On 18/10/2017 13:06, Kang, Luwei wrote:
>>>> Nested virtualization is interesting. We would like the nested
>>>> hypervisor to be forced to set the "use GPA for processor tracing"
>>>> secondary execution control whenever "enable EPT" is set and RTIT_CTL
>>>> is nonzero. There is no way to encode that in
>>>> IA32_VMX_PROCBASED_CTLS2, however. It would be nice if Intel could
>>>> reserve a bit in IA32_VMX_EPT_VPID_CAP for KVM to express that
>>>> constraint.
>>>
>>> Do you mean if nested hypervisor get the capability of "Guest PT use
>>> GPA" and EPT has enable. Highly recommend nested hypervisor set
>>> "Guest PT use GPA" as well.
>>
>> Well, it's required more than recommended. However, it's only required
>> if "enable EPT" is set and RTIT_CTL is nonzero.
>>
>>> If nested hypervisor is also KVM, "use GPA for processor tracing"
>>> will be set for sure. But other hypervisor may not do that. So, we'd
>>> better add a flag in IA32_VMX_EPT_VPID_CAP to express that constraint.
>>
>> Correct. The constraint would be:
>>
>> * RTIT_CTL on entry is zero if EPT is disabled
>>
>> * RTIT_CTL on entry is zero if EPT is enabled and "Guest PT uses GPA" is zero
>>
>> Maybe IA32_VMX_EPT_VPID_CAP is not the best place. I'll let Intel decide that.
>
> Get it. I have given feedback to the hardware architect. I hope it can be
> applied, but it may need to wait a long time.

Note that the hardware need not do anything. However, it would be nice if
the SDM can define a bit _for the hypervisors_ to enforce the above
constraint and fail vmentry if they are not respected.

Paolo