From mboxrd@z Thu Jan  1 00:00:00 1970
From: Avi Kivity
Subject: Re: [PATCH 1/7] Nested VMX patch 1 implements vmon and vmoff
Date: Sun, 20 Dec 2009 21:04:49 +0200
Message-ID: <4B2E7551.6050201@redhat.com>
References: <1260470309-7166-1-git-send-email-oritw@il.ibm.com> <1260470309-7166-2-git-send-email-oritw@il.ibm.com> <20091220142018.GI4490@redhat.com> <87eimpefpn.fsf@basil.nowhere.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Gleb Natapov , oritw@il.ibm.com, kvm@vger.kernel.org, benami@il.ibm.com, abelg@il.ibm.com, muli@il.ibm.com, aliguori@us.ibm.com, mdday@us.ibm.com
To: Andi Kleen
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:26053 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751280AbZLTTFE (ORCPT ); Sun, 20 Dec 2009 14:05:04 -0500
In-Reply-To: <87eimpefpn.fsf@basil.nowhere.org>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 12/20/2009 07:08 PM, Andi Kleen wrote:
> Gleb Natapov writes:
>
>>>
>>> +int nested = 1;
>>> +EXPORT_SYMBOL_GPL(nested);
>>>
> Unless this is a lot better tested and audited wouldn't it make more sense
> to default it to off?
>

This is actually a move of an existing svm-only variable, which defaults to enabled.  Nested svm has been tested for a while.

> I don't think it's a big burden to let users set a special knob for this,
> but it would be a big problem if there was some kind of jail break
> hidden in there that could be exploited by malicious guests.
>

True.  It makes sense to have different defaults for vmx and svm.

> Since VMX was not originally designed to be nested that wouldn't surprise me.
>

vmx was designed to correct the non-virtualizability of x86.  It would have been criminal to design it without nesting in mind, especially given all the prior art.  vmx does support nesting, albeit not very efficiently.

-- 
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
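Review bot: the quoted hunk initialises `nested` to 1 and exports it with `EXPORT_SYMBOL_GPL(nested)`, but no `module_param` declaration is visible in these lines, so from the fragment alone it is not clear how an administrator would turn nested virtualization off; since the thread itself notes the svm default was chosen after a period of testing that the vmx path has not had, the change should make the knob explicit (for example a `module_param` on `nested`) and let the vmx side carry its own default of 0 rather than inheriting the svm value through one shared variable.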