[PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Roger Pau Monne]

If shadow paging has been compiled out short circuit the creation of HVM
guests that attempt to use shadow paging at arch_sanitise_domain_config().
There's no need to further build the domain when creation is doomed to fail
later on.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
 xen/arch/x86/domain.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 8b2f33f1a06c..8eb1509782ef 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
         return -EINVAL;
     }
 
+    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
+    {
+        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");
+        return -EINVAL;
+    }
+
     if ( !hvm )
         /*
          * It is only meaningful for XEN_DOMCTL_CDF_oos_off to be clear
-- 
2.51.0

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Jan Beulich]

On 09.02.2026 15:40, Roger Pau Monne wrote:
> If shadow paging has been compiled out short circuit the creation of HVM
> guests that attempt to use shadow paging at arch_sanitise_domain_config().
> There's no need to further build the domain when creation is doomed to fail
> later on.
> 
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

Acked-by: Jan Beulich <jbeulich@suse.com>

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Alejandro Vallejo]

On Mon Feb 9, 2026 at 3:40 PM CET, Roger Pau Monne wrote:
> If shadow paging has been compiled out short circuit the creation of HVM
> guests that attempt to use shadow paging at arch_sanitise_domain_config().
> There's no need to further build the domain when creation is doomed to fail
> later on.
>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
>  xen/arch/x86/domain.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
> index 8b2f33f1a06c..8eb1509782ef 100644
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
>          return -EINVAL;
>      }
>  
> +    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
> +    {
> +        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");

nit: s/requested/required/, maybe?

Also, with this in place can't we get rid of the panic in create_dom0() that
checks an identical condition?

Cheers,
Alejandro

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Roger Pau Monné]

On Mon, Feb 09, 2026 at 05:02:26PM +0100, Alejandro Vallejo wrote:
> On Mon Feb 9, 2026 at 3:40 PM CET, Roger Pau Monne wrote:
> > If shadow paging has been compiled out short circuit the creation of HVM
> > guests that attempt to use shadow paging at arch_sanitise_domain_config().
> > There's no need to further build the domain when creation is doomed to fail
> > later on.
> >
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> > ---
> >  xen/arch/x86/domain.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
> > index 8b2f33f1a06c..8eb1509782ef 100644
> > --- a/xen/arch/x86/domain.c
> > +++ b/xen/arch/x86/domain.c
> > @@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
> >          return -EINVAL;
> >      }
> >  
> > +    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
> > +    {
> > +        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");
> 
> nit: s/requested/required/, maybe?

The wording matches the rest of the messages in
arch_sanitise_domain_config().  I'm not saying that makes it correct,
but if we word this differently we should also change the others
IMO.

> Also, with this in place can't we get rid of the panic in create_dom0() that
> checks an identical condition?

Hm, I would possibly leave that one, as I think it's clearer for the
dom0 case.  Otherwise someone using a build without HAP or shadow and
attempting to boot in PVH mode will get a message saying: "Shadow
paging requested but not available", which is IMO less clear than
getting a "Neither HAP nor Shadow available for PVH domain" error
message.

Just my thinking, both checks achieve the same result, but the error
message in the create_dom0() instance is more helpful in the context
of dom0 creation.

Thanks, Roger.

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Jan Beulich]

On 09.02.2026 17:11, Roger Pau Monné wrote:
> On Mon, Feb 09, 2026 at 05:02:26PM +0100, Alejandro Vallejo wrote:
>> On Mon Feb 9, 2026 at 3:40 PM CET, Roger Pau Monne wrote:
>>> If shadow paging has been compiled out short circuit the creation of HVM
>>> guests that attempt to use shadow paging at arch_sanitise_domain_config().
>>> There's no need to further build the domain when creation is doomed to fail
>>> later on.
>>>
>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>> ---
>>>  xen/arch/x86/domain.c | 6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
>>> index 8b2f33f1a06c..8eb1509782ef 100644
>>> --- a/xen/arch/x86/domain.c
>>> +++ b/xen/arch/x86/domain.c
>>> @@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
>>>          return -EINVAL;
>>>      }
>>>  
>>> +    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
>>> +    {
>>> +        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");
>>
>> nit: s/requested/required/, maybe?
> 
> The wording matches the rest of the messages in
> arch_sanitise_domain_config().  I'm not saying that makes it correct,
> but if we word this differently we should also change the others
> IMO.

+1

>> Also, with this in place can't we get rid of the panic in create_dom0() that
>> checks an identical condition?
> 
> Hm, I would possibly leave that one, as I think it's clearer for the
> dom0 case.  Otherwise someone using a build without HAP or shadow and
> attempting to boot in PVH mode will get a message saying: "Shadow
> paging requested but not available", which is IMO less clear than
> getting a "Neither HAP nor Shadow available for PVH domain" error
> message.
> 
> Just my thinking, both checks achieve the same result, but the error
> message in the create_dom0() instance is more helpful in the context
> of dom0 creation.

