Historical speck list archives
From: Joerg Roedel <jroedel@suse.de>
To: speck@linutronix.de
Subject: [MODERATED] Re: ***UNCHECKED*** Re: NX, nested virtualization and arch caps
Date: Wed, 16 Oct 2019 10:45:18 +0200
Message-ID: <20191016084518.GE4695@suse.de>
In-Reply-To: <20191016081507.GD4695@suse.de>

On Wed, Oct 16, 2019 at 10:15:07AM +0200, speck for Joerg Roedel wrote:
> I also think that any nested hypervisor can ignore the ITLB_MULTIHIT
> bug, but for a different reason: The host also builds the nested EPT
> table as a shadow of the guest's EPT table, so it does the mitigation on
> behalf of the nested hypervisor.

Left out the case where host mitigation is disabled: I agree in this
case too with your reasoning, one should only disable the host
mitigation when the guests are trusted. And the guests are only trusted
when they only run trusted guests themselves.

By passing through the issue to the nested hypervisor we could support
untrusted nested guests on trusted guests with host mitigation disabled.
But this is probably not faster than enabling the mitigation on the host
because then KVM will trap/emulate all the guest EPT updates for
splitting/promoting hugepages.

Regards,

	Joerg
