x86/vmx: Add force-ept command line option
author Aravindh Puthiyaparambil <aravindp@cisco.com>
Thu, 24 Apr 2014 08:55:09 +0000 (10:55 +0200)
committer Jan Beulich <jbeulich@suse.com>
Thu, 24 Apr 2014 08:55:09 +0000 (10:55 +0200)
commit 2fff2e22813d5c04effa335f9ab2d5254db065f6
tree 84373d216f52d3f09f70ed1616543aa019872416
parent 65e355490817ac1783c9ef06c13cf980edf05b5b
x86/vmx: Add force-ept command line option

Add a "force-ept" command line option to allow EPT to be enabled when
VMX feature VM_ENTRY_LOAD_GUEST_PAT is not present.

Due to CVE-2013-2212, this feature is required by default as a
prerequisite for using EPT. If you are not using PCI Passthrough, or
trust the guest administrator who would be using passthrough, then the
requirement can be relaxed. This option is particularly useful for
nested virtualization, to allow the L1 hypervisor to use EPT even if
the L0 hypervisor does not provide VM_ENTRY_LOAD_GUEST_PAT.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
docs/misc/xen-command-line.markdown
xen/arch/x86/hvm/vmx/vmx.c