diff --git a/Software/System/Virtualization/Xen/Xen_Hypervisor_Command_Line_Options.md b/Software/System/Virtualization/Xen/Xen_Hypervisor_Command_Line_Options.md index 577cf82..eec7a77 100644 --- a/Software/System/Virtualization/Xen/Xen_Hypervisor_Command_Line_Options.md +++ b/Software/System/Virtualization/Xen/Xen_Hypervisor_Command_Line_Options.md @@ -44,11 +44,11 @@ Providing a string which does not validly convert to an integer is undefined. A size parameter may be any integer, with a single size suffix -* `T` or `t`: TiB (2^40) -* `G` or `g`: GiB (2^30) -* `M` or `m`: MiB (2^20) -* `K` or `k`: KiB (2^10) -* `B` or `b`: Bytes +* `T` or `t`: TiB (2^40) +* `G` or `g`: GiB (2^30) +* `M` or `m`: MiB (2^20) +* `K` or `k`: KiB (2^10) +* `B` or `b`: Bytes Without a size suffix, the default will be kilo. Providing a suffix other than those listed above is undefined. @@ -93,7 +93,7 @@ Specify which ACPI MADT table to parse for APIC information, if more than one is ### acpi_pstate_strict > `= ` -> +> > Default: `false` Enforce checking that P-state transitions by the ACPI cpufreq driver actually result in the nominated frequency to be established. A warning message will be logged if that isn't the case. @@ -115,7 +115,7 @@ Instruct Xen to ignore timer-interrupt override. ### allowsuperpage > `= ` -> +> > Default: `true` Permit Xen to use superpages when performing memory management. @@ -123,7 +123,7 @@ Permit Xen to use superpages when performing memory management. ### altp2m (Intel) > `= ` -> +> > Default: `false` Permit multiple copies of host p2m. 
@@ -137,17 +137,17 @@ Override Xen's logic for choosing the APIC driver. By default, if there are more ### allow_unsafe > `= ` -> +> > Default: `false` Force boot on potentially unsafe systems. By default Xen will refuse to boot on systems with the following errata: -* AMD Erratum 121\. Processors with this erratum are subject to a guest triggerable Denial of Service. Override only if you trust all of your PV guests. +* AMD Erratum 121\. Processors with this erratum are subject to a guest triggerable Denial of Service. Override only if you trust all of your PV guests. ### apicv > `= ` -> +> > Default: `true` Permit Xen to use APIC Virtualisation Extensions. This is an optimisation available as part of VT-x, and allows hardware to take care of the guests APIC handling, rather than requiring emulation in Xen. @@ -161,7 +161,7 @@ Increase the verbosity of the APIC code from the default value. ### arat > `= ` -> +> > Default: `true` Permit Xen to use "Always Running APIC Timer" support on compatible hardware in combination with cpuidle. This option is only expected to be useful for developers wishing Xen to fall back to older timing methods on newer hardware. @@ -169,7 +169,7 @@ Permit Xen to use "Always Running APIC Timer" support on compatible hardware in ### asid > `= ` -> +> > Default: `true` Permit Xen to use Address Space Identifiers. This is an optimisation which tags the TLB entries with an ID per vcpu. This allows for guest TLB flushes to be performed without the overhead of a complete TLB flush. @@ -177,7 +177,7 @@ Permit Xen to use Address Space Identifiers. This is an optimisation which tags ### ats > `= ` -> +> > Default: `false` Permits Xen to set up and use PCI Address Translation Services. This is a performance optimisation for PCI Passthrough. 
@@ -187,7 +187,7 @@ Permits Xen to set up and use PCI Address Translation Services. This is a perfor ### availmem > `= ` -> +> > Default: `0` (no limit) Specify a maximum amount of available memory, to which Xen will clamp the e820 table. @@ -201,7 +201,7 @@ Specify that certain pages, or certain ranges of pages contain bad bytes and sho ### bootscrub > `= ` -> +> > Default: `true` Scrub free RAM during boot. This is a safety feature to prevent accidentally leaking sensitive VM data into other VMs if Xen crashes and reboots. @@ -209,7 +209,7 @@ Scrub free RAM during boot. This is a safety feature to prevent accidentally lea ### bootscrub_chunk > `= ` -> +> > Default: `128M` Maximum RAM block size chunks to be scrubbed whilst holding the page heap lock and not running softirqs. Reduce this if softirqs are not being run frequently enough. Setting this to a high value may cause boot failure, particularly if the NMI watchdog is also enabled. @@ -235,7 +235,7 @@ The `rsb_vmexit=` and `rsb_native=` options can be used to fine tune when the RS ### xenheap_megabytes (arm32) > `= ` -> +> > Default: `0` (1/32 of RAM) Amount of RAM to set aside for the Xenheap. Must be an integer multiple of 32. @@ -251,7 +251,7 @@ If set, override Xen's default choice for the platform timer. ### cmci-threshold > `= ` -> +> > Default: `2` Specify the event count threshold for raising Corrected Machine Check Interrupts. Specifying zero disables CMCI handling. @@ -259,7 +259,7 @@ Specify the event count threshold for raising Corrected Machine Check Interrupts ### cmos-rtc-probe > `= ` -> +> > Default: `false` Flag to indicate whether to probe for a CMOS Real Time Clock irrespective of ACPI indicating none to be there. 
@@ -270,30 +270,30 @@ Flag to indicate whether to probe for a CMOS Real Time Clock irrespective of ACP Both option `com1` and `com2` follow the same format. -* `` may be either an integer baud rate, or the string `auto` if the bootloader or other earlier firmware has already set it up. -* Optionally, the base baud rate (usually the highest baud rate the device can communicate at) can be specified. -* `DPS` represents the number of data bits, the parity, and the number of stop bits. - * `D` is an integer between 5 and 8 for the number of data bits. - * `P` is a single character representing the type of parity: - * `n` No - * `o` Odd - * `e` Even - * `m` Mark - * `s` Space - * `S` is an integer 1 or 2 for the number of stop bits. -* `` is an integer which specifies the IO base port for UART registers. -* `` is the IRQ number to use, or `0` to use the UART in poll mode only. -* `` is the PCI location of the UART, in `:.` notation. -* `` is the PCI bridge behind which is the UART, in `:.` notation. -* `pci` indicates that Xen should scan the PCI bus for the UART, avoiding Intel AMT devices. -* `amt` indicated that Xen should scan the PCI bus for the UART, including Intel AMT devices if present. +* `` may be either an integer baud rate, or the string `auto` if the bootloader or other earlier firmware has already set it up. +* Optionally, the base baud rate (usually the highest baud rate the device can communicate at) can be specified. +* `DPS` represents the number of data bits, the parity, and the number of stop bits. + * `D` is an integer between 5 and 8 for the number of data bits. + * `P` is a single character representing the type of parity: + * `n` No + * `o` Odd + * `e` Even + * `m` Mark + * `s` Space + * `S` is an integer 1 or 2 for the number of stop bits. +* `` is an integer which specifies the IO base port for UART registers. +* `` is the IRQ number to use, or `0` to use the UART in poll mode only. +* `` is the PCI location of the UART, in `:.` notation. 
+* `` is the PCI bridge behind which is the UART, in `:.` notation. +* `pci` indicates that Xen should scan the PCI bus for the UART, avoiding Intel AMT devices. +* `amt` indicated that Xen should scan the PCI bus for the UART, including Intel AMT devices if present. A typical setup for most situations might be `com1=115200,8n1` ### conring_size > `= ` -> +> > Default: `conring_size=16k` Specify the size of the console ring buffer. @@ -301,7 +301,7 @@ Specify the size of the console ring buffer. ### console > `= List of [ vga | com1[H,L] | com2[H,L] | dbgp | none ]` -> +> > Default: `console=com1,vga` Specify which console(s) Xen should use. @@ -317,25 +317,25 @@ Specify which console(s) Xen should use. ### console_timestamps > `= none | date | datems | boot` -> +> > Default: `none` Specify which timestamp format Xen should use for each console line. -* `none`: No timestamps -* `date`: Date and time information - * `[YYYY-MM-DD HH:MM:SS]` -* `datems`: Date and time, with milliseconds - * `[YYYY-MM-DD HH:MM:SS.mmm]` -* `boot`: Seconds and microseconds since boot - * `[SSSSSS.uuuuuu]` +* `none`: No timestamps +* `date`: Date and time information + * `[YYYY-MM-DD HH:MM:SS]` +* `datems`: Date and time, with milliseconds + * `[YYYY-MM-DD HH:MM:SS.mmm]` +* `boot`: Seconds and microseconds since boot + * `[SSSSSS.uuuuuu]` For compatibility with the older boolean parameter, specifying `console_timestamps` alone will enable the `date` option. ### console_to_ring > `= ` -> +> > Default: `false` Flag to indicate whether all guest console output should be copied into the console ring buffer. 
@@ -343,17 +343,17 @@ Flag to indicate whether all guest console output should be copied into the cons ### conswitch > `= [x]` -> +> > Default: `conswitch=a` -Specify which character should be used to switch serial input between Xen and dom0\. The required sequence is CTRL- three times. +Specify which character should be used to switch serial input between Xen and dom0\. The required sequence is CTRL-\ three times. The optional trailing `x` indicates that Xen should not automatically switch the console input to dom0 during boot. Any other value, including omission, causes Xen to automatically switch to the dom0 console during dom0 boot. Use `conswitch=ax` to keep the default switch character, but for xen to keep the console. ### core_parking > `= power | performance` -> +> > Default: `power` ### cpu_type @@ -365,14 +365,14 @@ If set, force use of the performance counters for oprofile, rather than detectin ### cpufreq > `= none | {{ | xen } [:[powersave|performance|ondemand|userspace][,][,[][,[verbose]]]]} | dom0-kernel` -> +> > Default: `xen` Indicate where the responsibility for driving power states lies. Note that the choice of `dom0-kernel` is deprecated and not supported by all Dom0 kernels. -* Default governor policy is ondemand. -* `` and `` are integers which represent max and min processor frequencies respectively. -* `verbose` option can be included as a string or also as `verbose=` +* Default governor policy is ondemand. +* `` and `` are integers which represent max and min processor frequencies respectively. +* `verbose` option can be included as a string or also as `verbose=` ### cpuid (x86) 
@@ -393,7 +393,7 @@ If the other **cpuid_mask_{,ext_,thermal_,l7s0_}e{a,b,c,d}x** options are fully ### cpuid_mask_{{,ext_}ecx,edx} > `= ` -> +> > Default: `~0` (all bits set) These four command line parameters are used to specify cpuid masks to help with cpuid levelling across a pool of hosts. Setting a bit in the mask indicates that the feature should be enabled, while clearing a bit in the mask indicates that the feature should be disabled. It is important to ensure that all hosts in a pool appear the same to guests to allow successful live migration. @@ -401,7 +401,7 @@ These four command line parameters are used to specify cpuid masks to help with ### cpuid_mask_xsave_eax (Intel only) > `= ` -> +> > Default: `~0` (all bits set) This command line parameter is also used to specify a cpuid mask to help with cpuid levelling across a pool of hosts. See the description of the other respective options above. @@ -409,7 +409,7 @@ This command line parameter is also used to specify a cpuid mask to help with cp ### cpuid_mask_{l7s0_{eax,ebx},thermal_ecx} (AMD only) > `= ` -> +> > Default: `~0` (all bits set) These three command line parameters are also used to specify cpuid masks to help with cpuid levelling across a pool of hosts. See the description of the other respective options above. @@ -425,7 +425,7 @@ These three command line parameters are also used to specify cpuid masks to help ### crashinfo_maxaddr > `= ` -> +> > Default: `4G` Specify the maximum address to allocate certain structures, if used in combination with the `low_crashinfo` command line option. 
@@ -449,7 +449,7 @@ Specify the maximum address to allocate certain structures, if used in combinati ### credit2_runqueue > `= core | socket | node | all` -> +> > Default: `core` Specify how host CPUs are arranged in runqueues. Runqueues are kept balanced with respect to the load generated by the vCPUs running on them. Smaller runqueues (as in with `core`) means more accurate load balancing (for instance, it will deal better with hyperthreading), but also more overhead. @@ -465,7 +465,7 @@ Specify the USB controller to use, either by instance number (when going over th ### debug_stack_lines > `= ` -> +> > Default: `20` Limits the number lines printed in Xen stack traces. @@ -473,7 +473,7 @@ Limits the number lines printed in Xen stack traces. ### debugtrace > `= ` -> +> > Default: `128` Specify the size of the console debug trace buffer in KiB. The debug trace feature is only enabled in debugging builds of Xen. @@ -506,7 +506,7 @@ Gives dom0 a number of VCPUs equal to the number of PCPUs, but always at least ` For example, with `dom0_max_vcpus=4-8`: -> ``` +```sh > Number of > PCPUs | Dom0 VCPUs > 2 | 4 @@ -514,8 +514,8 @@ For example, with `dom0_max_vcpus=4-8`: > 6 | 6 > 8 | 8 > 10 | 8 -> -> ``` +> +``` ### dom0_mem @@ -523,9 +523,9 @@ For example, with `dom0_max_vcpus=4-8`: Set the amount of memory for the initial domain (dom0). If a size is positive, it represents an absolute value. If a size is negative, it is subtracted from the total available memory. -* `` specifies the exact amount of memory. -* `min:` specifies the minimum amount of memory. -* `max:` specifies the maximum amount of memory. +* `` specifies the exact amount of memory. +* `min:` specifies the minimum amount of memory. +* `max:` specifies the maximum amount of memory. If `` is not specified, the default is all the available memory minus some reserve. The reserve is 1/16 of the available memory or 128 MB (whichever is smaller). 
@@ -540,7 +540,7 @@ If you use this option then it is highly recommended that you disable any dom0 a ### dom0_nodes > `= List of [ | relaxed | strict ]` -> +> > Default: `strict` Specify the NUMA nodes to place Dom0 on. Defaults for vCPU-s created and memory assigned to Dom0 will be adjusted to match the node restrictions set up here. Note that the values to be specified here are ACPI PXM ones, not Xen internal node numbers. `relaxed` sets up vCPU affinities to prefer but be not limited to the specified node(s). @@ -552,7 +552,7 @@ Specify the NUMA nodes to place Dom0 on. Defaults for vCPU-s created and memory ### dom0_vcpus_pin > `= ` -> +> > Default: `false` Pin dom0 vcpus to their respective pcpus @@ -560,7 +560,7 @@ Pin dom0 vcpus to their respective pcpus ### dom0pvh > `= ` -> +> > Default: `false` Flag that makes a 64bit dom0 boot in PVH mode. No 32bit support at present. @@ -568,7 +568,7 @@ Flag that makes a 64bit dom0 boot in PVH mode. No 32bit support at present. ### dtuart (ARM) > `= path [:options]` -> +> > Default: `""` Specify the full path in the device tree for the UART. If the path doesn't start with `/`, it is assumed to be an alias. The options are device specific. @@ -584,7 +584,7 @@ Flag that specifies if RAM should be clipped to the highest cacheable MTRR. ### e820-verbose > `= ` -> +> > Default: `false` Flag that enables verbose output when processing e820 information and applying clipping. 
@@ -608,21 +608,21 @@ Either force retrieval of monitor EDID information via VESA DDC, or disable it ( All options are of boolean kind and can be prefixed with `no-` to effect the inverse meaning. > `rs` -> +> > Default: `true` -> +> > > Force or disable use of EFI runtime services. -> +> > `attr=uc` -> +> > Default: `off` -> +> > > Allows mapping of RuntimeServices which have no cachability attribute set as UC. ### extra_guest_irqs > `= [][,]` -> +> > Default: `32,` Change the number of PIRQs available for guests. The optional first number is common for all domUs, while the optional second number (preceded by a comma) is for dom0\. Changing the setting for domU has no impact on dom0 and vice versa. For example to change dom0 without changing domU, use `extra_guest_irqs=,512`. The default value for Dom0 and an eventual separate hardware domain is architecture dependent. Note that specifying zero as domU value means zero, while for dom0 it means to use the default. 
@@ -630,15 +630,15 @@ Change the number of PIRQs available for guests. The optional first number is co ### flask > `= permissive | enforcing | late | disabled` -> +> > Default: `enforcing` Specify how the FLASK security server should be configured. This option is only available if the hypervisor was compiled with FLASK support. This can be enabled by running either: - make -C xen config and enabling XSM and FLASK. - make -C xen menuconfig and enabling 'FLux Advanced Security Kernel support' and 'Xen Security Modules support' -* `permissive`: This is intended for development and is not suitable for use with untrusted guests. If a policy is provided by the bootloader, it will be loaded; errors will be reported to the ring buffer but will not prevent booting. The policy can be changed to enforcing mode using "xl setenforce". -* `enforcing`: This requires a security policy to be provided by the bootloader and will enter enforcing mode prior to the creation of domain 0\. If a valid policy is not provided, the hypervisor will not continue booting. -* `late`: This disables loading of the security policy from the bootloader. FLASK will be enabled but will not enforce access controls until a policy is loaded by a domain using "xl loadpolicy". Once a policy is loaded, FLASK will run in enforcing mode unless "xl setenforce" has changed that setting. -* `disabled`: This causes the XSM framework to revert to the dummy module. The dummy module provides the same security policy as is used when compiling the hypervisor without support for XSM. The xsm_op hypercall can also be used to switch to this mode after boot, but there is no way to re-enable FLASK once the dummy module is loaded. +* `permissive`: This is intended for development and is not suitable for use with untrusted guests. If a policy is provided by the bootloader, it will be loaded; errors will be reported to the ring buffer but will not prevent booting. 
The policy can be changed to enforcing mode using "xl setenforce". +* `enforcing`: This requires a security policy to be provided by the bootloader and will enter enforcing mode prior to the creation of domain 0\. If a valid policy is not provided, the hypervisor will not continue booting. +* `late`: This disables loading of the security policy from the bootloader. FLASK will be enabled but will not enforce access controls until a policy is loaded by a domain using "xl loadpolicy". Once a policy is loaded, FLASK will run in enforcing mode unless "xl setenforce" has changed that setting. +* `disabled`: This causes the XSM framework to revert to the dummy module. The dummy module provides the same security policy as is used when compiling the hypervisor without support for XSM. The xsm_op hypercall can also be used to switch to this mode after boot, but there is no way to re-enable FLASK once the dummy module is loaded. ### font @@ -649,7 +649,7 @@ Specify the font size when using the VESA console driver. ### force-ept (Intel) > `= ` -> +> > Default: `false` Allow EPT to be enabled when VMX feature VM_ENTRY_LOAD_GUEST_PAT is not present. @@ -663,23 +663,23 @@ _Warning:_ Due to CVE-2013-2212, VMX feature VM_ENTRY_LOAD_GUEST_PAT is by defau Controls EPT related features. > Sub-options: -> +> > `pml` -> +> > Default: `true` -> +> > > PML is a new hardware feature in Intel's Broadwell Server and further platforms which reduces hypervisor overhead of log-dirty mechanism by automatically recording GPAs (guest physical addresses) when guest memory gets dirty, and therefore significantly reducing number of EPT violation caused by write protection of guest memory, which is a necessity to implement log-dirty mechanism before PML. -> +> > `ad` -> +> > Default: Hardware dependent -> +> > > Have hardware keep accessed/dirty (A/D) bits updated. ### gdb > `= com1[H,L] | com2[H,L] | dbgp` -> +> > Default: `` Specify which console gdbstub should use. See **console**. 
@@ -687,20 +687,20 @@ Specify which console gdbstub should use. See **console**. ### gnttab > `= List of [ max-ver:, transitive= ]` -> +> > Default: `gnttab=max-ver:2,transitive` Control various aspects of the grant table behaviour available to guests. -* `max-ver` Select the maximum grant table version to offer to guests. Valid version are 1 and 2\. -* `transitive` Permit or disallow the use of transitive grants. Note that the use of grant table v2 without transitive grants is an ABI breakage from the guests point of view. +* `max-ver` Select the maximum grant table version to offer to guests. Valid version are 1 and 2\. +* `transitive` Permit or disallow the use of transitive grants. Note that the use of grant table v2 without transitive grants is an ABI breakage from the guests point of view. The usage of gnttab v2 is not security supported on ARM platforms. ### gnttab_max_frames > `= ` -> +> > Default: `32` Specify the maximum number of frames which any domain may use as part of its grant table. @@ -708,7 +708,7 @@ Specify the maximum number of frames which any domain may use as part of its gra ### gnttab_max_maptrack_frames > `= ` -> +> > Default: `8 * gnttab_max_frames` Specify the maximum number of frames to use as part of a domains maptrack array. @@ -724,7 +724,7 @@ Specify the maximum number of frames per grant table operation and the maximum n ### guest_loglvl > `= [/]` where level is `none | error | warning | info | debug | all` -> +> > Default: `guest_loglvl=none/warning` Set the logging level for Xen guests. Any log message with equal more more importance will be printed. @@ -734,7 +734,7 @@ The optional `` option instructs which severities should be ### hap > `= ` -> +> > Default: `true` Flag to globally enable or disable support for Hardware Assisted Paging (HAP) 
@@ -742,7 +742,7 @@ Flag to globally enable or disable support for Hardware Assisted Paging (HAP) ### hap_1gb > `= ` -> +> > Default: `true` Flag to enable 1 GB host page table support for Hardware Assisted Paging (HAP). @@ -750,7 +750,7 @@ Flag to enable 1 GB host page table support for Hardware Assisted Paging (HAP). ### hap_2mb > `= ` -> +> > Default: `true` Flag to enable 2 MB host page table support for Hardware Assisted Paging (HAP). @@ -758,7 +758,7 @@ Flag to enable 2 MB host page table support for Hardware Assisted Paging (HAP). ### hardware_dom > `= ` -> +> > Default: `0` Enable late hardware domain creation using the specified domain ID. This is intended to be used when domain 0 is a stub domain which builds a disaggregated system including a hardware domain with the specified domain ID. This option is supported only when compiled with XSM on x86. @@ -766,7 +766,7 @@ Enable late hardware domain creation using the specified domain ID. This is inte ### hest_disable > `= ` -> +> > Default: `false` Control Xens use of the APEI Hardware Error Source Table, should one be found. @@ -781,7 +781,7 @@ Control Xens use of the APEI Hardware Error Source Table, should one be found. The specified value is a bit mask with the individual bits having the following meaning: -> ``` +```sh > Bit 0 - debug level 0 (unused at present) > Bit 1 - debug level 1 (Control Register logging) > Bit 2 - debug level 2 (VMX logging of MSR restores when context switching) @@ -794,15 +794,15 @@ The specified value is a bit mask with the individual bits having the following > Bit 9 - vIOAPIC logging > Bit 10 - hypercall logging > Bit 11 - MSR operation logging -> -> ``` +> +``` Recognized in debug builds of the hypervisor only. ### hvm_fep > `= ` -> +> > Default: `false` Allow use of the Forced Emulation Prefix in HVM guests, to allow emulation of arbitrary instructions. 
@@ -812,7 +812,7 @@ This option is intended for development purposes, and is only available in debug ### hvm_port80 > `= ` -> +> > Default: `true` Specify whether guests are to be given access to physical port 80 (often used for debugging purposes), to override the DMI based detection of systems known to misbehave upon accesses to that port. 
@@ -830,105 +830,105 @@ Specify the memory boundary past which memory will be treated as highmem (x86 de ### ioapic_ack > `= old | new` -> +> > Default: `new` unless directed-EOI is supported ### iommu > `= List of [ | force | required | intremap | intpost | qinval | snoop | sharept | dom0-passthrough | dom0-strict | amd-iommu-perdev-intremap | workaround_bios_bug | igfx | verbose | debug ]` -> +> > Sub-options: -> +> > `` -> +> > Default: `on` -> +> > > Control the use of IOMMU(s) in the system. -> +> > All other sub-options are of boolean kind and can be prefixed with `no-` to effect the inverse meaning. -> +> > `force` or `required` -> +> > Default: `false` -> +> > > Don't continue booting unless IOMMU support is found and can be initialized successfully. -> +> > `intremap` -> +> > Default: `true` -> +> > > Control the use of interrupt remapping (DMA remapping will always be enabled if IOMMU functionality is enabled). -> +> > `intpost` -> +> > Default: `false` -> +> > > Control the use of interrupt posting, which depends on the availability of interrupt remapping. -> +> > `qinval` (VT-d) -> +> > Default: `true` -> +> > > Control the use of Queued Invalidation. -> +> > `snoop` (Intel) -> +> > Default: `true` -> +> > > Control the use of Snoop Control. -> +> > `sharept` -> +> > Default: `true` -> +> > > Control whether CPU and IOMMU page tables should be shared. -> +> > `dom0-passthrough` -> +> > Default: `false` -> +> > > Control whether to disable DMA remapping for Dom0. -> +> > `dom0-strict` -> +> > Default: `false` -> +> > > Control whether to set up DMA remapping only for the memory Dom0 actually got assigned. Implies `no-dom0-passthrough`. -> +> > `amd-iommu-perdev-intremap` -> +> > Default: `true` -> +> > > Control whether to set up interrupt remapping data structures per device rather that once for the entire system. Turning this off is making PCI device pass-through insecure and hence unsupported. 
-> +> > `workaround_bios_bug` (VT-d) -> +> > Default: `false` -> +> > > Causes DRHD entries without any PCI discoverable devices under them to be ignored (normally IOMMU setup fails if any of the devices listed by a DRHD entry aren't PCI discoverable). -> +> > `igfx` (VT-d) -> +> > Default: `true` -> +> > > Enable IOMMU for Intel graphics devices. The intended usage of this option is `no-igfx`, which is similar to Linux `intel_iommu=igfx_off` option used to workaround graphics issues. If adding `no-igfx` fixes anything, you should file a bug reporting the problem. -> +> > `verbose` -> +> > Default: `false` -> +> > > Increase IOMMU code's verbosity. -> +> > `debug` -> +> > Default: `false` -> +> > > Enable IOMMU debugging code (implies `verbose`). ### iommu_inclusive_mapping (VT-d) > `= ` -> +> > Default: `false` Use this to work around firmware issues providing correct RMRR entries. Rather than only mapping RAM pages for IOMMU accesses for Dom0, with this option all pages not marked as unusable in the E820 table will get a mapping established. @@ -968,7 +968,7 @@ Force the use of use of the local APIC on a uniprocessor system, even if left di ### loglvl > `= [/]` where level is `none | error | warning | info | debug | all` -> +> > Default: `loglvl=warning` Set the logging level for Xen. Any log message with equal more more importance will be printed. @@ -978,7 +978,7 @@ The optional `` option instructs which severities should be ### low_crashinfo > `= none | min | all` -> +> > Default: `none` if not specified at all, or to `min` if **low_crashinfo** is present without qualification. This option is only useful for hosts with a 32bit dom0 kernel, wishing to use kexec functionality in the case of a crash. It represents which data structures should be deliberately allocated in low memory, so the crash kernel may find find them. Should be used in combination with **crashinfo_maxaddr**. 
@@ -986,7 +986,7 @@ This option is only useful for hosts with a 32bit dom0 kernel, wishing to use ke ### low_mem_virq_limit > `= ` -> +> > Default: `64M` Specify the threshold below which Xen will inform dom0 that the quantity of free memory is getting low. Specifying `0` will disable this notification. @@ -994,7 +994,7 @@ Specify the threshold below which Xen will inform dom0 that the quantity of free ### memop-max-order > `= [][,[][,[][,]]]` -> +> > x86 default: `9,18,12,12` ARM default: `9,18,10,10` Change the maximum order permitted for allocation (or allocation-like) requests issued by the various kinds of domains (in this order: ordinary DomU, control domain, hardware domain, and - when supported by the platform - DomU with pass-through device assigned). @@ -1036,7 +1036,7 @@ Specify the maximum address of physical RAM. Any RAM beyond this limit is ignore ### mmcfg > `= [,amd-fam10]` -> +> > Default: `1` Specify if the MMConfig space should be enabled. @@ -1044,7 +1044,7 @@ Specify if the MMConfig space should be enabled. ### mmio-relax > `= | all` -> +> > Default: `false` By default, domains may not create cached mappings to MMIO regions. This option relaxes the check for Domain 0 (or when using `all`, all PV domains), to permit the use of cacheable MMIO mappings. @@ -1052,7 +1052,7 @@ By default, domains may not create cached mappings to MMIO regions. This option ### msi > `= ` -> +> > Default: `true` Force Xen to (not) use PCI-MSI, even if ACPI FADT says otherwise. @@ -1060,7 +1060,7 @@ Force Xen to (not) use PCI-MSI, even if ACPI FADT says otherwise. ### mtrr.show > `= ` -> +> > Default: `false` Print boot time MTRR state (x86 only). @@ -1068,7 +1068,7 @@ Print boot time MTRR state (x86 only). ### mwait-idle > `= ` -> +> > Default: `true` Use the MWAIT idle driver (with model specific C-state knowledge) instead of the ACPI based one. 
@@ -1076,7 +1076,7 @@ Use the MWAIT idle driver (with model specific C-state knowledge) instead of the ### nmi > `= ignore | dom0 | fatal` -> +> > Default: `fatal` for a debug build, or `dom0` for a non-debug build Specify what Xen should do in the event of an NMI parity or I/O error. `ignore` discards the error; `dom0` causes Xen to report the error to dom0, while 'fatal' causes Xen to print diagnostics and then hang. @@ -1090,7 +1090,7 @@ Because responsibility for APIC setup is shared between Xen and the domain 0 ker ### invpcid (x86) > `= ` -> +> > Default: `true` By default, Xen will use the INVPCID instruction for TLB management if it is available. This option can be used to cause Xen to fall back to older mechanisms, which are generally slower. @@ -1104,7 +1104,7 @@ Disable software IRQ balancing and affinity. This can be used on systems such as ### nolapic > `= ` -> +> > Default: `false` Ignore the local APIC on a uniprocessor system, even if enabled by the BIOS. @@ -1134,13 +1134,13 @@ Disable SMP support. No secondary processors will be booted. Defaults to booting ### numa > `= on | off | fake= | noacpi` -> +> > Default: `on` ### pci > `= {no-}serr | {no-}perr` -> +> > Default: Signaling left as set by firmware. Disable signaling of SERR (system errors) and/or PERR (parity errors) on all PCI devices. @@ -1166,7 +1166,7 @@ This option can be specified more than once (up to 8 times at present). ### pku > `= ` -> +> > Default: `true` Flag to enable Memory Protection Keys. 
@@ -1176,9 +1176,9 @@ The protection-key feature provides an additional mechanism by which IA-32e pagi ### pcid (x86) > `= | xpti=` -> +> > Default: `xpti` -> +> > Can be modified at runtime (change takes effect only for domains created afterwards) If available, control usage of the PCID feature of the processor for 64-bit pv-domains. PCID can be used either for no domain at all (`false`), for all of them (`true`), only for those subject to XPTI (`xpti`) or for those not subject to XPTI (`no-xpti`). The feature is used only in case INVPCID is supported and not disabled via `invpcid=false`. @@ -1186,7 +1186,7 @@ If available, control usage of the PCID feature of the processor for 64-bit pv-d ### psr (Intel) > `= List of ( cmt: | rmid_max: | cat: | cos_max: | cdp: )` -> +> > Default: `psr=cmt:0,rmid_max:255,cat:0,cos_max:255,cdp:0` Platform Shared Resource(PSR) Services. Intel Haswell and later server platforms offer information about the sharing of resources. 
@@ -1197,22 +1197,22 @@ To use the PSR cache allocation service for a certain domain, a capacity bitmask The following resources are available: -* Cache Monitoring Technology (Haswell and later). Information regarding the L3 cache occupancy. - * `cmt` instructs Xen to enable/disable Cache Monitoring Technology. - * `rmid_max` indicates the max value for rmid. -* Memory Bandwidth Monitoring (Broadwell and later). Information regarding the total/local memory bandwidth. Follow the same options with Cache Monitoring Technology. +* Cache Monitoring Technology (Haswell and later). Information regarding the L3 cache occupancy. + * `cmt` instructs Xen to enable/disable Cache Monitoring Technology. + * `rmid_max` indicates the max value for rmid. +* Memory Bandwidth Monitoring (Broadwell and later). Information regarding the total/local memory bandwidth. Follow the same options with Cache Monitoring Technology. -* Cache Allocation Technology (Broadwell and later). Information regarding the cache allocation. +* Cache Allocation Technology (Broadwell and later). Information regarding the cache allocation. - * `cat` instructs Xen to enable/disable Cache Allocation Technology. - * `cos_max` indicates the max value for COS ID. -* Code and Data Prioritization Technology (Broadwell and later). Information regarding the code cache and the data cache allocation. CDP is based on CAT. - * `cdp` instructs Xen to enable/disable Code and Data Prioritization. Note that `cos_max` of CDP is a little different from `cos_max` of CAT. With CDP, one COS will corespond two CBMs other than one with CAT, due to the sum of CBMs is fixed, that means actual `cos_max` in use will automatically reduce to half when CDP is enabled. + * `cat` instructs Xen to enable/disable Cache Allocation Technology. + * `cos_max` indicates the max value for COS ID. +* Code and Data Prioritization Technology (Broadwell and later). Information regarding the code cache and the data cache allocation. CDP is based on CAT. 
+ * `cdp` instructs Xen to enable/disable Code and Data Prioritization. Note that `cos_max` of CDP is a little different from `cos_max` of CAT. With CDP, one COS will corespond two CBMs other than one with CAT, due to the sum of CBMs is fixed, that means actual `cos_max` in use will automatically reduce to half when CDP is enabled. ### pv-linear-pt > `= ` -> +> > Default: `true` Only available if Xen is compiled with CONFIG_PV_LINEAR_PT support enabled. @@ -1224,7 +1224,7 @@ Linux and MiniOS don't use this technique. NetBSD and Novell Netware do; there m ### pv-l1tf (x86) > `= List of [ , dom0=, domu= ]` -> +> > Default: `false` on believed-unaffected hardware. `domu` on believed-affected hardware. Mitigations for L1TF / XSA-273 / CVE-2018-3620 for PV guests. @@ -1238,7 +1238,7 @@ If CONFIG_SHADOW_PAGING is not compiled in, this mitigation instead crashes the ### reboot > `= t[riple] | k[bd] | a[cpi] | p[ci] | P[ower] | e[fi] | n[o] [, [w]arm | [c]old]` -> +> > Default: `0` Specify the host reboot method. @@ -1264,7 +1264,7 @@ Specify the host reboot method. ### ro-hpet > `= ` -> +> > Default: `true` Map the HPET page as read only in Dom0\. If disabled the page will be mapped with read and write permissions. @@ -1272,7 +1272,7 @@ Map the HPET page as read only in Dom0\. If disabled the page will be mapped wit ### sched > `= credit | credit2 | arinc653` -> +> > Default: `sched=credit` Choose the default scheduler. @@ -1304,7 +1304,7 @@ This option inverts the logic, so that the scheduler in effect tries to keep the ### serial_tx_buffer > `= ` -> +> > Default: `16kB` Set the serial transmit buffer size. @@ -1312,7 +1312,7 @@ Set the serial transmit buffer size. ### smep > `= ` -> +> > Default: `true` Flag to enable Supervisor Mode Execution Protection @@ -1320,7 +1320,7 @@ Flag to enable Supervisor Mode Execution Protection ### smap > `= ` -> +> > Default: `true` Flag to enable Supervisor Mode Access Prevention 
@@ -1355,10 +1355,10 @@ Use of a positive boolean value for either of these options is invalid. The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine grained control over the alternative blocks used by Xen. These impact Xen's ability to protect itself, and Xen's ability to virtualise support for guests to use. -* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests respectively. -* `msr-sc=` offers control over Xen's support for manipulating MSR_SPEC_CTRL on entry and exit. These blocks are necessary to virtualise support for guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. -* `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen. -* `md-clear=` offers control over whether to use VERW to flush microarchitectural buffers on idle and exit from Xen. _Note: For compatibility with development versions of this fix, `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor documentation in preference to here._ +* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests respectively. +* `msr-sc=` offers control over Xen's support for manipulating MSR_SPEC_CTRL on entry and exit. These blocks are necessary to virtualise support for guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. +* `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen. +* `md-clear=` offers control over whether to use VERW to flush microarchitectural buffers on idle and exit from Xen. _Note: For compatibility with development versions of this fix, `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor documentation in preference to here._ If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` locations. 
The default thunk is `retpoline` (generally preferred for Intel hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD). @@ -1375,7 +1375,7 @@ On hardware supporting L1D_FLUSH, the `l1d-flush=` option can be used to force o ### sync_console > `= ` -> +> > Default: `false` Flag to force synchronous console output. Useful for debugging, but not suitable for production environments due to incurred overhead. @@ -1395,7 +1395,7 @@ Specify the per-cpu trace buffer size in pages. ### tdt > `= ` -> +> > Default: `true` Flag to enable TSC deadline as the APIC timer mode. @@ -1455,7 +1455,7 @@ Specify how and where to find CPU microcode update blob. ### vcpu_migration_delay > `= ` -> +> > Default: `0` Specify a delay, in microseconds, between migrations of a VCPU between PCPUs when using the credit1 scheduler. This prevents rapid fluttering of a VCPU between CPUs, and reduces the implicit overheads such as cache-warming. 1ms (1000) has been measured as a good value. @@ -1491,7 +1491,7 @@ The optional `keep` parameter causes Xen to continue using the vga console even ### vpid (Intel) > `= ` -> +> > Default: `true` Use Virtual Processor ID support if available. This prevents the need for TLB flushes on VM entry and exit, increasing performance. @@ -1499,7 +1499,7 @@ Use Virtual Processor ID support if available. This prevents the need for TLB fl ### vpmu > `= ( | { bts | ipc | arch | rtm-abort= [, ...] } )` -> +> > Default: `off` Switch on the virtualized performance monitoring unit for HVM guests. 
@@ -1526,12 +1526,12 @@ If a boolean is not used, combinations of flags are allowed, comma separated. Fo Note that if **watchdog** option is also specified vpmu will be turned off. -_Warning:_ As the virtualisation is not 100% safe, don't use the vpmu flag on production systems (see http://xenbits.xen.org/xsa/advisory-163.html)! +_Warning:_ As the virtualisation is not 100% safe, don't use the vpmu flag on production systems (see )! ### vwfi > `= trap | native -> +> > Default: `trap` WFI is the ARM instruction to "wait for interrupt". WFE is similar and means "wait for event". This option, which is ARM specific, changes the way guest WFI and WFE are implemented in Xen. By default, Xen traps both instructions. In the case of WFI, Xen blocks the guest vcpu; in the case of WFE, Xen yield the guest vcpu. When setting vwfi to `native`, Xen doesn't trap either instruction, running them in guest context. Setting vwfi to `native` reduces irq latency significantly. It can also lead to suboptimal scheduling decisions, but only when the system is oversubscribed (i.e., in total there are more vCPUs than pCPUs). @@ -1539,7 +1539,7 @@ WFI is the ARM instruction to "wait for interrupt". WFE is similar and means "wa ### watchdog > `= force | ` -> +> > Default: `false` Run an NMI watchdog on each processor. If a processor is stuck for longer than the **watchdog_timeout**, a panic occurs. When `force` is specified, in addition to running an NMI watchdog on each processor, unknown NMIs will still be processed. @@ -1547,7 +1547,7 @@ Run an NMI watchdog on each processor. If a processor is stuck for longer than t ### watchdog_timeout > `= ` -> +> > Default: `5` Set the NMI watchdog timeout in seconds. Specifying `0` will turn off the watchdog. @@ -1555,7 +1555,7 @@ Set the NMI watchdog timeout in seconds. Specifying `0` will turn off the watchd ### x2apic > `= ` -> +> > Default: `true` Permit use of x2apic setup for SMP environments. 
@@ -1563,7 +1563,7 @@ Permit use of x2apic setup for SMP environments. ### x2apic_phys > `= ` -> +> > Default: `true` if **FADT** mandates physical mode, `false` otherwise. In the case that x2apic is in use, this option switches between physical and clustered mode. The default, given no hint from the **FADT**, is cluster mode. @@ -1571,7 +1571,7 @@ In the case that x2apic is in use, this option switches between physical and clu ### xpti > `= List of [ default | | dom0= | domu= ]` -> +> > Default: `false` on hardware not to be vulnerable to Meltdown (e.g. AMD) Default: `true` everywhere else Override default selection of whether to isolate 64-bit PV guest page tables. @@ -1587,7 +1587,7 @@ With `dom0` and `domu` it is possible to control page table isolation for dom0 o ### xsave > `= ` -> +> > Default: `true` Permit use of the `xsave/xrstor` instructions.
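Review bot: the vpmu hunk drops the XSA-163 reference and leaves an empty parenthetical: `-_Warning:_ ... (see http://xenbits.xen.org/xsa/advisory-163.html)!` becomes `+_Warning:_ ... (see )!`. This is the only non-whitespace change in the whole patch, and it removes the one pointer that tells an administrator why vpmu must not be enabled on production systems. Either restore the URL or, if the link is being dropped on purpose, rewrite the sentence as `(see XSA-163)` and say so in the commit message; burying it inside a trailing-whitespace cleanup makes it easy to miss in review.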
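Review bot: since the CDP bullet in the psr hunk is being re-added anyway, fix the typo and grammar in the `+` line rather than carrying them forward: `corespond` should be `correspond`, and `one COS will corespond two CBMs other than one with CAT, due to the sum of CBMs is fixed, that means actual cos_max in use will automatically reduce to half` reads better as `one COS corresponds to two CBMs rather than one as with CAT; because the total number of CBMs is fixed, the effective cos_max halves when CDP is enabled`. The same hunk's `Follow the same options with Cache Monitoring Technology` for Memory Bandwidth Monitoring would be clearer as `Uses the same options as Cache Monitoring Technology`.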
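Review bot: the context line directly above the vwfi change, `> \`= trap | native`, is missing its closing backtick, so the option syntax renders as an unterminated code span. The hunk already touches the line immediately below it; extending it by one line to close the backtick would fix the rendering at no extra cost.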
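Review bot: in the nmi hunk the description line uses mismatched quoting for the three values: `ignore` and `dom0` are in backticks while `'fatal'` is in single quotes. The hunk changes the adjacent blank quote line only; while here, quote `fatal` the same way as the other two so the option values render consistently.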
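Review bot: the xpti hunk leaves the default line reading `on hardware not to be vulnerable to Meltdown (e.g. AMD)`, while the pv-l1tf entry earlier in this same patch phrases the equivalent case as `believed-unaffected hardware`. Since this block is being touched, aligning the wording (`on hardware not believed to be vulnerable to Meltdown`) would keep the two speculative-execution mitigation entries consistent and avoid implying a firm guarantee that the hardware is unaffected.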