On 18/04/20 03:55, Sean Christopherson wrote:
>
> static inline bool is_unrestricted_guest(struct kvm_vcpu *vcpu)
> {
> 	return enable_unrestricted_guest && (!is_guest_mode(vcpu) ||
> 	       to_vmx(vcpu)->nested.unrestricted_guest);
> }
>
> Putting the flag in loaded_vmcs might be more performant? My guess is it'd
> be in the noise, at which point I'd rather have it be clear the override is
> only possible/necessary for nested guests.

Even better: you can use secondary_exec_controls_get, which does get the
flag from the loaded_vmcs :) but without actually having to add one.

>> I also see that enable_ept controls the setting of
>> enable_unrestricted_guest. Perhaps both need to be moved to loaded_vmcs ?
>
> No, letting L1 disable EPT in L0 would be pure insanity, and the overall
> paging mode of L2 is already reflected in the MMU.

Absolutely. Unrestricted guest requires EPT, but EPT is invisible to
the guest. (Currently EPT requires guest MAXPHYADDR = host MAXPHYADDR,
in the sense that the guest can detect that the host is lying about
MAXPHYADDR; but that is really a bug that I hope will be fixed in 5.8,
relaxing the requirement to guest MAXPHYADDR <= host PHYADDR).

Paolo

> The dependency on EPT is that VMX requires paging of some form and
> unrestricted guest allows entering non-root with CR0.PG=0, i.e. requires EPT
> be enabled.