On Mon, 2018-09-24 at 11:05 -0700, Jim Mattson wrote:
> As specified in Intel's SDM, do not allow the L1 hypervisor to launch
> an L2 guest with the VM-execution controls for "unrestricted guest" or
> "mode-based execute control for EPT" set and the VM-execution control
> for "enable EPT" clear.
>
> Note that the VM-execution control for "mode-based execute control for
> EPT" is not yet virtualized by kvm.
>
> Reported-by: Andrew Thornton <andrewth@xxxxxxxxxx>
> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Reviewed-by: Peter Shier <pshier@xxxxxxxxxx>

Reviewed-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>