macos – Is nested virtualization supported by Apple Silicon chips (M2/M3)?


The short answer is yes. The technical details are below:

Privilege Levels

It depends a bit on what you mean by “support” exactly. To better understand the nuances in that word, first a quick and rough overview of how ARM CPUs (such as the Apple Silicon M-series) run software at different privilege levels:

ARM CPUs divide the world into different exception levels – namely EL0, EL1, EL2 and EL3. Here EL0 is the least privileged level and EL3 is the most privileged level.

How They Work

Software running at a specific exception level is restricted in various ways. When that software tries to perform an operation that has been restricted, the CPU will generally pause that software, and instead start running the software that executes at a higher exception level and let that software decide whether or not, and how, the operation should be allowed to proceed.

For example, a typical application such as “Calendar.app” would be running at EL0. If it tries to do something privileged, such as access to disk storage, the CPU would effectively pause the program and let operating system code running at EL1 decide if and how that operation should be allowed to proceed.

Privilege Levels and Virtualisation

When you add hardware assisted virtualisation into the mix, you’ll typically find the software performing the virtualisation management (known as the hypervisor) running at EL2.

Apple doesn’t currently make use of EL3.

This way of organising privilege levels is also found on Intel CPUs. Here you might have heard of “rings”, which is basically the same concept. They do the numbering in the opposite way though, so that ring 0 is the most privileged.

Nested Virtualisation

Now with the theoretical overview out of the way, we can start answering the question at hand:

Non-hardware Assisted Nested Virtualisation

It’s of course entirely possible to use nested virtualisation with the Apple Silicon series, as with almost any other CPU. You can simply run everything at EL0 without requiring any special operating system or hardware features. It can be done with emulation and will usually be quite slow.

Another possibility is to use ordinary hardware assisted virtualisation. The first layer would be hardware virtualised as usual. Then you would use paravirtualisation software to run a modified operating system inside the first level guest at EL0, in order to have second level guests. It would be complicated, limited in performance and require customised guest software. It’s usually not what you want.

Hardware-assisted Nested Virtualisation

I assume you're talking about hardware assisted nested virtualisation instead:

In that case you have a host hypervisor that provides the first level of virtualisation, and a guest hypervisor that provides the second level (or more) of virtualisation. As mentioned before, the host hypervisor runs at EL2. This means that the guest hypervisor runs at EL1.

Apple M1 CPU – no hardware support

The hardware features for virtualisation are controlled through registers (and other means). On the Apple M1 CPU the registers at EL2 cannot be modified by EL1 software at all. This means that a guest hypervisor running at EL1 inside a virtual machine cannot use hardware virtualisation features to provide nested virtualisation.

v8.3-A hardware support

ARM introduced support for nested virtualisation with their v8.3-A specification. This means that a guest hypervisor running at EL1 modifying the EL2 registers for hardware assisted nested virtualisation (HCR_EL2.NV, HCR_EL2.NV1 and HCR_EL2.AT) will cause the CPU to pause the guest hypervisor, and let the host hypervisor running at EL2 decide whether and how to proceed. That is a big part of enabling nested virtualisation. There are other details, for example related to memory and interrupt management.

One thing to note is that this process of pausing the software and letting more privileged software run takes some time. This is what is known as a context switch – which you’d also know from just regular macOS, where a context switch happens every time you transition from running application code to running operating system code. So you ideally want to have as few context switches as possible to get optimal performance.

v8.4-A hardware support

As nested virtualisation means changing multiple registers quite often, you will get a performance hit here. With ARM’s v8.4-A specification they introduced a performance optimisation, which can be thought of as letting the guest hypervisor in EL1 modify a number of registers and then letting the host hypervisor in EL2 process them in a batch. That improves performance for nested virtualisation. This feature is enabled through the HCR_EL2.NV2 register.

CPU Feature Indication

The ARM specification also includes a way for the CPU to inform the software of which features it supports. Specifically for nested virtualisation the CPU can signal either that it doesn't support nested virtualisation at all, that it supports the v8.3-A level (HCR_EL2.NV, HCR_EL2.NV1 and HCR_EL2.AT) or that it supports the v8.4-A level (addition of HCR_EL2.NV2).
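
The feature indication described above can be decoded as follows. This is an added example, not code from the original answer or from Apple. It assumes the NV field of the ID_AA64MMFR2_EL1 register (bits 27:24) and the HCR_EL2 bit positions from the Arm architecture reference manual, neither of which appears on this page; the register values in main() are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: field and bit positions per the Arm architecture reference manual. */
#define MMFR2_NV_SHIFT 24               /* ID_AA64MMFR2_EL1.NV, bits [27:24] */
#define HCR_NV     (1ULL << 42)
#define HCR_NV1    (1ULL << 43)
#define HCR_AT     (1ULL << 44)
#define HCR_NV2    (1ULL << 45)
#define HCR_NV_ALL (HCR_NV | HCR_NV1 | HCR_AT | HCR_NV2)

enum nv_level { NV_UNKNOWN = -1, NV_NONE = 0, NV_V8_3 = 1, NV_V8_4 = 2 };

/* Decode the nested-virtualisation level a CPU advertises to software. */
enum nv_level nv_level_from_mmfr2(uint64_t mmfr2)
{
    unsigned field = (unsigned)((mmfr2 >> MMFR2_NV_SHIFT) & 0xF);
    return field > 2 ? NV_UNKNOWN : (enum nv_level)field; /* >2 is reserved */
}

/* HCR_EL2 nested-virtualisation controls that exist at a given level. */
uint64_t nv_hcr_bits_available(enum nv_level lvl)
{
    switch (lvl) {
    case NV_V8_3: return HCR_NV | HCR_NV1 | HCR_AT;
    case NV_V8_4: return HCR_NV_ALL;
    default:      return 0;             /* none, or reserved: allow nothing */
    }
}

/* Requested NV control bits the CPU does not implement (0 means all are fine). */
uint64_t nv_hcr_bits_unsupported(uint64_t mmfr2, uint64_t hcr_wanted)
{
    uint64_t ok = nv_hcr_bits_available(nv_level_from_mmfr2(mmfr2));
    return hcr_wanted & HCR_NV_ALL & ~ok;
}

int main(void)
{
    /* Constructed sample ID register values, not read from real hardware. */
    uint64_t samples[] = { 0x0, 0x1ULL << 24, 0x2ULL << 24, 0x7ULL << 24 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("MMFR2=%#llx level=%d missing=%#llx\n",
               (unsigned long long)samples[i], nv_level_from_mmfr2(samples[i]),
               (unsigned long long)nv_hcr_bits_unsupported(samples[i], HCR_NV | HCR_NV2));
    return 0;
}
```

A host hypervisor would apply a check of this kind before exposing nested virtualisation to a guest, treating reserved encodings as unsupported.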

Apple M-series Capabilities

The Apple M1 CPU doesn’t support hardware assisted nested virtualisation at all.

The Apple M2 and M3 CPUs support the v8.4-A level of hardware assisted nested virtualisation.

Software Support for Nested Virtualisation

However, Apple has not supplied user level software for that feature. I.e. the Virtualisation and Hypervisor frameworks that come with macOS do not (yet) support hardware assisted nested virtualisation.

This means that, for example, when running Windows 11 inside VMware Fusion or Parallels Desktop you won't have access to the WSL2 feature (Windows Subsystem for Linux 2).

I know progress has been made on Asahi Linux in supporting this, so at some point in the future, the current M2 and M3 hardware will likely get support.
