On 12/20/2009 07:08 PM, Andi Kleen wrote:
Gleb Natapov<gleb@xxxxxxxxxx> writes:
+int nested = 1;
+EXPORT_SYMBOL_GPL(nested);
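Review bot: defaulting `nested` to 1 turns the feature on for every guest unless an administrator opts out, and once this variable is shared by both backends that default also applies to vmx, whose nesting code has not had the testing the svm side has (as the thread itself notes); consider initialising it to 0, or letting each backend choose its own default, until the vmx path has been audited. Separately, `nested` is a very generic identifier to place in the kernel's global symbol namespace via EXPORT_SYMBOL_GPL; a `kvm_`-prefixed name would avoid collisions with other modules.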
Unless this is a lot better tested and audited, wouldn't it make more sense
to default it to off?
This is actually a move of an existing svm-only variable, which defaults
to enabled. Nested svm has been tested for a while.
I don't think it's a big burden to let users set a special knob for this,
but it would be a big problem if there was some kind of jail break
hidden in there that could be exploited by malicious guests.
True. It makes sense to have different defaults for vmx and svm.
Since VMX was not originally designed to be nested, that wouldn't surprise me.
vmx was designed to correct the non-virtualizability of x86. It would
have been criminal to design it without nesting in mind, especially
given all the prior art.
vmx does support nesting, albeit not very efficiently.
--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
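The practical question behind this exchange is whether a host is exposing the nested-virtualization path to its guests at all. As an added example (not code from this thread, nor from KVM itself), the POSIX shell helper below reads the `nested` parameter of kvm_intel and kvm_amd from the standard `/sys/module/<module>/parameters/` location, accepts both the integer form shown in the patch (`1`/`0`) and the `Y`/`N` form a boolean parameter exposes in later kernels, flags any module that has it enabled, and prints the `/etc/modprobe.d` line that pins it off on the next module load. The fake sysfs tree it builds for the demonstration is constructed, so the script runs offline; on a real host, call `audit_nested` with no argument.

```shell
#!/bin/sh
# Added example: audit whether nested virtualization is enabled for the KVM
# backends by reading the module parameter from sysfs.  Not KVM project code.

# nested_param_enabled MODULE [SYSFS_ROOT]
# Prints "enabled", "disabled" or "absent" (module not loaded / no such parameter).
# Exit status: 0 enabled, 1 disabled, 2 absent, 3 unrecognised value.
nested_param_enabled() {
    mod=$1
    root=${2:-/sys}
    f="$root/module/$mod/parameters/nested"
    [ -r "$f" ] || { echo absent; return 2; }
    v=$(cat "$f")
    case "$v" in
        1|Y|y) echo enabled;  return 0 ;;   # int form "1" or bool form "Y"
        0|N|n) echo disabled; return 1 ;;   # int form "0" or bool form "N"
        *)     echo "unknown($v)"; return 3 ;;
    esac
}

# modprobe_conf_line MODULE
# The line for /etc/modprobe.d/kvm.conf that forces the knob off; it takes
# effect when the module is next loaded, not on the currently loaded instance.
modprobe_conf_line() {
    printf 'options %s nested=0\n' "$1"
}

# audit_nested [SYSFS_ROOT]
# Reports both backends; returns 1 if any of them exposes nesting to guests.
audit_nested() {
    root=${1:-/sys}
    rc=0
    for m in kvm_intel kvm_amd; do
        s=$(nested_param_enabled "$m" "$root")
        echo "$m: nested $s"
        [ "$s" = enabled ] && rc=1
    done
    return $rc
}

# make_fake_sysfs
# Builds a constructed sysfs layout under a temp dir so the audit can be
# demonstrated without real KVM modules: kvm_intel off (bool form), kvm_amd
# on (int form, as in the patch).  Prints the root directory.
make_fake_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/module/kvm_intel/parameters" "$d/module/kvm_amd/parameters"
    printf 'N\n' > "$d/module/kvm_intel/parameters/nested"
    printf '1\n' > "$d/module/kvm_amd/parameters/nested"
    echo "$d"
}

# Demonstration against the constructed tree; on a real host use plain `audit_nested`.
demo_root=$(make_fake_sysfs)
audit_nested "$demo_root" || echo "=> at least one backend exposes nested virtualization to guests"
modprobe_conf_line kvm_amd
rm -rf "$demo_root"
```

Note that writing `0` into the sysfs file only works for parameters exported writable, and the patch shows the variable, not its `module_param` permissions, so the modprobe.d line is the portable way to change the default.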