hvf: Add API to verify Nested Virt is supported

jakecorrenti · jakecorrenti · commit 0c582d5ee87f · 2025-04-23T16:15:26.000-04:00
Add an API to check if the current system supports Nested Virt on macOS.

Signed-off-by: Jake Correnti &lt;jakecorrenti+github@proton.me&gt;
diff --git a/include/libkrun.h b/include/libkrun.h
@@ -560,6 +560,19 @@ int32_t krun_setgid(uint32_t ctx_id, gid_t gid);
  */
 int32_t krun_set_nested_virt(uint32_t ctx_id, bool enabled);
 
+/**
+ * Check the system if Nested Virtualization is supported
+ *
+ * Notes:
+ *  This feature is only supported on macOS.
+ *
+ * Returns:
+ *  - 1 : Success and Nested Virtualization is supported
+ *  - 0 : Success and Nested Virtualization is not supported
+ *  - <0: Failure
+ */
+int32_t krun_check_nested_virt(void);
+
 /**
  * Specify whether to split IRQCHIP responsibilities between the host and the guest.
  *
diff --git a/src/hvf/src/lib.rs b/src/hvf/src/lib.rs
@@ -9,6 +9,9 @@
 #[allow(deref_nullptr)]
 pub mod bindings;
 
+#[macro_use]
+extern crate log;
+
 use bindings::*;
 
 #[cfg(target_arch = "aarch64")]
@@ -206,11 +209,39 @@ pub fn vcpu_set_vtimer_mask(vcpuid: u64, masked: bool) -> Result<(), Error> {
     }
 }
 
-pub struct HvfNestedBindings {
-    hv_vm_config_get_el2_supported:
-        libloading::Symbol<'static, unsafe extern "C" fn(*mut bool) -> hv_return_t>,
-    hv_vm_config_set_el2_enabled:
-        libloading::Symbol<'static, unsafe extern "C" fn(hv_vm_config_t, bool) -> hv_return_t>,
+pub fn check_nested_virt() -> Result<bool, Error> {
+    // Only M3 and newer chips will support nested virtualization. Query the
+    // system to verify if the chip has support.
+    let get_el2_supported: libloading::Symbol<
+        'static,
+        unsafe extern "C" fn(*mut bool) -> hv_return_t,
+    > = unsafe {
+        HVF.get(b"hv_vm_config_get_el2_supported")
+            .map_err(Error::FindSymbol)?
+    };
+    let mut el2_supported: bool = false;
+    let ret = unsafe { (get_el2_supported)(&mut el2_supported) };
+    if ret != HV_SUCCESS {
+        error!("processor does not support the nested virtualization functionality");
+        return Err(Error::NestedCheck);
+    }
+
+    // nested virtualization requires macOS 15.0+
+    match std::process::Command::new("sw_vers")
+        .arg("--productVersion")
+        .output()
+    {
+        Ok(cmd_output) => {
+            let macos_version: u8 = String::from_utf8_lossy(&cmd_output.stdout)[..2]
+                .parse()
+                .unwrap();
+            Ok(el2_supported && macos_version >= 15)
+        }
+        Err(e) => {
+            error!("unable to check macOS version: {:?}", e);
+            Err(Error::NestedCheck)
+        }
+    }
 }
 
 pub struct HvfVm {}
@@ -225,30 +256,16 @@ static HVF: LazyLock<libloading::Library> = LazyLock::new(|| unsafe {
 impl HvfVm {
     pub fn new(nested_enabled: bool) -> Result<Self, Error> {
         let config = unsafe { hv_vm_config_create() };
-
         if nested_enabled {
-            let bindings = unsafe {
-                HvfNestedBindings {
-                    hv_vm_config_get_el2_supported: HVF
-                        .get(b"hv_vm_config_get_el2_supported")
-                        .map_err(Error::FindSymbol)?,
-                    hv_vm_config_set_el2_enabled: HVF
-                        .get(b"hv_vm_config_set_el2_enabled")
-                        .map_err(Error::FindSymbol)?,
-                }
+            let set_el2_enabled: libloading::Symbol<
+                'static,
+                unsafe extern "C" fn(hv_vm_config_t, bool) -> hv_return_t,
+            > = unsafe {
+                HVF.get(b"hv_vm_config_set_el2_enabled")
+                    .map_err(Error::FindSymbol)?
             };
 
-            let mut el2_supported: bool = false;
-            let ret = unsafe { (bindings.hv_vm_config_get_el2_supported)(&mut el2_supported) };
-            if ret != HV_SUCCESS {
-                return Err(Error::NestedCheck);
-            }
-
-            if !el2_supported {
-                return Err(Error::NestedCheck);
-            }
-
-            let ret = unsafe { (bindings.hv_vm_config_set_el2_enabled)(config, true) };
+            let ret = unsafe { (set_el2_enabled)(config, true) };
             if ret != HV_SUCCESS {
                 return Err(Error::EnableEL2);
             }
diff --git a/src/libkrun/src/lib.rs b/src/libkrun/src/lib.rs
@@ -1062,6 +1062,19 @@ pub unsafe extern "C" fn krun_set_nested_virt(ctx_id: u32, enabled: bool) -> i32
     }
 }
 
+#[allow(clippy::missing_safety_doc)]
+#[no_mangle]
+pub unsafe extern "C" fn krun_check_nested_virt() -> i32 {
+    if cfg!(target_os = "macos") {
+        match hvf::check_nested_virt() {
+            Ok(supp) => supp as i32,
+            Err(_) => -libc::EINVAL,
+        }
+    } else {
+        -libc::EINVAL
+    }
+}
+
 #[allow(clippy::missing_safety_doc)]
 #[no_mangle]
 pub extern "C" fn krun_split_irqchip(ctx_id: u32, enable: bool) -> i32 {
