: x86-64


$ cat /sys/module/kvm_amd/parameters/nested
1
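
The check at the end of the description, generalised to both KVM vendor modules, as an added shell example that is not part of this bug report. The `kvm_nested_state` and `kvm_nested_conf_line` functions and the fixture directory are constructed here; note that kvm_intel's `nested` is a bool module parameter, so sysfs reports it as Y/N rather than 1/0.

```shell
# Added example (not from the bug report): report the effective nested-virt
# setting for whichever KVM vendor module is loaded. SYSROOT defaults to /sys
# so the function can be pointed at a constructed fixture tree offline.
kvm_nested_state() {
    sysroot="${1:-/sys}"
    for mod in kvm_amd kvm_intel; do
        param="$sysroot/module/$mod/parameters/nested"
        if [ -r "$param" ]; then
            val=$(cat "$param")
            # kvm_amd declares nested as int (prints 1/0); kvm_intel declares
            # it as bool (prints Y/N). Normalise both to nested=1 / nested=0.
            case "$val" in
                1|Y|y) echo "$mod nested=1" ;;
                *)     echo "$mod nested=0" ;;
            esac
            return 0
        fi
    done
    echo "no kvm vendor module loaded"
    return 1
}

# Emit the /etc/modprobe.d/kvm.conf line that pins the setting explicitly,
# so the host does not depend on whichever default the kernel ships with
# (nested=0 is the hardening choice discussed in this bug).
kvm_nested_conf_line() {
    mod="$1"
    enable="${2:-0}"
    printf 'options %s nested=%s\n' "$mod" "$enable"
}

# Constructed fixture: a fake sysfs tree with kvm_amd loaded and nested=1,
# mirroring the reporter's host.
demo() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/module/kvm_amd/parameters"
    echo 1 > "$fixture/module/kvm_amd/parameters/nested"
    kvm_nested_state "$fixture"
    kvm_nested_conf_line kvm_amd 0
    rm -rf "$fixture"
}
demo
```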

Comment 1 poma 2016-01-13 15:20:47 UTC
Perhaps -only- for kvm_intel.nested=1 because:

2011-07-12:
"KVM: nVMX: Add "nested" module option to kvm_intel"
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=801d342

"This patch adds to kvm_intel a module option "nested". This option controls whether the guest can use VMX instructions, i.e., whether we allow nested virtualization. A similar, but separate, option already exists for the SVM module. This option currently defaults to 0, meaning that nested VMX must be explicitly enabled by giving nested=1. When nested VMX matures, the default should probably be changed to enable nested VMX by default - just like nested SVM is currently enabled by default."

...

2016-01-13:
still disabled by default:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/tree/arch/x86/kvm/vmx.c?id=refs/tags/next-20160113#n103

static bool __read_mostly nested = 0;

Comment 2 poma 2016-01-13 15:25:23 UTC
Care to comment, Mister Bonzini?

Comment 3 Cole Robinson 2016-01-13 15:27:38 UTC
Your analysis is correct. AMD defaults to nested=1, Intel defaults to nested=0. But Paolo indicated to me that the AMD default may be changed to nested=0 in the future. So I suggest we just wait and see.

Comment 4 poma 2016-01-15 23:00:51 UTC
Care to comment, Mister Bonzini?

Comment 5 Richard W.M. Jones 2016-01-16 08:18:57 UTC
Paolo has already been asked about this, and the answer is in comment 3.

Comment 6 poma 2016-01-16 09:05:47 UTC
Care to comment, Mister Bonzini?

Comment 7 Cole Robinson 2016-01-21 15:16:28 UTC
Here is the exact email Paolo sent me:

On 01/10/2016 03:08 AM, Paolo Bonzini wrote:
> Hi Cole,
> 
> The default is off for Intel and I am thinking of changing it for AMD, either upstream or in Rawhide. I haven't created a bug did the latter though.
> 
> Paolo
> 

If that's not sufficient for you, email him yourself. Please stop reopening this bug.

Comment 8 Paolo Bonzini 2016-01-23 20:45:18 UTC
Nested virtualization has never been audited for security, so I'll change it to disabled in 4.5.

Comment 9 poma 2016-01-25 20:22:19 UTC
Yeah, from the production perspective that is the eventual problem.
After all that's your "bread and butter".

Good luck with that.

