On Mon, Oct 1, 2018 at 2:25 PM, Sean Christopherson
<sean.j.christopherson@xxxxxxxxx> wrote:
> Many moons ago, commit 4c9fc8ef5017 ("KVM: VMX: Add module option to
> disable flexpriority") introduced kvm-intel.flexpriority as it was
> "Useful for debugging". At that time, kvm-intel.flexpriority only
> determined whether or not KVM would enable VIRTUALIZE_APIC_ACCESSES.
> In short, it was intended as a way to disable virtualization of APIC
> accesses for debug purposes. Nowadays, kvm-intel.flexpriority is a
> haphazard param that is inconsistently honored by KVM, e.g. it still
> controls VIRTUALIZE_APIC_ACCESSES but not TPR_SHADOW, CR8-exiting or
> VIRTUALIZE_X2APIC_MODE, and only for non-nested guests. Disabling
> the param also announces support for KVM_TPR_ACCESS_REPORTING (via
> KVM_CAP_VAPIC), which may be functionally desirable, e.g. Qemu uses
> KVM_TPR_ACCESS_REPORTING only to patch MMIO APIC access, but isn't
> exactly accurate given its name since KVM may not intercept/report
> TPR accesses via CR8 or MSR.
>
> Remove kvm-intel.flexpriority as its usefulness for debug is dubious
> given the current code base, while its existence is confusing and
> can complicate code changes and/or lead to new bugs being introduced.
> For example, as of commit 8d860bbeedef ("kvm: vmx: Basic APIC
> virtualization controls have three settings"), KVM will disable
> VIRTUALIZE_APIC_ACCESSES when a nested guest writes APIC_BASE MSR and
> kvm-intel.flexpriority=0, whereas previously KVM would allow a nested
> guest to enable VIRTUALIZE_APIC_ACCESSES so long as it's supported in
> hardware. I.e. KVM now advertises VIRTUALIZE_APIC_ACCESSES to a guest
> but doesn't (always) allow setting it when kvm-intel.flexpriority=0,
> and may even initially allow the control and then clear it when the
> nested guest writes APIC_BASE MSR, which is decidedly odd even if it
> doesn't cause functional issues.
>
> Fixes: 8d860bbeedef ("kvm: vmx: Basic APIC virtualization controls have three settings")
> Cc: Jim Mattson <jmattson@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
I'm happy to see this go, but others may prefer to keep it and make it
work as one might expect it to (i.e. clearing the module parameter
should make kvm behave as if the host didn't advertise the feature).
Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>
