Bug 1298244 - kvm.conf - kvm_amd.nested=1
kvm.conf - kvm_amd.nested=1
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: qemu (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Fedora Virtualization Maintainers
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-13 10:17 EST by poma
Modified: 2016-01-25 15:22 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-21 10:16:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description poma 2016-01-13 10:17:21 EST
"add /etc/modprobe.d/kvm.conf"
http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=dda6c38

http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/tree/kvm.conf#n11
#option kvm_amd nested=1

Do we need a reference to kvm_amd.nested=1 at all when:

2009-09-10:
"KVM: SVM: enable nested svm by default"
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=4b6e4dc

"Nested SVM is (in my experience) stable enough to be enabled by default. So omit the requirement to pass a module parameter."

static int nested = 1;

...

2016-01-13:
still is enabled per default:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/tree/arch/x86/kvm/svm.c?id=refs/tags/next-20160113#n205

static int nested = true;

..

# virsh dumpxml <domain> | grep cpu\ mode
  <cpu mode='host-passthrough'>


$ hostnamectl status 
   Static hostname: localhost.localdomain
         Icon name: computer-vm
           Chassis: vm
                ...
    Virtualization: qemu
  Operating System: Fedora 24 (Rawhide)
       CPE OS Name: cpe:/o:fedoraproject:fedora:24
            Kernel: Linux 4.4.0-1.fc24.x86_64
      Architecture: x86-64


$ cat /sys/module/kvm_amd/parameters/nested
1
Comment 1 poma 2016-01-13 10:20:47 EST
Perhaps -only- for kvm_intel.nested=1 because:

2011-07-12:
"KVM: nVMX: Add "nested" module option to kvm_intel"
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=801d342

"This patch adds to kvm_intel a module option "nested". This option controls whether the guest can use VMX instructions, i.e., whether we allow nested virtualization. A similar, but separate, option already exists for the SVM module. This option currently defaults to 0, meaning that nested VMX must be explicitly enabled by giving nested=1. When nested VMX matures, the default should probably be changed to enable nested VMX by default - just like nested SVM is currently enabled by default."

...

2016-01-13:
still is disabled per default:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/tree/arch/x86/kvm/vmx.c?id=refs/tags/next-20160113#n103

static bool __read_mostly nested = 0;
Comment 2 poma 2016-01-13 10:25:23 EST
Care to comment, Mister Bonzini?
Comment 3 Cole Robinson 2016-01-13 10:27:38 EST
Your analysis is correct. amd defaults to nested=1, intel defaults to nested=0. But paolo indicated to me that the AMD default may be changes to nested=0 in the future. So I suggest we just wait and see
Comment 4 poma 2016-01-15 18:00:51 EST
Care to comment, Mister Bonzini?
Comment 5 Richard W.M. Jones 2016-01-16 03:18:57 EST
Paolo has already been asked about this, and the answer is
in comment 3.
Comment 6 poma 2016-01-16 04:05:47 EST
Care to comment, Mister Bonzini?
Comment 7 Cole Robinson 2016-01-21 10:16:28 EST
Here is the exact email paolo sent me:

On 01/10/2016 03:08 AM, Paolo Bonzini wrote:
> Hi Cole,
> 
> The default is off for Intel and I am thinking of changing it for AMD, either upstream or in Rawhide. I haven't created a bug did the latter though.
> 
> Paolo
> 

If that's not sufficient for you, email him yourself. Please stop reopening this bug
Comment 8 Paolo Bonzini 2016-01-23 15:45:18 EST
Nested virtualization has never been audited for security, so I'll change it to disabled in 4.5.
Comment 9 poma 2016-01-25 15:22:19 EST
Yeah, from the production perspective that is the eventual problem.
After all that's your "bread and butter".

Good luck with that

Note You need to log in before you can comment on or make changes to this bug.