Re: [PATCH] x86/hvm: Add Kconfig option to disable nested virtualization
On 2/13/26 17:02, Stefano Stabellini wrote:
> Introduce CONFIG_NESTED_VIRT (default n) to allow nested virtualization
> support to be disabled at build time. This is useful for embedded or
> safety-focused deployments where nested virtualization is not needed,
> reducing code size and attack surface.
>
> When CONFIG_NESTED_VIRT=n, the following source files are excluded:
> - arch/x86/hvm/nestedhvm.c
> - arch/x86/hvm/svm/nestedsvm.c
> - arch/x86/hvm/vmx/vvmx.c
> - arch/x86/mm/nested.c
> - arch/x86/mm/hap/nested_hap.c
> - arch/x86/mm/hap/nested_ept.c
>
> Add inline stubs where needed in headers. Guard assembly code paths
> for nested virt with #ifdef CONFIG_NESTED_VIRT. Move exception
> injection for VMX/SVM instructions to the callers in vmx.c/svm.c to
> avoid header dependency issues in the stubs.
>
> No functional change when CONFIG_NESTED_VIRT=y.
>
> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxx>
>
> ---
> Changes in v3:
> - Kconfig: Change "depends on AMD_SVM || INTEL_VMX" to "depends on HVM"
> - Kconfig: Remove redundant "default n" line
> - Kconfig: Remove "If unsure, say N." from help text
> - mm/hap/Makefile: Simplify using intermediate nested-y variable:
>     nested-y := nested_hap.o
>     nested-$(CONFIG_INTEL_VMX) += nested_ept.o
>     obj-$(CONFIG_NESTED_VIRT) += $(nested-y)
> - svm/nestedhvm.h: Remove #ifdef CONFIG_NESTED_VIRT stubs, keep only
>   function declarations (the functions are only called from code that
>   is already compiled out when nested virt is disabled)
> - svm/nestedhvm.h: Add CONFIG_NESTED_VIRT guard to nsvm_efer_svm_enabled
>   macro to return false when nested virt is disabled
> - svm/svm.c: Move #UD injection for STGI/CLGI to the caller instead of
>   stub functions, checking nestedhvm_enabled()/nsvm_efer_svm_enabled()
> - svm/svm.c: Mark svm_vmexit_do_vmrun/vmload/vmsave as __maybe_unused
> - svm/svm.c: Remove empty nsvm_vcpu_switch stub (now guarded in asm)
> - svm/entry.S: Add #ifdef CONFIG_NESTED_VIRT guards around nested virt
>   specific code paths
> - vmx/vmx.c: Remove empty nvmx_switch_guest stub (now guarded in asm)
> - vmx/vmx.c: Move nvmx_enqueue_n2_exceptions and nvmx_vmexit_event to
>   vvmx.c where they belong
> - vmx/vvmx.h: Add declarations for nvmx_vmexit_event and
>   nvmx_enqueue_n2_exceptions
> - vmx/vvmx.h: Fix nvmx_msr_read_intercept stub comment
> - vmx/vvmx.h: nvmx_handle_vmx_insn stub returns X86EMUL_EXCEPTION with
>   ASSERT_UNREACHABLE (caller handles injection)
> - vmx/vvmx.h: Convert get_vvmcs macro to inline function in stubs
> - vmx/entry.S: Add #ifdef CONFIG_NESTED_VIRT guard around nvmx_switch_guest
> - nestedhvm.h: Convert macro stubs to proper inline functions
> ---
> xen/arch/x86/hvm/Kconfig | 7 +++
> xen/arch/x86/hvm/Makefile | 2 +-
> xen/arch/x86/hvm/svm/Makefile | 2 +-
> xen/arch/x86/hvm/svm/entry.S | 4 ++
> xen/arch/x86/hvm/svm/nestedhvm.h | 2 +-
> xen/arch/x86/hvm/svm/svm.c | 18 ++++-- > xen/arch/x86/hvm/vmx/Makefile | 2 +- > xen/arch/x86/hvm/vmx/entry.S | 2 + > xen/arch/x86/hvm/vmx/vmx.c | 31 +--------- > xen/arch/x86/hvm/vmx/vvmx.c | 26 +++++++++ > xen/arch/x86/include/asm/hvm/hvm.h | 2 +- > xen/arch/x86/include/asm/hvm/nestedhvm.h | 64 +++++++++++++++++--- > xen/arch/x86/include/asm/hvm/vmx/vvmx.h | 74 ++++++++++++++++++++++++ > xen/arch/x86/mm/Makefile | 2 +- > xen/arch/x86/mm/hap/Makefile | 5 +- > xen/arch/x86/mm/p2m.h | 6 ++ > xen/arch/x86/sysctl.c | 2 + > xen/include/public/sysctl.h | 4 +- > 18 files changed, 204 insertions(+), 51 deletions(-) > > diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig > index f32bf5cbb7..af661385b5 100644 > --- a/xen/arch/x86/hvm/Kconfig > +++ b/xen/arch/x86/hvm/Kconfig > @@ -92,4 +92,11 @@ config MEM_SHARING > bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED > depends on INTEL_VMX > > +config NESTED_VIRT > + bool "Nested virtualization support> + depends on HVM > + help > + Enable nested virtualization, allowing guests to run their own > + hypervisors. This requires hardware support. Should this also come with a warning that allowing guests to use nested virtualization is insecure unless both L1 and L2 guests are trusted? -- Sincerely, Demi Marie Obenour (she/her/hers) Attachment:
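Review bot: the prompt line in the Kconfig hunk, quoted as `bool "Nested virtualization support>`, has no closing double quote before the next `+` line; if that is the patch text rather than an artefact of the mail rendering, kconfig will reject the symbol, and it should read `bool "Nested virtualization support"`. Separately, with the `default n` line dropped the option is off unless it is explicitly selected, yet the help text neither says so nor mentions what a build loses when it is off (the nested SVM/VMX and nested p2m sources listed in the commit message), so a reader of menuconfig cannot tell that an existing configuration relying on nested virtualization must now turn this on; a sentence such as "Disabled by default; enable only if guests need to run their own hypervisors" would make the option self-explanatory and would also be the natural place for the trust caveat raised in the reply.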