On 2/13/26 17:02, Stefano Stabellini wrote: > Introduce CONFIG_NESTED_VIRT (default n) to allow nested virtualization > support to be disabled at build time. This is useful for embedded or > safety-focused deployments where nested virtualization is not needed, > reducing code size and attack surface. > > When CONFIG_NESTED_VIRT=n, the following source files are excluded: > - arch/x86/hvm/nestedhvm.c > - arch/x86/hvm/svm/nestedsvm.c > - arch/x86/hvm/vmx/vvmx.c > - arch/x86/mm/nested.c > - arch/x86/mm/hap/nested_hap.c > - arch/x86/mm/hap/nested_ept.c > > Add inline stubs where needed in headers. Guard assembly code paths > for nested virt with #ifdef CONFIG_NESTED_VIRT. Move exception > injection for VMX/SVM instructions to the callers in vmx.c/svm.c to > avoid header dependency issues in the stubs. > > No functional change when CONFIG_NESTED_VIRT=y. > > Signed-off-by: Stefano Stabellini <[email protected]> > > --- > Changes in v3: > - Kconfig: Change "depends on AMD_SVM || INTEL_VMX" to "depends on HVM" > - Kconfig: Remove redundant "default n" line > - Kconfig: Remove "If unsure, say N." from help text > - mm/hap/Makefile: Simplify using intermediate nested-y variable: > nested-y := nested_hap.o > nested-$(CONFIG_INTEL_VMX) += nested_ept.o > obj-$(CONFIG_NESTED_VIRT) += $(nested-y) > - svm/nestedhvm.h: Remove #ifdef CONFIG_NESTED_VIRT stubs, keep only > function declarations (the functions are only called from code that > is already compiled out when nested virt is disabled) > - svm/nestedhvm.h: Add CONFIG_NESTED_VIRT guard to nsvm_efer_svm_enabled > macro to return false when nested virt is disabled > - svm/svm.c: Move #UD injection for STGI/CLGI to the caller instead of > stub functions, checking nestedhvm_enabled()/nsvm_efer_svm_enabled() > - svm/svm.c: Mark svm_vmexit_do_vmrun/vmload/vmsave as __maybe_unused > - svm/svm.c: Remove empty nsvm_vcpu_switch stub (now guarded in asm) > - svm/entry.S: Add #ifdef CONFIG_NESTED_VIRT guards around nested virt > specific code paths > - vmx/vmx.c: Remove empty nvmx_switch_guest stub (now guarded in asm) > - vmx/vmx.c: Move nvmx_enqueue_n2_exceptions and nvmx_vmexit_event to > vvmx.c where they belong > - vmx/vvmx.h: Add declarations for nvmx_vmexit_event and > nvmx_enqueue_n2_exceptions > - vmx/vvmx.h: Fix nvmx_msr_read_intercept stub comment > - vmx/vvmx.h: nvmx_handle_vmx_insn stub returns X86EMUL_EXCEPTION with > ASSERT_UNREACHABLE (caller handles injection) > - vmx/vvmx.h: Convert get_vvmcs macro to inline function in stubs > - vmx/entry.S: Add #ifdef CONFIG_NESTED_VIRT guard around nvmx_switch_guest > - nestedhvm.h: Convert macro stubs to proper inline functions > --- > xen/arch/x86/hvm/Kconfig | 7 +++ > xen/arch/x86/hvm/Makefile | 2 +- > xen/arch/x86/hvm/svm/Makefile | 2 +- > xen/arch/x86/hvm/svm/entry.S | 4 ++ > xen/arch/x86/hvm/svm/nestedhvm.h | 2 +- > xen/arch/x86/hvm/svm/svm.c | 18 ++++-- > xen/arch/x86/hvm/vmx/Makefile | 2 +- > xen/arch/x86/hvm/vmx/entry.S | 2 + > xen/arch/x86/hvm/vmx/vmx.c | 31 +--------- > xen/arch/x86/hvm/vmx/vvmx.c | 26 +++++++++ > xen/arch/x86/include/asm/hvm/hvm.h | 2 +- > xen/arch/x86/include/asm/hvm/nestedhvm.h | 64 +++++++++++++++++--- > xen/arch/x86/include/asm/hvm/vmx/vvmx.h | 74 ++++++++++++++++++++++++ > xen/arch/x86/mm/Makefile | 2 +- > xen/arch/x86/mm/hap/Makefile | 5 +- > xen/arch/x86/mm/p2m.h | 6 ++ > xen/arch/x86/sysctl.c | 2 + > xen/include/public/sysctl.h | 4 +- > 18 files changed, 204 insertions(+), 51 deletions(-) > > diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig > index f32bf5cbb7..af661385b5 100644 > --- a/xen/arch/x86/hvm/Kconfig > +++ b/xen/arch/x86/hvm/Kconfig > @@ -92,4 +92,11 @@ config MEM_SHARING > bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED > depends on INTEL_VMX > > +config NESTED_VIRT > + bool "Nested virtualization support> + depends on HVM > + help > + Enable nested virtualization, allowing guests to run their own > + hypervisors. This requires hardware support.
Should this also come with a warning that allowing guests to use nested virtualization is insecure unless both L1 and L2 guests are trusted? -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
