On 23/11/19 01:22, Jim Mattson wrote:
>> I suggest to also add a comment in code to clarify why we allow setting
>> FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX even though we expose a
>> vCPU that doesn’t support Intel TXT.
>> (I think the compatibility to existing workloads that sets this
>> blindly on boot is a legit reason. Just recommend documenting it.)
>>
>> In addition, if the nested hypervisor which relies on this is
>> public, please also mention it in commit message for reference.
>
> It's not an L1 hypervisor that's the problem. It's Google's L0
> hypervisor. We've been incorrectly reporting IA32_FEATURE_CONTROL as 7
> to nested guests for years, and now we have thousands of running VMs
> with the bogus value. I've thought about just changing it to 5 on the
> fly (on real hardware, one could almost blame it on SMM, but the MSR
> is *locked*, after all).

Queued, thanks.

Paolo