xref: /linux/arch/x86/kvm/Kconfig (revision d1e54dd08f163a9021433020d16a8f8f70ddc41c)

# SPDX-License-Identifier: GPL-2.0
#
# KVM configuration
#

source "virt/kvm/Kconfig"

menuconfig VIRTUALIZATION
	bool "Virtualization"
	default y
	help
	  Say Y here to get to see options for using your Linux host to run other
	  operating systems inside virtual machines (guests).
	  This option alone does not add any kernel code.

	  If you say N, all options in this submenu will be skipped and disabled.

if VIRTUALIZATION

config KVM_X86
	def_tristate KVM if (KVM_INTEL != n || KVM_AMD != n)
	select KVM_COMMON
	select KVM_GENERIC_MMU_NOTIFIER
	select KVM_ELIDE_TLB_FLUSH_IF_YOUNG
	select KVM_MMU_LOCKLESS_AGING
	select HAVE_KVM_IRQCHIP
	select HAVE_KVM_PFNCACHE
	select HAVE_KVM_DIRTY_RING_TSO
	select HAVE_KVM_DIRTY_RING_ACQ_REL
	select HAVE_KVM_IRQ_BYPASS
	select HAVE_KVM_IRQ_ROUTING
	select HAVE_KVM_READONLY_MEM
	select VHOST_TASK
	select KVM_ASYNC_PF
	select USER_RETURN_NOTIFIER
	select KVM_MMIO
	select SCHED_INFO
	select PERF_EVENTS
	select GUEST_PERF_EVENTS
	select HAVE_KVM_MSI
	select HAVE_KVM_CPU_RELAX_INTERCEPT
	select HAVE_KVM_NO_POLL
	select KVM_XFER_TO_GUEST_WORK
	select KVM_GENERIC_DIRTYLOG_READ_PROTECT
	select KVM_VFIO
	select HAVE_KVM_PM_NOTIFIER if PM
	select KVM_GENERIC_HARDWARE_ENABLING
	select KVM_GENERIC_PRE_FAULT_MEMORY
	select KVM_WERROR if WERROR
	select KVM_GUEST_MEMFD if X86_64

config KVM
	tristate "Kernel-based Virtual Machine (KVM) support"
	depends on X86_LOCAL_APIC
	help
	  Support hosting fully virtualized guest machines using hardware
	  virtualization extensions.  You will need a fairly recent
	  processor equipped with virtualization extensions. You will also
	  need to select one or more of the processor modules below.

	  This module provides access to the hardware capabilities through
	  a character device node named /dev/kvm.

	  To compile this as a module, choose M here: the module
	  will be called kvm.

	  If unsure, say N.

config KVM_WERROR
	bool "Compile KVM with -Werror"
	# Disallow KVM's -Werror if KASAN is enabled, e.g. to guard against
	# randomized configs from selecting KVM_WERROR=y, which doesn't play
	# nice with KASAN.  KASAN builds generates warnings for the default
	# FRAME_WARN, i.e. KVM_WERROR=y with KASAN=y requires special tuning.
	# Building KVM with -Werror and KASAN is still doable via enabling
	# the kernel-wide WERROR=y.
	depends on KVM_X86 && ((EXPERT && !KASAN) || WERROR)
	help
	  Add -Werror to the build flags for KVM.

	  If in doubt, say "N".

config KVM_SW_PROTECTED_VM
	bool "Enable support for KVM software-protected VMs"
	depends on EXPERT
	depends on KVM_X86 && X86_64
	select KVM_GENERIC_MEMORY_ATTRIBUTES
	help
	  Enable support for KVM software-protected VMs.  Currently, software-
	  protected VMs are purely a development and testing vehicle for
	  KVM_CREATE_GUEST_MEMFD.  Attempting to run a "real" VM workload as a
	  software-protected VM will fail miserably.

	  If unsure, say "N".

config KVM_INTEL
	tristate "KVM for Intel (and compatible) processors support"
	depends on KVM && IA32_FEAT_CTL
	help
	  Provides support for KVM on processors equipped with Intel's VT
	  extensions, a.k.a. Virtual Machine Extensions (VMX).

	  To compile this as a module, choose M here: the module
	  will be called kvm-intel.

config KVM_INTEL_PROVE_VE
        bool "Check that guests do not receive #VE exceptions"
        depends on KVM_INTEL && EXPERT
        help
          Checks that KVM's page table management code will not incorrectly
          let guests receive a virtualization exception.  Virtualization
          exceptions will be trapped by the hypervisor rather than injected
          in the guest.

