8131cf5b4f
To support TDX, KVM is enhanced to operate with #VE. For TDX, KVM uses the suppress #VE bit in EPT entries selectively, in order to be able to trap non-present conditions. However, #VE isn't used for VMX and it's a bug if it happens. To be defensive and test that VMX case isn't broken introduce an option ept_violation_ve_test and when it's set, BUG the vm. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com> Message-Id: <d6db6ba836605c0412e166359ba5c46a63c22f86.1705965635.git.isaku.yamahata@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
205 lines
6.0 KiB
Plaintext
205 lines
6.0 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# KVM configuration
|
|
#
|
|
|
|
source "virt/kvm/Kconfig"
|
|
|
|
menuconfig VIRTUALIZATION
|
|
bool "Virtualization"
|
|
default y
|
|
help
|
|
Say Y here to get to see options for using your Linux host to run other
|
|
operating systems inside virtual machines (guests).
|
|
This option alone does not add any kernel code.
|
|
|
|
If you say N, all options in this submenu will be skipped and disabled.
|
|
|
|
if VIRTUALIZATION
|
|
|
|
config KVM
|
|
tristate "Kernel-based Virtual Machine (KVM) support"
|
|
depends on HIGH_RES_TIMERS
|
|
depends on X86_LOCAL_APIC
|
|
select KVM_COMMON
|
|
select KVM_GENERIC_MMU_NOTIFIER
|
|
select HAVE_KVM_IRQCHIP
|
|
select HAVE_KVM_PFNCACHE
|
|
select HAVE_KVM_DIRTY_RING_TSO
|
|
select HAVE_KVM_DIRTY_RING_ACQ_REL
|
|
select HAVE_KVM_IRQ_BYPASS
|
|
select HAVE_KVM_IRQ_ROUTING
|
|
select HAVE_KVM_READONLY_MEM
|
|
select KVM_ASYNC_PF
|
|
select USER_RETURN_NOTIFIER
|
|
select KVM_MMIO
|
|
select SCHED_INFO
|
|
select PERF_EVENTS
|
|
select GUEST_PERF_EVENTS
|
|
select HAVE_KVM_MSI
|
|
select HAVE_KVM_CPU_RELAX_INTERCEPT
|
|
select HAVE_KVM_NO_POLL
|
|
select KVM_XFER_TO_GUEST_WORK
|
|
select KVM_GENERIC_DIRTYLOG_READ_PROTECT
|
|
select KVM_VFIO
|
|
select HAVE_KVM_PM_NOTIFIER if PM
|
|
select KVM_GENERIC_HARDWARE_ENABLING
|
|
help
|
|
Support hosting fully virtualized guest machines using hardware
|
|
virtualization extensions. You will need a fairly recent
|
|
processor equipped with virtualization extensions. You will also
|
|
need to select one or more of the processor modules below.
|
|
|
|
This module provides access to the hardware capabilities through
|
|
a character device node named /dev/kvm.
|
|
|
|
To compile this as a module, choose M here: the module
|
|
will be called kvm.
|
|
|
|
If unsure, say N.
|
|
|
|
config KVM_WERROR
|
|
bool "Compile KVM with -Werror"
|
|
# Disallow KVM's -Werror if KASAN is enabled, e.g. to guard against
|
|
# randomized configs from selecting KVM_WERROR=y, which doesn't play
|
|
# nice with KASAN. KASAN builds generates warnings for the default
|
|
# FRAME_WARN, i.e. KVM_WERROR=y with KASAN=y requires special tuning.
|
|
# Building KVM with -Werror and KASAN is still doable via enabling
|
|
# the kernel-wide WERROR=y.
|
|
depends on KVM && EXPERT && !KASAN
|
|
help
|
|
Add -Werror to the build flags for KVM.
|
|
|
|
If in doubt, say "N".
|
|
|
|
config KVM_SW_PROTECTED_VM
|
|
bool "Enable support for KVM software-protected VMs"
|
|
depends on EXPERT
|
|
depends on KVM && X86_64
|
|
select KVM_GENERIC_PRIVATE_MEM
|
|
help
|
|
Enable support for KVM software-protected VMs. Currently, software-
|
|
protected VMs are purely a development and testing vehicle for
|
|
KVM_CREATE_GUEST_MEMFD. Attempting to run a "real" VM workload as a
|
|
software-protected VM will fail miserably.
|
|
|
|
If unsure, say "N".
|
|
|
|
config KVM_INTEL
|
|
tristate "KVM for Intel (and compatible) processors support"
|
|
depends on KVM && IA32_FEAT_CTL
|
|
help
|
|
Provides support for KVM on processors equipped with Intel's VT
|
|
extensions, a.k.a. Virtual Machine Extensions (VMX).
