From: Grygorii Strashko <grygorii_strashko@epam.com>

For x86 Xen safety certification only PVH Gusts are selected to be allowed
which are started by using direct Direct Kernel Boot only. There is also an
assumption that x86 Guest's (OS) early boot code (which is running not in
64-bit mode) does not access Xen interfaces (hypercalls, shared_info, ..).

In this case the Xen HVM 32-bit COMPAT interface become unused and leaves
gaps in terms of coverage.

Hence now all prerequisite changes are in place, introduce a
CONFIG_HVM_COMPAT option through which HVM(PVH) 32-bit interface support on
64-bit Xen can be disabled.

By default, CONFIG_HVM_COMPAT is ("y") enabled and accessible only in
EXPERT mode.

Signed-off-by: Grygorii Strashko <grygorii_strashko@epam.com>
---
changes in v2:
- fix format and move above HVM_FEP

 xen/arch/x86/hvm/Kconfig | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig
index c323d767e77c..88090f5b3965 100644
--- a/xen/arch/x86/hvm/Kconfig
+++ b/xen/arch/x86/hvm/Kconfig
@@ -2,7 +2,6 @@ menuconfig HVM
 	bool "HVM support"
 	depends on !PV_SHIM_EXCLUSIVE
 	default !PV_SHIM
-	select COMPAT
 	select IOREQ_SERVER
 	select MEM_ACCESS_ALWAYS_ON
 	help
@@ -35,6 +34,24 @@ config INTEL_VMX
 	  If your system includes a processor with Intel VT-x support, say Y.
 	  If in doubt, say Y.
 
+config HVM_COMPAT
+	bool "HVM 32-bit hypercalls interface support" if EXPERT
+	select COMPAT
+	default y
+	help
+	  The HVM 32-bit interface must be enabled for HVM domains to be able to
+	  make hypercalls in 32bit mode. Non-PVH domains unconditionally need this
+	  option so that hvmloader may issue hypercalls in 32bit mode.
+
+	  The HVM 32-bit interface can be disabled if:
+	  - Only PVH domains are used
+	  - Guests (OS) are started by using direct Direct Kernel Boot
+	  - Guests (OS) are 64-bit and Guest early boot code, which is running not
+	    in 64-bit mode, does not access Xen interfaces
+	    (hypercalls, shared_info, ..)
+
+	  If unsure, say Y.
+
 config HVM_FEP
 	bool "HVM Forced Emulation Prefix support (UNSUPPORTED)" if UNSUPPORTED
 	default DEBUG
-- 
2.34.1

On 2025-11-19 14:30, Grygorii Strashko wrote:
> From: Grygorii Strashko <grygorii_strashko@epam.com>
> 
> For x86 Xen safety certification only PVH Gusts are selected to be allowed

s/Gusts/Guests/

> which are started by using direct Direct Kernel Boot only. There is also an

s/direct Direct/direct/

> assumption that x86 Guest's (OS) early boot code (which is running not in
> 64-bit mode) does not access Xen interfaces (hypercalls, shared_info, ..).
> 
> In this case the Xen HVM 32-bit COMPAT interface become unused and leaves
> gaps in terms of coverage.
> 
> Hence now all prerequisite changes are in place, introduce a
> CONFIG_HVM_COMPAT option through which HVM(PVH) 32-bit interface support on
> 64-bit Xen can be disabled.
> 
> By default, CONFIG_HVM_COMPAT is ("y") enabled and accessible only in
> EXPERT mode.
> 
> Signed-off-by: Grygorii Strashko <grygorii_strashko@epam.com>
> ---
> changes in v2:
> - fix format and move above HVM_FEP
> 
>   xen/arch/x86/hvm/Kconfig | 19 ++++++++++++++++++-
>   1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig
> index c323d767e77c..88090f5b3965 100644
> --- a/xen/arch/x86/hvm/Kconfig
> +++ b/xen/arch/x86/hvm/Kconfig
> @@ -2,7 +2,6 @@ menuconfig HVM
>   	bool "HVM support"
>   	depends on !PV_SHIM_EXCLUSIVE
>   	default !PV_SHIM
> -	select COMPAT
>   	select IOREQ_SERVER
>   	select MEM_ACCESS_ALWAYS_ON
>   	help
> @@ -35,6 +34,24 @@ config INTEL_VMX
>   	  If your system includes a processor with Intel VT-x support, say Y.
>   	  If in doubt, say Y.
>   
> +config HVM_COMPAT
> +	bool "HVM 32-bit hypercalls interface support" if EXPERT

Maybe "HVM 32-bit compat hypercall support" to get "compat" in the 
user-visible text?

> +	select COMPAT
> +	default y
> +	help
> +	  The HVM 32-bit interface must be enabled for HVM domains to be able to
> +	  make hypercalls in 32bit mode. Non-PVH domains unconditionally need this
> +	  option so that hvmloader may issue hypercalls in 32bit mode.
> +
> +	  The HVM 32-bit interface can be disabled if:
> +	  - Only PVH domains are used
> +	  - Guests (OS) are started by using direct Direct Kernel Boot
> +	  - Guests (OS) are 64-bit and Guest early boot code, which is running not
> +	    in 64-bit mode, does not access Xen interfaces
> +	    (hypercalls, shared_info, ..)
> +
> +	  If unsure, say Y.
> +

Maybe something like:
"""
Support HVM hypercalls from 32-bit code.  Hypercalls from 64-bit code 
are always supported.

Disabling 32-bit compat hypercalls reduces the hypervisor binary size. 
HVM guests require the 32-bit hvmloader, so they cannot run with this 
disabled.  i.e. Xen will only run 64-bit PVH guests with this disabled.

If unsure, say Y.
"""

While what you wrote is correct, I tried to rephrase to highlight the 
the implications.

Regards,
Jason

>   config HVM_FEP
>   	bool "HVM Forced Emulation Prefix support (UNSUPPORTED)" if UNSUPPORTED
>   	default DEBUG