On 01/10/2018 23:25, Sean Christopherson wrote: > kvm-intel.flexpriority is a > haphazard param that is inconsistently honored by KVM, e.g. it still > controls VIRTUALIZE_APIC_ACCESSES but not TPR_SHADOW, CR8-exiting or > VIRTUALIZE_X2APIC_MODE This is on purpose: the original purpose of VIRTUALIZE_APIC_ACCESSES was to speed up Windows XP and 2003, which didn't use CR8. Processors without it could already execute newer Windows versions without the overhead of emulating TPR accesses (notice how VIRTUALIZE_APIC_ACCESSES is a secondary execution control, while TPR_SHADOW is a primary control). Likewise, VIRTUALIZE_X2APIC_MODE only deals with MSR reads and writes, not MMIO accesses. We could add a separate knob to turn it off, but I never did it because the code paths are not as different as for flexpriority or, say, !APICv or !vNMI. > , and only for non-nested guests. Not sure if this is a bug, but it is certainly cleaner if flexpriority=0 masks VIRTUALIZE_APIC_ACCESSES from nested guests too. Paolo
