Re: BETA5: Xen 4.19.2-pre domU crash/don't start
Date: Fri, 21 Nov 2025 13:55:15 UTC
On Fri, Nov 21, 2025 at 01:25:59PM +0100, Manuel Kuklinski wrote:
> On Friday, 21 November 2025 at 9:28:27 +0100, Roger Pau Monné wrote:
> > But those are containers, not VMs, and hence you provably don't need
> > nested HVM to run them?
> >
> > Have you tried disabling the nestedhvm option and see if those still
> > work?
>
> Slightly off-topic now, I suppose: you're right regarding the
> containers. However, if I want to run a VM in GNS3/vrnetlab, it means
> using QEMU - either:
>
> * QEMU in a GNS3 domU, or
> * QEMU in a container in a Linux domU, as seen with vrnetlab
>
> In both cases I need nested HVM, to be able to use the nested VMs at an
> acceptable speed.
>
> Could you elaborate on what isn't supposed to work properly in Xen's nested
> virtualization? FWIW, it works without problems in my setup.

It's not (security) supported, and it has known flaws that can be
easily exploited by untrusted guest OSes (or hypervisors):

https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=SUPPORT.md;h=d441bccf373b7d0e7ad7cc996bb2337a4bb73b3d;hb=HEAD#l844

There are plans to rework nested virtualization so it can be fully
supported. It kind of works if you use Xen on Xen, because both the
L0 and L1 hypervisors make the same decisions about the virtualization
control registers, but breaks when attempting to run KVM or another
hypervisor that's not Xen.

Are you sure you have KVM enabled in that guest, and not merely using
QEMU in TCG mode?

Regards, Roger.