blob: 4287a8071a3ab60dfda8c26bf06ca7c92bed4831 [file] [log] [blame]
# SPDX-License-Identifier: GPL-2.0
#
# KVM configuration
#
source "virt/kvm/Kconfig"
menuconfig VIRTUALIZATION
bool "Virtualization"
default y
help
Say Y here to get to see options for using your Linux host to run other
operating systems inside virtual machines (guests).
This option alone does not add any kernel code.
If you say N, all options in this submenu will be skipped and disabled.
if VIRTUALIZATION
config KVM
tristate "Kernel-based Virtual Machine (KVM) support"
depends on HIGH_RES_TIMERS
depends on X86_LOCAL_APIC
select KVM_COMMON
select KVM_GENERIC_MMU_NOTIFIER
select HAVE_KVM_IRQCHIP
select HAVE_KVM_PFNCACHE
select HAVE_KVM_DIRTY_RING_TSO
select HAVE_KVM_DIRTY_RING_ACQ_REL
select HAVE_KVM_IRQ_BYPASS
select HAVE_KVM_IRQ_ROUTING
select HAVE_KVM_READONLY_MEM
select KVM_ASYNC_PF
select USER_RETURN_NOTIFIER
select KVM_MMIO
select SCHED_INFO
select PERF_EVENTS
select GUEST_PERF_EVENTS
select HAVE_KVM_MSI
select HAVE_KVM_CPU_RELAX_INTERCEPT
select HAVE_KVM_NO_POLL
select KVM_XFER_TO_GUEST_WORK
select KVM_GENERIC_DIRTYLOG_READ_PROTECT
select KVM_VFIO
select HAVE_KVM_PM_NOTIFIER if PM
select KVM_GENERIC_HARDWARE_ENABLING
select KVM_GENERIC_PRE_FAULT_MEMORY
select KVM_WERROR if WERROR
help
Support hosting fully virtualized guest machines using hardware
virtualization extensions. You will need a fairly recent
processor equipped with virtualization extensions. You will also
need to select one or more of the processor modules below.
This module provides access to the hardware capabilities through
a character device node named /dev/kvm.
To compile this as a module, choose M here: the module
will be called kvm.
If unsure, say N.
config KVM_WERROR
bool "Compile KVM with -Werror"
# Disallow KVM's -Werror if KASAN is enabled, e.g. to guard against
# randomized configs from selecting KVM_WERROR=y, which doesn't play
# nice with KASAN. KASAN builds generates warnings for the default
# FRAME_WARN, i.e. KVM_WERROR=y with KASAN=y requires special tuning.
# Building KVM with -Werror and KASAN is still doable via enabling
# the kernel-wide WERROR=y.
depends on KVM && ((EXPERT && !KASAN) || WERROR)
help
Add -Werror to the build flags for KVM.
If in doubt, say "N".
config KVM_SW_PROTECTED_VM
bool "Enable support for KVM software-protected VMs"
depends on EXPERT
depends on KVM && X86_64
select KVM_GENERIC_PRIVATE_MEM
help
Enable support for KVM software-protected VMs. Currently, software-
protected VMs are purely a development and testing vehicle for
KVM_CREATE_GUEST_MEMFD. Attempting to run a "real" VM workload as a
software-protected VM will fail miserably.
If unsure, say "N".
config KVM_INTEL
tristate "KVM for Intel (and compatible) processors support"
depends on KVM && IA32_FEAT_CTL
help
Provides support for KVM on processors equipped with Intel's VT
extensions, a.k.a. Virtual Machine Extensions (VMX).
To compile this as a module, choose M here: the module
will be called kvm-intel.
config KVM_INTEL_PROVE_VE
bool "Check that guests do not receive #VE exceptions"
depends on KVM_INTEL && EXPERT
help
Checks that KVM's page table management code will not incorrectly
let guests receive a virtualization exception. Virtualization
exceptions will be trapped by the hypervisor rather than injected
in the guest.
Note: some CPUs appear to generate spurious EPT Violations #VEs
that trigger KVM's WARN, in particular with eptad=0 and/or nested
virtualization.
If unsure, say N.
config X86_SGX_KVM
bool "Software Guard eXtensions (SGX) Virtualization"
depends on X86_SGX && KVM_INTEL
help
Enables KVM guests to create SGX enclaves.
This includes support to expose "raw" unreclaimable enclave memory to
guests via a device node, e.g. /dev/sgx_vepc.
If unsure, say N.
config KVM_AMD
tristate "KVM for AMD processors support"
depends on KVM && (CPU_SUP_AMD || CPU_SUP_HYGON)
help
Provides support for KVM on AMD processors equipped with the AMD-V
(SVM) extensions.
To compile this as a module, choose M here: the module
will be called kvm-amd.
config KVM_AMD_SEV
bool "AMD Secure Encrypted Virtualization (SEV) support"
default y
depends on KVM_AMD && X86_64
depends on CRYPTO_DEV_SP_PSP && !(KVM_AMD=y && CRYPTO_DEV_CCP_DD=m)
select ARCH_HAS_CC_PLATFORM
select KVM_GENERIC_PRIVATE_MEM
select HAVE_KVM_GMEM_PREPARE
select HAVE_KVM_GMEM_INVALIDATE
help
Provides support for launching Encrypted VMs (SEV) and Encrypted VMs
with Encrypted State (SEV-ES) on AMD processors.
config KVM_SMM
bool "System Management Mode emulation"
default y
depends on KVM
help
Provides support for KVM to emulate System Management Mode (SMM)
in virtual machines. This can be used by the virtual machine
firmware to implement UEFI secure boot.
If unsure, say Y.
config KVM_HYPERV
bool "Support for Microsoft Hyper-V emulation"
depends on KVM
default y
help
Provides KVM support for emulating Microsoft Hyper-V. This allows KVM
to expose a subset of the paravirtualized interfaces defined in the
Hyper-V Hypervisor Top-Level Functional Specification (TLFS):
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
These interfaces are required for the correct and performant functioning
of Windows and Hyper-V guests on KVM.
If unsure, say "Y".
config KVM_XEN
bool "Support for Xen hypercall interface"
depends on KVM
help
Provides KVM support for the hosting Xen HVM guests and
passing Xen hypercalls to userspace.
If in doubt, say "N".
config KVM_PROVE_MMU
bool "Prove KVM MMU correctness"
depends on DEBUG_KERNEL
depends on KVM
depends on EXPERT
help
Enables runtime assertions in KVM's MMU that are too costly to enable
in anything remotely resembling a production environment, e.g. this
gates code that verifies a to-be-freed page table doesn't have any
present SPTEs.
If in doubt, say "N".
config KVM_EXTERNAL_WRITE_TRACKING
bool
config KVM_MAX_NR_VCPUS
int "Maximum number of vCPUs per KVM guest"
depends on KVM
range 1024 4096
default 4096 if MAXSMP
default 1024
help
Set the maximum number of vCPUs per KVM guest. Larger values will increase
the memory footprint of each KVM guest, regardless of how many vCPUs are
created for a given VM.
endif # VIRTUALIZATION