[RESPONDED] Hard resets running VMs on AMD 7640U

@jwp can you explain or link some documentation on how I can expose those feature one by one ? I’m not sure how to do that, but basically using kvm64, I’m loosing the AMD SEV feature which makes me unable to boot a Linux VM and inside that Linux VM boot Windows for instance.

EDIT :
Running virsh capabilities showed me most of the flags, I think but I’m still not sure where I should insert them in the XML, most likely inside <cpu>....</cpu>

Here is the list :

      <feature name='ht'/>
      <feature name='monitor'/>
      <feature name='x2apic'/>
      <feature name='osxsave'/>
      <feature name='erms'/>
      <feature name='invpcid'/>
      <feature name='cmt'/>
      <feature name='avx512f'/>
      <feature name='avx512dq'/>
      <feature name='avx512ifma'/>
      <feature name='avx512cd'/>
      <feature name='avx512bw'/>
      <feature name='avx512vl'/>
      <feature name='avx512vbmi'/>
      <feature name='pku'/>
      <feature name='ospke'/>
      <feature name='avx512vbmi2'/>
      <feature name='gfni'/>
      <feature name='vaes'/>
      <feature name='vpclmulqdq'/>
      <feature name='avx512vnni'/>
      <feature name='avx512bitalg'/>
      <feature name='avx512-vpopcntdq'/>
      <feature name='flush-l1d'/>
      <feature name='avx512-bf16'/>
      <feature name='xsaves'/>
      <feature name='mbm_total'/>
      <feature name='mbm_local'/>
      <feature name='cmp_legacy'/>
      <feature name='extapic'/>
      <feature name='ibs'/>
      <feature name='skinit'/>
      <feature name='wdt'/>
      <feature name='tce'/>
      <feature name='topoext'/>
      <feature name='perfctr_nb'/>
      <feature name='invtsc'/>
      <feature name='ibrs'/>
      <feature name='stibp-always-on'/>
      <feature name='amd-ssbd'/>
      <feature name='amd-psfd'/>
      <feature name='lbrv'/>
      <feature name='svm-lock'/>
      <feature name='tsc-scale'/>
      <feature name='vmcb-clean'/>
      <feature name='flushbyasid'/>
      <feature name='decodeassists'/>
      <feature name='pause-filter'/>
      <feature name='pfthreshold'/>
      <feature name='v-vmsave-vmload'/>
      <feature name='vgif'/>
      <feature name='vnmi'/>
      <feature name='svme-addr-chk'/>
      <feature name='no-nested-data-bp'/>
      <feature name='lfence-always-serializing'/>
      <feature name='null-sel-clr-base'/>
      <feature name='auto-ibrs'/>

EDIT 2: I think I found the way how to expose feature I think, just check the flags in lscpu and then add the one you wish to expose in the <cpu> :

  <cpu mode="custom" match="exact" check="none">
    <model fallback="allow">kvm64</model>
    <feature policy="require" name="ibpb"/>
    <feature policy="require" name="spec-ctrl"/>
    <feature policy="require" name="ssbd"/>
    <feature policy="require" name="virt-ssbd"/>
    <feature policy="require" name="svm"/>
    <feature policy="require" name="svm-lock"/>
  </cpu>

Yup you figured it out

Related, nesting VMs with hardware acceleration within disparate OS’s/hypervisors can be super fragile. Generally nesting is only supported on specifically tested combinations, and even then generally of the same hypervisor type.

Well, it may be broken occasionally, but it should never reset the host. It would be interesting to find out whether this happens on Windows as well. This could help to narrow down the issue to hypervisor or CPU issue.

So far testing kvm64 and a lot of feature exposed, the nested Windows VM did not boot past the Tianocore BIOS.

Changing the CPU to qemu64, it is working fine for now (if I hit a reset, I will update here), so far I haven’t had a reset on my host where previously exposing the whole CPU in pass through did reset my host.

I will most likely try to narrow down the feature flags list to what is explicitly needed + security flags.

If you can narrow it down, this would be super valuable to figure out what’s going on! Thank you for putting so much effort into this!