From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christoph Egger
Subject: Re: [PATCH 04/17] vmx: nest: domain and vcpu flags
Date: Thu, 20 May 2010 11:51:49 +0200
Message-ID: <201005201151.49589.Christoph.Egger@amd.com>
References: <1271929289-18572-1-git-send-email-qing.he@intel.com> <1271929289-18572-5-git-send-email-qing.he@intel.com> <20100520093753.GL4164@whitby.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20100520093753.GL4164@whitby.uk.xensource.com>
Content-Disposition: inline
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
Cc: Tim Deegan, Qing He
List-Id: xen-devel@lists.xenproject.org

On Thursday 20 May 2010 11:37:53 Tim Deegan wrote:
> At 10:41 +0100 on 22 Apr (1271932876), Qing He wrote:
> > Introduce a domain create flag to allow user to set availability
> > of nested virtualization.
> > The flag will be used to disable all reporting and function
> > facilities, improving guest security.
>
> I have the same reservation about this as Christoph's patch: I don't
> think this needs to be a create-time flag - there's no reason it can't
> be enabled or disabled with a domctl after domain creation. (And of
> course we'll want it to be the same interface on both SVM and VMX.)

I already reworked that part to use HVM_PARAM_*.
It showed up one caveat: nestedhvm_enabled() becomes true only after
p2m_init() has run, so the hap-on-hap code wasn't initialized.
I worked around that by initialising the nestedp2m's in p2m_init()
unconditionally, whether or not nestedhvm=1 is in the guest config file.

Christoph

-- 
---to satisfy European Law for business letters:
Advanced Micro Devices GmbH
Einsteinring 24, 85609 Dornach b. Muenchen
Managing Directors: Andrew Bowd, Thomas M. McCoy, Giuliano Meroni
Registered office: Dornach, municipality of Aschheim, district of Muenchen
Register court: Muenchen, HRB No. 43632