|
|
|
|
To compile this as a module, choose M here: the module
|
|
will be called kvm-intel.
|
|
|
|
config KVM_INTEL_PROVE_VE
|
|
bool "Check that guests do not receive #VE exceptions"
|
|
default KVM_PROVE_MMU || DEBUG_KERNEL
|
|
depends on KVM_INTEL
|
|
help
|
|
|
|
Checks that KVM's page table management code will not incorrectly
|
|
let guests receive a virtualization exception. Virtualization
|
|
exceptions will be trapped by the hypervisor rather than injected
|
|
in the guest.
|
|
|
|
If unsure, say N.
|
|
|
|
config X86_SGX_KVM
|
|
bool "Software Guard eXtensions (SGX) Virtualization"
|
|
depends on X86_SGX && KVM_INTEL
|
|
help
|
|
|
|
Enables KVM guests to create SGX enclaves.
|
|
|
|
This includes support to expose "raw" unreclaimable enclave memory to
|
|
guests via a device node, e.g. /dev/sgx_vepc.
|
|
|
|
If unsure, say N.
|
|
|
|
config KVM_AMD
|
|
tristate "KVM for AMD processors support"
|
|
depends on KVM && (CPU_SUP_AMD || CPU_SUP_HYGON)
|
|
help
|
|
Provides support for KVM on AMD processors equipped with the AMD-V
|
|
(SVM) extensions.
|
|
|
|
To compile this as a module, choose M here: the module
|
|
will be called kvm-amd.
|
|
|
|
config KVM_AMD_SEV
|
|
bool "AMD Secure Encrypted Virtualization (SEV) support"
|
|
default y
|
|
depends on KVM_AMD && X86_64
|
|
depends on CRYPTO_DEV_SP_PSP && !(KVM_AMD=y && CRYPTO_DEV_CCP_DD=m)
|
|
select ARCH_HAS_CC_PLATFORM
|
|
help
|
|
Provides support for launching Encrypted VMs (SEV) and Encrypted VMs
|
|
with Encrypted State (SEV-ES) on AMD processors.
|
|
|
|
config KVM_SMM
|
|
bool "System Management Mode emulation"
|
|
default y
|
|
depends on KVM
|
|
help
|
|
Provides support for KVM to emulate System Management Mode (SMM)
|
|
in virtual machines. This can be used by the virtual machine
|
|
firmware to implement UEFI secure boot.
|
|
|
|
If unsure, say Y.
|
|
|
|
config KVM_HYPERV
|
|
bool "Support for Microsoft Hyper-V emulation"
|
|
depends on KVM
|
|
default y
|
|
help
|
|
Provides KVM support for emulating Microsoft Hyper-V. This allows KVM
|
|
to expose a subset of the paravirtualized interfaces defined in the
|
|
Hyper-V Hypervisor Top-Level Functional Specification (TLFS):
|
|
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
|
|
These interfaces are required for the correct and performant functioning
|
|
of Windows and Hyper-V guests on KVM.
|
|
|
|
If unsure, say "Y".
|
|
|
|
config KVM_XEN
|
|
bool "Support for Xen hypercall interface"
|
|
depends on KVM
|
|
help
|
|
Provides KVM support for the hosting Xen HVM guests and
|
|
passing Xen hypercalls to userspace.
|
|
|
|
If in doubt, say "N".
|
|
|
|
config KVM_PROVE_MMU
|
|
bool "Prove KVM MMU correctness"
|
|
depends on DEBUG_KERNEL
|
|
depends on KVM
|
|
depends on EXPERT
|
|
help
|
|
Enables runtime assertions in KVM's MMU that are too costly to enable
|
|
in anything remotely resembling a production environment, e.g. this
|
|
gates code that verifies a to-be-freed page table doesn't have any
|
|
present SPTEs.
|
|
|
|
If in doubt, say "N".
|
|
|
|
config KVM_EXTERNAL_WRITE_TRACKING
|
|
bool
|
|
|
|
config KVM_MAX_NR_VCPUS
|
|
int "Maximum number of vCPUs per KVM guest"
|
|
depends on KVM
|
|
range 1024 4096
|
|
default 4096 if MAXSMP
|
|
default 1024
|
|
help
|
|
Set the maximum number of vCPUs per KVM guest. Larger values will increase
|
|
the memory footprint of each KVM guest, regardless of how many vCPUs are
|
|
created for a given VM.
|
|
|
|
endif # VIRTUALIZATION
|