VM in VM in VM: Nested VT-x issue


Just for fun, I'm trying to run a VM inside a VM that runs inside a VM.

I'm pretty sure that my CPU doesn't actually support nested VT-x normally, but I was able to force-enable that setting in the outer level of Virtualbox using this command:

VBoxManage modifyvm vm-name-here --nested-hw-virt on

That allowed me to run a VM inside a VM. It's pretty slow (booting takes about 15 minutes), but everything (without timeouts) works fine.

Now the issue: I need VT-x inside the middle VM as well, otherwise it can't start the inner VM (the error message is pretty clear about that). But if I run the above command inside the outer VM to also enforce passing on VT-x to the middle level, then it doesn't start the middle VM anymore, with this error message:

Cannot enable nested VT-x/AMD-V without nested-paging and unresricted guest execution!
(VERR_CPUM_INVALID_HWVIRT_CONFIG).

Result Code: NS_ERROR_FAILURE (0x80004005)
Component: ConsoleWrap
Interface: IConsole {872da645-4a9b-1727-bee2-5585105b9eed}

I wasn't able to find an explanation of what this "unrestricted guest execution" is, and the only hint for fixing this error was to disable Hyper-V in the Windows settings, which doesn't apply here, because it's Linux in Linux in Linux in Linux. I've also tried switching the "Paravirtualisation device" to something other than "default" on all levels (as a guess, because "Hyper-V" is an option there), but that doesn't fix it either.
The mouseover of the little "V" indicator on all levels says "Unrestricted execution: active", but I read somewhere that that might be unreliable. "Enable nested paging" is checked on all levels.

Setup:

HOST:
This laptop: https://geizhals.de/schenker-xmg-a507-vsy-10504411-a1686447.html
CPU: Intel Core i7-7700HQ
OS: Manjaro (with KDE) 20.1.2
Kernel: 5.8.16-2
Potentially relevant installed packages: dkms 2.8.3-1.1, intel-ucode 20200616-1, lib32-util-linux 2.36-1,
 lib32-vulkan-intel 20.1.8-1, libva-intel-driver 2.4.1-1, linux-api-headers 5.8-1,
 linux-firmware 20201005.r1732.58d41d0-1, linux-latest 5.8-2, linux-latest-nvidia-450xx 5.8-2,
 linux-latest-virtualbox-host-modules 5.8-2, linux58 5.8.16-2, linux58-headers 5.8.16-2,
 linux58-nvidia-450xx 450.80.02-3, linux58-virtualbox-host-modules 6.1.14-13, util-linux 2.36-4,
 util-linux-libs 2.36-4, virtualbox 6.1.14-1, virtualbox 6.1.14-1, virtualbox-host-dkms 6.1.14-1,
 vulkan-intel 20.1.8-1, xf86-video-intel 1:2.99.917+908+g7181c5a4-1

OUTER VM:
OS: Manjaro (with KDE) 20.1.2
Kernel: 5.8.16-2
Settings: PAE/NX, nested VT-x/AMD-V and nested paging enabled, default paravirtualisation device,
 graphics controller VBoxSVGA, rest mostly default
Relevant installed packages: dkms 2.8.3-1.1, intel-ucode 20200616-1, lib32-libva-intel-driver 2.4.1-1,
 lib32-util-linux 2.36-1, libva-intel-driver 2.4.1-1, linux-api-headers 5.8-1,
 linux-firmware 20201005.r1732.58d41d0-1, linux-latest 5.8-2, linux-latest-virtualbox-guest-modules 5.8-2,
 linux-latest-virtualbox-host-modules 5.8-2, linux58 5.8.16-2, linux58-headers 5.8.16-2,
 linux58-virtualbox-guest-modules 6.1.14-13, linux58-virtualbox-host-modules 6.1.14-13, util-linux 2.36-4,
 util-linux-libs 2.36-4, virtualbox 6.1.14-1, virtualbox-guest-utils 6.1.14-1,
 virtualbox-host-dkms 6.1.14-1

MIDDLE VM:
OS, kernel, settings, relevant installed packages: same as outer VM, except VT-x disabled for now

INNER VM:
OS: either Manjaro (with KDE) 20.1.2 or Manjaro 32bit (with XFCE) 18.0.4, if only 32bit works
Kernel: 5.8.?-?
Settings: same as in outer VM, but currently invalid because of missing VT-x

Outputs of grep -E --color 'vmx|svm' /proc/cpuinfo on the systems:

Host, 8 times this:

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
vmx flags       : vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest ple pml ept_mode_based_exec

Outer VM, 2 times this:

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti tpr_shadow vnmi flexpriority vpid fsgsbase avx2 invpcid rdseed clflushopt md_clear flush_l1d
vmx flags       : vnmi flexpriority tsc_offset vtpr vapic

Middle VM, if the nested VT-x option is disabled in its settings: empty output (otherwise it doesn't even start)


Outputs of lscpu:

HOST:
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   39 bits physical, 48 bits virtual
CPU(s):                          8
On-line CPU(s) list:             0-7
Thread(s) per core:              2
Core(s) per socket:              4
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           158
Model name:                      Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
Stepping:                        9
CPU MHz:                         993.110
CPU max MHz:                     3800.0000
CPU min MHz:                     800.0000
BogoMIPS:                        5602.18
Virtualization:                  VT-x
L1d cache:                       128 KiB
L1i cache:                       128 KiB
L2 cache:                        1 MiB
L3 cache:                        6 MiB
NUMA node0 CPU(s):               0-7
Vulnerability Itlb multihit:     KVM: Mitigation: VMX disabled
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Mitigation; Microcode
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d

OUTER VM:
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   39 bits physical, 48 bits virtual
CPU(s):                          2
On-line CPU(s) list:             0,1
Thread(s) per core:              1
Core(s) per socket:              2
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           158
Model name:                      Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
Stepping:                        9
CPU MHz:                         2807.998
BogoMIPS:                        5618.99
Virtualization:                  VT-x
Hypervisor vendor:               KVM
Virtualization type:             full
L1d cache:                       64 KiB
L1i cache:                       64 KiB
L2 cache:                        512 KiB
L3 cache:                        12 MiB
NUMA node0 CPU(s):               0,1
Vulnerability Itlb multihit:     KVM: Mitigation: VMX disabled
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX EPT disabled
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds:             Unknown: Dependent on hypervisor status
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti tpr_shadow vnmi flexpriority vpid fsgsbase avx2 invpcid rdseed clflushopt md_clear flush_l1d

MIDDLE VM (with nested VT-x disabled):
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   39 bits physical, 48 bits virtual
CPU(s):                          1
On-line CPU(s) list:             0
Thread(s) per core:              1
Core(s) per socket:              1
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           158
Model name:                      Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
Stepping:                        9
CPU MHz:                         2806.774
BogoMIPS:                        5615.44
Hypervisor vendor:               KVM
Virtualization type:             full
L1d cache:                       32 KiB
L1i cache:                       32 KiB
L2 cache:                        256 KiB
L3 cache:                        6 MiB
NUMA node0 CPU(s):               0
Vulnerability Itlb multihit:     KVM: Mitigation: VMX unsupported
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni ssse3 pcid sse4_1 sse4_2 x2apic hypervisor lahf_lm invpcid_single pti fsgsbase invpcid md_clear flush_l1d

Tags: linux, virtualbox, virtual-machine, virtualization, intel-core-i7
asked on Super User Oct 28, 2020 by Fabian Röling • edited Oct 29, 2020 by Fabian Röling
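Added diagnostic (not part of the question or of VirtualBox): a shell script that checks a /proc/cpuinfo dump for the three VT-x features the error message corresponds to, namely `vmx` in the `flags` line and `ept` (nested paging) and `unrestricted_guest` (unrestricted guest execution) in the `vmx flags` line, using the Linux kernel's names for those VMX controls. It embeds abridged copies of the host and outer-VM outputs quoted above, plus a constructed middle-VM sample with no `vmx flags` line, so it runs offline and shows which feature is lost at each nesting level.

```shell
# Added diagnostic: list which of the VT-x features named in VirtualBox's
# nested-VT-x error a /proc/cpuinfo dump (stdin) does not expose. Mapping:
# "nested-paging" -> ept, "unrestricted guest execution" -> unrestricted_guest
# (both in the "vmx flags" line), plus vmx itself in the "flags" line.
# Prints the missing names and returns 0 only when none are missing.
# Real use: missing_vmx_caps < /proc/cpuinfo

has_word() {  # true if $2 appears as a whole word in $1
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

missing_vmx_caps() {
  input=$(cat)
  # the first processor entry suffices; every logical CPU lists the same flags
  flags=$(printf '%s\n' "$input" | grep -m1 '^flags' | cut -d: -f2)
  vmxflags=$(printf '%s\n' "$input" | grep -m1 '^vmx flags' | cut -d: -f2)
  missing=""
  has_word "$flags" vmx || missing="$missing vmx"
  has_word "$vmxflags" ept || missing="$missing ept"
  has_word "$vmxflags" unrestricted_guest || missing="$missing unrestricted_guest"
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Sample inputs: abridged from the host and outer-VM output quoted in the
# question; the middle-VM sample is constructed (no vmx, no "vmx flags" line).
sample_host() {
  printf '%s\n' 'flags           : fpu vme de pse vmx est ept vpid ept_ad md_clear flush_l1d' \
    'vmx flags       : vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest ple pml ept_mode_based_exec'
}
sample_outer_vm() {
  printf '%s\n' 'flags           : fpu vme de pse vmx ssse3 hypervisor tpr_shadow vnmi flexpriority vpid md_clear flush_l1d' \
    'vmx flags       : vnmi flexpriority tsc_offset vtpr vapic'
}
sample_middle_vm() {
  printf '%s\n' 'flags           : fpu vme de pse ssse3 hypervisor pti fsgsbase invpcid md_clear flush_l1d'
}

report() {  # $1 = label, stdin = cpuinfo text
  if m=$(missing_vmx_caps); then echo "$1: vmx, ept and unrestricted_guest all present"
  else echo "$1: missing -> $m"; fi
}
sample_host | report "host"
sample_outer_vm | report "outer VM"
sample_middle_vm | report "middle VM"
```

Run inside each nesting level against the real /proc/cpuinfo to see which prerequisite the level below will lack; a level whose own `vmx flags` line lacks `ept` or `unrestricted_guest` cannot pass them on to its guests.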

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0