On Wed, Oct 16, 2024 at 10:23:49AM +0800, Zhangfei Gao wrote: > > Nesting support requires the system to either support S2FWB or the > > stronger CANWBS ACPI flag. This is to ensure the VM cannot bypass the > > cache and view incoherent data, currently VFIO lacks any cache flushing > > that would make this safe. > > What if the system does not support S2FWB or CANWBS, any workaround to > passthrough? Eventually we can add the required cache flushing to VFIO, but that would have to be a followup. > Currently I am testing nesting by ignoring this check. This is probably OK, but I wouldn't run it as a production environment with a hostile VM. Jason
