VMCS shadowing requires vPro...any insights?

[Grunthos]

I'd like nested VMs. I have been told that it requires VMCS shadowing. Intel says VMCS is only available with vPro (which includes their awful insecure back-doored management technology). vPro in turn requires a very specific chipset (Q4xx).

So ... my question is ... do I need a motherboard with full vPro support in order to use VMCS? ie. is VMCS merely a "side-loaded" feature of vPro-capable CPUs, or is it inherently integrated with all of vPro?

Probably not the right forum, but it seems like someone here *might* have tested this...

[mpack]

From the user manual (section 15.9 - v6.1.0 Change log):

o Virtualization core: Support for nested hardware-virtualization on Intel CPUs (starting
with 5th generation Core i, codename Broadwell), so far tested only with guest running
VirtualBox.

From memory, nested virtualization for AMD CPUs was added in an earlier version, probably v6.0.0.

[Grunthos]

Yes, but it (for Intel) actually runs apallingly badly on anything without VMCS -- hence the question.

[scottgus1]

Forum guru fth0 found that these items in a VM's vbox.log have to all end in (1) for nested virtualization to work:

VMX - Virtual-Machine Extensions = 0 (1)
Ept - Extended Page Tables = 0 (1)
UnrestrictedGuest - Unrestricted guest = 0 (1)
VmcsShadowing - VMCS shadowing = 0 (1)

We don't have advice on which processors will have these, though. One poster's log, from which I copied this list, is using this CPU:
Intel(R) Core(TM) i7-8850H
The user's log shows no data on how nested VM's would perform, however. They weren't trying nested VM's.

[Grunthos]

@scotgus1 Indeed, that is the root of the underlying problem.

But the question was about the precise CPU and motherboard features needed to make VMCS Shadowing available. It seems clear that one needs a vPro-capable CPU, but it is not clear one needs a vPro motherboard. I guess this is in fact the wrong forum for hardware questions, but I had hope someone had perhaps tried nested VMs on a non-vPro motherboard (probably 99% of all motherboards) with a vPro CPU (probably 10%? of all CPUs).

[mpack]

I had hope someone had perhaps tried nested VMs on a non-vPro motherboard

The sample population won't be very large. VirtualBox didn't support nested VMs at all until quite recently, and most experienced users still avoid the need for them. In general it's a very narrow use case: most VMs that could be run nested can also be run non-nested with less overhead.

[fth0]

I had hope someone had perhaps tried nested VMs on a non-vPro motherboard (probably 99% of all motherboards) with a vPro CPU (probably 10%? of all CPUs).

FWIW, I have two computers with Intel CPUs with the VMCS Shadowing feature, both being a few years old:

Intel Core i7-4790, Lenovo ThinkCentre M93p
Intel Core i5-4690, Apple iMac15,1

Intel says VMCS is only available with vPro

Did you find additional confirmation about that (going beyond my previous argumentation)?

[Grunthos]

I had hope someone had perhaps tried nested VMs on a non-vPro motherboard (probably 99% of all motherboards) with a vPro CPU (probably 10%? of all CPUs).

FWIW, I have two computers with Intel CPUs with the VMCS Shadowing feature, both being a few years old:

Intel Core i7-4790, Lenovo ThinkCentre M93p
Intel Core i5-4690, Apple iMac15,1

Do you also have information on the motherboards? And does nesting work?

Intel says VMCS is only available with vPro

Did you find additional confirmation about that (going beyond my previous argumentation)?

I am not precisely sure what you are asking, but there are numerous sources that mention VMCS only in the context of vPro, some clearer than others:

White paper - specifically states that VMCS will be available on vPro processors:
https://www.intel.com/content/dam/www/p ... -paper.pdf

This explicitly lists vPro and Xeon processors as supporting VMCS:
https://searchservervirtualization.tech ... -shadowing

Paper on vPro:
https://www.intel.com/content/dam/www/p ... -guide.pdf

[fth0]

Do you also have information on the motherboards?

The Lenovo desktop seems to have an Intel Q87 chipset (https://www.lenovo.com/hk/en/desktops-and-all-in-ones/thinkcentre/m-series-tower/ThinkCentre-M93P/p/11TC1TMM93P).

Apple uses its own motherboards, and you'd have to search it for yourself if it's really worth the effort (perhaps on iFixit).

