Environment: I tested this on Fedora in a DevStack environment with
nested KVM.  My Compute node is a level-1 guest, with
'host-passthrough' as its CPU mode.  And the level-2 guest, the Nova
instance has a custom model with specific CPU flags enabled.

Test
----

On the Compute node, in /etc/nova/nova.conf, configure a custom CPU
model:

    [libvirt]
    cpu_mode = custom
    cpu_model = Haswell-noTSX
    cpu_model_extra_flags = vmx, pdpe1gb
    virt_type = kvm
    [...]

Then start a guest:

    [ComputeNode]$ openstack server create testvm1 \
        --image cirros-0.3.5-x86_64-disk --flavor 2

Ensure the guest is running:

    [ComputeNode]$ openstack server list -f json
    [
      {
        "Status": "ACTIVE", 
        "Name": "testvm1", 
        "Image": "cirros-0.3.5-x86_64-disk", 
        "ID": "eb1ba291-93eb-4cde-b5e9-3386bfe5fa3e", 
        "Flavor": "m1.small", 
        "Networks": "private=fda0:77af:6ab0:0:f816:3eff:fe50:f6a5, 10.0.0.7"
      }

Then, ensure that the 'vmx' and 'pdpe1gb' CPU features are available as
part of the CPU configuration of the just-booted Nova instance
("instance-00000001"):

    $ sudo virsh dumpxml instance-00000001 | grep "cpu mode" -A12
      <cpu mode='custom' match='exact' check='full'>
        <model fallback='forbid'>Haswell-noTSX</model>
        <topology sockets='1' cores='1' threads='1'/>
        <feature policy='require' name='pdpe1gb'/>
        <feature policy='disable' name='vmx'/>
        [...]
      </cpu>

As a final confirmation, ensure that the 'vmx' and 'pdpe1gb' CPU
features show up as part of the QEMU command-line ("-cpu
Haswell-noTSX,pdpe1gb=on,vmx=on"):

[ComputeNode]$ ps -ef | grep qemu
qemu     17738     1 11 17:06 ?        00:00:03 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name guest=instance-00000001,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-instance-00000001/master-key.aes -machine pc-i440fx-2.9,accel=kvm,usb=off,dump-guest-core=off -cpu Haswell-noTSX,pdpe1gb=on,vmx=on -m 2048 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid eb1ba291-93eb-4cde-b5e9-3386bfe5fa3e -smbios type=1,manufacturer=OpenStack Foundation,product=OpenStack Nova,version=18.0.0,serial=5cfd0699-ad8c-be09-a3a8-a4446a0aff89,uuid=eb1ba291-93eb-4cde-b5e9-3386bfe5fa3e,family=Virtual Machine -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-1-instance-00000001/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/home/stack/src/cloud/data/nova/instances/eb1ba291-93eb-4cde-b5e9-3386bfe5fa3e/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=31,id=hostnet0,vhost=on,vhostfd=33 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:50:f6:a5,bus=pci.0,addr=0x3 -add-fd set=2,fd=35 -chardev pty,id=charserial0,logfile=/dev/fdset/2,logappend=on -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on