#1004652 linux-image-5.10.0-11-amd64: should default to disabling nested virtualisation in kvm

#1004652#5
Date:
2022-01-31 06:17:29 UTC
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html

The above blog post describes a security issue on AMD CPUs with nested KVM
enabled and refers to another post about previous issues with KVM on Intel.

The vast majority of KVM users don't use nested KVM.  As it's easy to
determine whether nested KVM is enabled (if you have a reason to look for
it), it won't be a great inconvenience to users of nested KVM to default to
disabling it.  But for the majority who don't have a need for it, enabling
that feature by default increases the attack surface for no benefit, and they
won't notice it.

I believe that the default for KVM should be to disable nested virtualisation.
This could be done by a kernel patch or by the configuration of kmod.  I think
it's best to get the kernel people to consider it first; we can transfer the
bug to kmod if you think that's best.

For users who read this, the following in /etc/modprobe.d/kvm.conf will cause
nested virtualisation to be disabled the next time the KVM module is loaded:
options kvm_intel nested=0
options kvm_amd nested=0