          Note: some CPUs appear to generate spurious EPT Violations #VEs
          that trigger KVM's WARN, in particular with eptad=0 and/or nested
          virtualization.

          If unsure, say N.

config X86_SGX_KVM
	bool "Software Guard eXtensions (SGX) Virtualization"
	depends on X86_SGX && KVM_INTEL
	help

	  Enables KVM guests to create SGX enclaves.

	  This includes support to expose "raw" unreclaimable enclave memory to
	  guests via a device node, e.g. /dev/sgx_vepc.

	  If unsure, say N.

config KVM_INTEL_TDX
	bool "Intel Trust Domain Extensions (TDX) support"
	default y
	depends on INTEL_TDX_HOST
	select KVM_GENERIC_MEMORY_ATTRIBUTES
	select HAVE_KVM_ARCH_GMEM_POPULATE
	help
	  Provides support for launching Intel Trust Domain Extensions (TDX)
	  confidential VMs on Intel processors.

	  If unsure, say N.

config KVM_AMD
	tristate "KVM for AMD processors support"
	depends on KVM && (CPU_SUP_AMD || CPU_SUP_HYGON)
	help
	  Provides support for KVM on AMD processors equipped with the AMD-V
	  (SVM) extensions.

	  To compile this as a module, choose M here: the module
	  will be called kvm-amd.

config KVM_AMD_SEV
	bool "AMD Secure Encrypted Virtualization (SEV) support"
	default y
	depends on KVM_AMD && X86_64
	depends on CRYPTO_DEV_SP_PSP && !(KVM_AMD=y && CRYPTO_DEV_CCP_DD=m)
	select ARCH_HAS_CC_PLATFORM
	select KVM_GENERIC_MEMORY_ATTRIBUTES
	select HAVE_KVM_ARCH_GMEM_PREPARE
	select HAVE_KVM_ARCH_GMEM_INVALIDATE
	select HAVE_KVM_ARCH_GMEM_POPULATE
	help
	  Provides support for launching encrypted VMs which use Secure
	  Encrypted Virtualization (SEV), Secure Encrypted Virtualization with
	  Encrypted State (SEV-ES), and Secure Encrypted Virtualization with
	  Secure Nested Paging (SEV-SNP) technologies on AMD processors.

config KVM_IOAPIC
	bool "I/O APIC, PIC, and PIT emulation"
	default y
	depends on KVM_X86
	help
	  Provides support for KVM to emulate an I/O APIC, PIC, and PIT, i.e.
	  for full in-kernel APIC emulation.

	  If unsure, say Y.

config KVM_SMM
	bool "System Management Mode emulation"
	default y
	depends on KVM_X86
	help
	  Provides support for KVM to emulate System Management Mode (SMM)
	  in virtual machines.  This can be used by the virtual machine
	  firmware to implement UEFI secure boot.

	  If unsure, say Y.

config KVM_HYPERV
	bool "Support for Microsoft Hyper-V emulation"
	depends on KVM_X86
	default y
	help
	  Provides KVM support for emulating Microsoft Hyper-V.  This allows KVM
	  to expose a subset of the paravirtualized interfaces defined in the
	  Hyper-V Hypervisor Top-Level Functional Specification (TLFS):
	  https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
	  These interfaces are required for the correct and performant functioning
	  of Windows and Hyper-V guests on KVM.

	  If unsure, say "Y".

config KVM_XEN
	bool "Support for Xen hypercall interface"
	depends on KVM_X86
	help
	  Provides KVM support for the hosting Xen HVM guests and
	  passing Xen hypercalls to userspace.

	  If in doubt, say "N".

config KVM_PROVE_MMU
	bool "Prove KVM MMU correctness"
	depends on DEBUG_KERNEL
	depends on KVM_X86
	depends on EXPERT
	help
	  Enables runtime assertions in KVM's MMU that are too costly to enable
	  in anything remotely resembling a production environment, e.g. this
	  gates code that verifies a to-be-freed page table doesn't have any
	  present SPTEs.

	  If in doubt, say "N".

config KVM_EXTERNAL_WRITE_TRACKING
	bool

config KVM_MAX_NR_VCPUS
	int "Maximum number of vCPUs per KVM guest"
	depends on KVM_X86
	range 1024 4096
	default 4096 if MAXSMP
	default 1024
	help
	  Set the maximum number of vCPUs per KVM guest. Larger values will increase
	  the memory footprint of each KVM guest, regardless of how many vCPUs are
	  created for a given VM.

endif # VIRTUALIZATION