Re: [PATCH 9/9] KVM: x86: Disable KVM_INTEL_PROVE_VE by default

[Paolo Bonzini]

On Tue, May 21, 2024 at 8:18 PM Sean Christopherson <seanjc@xxxxxxxxxx> wrote:
> > -          This should never be enabled in a production environment.
> > +          Note that #VE trapping appears to be buggy on some CPUs.
>
> I see where you're coming from, but I don't think "trapping" is much better,
> e.g. it suggests there's something broken with the interception of #VEs.  Ah,
> the entire help text is weird.

Yeah, I didn't want to say #VE is broken altogether - interception is
where we saw issues, and #VE is used in production as far as I know
(not just by TDX; at least Xen and maybe Hyper-V use it for
anti-malware purposes?).

Maybe "Note: there appear to be bugs in some CPUs that will trigger
the WARN, in particular with eptad=0 and/or nested virtualization"
covers all bases.

Paolo

>
> This?
>
> config KVM_INTEL_PROVE_VE
>         bool "Verify guests do not receive unexpected EPT Violation #VEs"
>         depends on KVM_INTEL && EXPERT
>         help
>           Enable EPT Violation #VEs (when supported) for all VMs, to verify
>           that KVM's EPT management code will not incorrectly result in a #VE
>           (KVM is supposed to supress #VEs by default).  Unexpected #VEs will
>           be intercepted by KVM and will trigger a WARN, but are otherwise
>           transparent to the guest.
>
>           Note, EPT Violation #VE support appears to be buggy on some CPUs.
>
>           This should never be enabled in a production environment!
>
>           If unsure, say N.
>