+1

Jan

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Alejandro Vallejo]

On Mon Feb 9, 2026 at 5:11 PM CET, Roger Pau Monné wrote:
> On Mon, Feb 09, 2026 at 05:02:26PM +0100, Alejandro Vallejo wrote:
>> On Mon Feb 9, 2026 at 3:40 PM CET, Roger Pau Monne wrote:
>> > If shadow paging has been compiled out short circuit the creation of HVM
>> > guests that attempt to use shadow paging at arch_sanitise_domain_config().
>> > There's no need to further build the domain when creation is doomed to fail
>> > later on.
>> >
>> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> > ---
>> >  xen/arch/x86/domain.c | 6 ++++++
>> >  1 file changed, 6 insertions(+)
>> >
>> > diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
>> > index 8b2f33f1a06c..8eb1509782ef 100644
>> > --- a/xen/arch/x86/domain.c
>> > +++ b/xen/arch/x86/domain.c
>> > @@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
>> >          return -EINVAL;
>> >      }
>> >  
>> > +    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
>> > +    {
>> > +        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");
>> 
>> nit: s/requested/required/, maybe?
>
> The wording matches the rest of the messages in
> arch_sanitise_domain_config().  I'm not saying that makes it correct,
> but if we word this differently we should also change the others
> IMO.

My point is rather that HAP, or relaxed MSRs, or other settings are actively
requested via createdomain flags. Shadow is instead the consequence of not
setting HAP. You don't request shadow, you either requested something else or
you hit the error.

It's not terrible wording, just imprecise.

>> Also, with this in place can't we get rid of the panic in create_dom0() that
>> checks an identical condition?
>
> Hm, I would possibly leave that one, as I think it's clearer for the
> dom0 case.  Otherwise someone using a build without HAP or shadow and
> attempting to boot in PVH mode will get a message saying: "Shadow
> paging requested but not available", which is IMO less clear than
> getting a "Neither HAP nor Shadow available for PVH domain" error
> message.
>
> Just my thinking, both checks achieve the same result, but the error
> message in the create_dom0() instance is more helpful in the context
> of dom0 creation.

Fair enough. It doesn't matter much anyway. With or without the adjusted printk.

  Reviewed-by: Alejandro Vallejo <alejandro.garciavallejo@amd.com>

Cheers,
Alejandro

Re: [PATCH] x86/hvm: short-circuit HVM shadow guest creation earlier

[Roger Pau Monné]

On Mon, Feb 09, 2026 at 05:26:54PM +0100, Alejandro Vallejo wrote:
> On Mon Feb 9, 2026 at 5:11 PM CET, Roger Pau Monné wrote:
> > On Mon, Feb 09, 2026 at 05:02:26PM +0100, Alejandro Vallejo wrote:
> >> On Mon Feb 9, 2026 at 3:40 PM CET, Roger Pau Monne wrote:
> >> > If shadow paging has been compiled out short circuit the creation of HVM
> >> > guests that attempt to use shadow paging at arch_sanitise_domain_config().
> >> > There's no need to further build the domain when creation is doomed to fail
> >> > later on.
> >> >
> >> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> >> > ---
> >> >  xen/arch/x86/domain.c | 6 ++++++
> >> >  1 file changed, 6 insertions(+)
> >> >
> >> > diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
> >> > index 8b2f33f1a06c..8eb1509782ef 100644
> >> > --- a/xen/arch/x86/domain.c
> >> > +++ b/xen/arch/x86/domain.c
> >> > @@ -627,6 +627,12 @@ int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
> >> >          return -EINVAL;
> >> >      }
> >> >  
> >> > +    if ( hvm && !hap && !IS_ENABLED(CONFIG_SHADOW_PAGING) )
> >> > +    {
> >> > +        dprintk(XENLOG_INFO, "Shadow paging requested but not available\n");
> >> 
> >> nit: s/requested/required/, maybe?
> >
> > The wording matches the rest of the messages in
> > arch_sanitise_domain_config().  I'm not saying that makes it correct,
> > but if we word this differently we should also change the others
> > IMO.
> 
> My point is rather that HAP, or relaxed MSRs, or other settings are actively
> requested via createdomain flags. Shadow is instead the consequence of not
> setting HAP. You don't request shadow, you either requested something else or
> you hit the error.
> 
> It's not terrible wording, just imprecise.

Hm, I see.  I've always considered not requesting HAP equivalent to
requesting shadow.  IOW: not setting XEN_DOMCTL_CDF_hap doesn't mean
"pick any possible option" but rather it's an explicit request to use
shadow paging on HVM.

The interface would possibly be cleaner if we had both a HAP and
Shadow flags, and lack of any being selected could mean for Xen to
pick the default one.

Thanks, Roger.