Xen project Mailing List

Re: [PATCH v2] x86/hvm: Add Kconfig option to disable nested virtualization

To: Stefano Stabellini <stefano.stabellini@xxxxxxx>

Date: Mon, 9 Feb 2026 16:09:44 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: roger.pau@xxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, jason.andryuk@xxxxxxx, alejandro.garciavallejo@xxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 09 Feb 2026 15:09:49 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06.02.2026 22:05, Stefano Stabellini wrote: > --- a/xen/arch/x86/hvm/Kconfig > +++ b/xen/arch/x86/hvm/Kconfig > @@ -92,4 +92,14 @@ config MEM_SHARING > bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED > depends on INTEL_VMX > > +config NESTED_VIRT > + bool "Nested virtualization support" > + depends on AMD_SVM || INTEL_VMX Should be HVM? Or else have separate NESTED_SVM and NESTED_VMX? > + default n Please omit such a redundant line. > --- a/xen/arch/x86/hvm/svm/nestedhvm.h > +++ b/xen/arch/x86/hvm/svm/nestedhvm.h > @@ -26,6 +26,13 @@ > #define nsvm_efer_svm_enabled(v) \ > (!!((v)->arch.hvm.guest_efer & EFER_SVME)) > > +#define NSVM_INTR_NOTHANDLED 3 > +#define NSVM_INTR_NOTINTERCEPTED 2 > +#define NSVM_INTR_FORCEVMEXIT 1 > +#define NSVM_INTR_MASKED 0 It feels suspicious that all of these need moving ... > +#ifdef CONFIG_NESTED_VIRT ... ahead of this. > --- a/xen/arch/x86/include/asm/hvm/nestedhvm.h > +++ b/xen/arch/x86/include/asm/hvm/nestedhvm.h > @@ -25,9 +25,21 @@ enum nestedhvm_vmexits { > /* Nested HVM on/off per domain */ > static inline bool nestedhvm_enabled(const struct domain *d) > { > - return IS_ENABLED(CONFIG_HVM) && (d->options & > XEN_DOMCTL_CDF_nested_virt); > + return IS_ENABLED(CONFIG_NESTED_VIRT) && > + (d->options & XEN_DOMCTL_CDF_nested_virt); > } > > +/* Nested paging */ > +#define NESTEDHVM_PAGEFAULT_DONE 0 > +#define NESTEDHVM_PAGEFAULT_INJECT 1 > +#define NESTEDHVM_PAGEFAULT_L1_ERROR 2 > +#define NESTEDHVM_PAGEFAULT_L0_ERROR 3 > +#define NESTEDHVM_PAGEFAULT_MMIO 4 > +#define NESTEDHVM_PAGEFAULT_RETRY 5 > +#define NESTEDHVM_PAGEFAULT_DIRECT_MMIO 6 > + > +#ifdef CONFIG_NESTED_VIRT Same here. > --- a/xen/arch/x86/mm/hap/Makefile > +++ b/xen/arch/x86/mm/hap/Makefile > @@ -2,5 +2,5 @@ obj-y += hap.o > obj-y += guest_walk_2.o > obj-y += guest_walk_3.o > obj-y += guest_walk_4.o > -obj-y += nested_hap.o > -obj-$(CONFIG_INTEL_VMX) += nested_ept.o > +obj-$(CONFIG_NESTED_VIRT) += nested_hap.o > +obj-$(filter $(CONFIG_NESTED_VIRT),$(CONFIG_INTEL_VMX)) += nested_ept.o Maybe slightly easier to read as nested-y := nested_hap.o nested-$(CONFIG_INTEL_VMX) += nested_ept.o obj-$(CONFIG_NESTED_VIRT) += $(nested-y) > --- a/xen/arch/x86/sysctl.c > +++ b/xen/arch/x86/sysctl.c > @@ -103,6 +103,8 @@ void arch_do_physinfo(struct xen_sysctl_physinfo *pi) > pi->capabilities |= XEN_SYSCTL_PHYSCAP_hap; > if ( IS_ENABLED(CONFIG_SHADOW_PAGING) ) > pi->capabilities |= XEN_SYSCTL_PHYSCAP_shadow; > + if ( hvm_nested_virt_supported() ) > + pi->capabilities |= XEN_SYSCTL_PHYSCAP_nestedhvm; > } > > long arch_do_sysctl( > --- a/xen/include/public/sysctl.h > +++ b/xen/include/public/sysctl.h > @@ -100,9 +100,11 @@ struct xen_sysctl_tbuf_op { > /* Xen supports the Grant v1 and/or v2 ABIs. */ > #define XEN_SYSCTL_PHYSCAP_gnttab_v1 (1u << 8) > #define XEN_SYSCTL_PHYSCAP_gnttab_v2 (1u << 9) > +/* The platform supports nested HVM. */ > +#define XEN_SYSCTL_PHYSCAP_nestedhvm (1u << 10) Doesn't this want introducing up front, for the tool stack to make use of? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.