From: David Hildenbrand
Subject: Re: [PATCH] KVM: nVMX: initialize PML fields in vmcs02
Date: Tue, 4 Apr 2017 15:25:48 +0200
Message-ID: <01e8ab04-4e16-ac99-bb1d-994bbd937787@redhat.com>
References: <20170404121853.28057-1-lprosek@redhat.com> <903edb56-6e81-b528-cc20-a710e91aba3b@redhat.com>
In-Reply-To: <903edb56-6e81-b528-cc20-a710e91aba3b@redhat.com>
To: Ladi Prosek
Cc: KVM list, kai.huang@linux.intel.com, Wanpeng Li

On 04.04.2017 15:09, David Hildenbrand wrote:
>
>>>> +	if (enable_pml) {
>>>> +		/*
>>>> +		 * Conceptually we want to copy the PML address and index from
>>>> +		 * vmcs01 here, and then back to vmcs01 on nested vmexit. But,
>>>> +		 * since we always flush the log on each vmexit, this happens
>>>
>>> we == KVM running in g2?
>>>
>>> If so, other hypervisors might handle this differently.
>>
>> No, we as KVM in L0. Hypervisors running in L1 do not see PML at all,
>> this is L0-only code.
>
> Okay, was just confused why we enable PML for our nested guest (L2)
> although not supported/enabled for guest hypervisors (L1). I would have
> guessed that it is to be kept disabled completely for nested guests
> (!SECONDARY_EXEC_ENABLE_PML).
>
> But I assume that this is a mysterious detail of the MMU code I still have
> to look into in detail.
>

So for secondary exec controls we:

1. enable almost any exec control enabled also for our L1 (except 4 of them)
   -> slightly scary, but I hope somebody thought well of this
2. blindly copy over whatever L2 gave us
   -> very scary

Especially if I am not wrong:

PML available on HW but disabled by setting "enable_pml = 0".
L1 blindly enabling PML for L2.

We now run our vmcs02 with SECONDARY_EXEC_ENABLE_PML without pml regions
being set up.

Am I missing a whitelist somewhere? I hope so. Such things should always
have whitelists.

-- 

Thanks,

David
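The two merge steps described in the mail, and the whitelist it asks about, as an added standalone model in C. This is example code written for this page, not KVM's nested-VMX code: the control bit values follow the Intel SDM positions for the secondary processor-based VM-execution controls, but `struct l0_state`, `control_verify()`, `make_l0()` and the merge functions are illustrative names and a simplified model. It assumes the whitelist takes the form of the VMX capability-MSR check (every set bit allowed-1, every clear bit allowed-0) applied to vmcs12 before the merge, and contrasts that with the unchecked "inherit vmcs01, then OR in vmcs12" merge, using the exact scenario from the mail: PML off in L0, L1 setting SECONDARY_EXEC_ENABLE_PML for L2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Secondary processor-based VM-execution control bits (Intel SDM bit
 * positions). Only the four bits this model uses are defined. */
#define SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES 0x00000001u
#define SECONDARY_EXEC_ENABLE_EPT               0x00000002u
#define SECONDARY_EXEC_UNRESTRICTED_GUEST       0x00000080u
#define SECONDARY_EXEC_ENABLE_PML               0x00020000u

/* Modelled: L0-private controls dropped from vmcs01 when deriving vmcs02
 * (the "except a few of them" in the mail). */
#define VMCS02_DROP_FROM_VMCS01 (SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)

/* Modelled L0 state: the controls L0 runs L1 with, plus the allowed-0 and
 * allowed-1 masks it advertises to L1 for these controls. */
struct l0_state {
    uint32_t vmcs01_secondary;
    uint32_t nested_ctls_low;   /* bits that must be 1 in vmcs12 */
    uint32_t nested_ctls_high;  /* bits that may be 1 in vmcs12 */
};

/* Capability-MSR semantics: every set bit must be allowed-1 and every
 * clear bit must be allowed-0, otherwise the controls are invalid. */
static bool control_verify(uint32_t controls, uint32_t low, uint32_t high)
{
    return ((controls & high) | low) == controls;
}

/* Allowed-1 mask offered to L1. PML is never offered (the thread states L1
 * does not see PML); EPT and unrestricted guest only when L0 has them. */
static uint32_t nested_ctls_high_for(uint32_t vmcs01_secondary)
{
    return vmcs01_secondary &
           (SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_UNRESTRICTED_GUEST);
}

/* Constructed L0 configuration: EPT, unrestricted guest, APIC-access
 * virtualization, and PML only if the modelled enable_pml parameter is on. */
static struct l0_state make_l0(bool enable_pml)
{
    struct l0_state l0;
    l0.vmcs01_secondary = SECONDARY_EXEC_ENABLE_EPT |
                          SECONDARY_EXEC_UNRESTRICTED_GUEST |
                          SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
                          (enable_pml ? SECONDARY_EXEC_ENABLE_PML : 0u);
    l0.nested_ctls_low = 0;
    l0.nested_ctls_high = nested_ctls_high_for(l0.vmcs01_secondary);
    return l0;
}

/* Steps 1 and 2 from the mail with no validation: inherit vmcs01 minus the
 * L0-private bits, then OR in whatever L1 wrote into vmcs12. */
static uint32_t merge_secondary_unchecked(const struct l0_state *l0,
                                          uint32_t vmcs12_secondary)
{
    uint32_t ctl = l0->vmcs01_secondary & ~VMCS02_DROP_FROM_VMCS01;
    return ctl | vmcs12_secondary;
}

/* The same merge gated by the whitelist: vmcs12 controls that fail the
 * capability check never reach vmcs02 and the nested entry is refused. */
static bool merge_secondary_checked(const struct l0_state *l0,
                                    uint32_t vmcs12_secondary,
                                    uint32_t *vmcs02_secondary)
{
    if (!control_verify(vmcs12_secondary, l0->nested_ctls_low,
                        l0->nested_ctls_high))
        return false;
    *vmcs02_secondary = merge_secondary_unchecked(l0, vmcs12_secondary);
    return true;
}

/* Scenario from the mail: PML off in L0, L1 sets PML in vmcs12. The
 * unchecked merge lets the PML bit land in vmcs02 with no PML region set up. */
uint32_t unchecked_vmcs02_when_l1_sets_pml(void)
{
    struct l0_state l0 = make_l0(false);
    return merge_secondary_unchecked(&l0, SECONDARY_EXEC_ENABLE_EPT |
                                          SECONDARY_EXEC_ENABLE_PML);
}

/* Same scenario through the whitelist: the entry is refused. */
bool checked_entry_when_l1_sets_pml(void)
{
    struct l0_state l0 = make_l0(false);
    uint32_t vmcs02 = 0;
    return merge_secondary_checked(&l0, SECONDARY_EXEC_ENABLE_EPT |
                                        SECONDARY_EXEC_ENABLE_PML, &vmcs02);
}

/* Returns the merged vmcs02 controls for a vmcs12 L0 did offer, or 0 if the
 * check refuses the entry. enable_pml selects whether L0 itself has PML on;
 * when it does, the PML bit in vmcs02 comes from vmcs01 (step 1), which is
 * exactly the case in which vmcs02's PML fields must be initialized. */
uint32_t checked_vmcs02_with_offered_controls(bool enable_pml)
{
    struct l0_state l0 = make_l0(enable_pml);
    uint32_t vmcs02 = 0;
    if (!merge_secondary_checked(&l0, SECONDARY_EXEC_ENABLE_EPT, &vmcs02))
        return 0;
    return vmcs02;
}

int main(void)
{
    printf("unchecked, PML off in L0: vmcs02 = 0x%08x (PML bit %s)\n",
           unchecked_vmcs02_when_l1_sets_pml(),
           (unchecked_vmcs02_when_l1_sets_pml() & SECONDARY_EXEC_ENABLE_PML)
               ? "set" : "clear");
    printf("checked, PML off in L0: entry accepted = %d\n",
           checked_entry_when_l1_sets_pml());
    printf("checked, EPT only, L0 PML off: vmcs02 = 0x%08x\n",
           checked_vmcs02_with_offered_controls(false));
    printf("checked, EPT only, L0 PML on:  vmcs02 = 0x%08x\n",
           checked_vmcs02_with_offered_controls(true));
    return 0;
}
```

The check is deliberately placed on vmcs12 before any merge, so the only way a control bit reaches vmcs02 is either because L0 runs with it itself (step 1) or because L0 advertised it to L1 and L1 set it (step 2 after the whitelist); a bit like PML that L0 never advertises can then only arrive via step 1, where L0 is responsible for the matching VMCS fields.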