KVM: VMX: Introduce Intel Mode-Based Execute Control (MBEC)

[RFC PATCH 05/18] KVM: x86: Add pt_guest_exec_control to kvm_vcpu_arch

Posted by Jon Kohler 9 months, 1 week ago

Add bool for pt_guest_exec_control to kvm_vcpu_arch, to be used for
runtime checks for Intel Mode Based Execution Control (MBEC) and
AMD Guest Mode Execute Control (GMET).

Signed-off-by: Jon Kohler <jon@nutanix.com>

---
 arch/x86/include/asm/kvm_host.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index fd37dad38670..192233eb557a 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -856,6 +856,8 @@ struct kvm_vcpu_arch {
 	struct kvm_hypervisor_cpuid kvm_cpuid;
 	bool is_amd_compatible;
 
+	bool pt_guest_exec_control;
+
 	/*
 	 * FIXME: Drop this macro and use KVM_NR_GOVERNED_FEATURES directly
 	 * when "struct kvm_vcpu_arch" is no longer defined in an
-- 
2.43.0

Re: [RFC PATCH 05/18] KVM: x86: Add pt_guest_exec_control to kvm_vcpu_arch

Posted by Sean Christopherson 7 months, 1 week ago

On Thu, Mar 13, 2025, Jon Kohler wrote:
> Add bool for pt_guest_exec_control to kvm_vcpu_arch, to be used for
> runtime checks for Intel Mode Based Execution Control (MBEC) and
> AMD Guest Mode Execute Control (GMET).
> 
> Signed-off-by: Jon Kohler <jon@nutanix.com>
> 
> ---
>  arch/x86/include/asm/kvm_host.h | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
> index fd37dad38670..192233eb557a 100644
> --- a/arch/x86/include/asm/kvm_host.h
> +++ b/arch/x86/include/asm/kvm_host.h
> @@ -856,6 +856,8 @@ struct kvm_vcpu_arch {
>  	struct kvm_hypervisor_cpuid kvm_cpuid;
>  	bool is_amd_compatible;
>  
> +	bool pt_guest_exec_control;

Again, aside from the fast that putting this in kvm_vcpu_arch is wrong, this not
worth of a separate patch.

Re: [RFC PATCH 05/18] KVM: x86: Add pt_guest_exec_control to kvm_vcpu_arch

Posted by Chao Gao 7 months, 4 weeks ago

On Thu, Mar 13, 2025 at 01:36:44PM -0700, Jon Kohler wrote:
>Add bool for pt_guest_exec_control to kvm_vcpu_arch, to be used for
>runtime checks for Intel Mode Based Execution Control (MBEC) and
>AMD Guest Mode Execute Control (GMET).
>
>Signed-off-by: Jon Kohler <jon@nutanix.com>
>
>---
> arch/x86/include/asm/kvm_host.h | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
>index fd37dad38670..192233eb557a 100644
>--- a/arch/x86/include/asm/kvm_host.h
>+++ b/arch/x86/include/asm/kvm_host.h
>@@ -856,6 +856,8 @@ struct kvm_vcpu_arch {
> 	struct kvm_hypervisor_cpuid kvm_cpuid;
> 	bool is_amd_compatible;
> 
>+	bool pt_guest_exec_control;

What is the purpose of this field? Does it indicate whether MBEC is enabled
for L1, L2, or VMCS12?

if it is intended to track whether MBEC is enabled in VMCS12, I think you
need to introduce a new bit in kvm_mmu_page_role rather than using a
per-vCPU variable. This way, the entire shadow EPT is reconstructed if the
L1 VMM toggles the MBEC control bit in VMCS12. Reconstruction is necessary
because toggling MBEC changes the meaning of bits 2 and 10 in EPT page
table, i.e., previous shadow MMU pages cannot be reused.