I am not precisely sure what you are asking, but there are numerous sources that mention VMCS only in the context of vPro, some clearer than others

Thanks for the links, those are the documents that I've also found in the past. They strongly indicate that VMCS shadowing is an Intel vPro only feature, but are quite old (like my Intel CPUs). FWIW, I've looked at a lot of VBox.log files in the forums in the previous months, and every CPU with VMCS shadowing which I've bothered looking up at ark.intel.com had the Intel vPro Platform Eligibility. But I stopped looking after the 9th generation of Intel CPUs, since I was convinced already.

[Grunthos]

Yep,that matches my expectations (ie. VMCS only occurs with vPro).

What I am asking is: can VMCS be used on a MOTHERBOARD that does not support vPro...ie. are these features tightly linked (VMCS wont work without vPro on the mobo), or are they loosely coupled (eg. for marketing), so that VMCS might possibly work on any motherboard? ie. if I put a VMCS-capable CPU in a non-vPro motherbaord, will I have access to VMCS?

The Q* motherboards are, AFAICT, the only ones that support vPro. Question is: can I used VMCS on a non-Q motherboard?

( Sorry, my original question must have been really unclear! Not sure how I could make it better though. )

[fth0]

If (1) the VMCS Shadowing CPU feature is only provided with Intel vPro CPUs, and (2) Intel vPro CPUs only run in motherboards with an Intel vPro Q* chipset, the question just doesn't seem to make much sense. I don't expect anyone to try out if (2) is true, because if someone buys the more expensive CPU, they probably won't try to save money on the motherboard.

[Grunthos]

If (1) the VMCS Shadowing CPU feature is only provided with Intel vPro CPUs, and (2) Intel vPro CPUs only run in motherboards with an Intel vPro Q* chipset, the question just doesn't seem to make much sense. I don't expect anyone to try out if (2) is true, because if someone buys the more expensive CPU, they probably won't try to save money on the motherboard.

Yes; the question does require that (2) be false.

[Grunthos]

For those who care: Thankfully (2) IS false, and VMCS does NOT depend on vPro.

[Feryno]

The first CPU where I had VMCS shadowing was Xeon E3-1230 v3. It wasn't present in the previous generation (I had Xeon E3-1230 v2).
The VMCS shadowing is not essential to run nested child hypervisor. It just makes it faster as it reduces VM exits.
Without VMCS shadowing when a child hypervisor = L1 executes VMREAD or VMWRITE, it always causes vm exits into parent hypervisor = L0, which emulates these instructions. The emulation itself could be quite fast, like few hundreds of CPU cycles, but the VMEXIT and VMENTRY are very costly (like 1000-2000 CPU cycles done by hardware).
With VMCS shadowing when child hypervisor = L1 executes VMREAD / VMWRITE these instructions do not cause vm exits into parent hypervisor = L0 and they operate directly on VMCS shadow page which is very fast. The parent hypervisor = L0 utilizes extra CPU cycles to read and write the VMCS shadow page (which is not performed when no VMCS shadowing), but the overal performance is much better with the VMCS shadowing. The difference is best visible when booting OS = L2, there is not significant difference when the OS is idle.
If you have a CPU with VMCS shadowing, for comparing the performance difference with and without it, you can very likely tell your parent hypervisor = L0 not to use the feature (some starting param, it depends on whether the hypervisor developer implemented that choice).
This is CPU feature and does not depend on chipset. Virtualization (Intel VMX) is also a CPU feature and it could be disabled and locked in UEFI setup menu, but the VMCS shadowing cannot be disabled either locked, it could be just used or not used (thus no UEFI setup menu for it). If it is present then the parent hypervisor will very likely use it (performance enhancement) so you have to tell it manually not to use it to compare the performance difference.
If bit 31. of MSR 0x482 is set to 1 then MSR 0x48B is present (secondary processor based vm execution controls). If bit 14. of MSR 0x48B is set to 1 then VMCS shadowing is present. Or look into /proc/cpuinfo whether you find the feature.
I saw a video where they tested a machine with N100 which is very cheap and it seems to have the vmcs shadowing present, the string wraps at the end of line so it is visible only "sha" at the end of a line and "dow_vmcs" on the next line.
YT, video name:
ASRock’s N100DC-ITX: Cherry Trail Replacement
time 10:12