Setup Intel Mode Based Execution Control (bit 22) for nested
guest, gated on module parameter enablement.

Signed-off-by: Jon Kohler <jon@nutanix.com>

---
 arch/x86/kvm/vmx/nested.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 931a7361c30f..ce3a6d6dfce7 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -7099,6 +7099,10 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
 		 */
 		if (cpu_has_vmx_vmfunc())
 			msrs->vmfunc_controls = VMX_VMFUNC_EPTP_SWITCHING;
+
+		if (enable_pt_guest_exec_control)
+			msrs->secondary_ctls_high |=
+				SECONDARY_EXEC_MODE_BASED_EPT_EXEC;
 	}
 
 	/*
-- 
2.43.0

On Thu, Mar 13, 2025, Jon Kohler wrote:
> Setup Intel Mode Based Execution Control (bit 22) for nested
> guest, gated on module parameter enablement.

*This* is the enablement patch.  And it's not doing "Setup", it's advertising
SECONDARY_EXEC_MODE_BASED_EPT_EXEC to userspace and allowing userspace to expose
and advertise the feature to the guest.

> Signed-off-by: Jon Kohler <jon@nutanix.com>
> 
> ---
>  arch/x86/kvm/vmx/nested.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 931a7361c30f..ce3a6d6dfce7 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -7099,6 +7099,10 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
>  		 */
>  		if (cpu_has_vmx_vmfunc())
>  			msrs->vmfunc_controls = VMX_VMFUNC_EPTP_SWITCHING;
> +
> +		if (enable_pt_guest_exec_control)
> +			msrs->secondary_ctls_high |=
> +				SECONDARY_EXEC_MODE_BASED_EPT_EXEC;

Land this above the VMFUNC stuff so that more of the secondary_ctls_high code is
clumped together.

>  	}
>  
>  	/*
> -- 
> 2.43.0
>