From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: KVM SVM(AMD) nested - disabled by default?
Date: Sat, 23 Jan 2016 22:05:32 +0100
Message-ID: <56A3EB1C.5020605@redhat.com>
References: <56A39729.8020106@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: kvm-devel , Joerg Roedel , Avi Kivity , Cole Robinson , "Richard W.M. Jones"
To: poma
Return-path:
Received: from mail-wm0-f50.google.com ([74.125.82.50]:38348 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755018AbcAWVFj (ORCPT ); Sat, 23 Jan 2016 16:05:39 -0500
Received: by mail-wm0-f50.google.com with SMTP id b14so28182877wmb.1 for ; Sat, 23 Jan 2016 13:05:38 -0800 (PST)
In-Reply-To: <56A39729.8020106@gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 23/01/2016 16:07, poma wrote:
> "KVM: SVM: enable nested svm by default"
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/arch/x86/kvm?id=4b6e4dc
> "Nested SVM is (in my experience) stable enough to be enabled by default. So omit the requirement to pass a module parameter."
>
> I tried to get an explanation of the eventual -default- change here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1298244
>
> but "... I am *thinking* of changing it ..." ain't explanation, man.
>
> I've tested "Nested SVM" myself and it works surprisingly well,
> therefore what is the -actual- reason to switch it off by default?

Neither nested VMX nor nested SVM have ever been audited for security;
they could have bugs that let a malicious guest escape L0. In fact I
would be surprised if they don't. :(

Paolo
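A host-side check for the setting this thread is about, added here as an example and not part of the mailing-list message: the script reads the `nested` module parameter that kvm_amd and kvm_intel expose under /sys/module and reports whether nested virtualization is on, so an operator running untrusted guests can confirm it is off. The function names, the `--run` flag and the modprobe.d file name are assumptions; the sysfs path and the `options kvm_amd nested=0` syntax are standard.

```shell
#!/bin/sh
# Added example: report whether KVM nested virtualization is enabled on this host.
# kvm_amd and kvm_intel expose a "nested" parameter at
# /sys/module/<mod>/parameters/nested. Depending on the module and kernel
# version the value prints as 0/1 or N/Y, so both encodings are handled.

# nested_state FILE -> prints "enabled", "disabled" or "absent"
# ("absent": module not loaded or parameter not present on this kernel)
nested_state() {
    file="$1"
    [ -r "$file" ] || { echo absent; return 0; }
    val=$(tr -d '[:space:]' < "$file")
    case "$val" in
        1|Y|y) echo enabled ;;
        0|N|n) echo disabled ;;
        *)     echo "unknown($val)" ;;
    esac
}

# check_host -> one line per KVM vendor module; exit status 1 if any is enabled
check_host() {
    rc=0
    for mod in kvm_amd kvm_intel; do
        state=$(nested_state "/sys/module/$mod/parameters/nested")
        echo "$mod nested: $state"
        [ "$state" = enabled ] && rc=1
    done
    return $rc
}

# To keep nested SVM off regardless of the kernel's compiled-in default, pin
# the parameter in modprobe configuration (takes effect on the next module load):
#   echo 'options kvm_amd nested=0' > /etc/modprobe.d/kvm-nested.conf   # file name assumed
# Verify afterwards with: cat /sys/module/kvm_amd/parameters/nested

if [ "${1:-}" = "--run" ]; then
    check_host
fi
```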