From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Fri, 31 Oct 2025 13:27:40 +0100
Message-ID: <20251031122834.62482-5-f.ebner@proxmox.com>
In-Reply-To: <20251031122834.62482-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH qemu-server 4/7] cpu config: introduce vendor-agnostic 'nested-virt' CPU flag

The flag will automatically resolve to the flag required for the current CPU on the host. The 'nested-virt' flag takes precedence over the CPU-specific flag for nesting which might already be present with custom CPU models. In that case, a warning is printed.

Suggested-by: Thomas Lamprecht
Signed-off-by: Fiona Ebner --- I was thinking about using special characters in the flag name or some custom-/pve-/special- prefix to distinguish from regular flags, but decided against it in the end, because I got the gut feeling it might cause more confusion than it helps. Users who are interested in details will hopefully read the description and for others, having the flag name be direct and descriptive is better. src/PVE/QemuServer/CPUConfig.pm | 40 +++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 20e26ee2..dc8929c9 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -7,7 +7,10 @@ use JSON; use PVE::JSONSchema; use PVE::Cluster qw(cfs_register_file cfs_read_file); +use PVE::ProcFSTools; +use PVE::RESTEnvironment qw(log_warn); use PVE::Tools qw(run_command get_host_arch); + use PVE::QemuServer::Helpers qw(min_version); use base qw(PVE::SectionConfig Exporter); @@ -162,6 +165,11 @@ my $cpu_vendor_list = { }; our $supported_cpu_flags = [ + { + name => 'nested-virt', + description => "Controls nested virtualization, namely 'svm' for AMD CPUs and 'vmx' for" + . " Intel CPUs.", + }, { name => 'md-clear', description => "Required to let the guest OS know if MDS is mitigated correctly.", 
@@ -256,8 +264,10 @@ my $cpu_fmt = { }, flags => { description => "List of additional CPU flags separated by ';'. Use '+FLAG' to enable," - . " '-FLAG' to disable a flag. Custom CPU models can specify any flag supported by" - . " QEMU/KVM, VM-specific flags must be from the following set for security reasons: " + . " '-FLAG' to disable a flag. There is a special 'nested-virt' shorthand which" + . " controls nested virtualization for the current CPU ('svm' for AMD and 'vmx' for" + . " Intel). Custom CPU models can specify any flag supported by QEMU/KVM, VM-specific" + . " flags must be from the following set for security reasons: " . join(', ', @supported_cpu_flags_names), format_description => '+FLAG[;-FLAG...]', type => 'string', @@ -578,8 +588,34 @@ sub print_cpu_device { sub resolve_cpu_flags { my $flags = {}; + my $nested_flag; + my $nested_flag_resolved; + my $resolve_nested_flag = sub { + if (!$nested_flag_resolved) { + my $host_cpu_flags = PVE::ProcFSTools::read_cpuinfo()->{flags}; + if ($host_cpu_flags =~ m/\s(svm|vmx)\s/) { + $nested_flag = $1; + } else { + log_warn("ignoring 'nested-virt' CPU flag - unable to resolve from host CPU flags"); + } + $nested_flag_resolved = 1; + } + return $nested_flag; + }; + for my $hash (@_) { for my $flag_name (keys %$hash) { + if ($flag_name eq 'nested-virt') { + my $nested_flag_name = $resolve_nested_flag->() or next; + if ($hash->{$nested_flag_name}) { + warn "warning: CPU flag '$flag_name' overrides '$nested_flag_name'\n"; + } else { + print "CPU flag '$flag_name' resolved to '$nested_flag_name'\n"; + } + $hash->{$nested_flag_name} = delete($hash->{$flag_name}); + $flag_name = $nested_flag_name; + } + my $flag = $hash->{$flag_name}; my $old_flag = $flags->{$flag_name}; -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
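Review bot: the new 'nested-virt' entry in $supported_cpu_flags (hunk @@ -162,6 +165,11 @@) joins the allowlist that the 'flags' description calls VM-specific flags restricted "for security reasons", but its description only says what the flag controls, not how it is resolved; the commit message states it is resolved from the host and takes precedence over an explicit 'svm'/'vmx' already set in a custom model, with a warning. Consider stating that in the description, e.g. appending " Resolved from the host CPU and takes precedence over an explicit 'svm' or 'vmx' flag.", so the behaviour a user sees in the override warning is also discoverable from the flag documentation.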
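Review bot: "controls nested virtualization for the current CPU" in the new 'flags' description (hunk @@ -256,8 +264,10 @@) is ambiguous between the VM's CPU model and the physical CPU; the resolution added in resolve_cpu_flags reads the host's cpuinfo, so "for the host CPU" is the precise wording. Suggest changing the two description lines to: . " '-FLAG' to disable a flag. There is a special 'nested-virt' shorthand which" followed by . " enables/disables nested virtualization based on the host CPU ('svm' for AMD and 'vmx' for".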
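Review bot: the match m/\s(svm|vmx)\s/ in $resolve_nested_flag (hunk @@ -578,8 +588,34 @@) requires whitespace on both sides of the flag, so the result depends on the exact shape of the string PVE::ProcFSTools::read_cpuinfo()->{flags} returns: it misses a flag that sits first or last in the string, and if the host's cpuinfo has no 'flags' line the value is undefined and the regex emits a Perl "uninitialized value" warning before the intended log_warn. Anchoring with m/(?:^|\s)(svm|vmx)(?:\s|$)/ against ($host_cpu_flags // '') makes the lookup independent of surrounding whitespace and keeps the non-x86 host case on the log_warn path. Also, the three outcomes use three different channels, log_warn(...) for the unresolvable case, warn "warning: ..." for the override and print for the resolved case; since log_warn is imported specifically for this change, using it for the override warning as well would keep the messages on one channel.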