I am running Xen unstable as a nested guest under VMware Workstation 10 and ESX 5.5. Both hypervisors have support for nested EPT but do not support nested VMX PAT. The fix for XSA60 disables EPT when VMX PAT is not present. This causes HAP to be turned off. To help developers continue to use this configuration for testing, I was wondering if the patch below will be acceptable. Or is there any other way around this?
Thanks,
Aravindh
---
X86/vmx: Add command line option to allow EPT when PAT is not present
Add a command line option called xsa60_override that allows EPT to be enabled when PAT is not present. This helps in the case of running nested Xen with HAP, when the underlying hypervisor has nested EPT but not the nested VMX PAT feature.
Signed-off-by: Aravindh Puthiyaparambil <aravindp@xxxxxxxxx>
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 77ce167..3c241a8 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -58,6 +58,9 @@
#include <asm/hvm/nestedhvm.h>
#include <asm/event.h>
+static bool_t __initdata opt_xsa60_override = 0;
+boolean_param("xsa60_override", opt_xsa60_override);
+
enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised };
static void vmx_ctxt_switch_from(struct vcpu *v);
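Review bot: The new `xsa60_override` parameter registered via `boolean_param()` has no accompanying documentation in this patch, and its name refers to an advisory number rather than to what it does. Since setting it re-enables EPT on hardware without VMX PAT, which is exactly the configuration the XSA-60 fix refuses, the option should be described in the hypervisor's command line documentation with an explicit statement that it removes that protection and is meant for nested test setups only. A name that describes the behaviour (EPT allowed without PAT) would also be easier to audit in a boot configuration than one that only cites the advisory.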
@@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init start_vmx(void)
* Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
* (refer to http://xenbits.xen.org/xsa/advisory-60.html).
*/
- if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
+ if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_xsa60_override) )
{
vmx_function_table.hap_supported = 1;
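Review bot: The comment directly above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat)", which is no longer accurate once `opt_xsa60_override` can satisfy the test, so the comment should be updated to mention the override and why it exists. In the visible lines nothing distinguishes the case where EPT was enabled only because of the override: consider emitting a boot-time warning when `!cpu_has_vmx_pat && opt_xsa60_override` holds, so that a host running with the XSA-60 mitigation bypassed is identifiable from its console log rather than silently reporting HAP as supported.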