From nobody Wed Oct 1 21:27:58 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ADEDA145355 for ; Wed, 1 Oct 2025 00:15:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759277741; cv=none; b=TPWfwku39BE6cLYx3ADsLEVQ0IZi7KThxJ26gXLyb5vsSiSTASKDjk2FCPMnB6FW7/18rqUyrvuH9ktxDORvyPXqPVV8LamFY11zyV/4J8TwfFSyyNSaJ/2ZClO6bp7gJjGvooBMsfUVhRjTKNrxqQNMMBRvqirVgwX3X44brsk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759277741; c=relaxed/simple; bh=E1g89qz/ZY0dhHwx4qcmJ7x5mFzqCX12pJmsaJRKND0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Content-Type; b=WRzv7miIvw32gIjG/WlOq+zDWLjgKGpQrpV/YLGm157s9dwnLN6FEHnnQU8rSPosWjFh1wjY6mDzcgUxBgYqQMctuoHGH6jD2rQOk/7l/rT37gIeMbBOOVXXz8hap8Z60w5OIF14kETEYP8ntNYkr83YcKirgYkiTEsZgieoUAc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jmattson.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=EOzLHNX4; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jmattson.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="EOzLHNX4" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b552f91033cso8015589a12.1 for ; Tue, 30 Sep 2025 17:15:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1759277739; x=1759882539; darn=vger.kernel.org; h=to:from:subject:message-id:references:mime-version:in-reply-to:date :from:to:cc:subject:date:message-id:reply-to; bh=wIEK6qNuqRubYvP258NgbgAUUEfNkVMfJZpTtE2rW84=; b=EOzLHNX4KOmo6vac4ceI+EkKuDqTE4NefHd/irSogzmJS8IYZB7QdTmnMrkEHYt9nD hn3xUPJd2fLGi4Pyigrbg7qCnn7JLg0Csl8HvnOERSYBuF07C4D1EVm9LINC4j/OVqUk JrqD34socij6HTGRdWYAeO8kgU39HgOFzXqAusDPA4aiHpoclwaW5oHXduIwb4UvwAzA CvhAeu12vKj0nNdnxYqiU02gr9cmrQ5kYbBTMommHyM1BO8qDlY/IzX9e6yR0MPUKcL8 KQfGBWPmFexsVv5i3ltFYsxg8qrh3hXMffcpvETUQRZi9DrqwnfGsHb5+aDbHWSeUQS8 TqRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759277739; x=1759882539; h=to:from:subject:message-id:references:mime-version:in-reply-to:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=wIEK6qNuqRubYvP258NgbgAUUEfNkVMfJZpTtE2rW84=; b=QDJZbDGPqMFAvFDv4noEPu8tgui8FT3t5xhlSriNtcEp0XsCRozFpfAqxn8DfAzRjN mOQaAnw9aY3GNGzlwnPSbQI79GUuyb7YJCrTWJjFef5C/WytgOpPtQxIiw7CWODsZvZS PzZLM3wX2TwG/NmXQagszELNNxH7/1j13nMFDCdPV5bTDvFef8R0cGK7GOP8SUBEoEyG XAAKIkMpvfU7t3USoil7kripN3F0iKhuE7Jq8K6heG9c5Lb4WwjnlOrQ0Rdg+HviJLGu N3LKElHofe5QjB8Nikmf1Wo7QmZnTitE6uxo0eHAtSrh8PG1qm3BPhcPgRQIZ8u61pht xJzA== X-Forwarded-Encrypted: i=1; AJvYcCUUBYvkAm+huwuvz1ZMYsyS7s2RujKQJTrSAskGfmuhNTA+E98NFhHYPX1WcJ6/eaQuvRWi52Q+334W5Wo=@vger.kernel.org X-Gm-Message-State: AOJu0YwRSjbUGraNpeezYdtlksYrs+F3S+shJjjisFRq3aOpjFlRbxuz SAvZqD4hI66O1P1kReOlU+7PB4K4psDPIuc1LZfIS0+KCKmNA9PXhD2c+8Uq1Lrvz3q+4LD4Xp/ aWMH1CVhozC1K+Q== X-Google-Smtp-Source: AGHT+IEJMSvJJoH6li85hWbtpDIp13j5UuAunqLpYUIMRlasU3y61u+MMNAqyVeuM2D1EWr0caMLQu6eNYzQEQ== X-Received: from pfdc25.prod.google.com ([2002:aa7:8c19:0:b0:77f:17c9:e8fc]) (user=jmattson job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a21:6da6:b0:2ff:3752:8375 with SMTP id adf61e73a8af0-321dfc7ca66mr1943503637.45.1759277739003; Tue, 30 Sep 2025 17:15:39 -0700 (PDT) Date: Tue, 30 Sep 2025 17:14:07 -0700 In-Reply-To: <20251001001529.1119031-1-jmattson@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20251001001529.1119031-1-jmattson@google.com> X-Mailer: git-send-email 2.51.0.618.g983fd99d29-goog Message-ID: <20251001001529.1119031-2-jmattson@google.com> Subject: [PATCH v2 1/2] KVM: x86: Advertise EferLmsleUnsupported to userspace From: Jim Mattson To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Sean Christopherson , Paolo Bonzini , Pawan Gupta , Tom Lendacky , Jim Mattson , Perry Yuan , Sohil Mehta , "Xin Li (Intel)" , Joerg Roedel , Avi Kivity , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Yosry Ahmed Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" CPUID.80000008H:EBX.EferLmsleUnsupported[bit 20] is a defeature bit. When this bit is clear, EFER.LMSLE is supported. When this bit is set, EFER.LMLSE is unsupported. KVM has never supported EFER.LMSLE, so it cannot support a 0-setting of this bit. Pass through the bit in KVM_GET_SUPPORTED_CPUID to advertise the unavailability of EFER.LMSLE to userspace. Signed-off-by: Jim Mattson Reviewed-by: Yosry Ahmed --- v1 -> v2: Pass through the bit from hardware, rather than forcing it to be set. arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kvm/cpuid.c | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 751ca35386b0..f9b593721917 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -338,6 +338,7 @@ #define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch= Predictors */ #define X86_FEATURE_AMD_STIBP_ALWAYS_ON (13*32+17) /* Single Thread Indire= ct Branch Predictors always-on preferred */ #define X86_FEATURE_AMD_IBRS_SAME_MODE (13*32+19) /* Indirect Branch Restr= icted Speculation same mode protection*/ +#define X86_FEATURE_EFER_LMSLE_MBZ (13*32+20) /* EFER.LMSLE must be zero */ #define X86_FEATURE_AMD_PPIN (13*32+23) /* "amd_ppin" Protected Processor= Inventory Number */ #define X86_FEATURE_AMD_SSBD (13*32+24) /* Speculative Store Bypass Disab= le */ #define X86_FEATURE_VIRT_SSBD (13*32+25) /* "virt_ssbd" Virtualized Specu= lative Store Bypass Disable */ diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index e2836a255b16..4823970611fd 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -1096,6 +1096,7 @@ void kvm_set_cpu_caps(void) F(AMD_STIBP), F(AMD_STIBP_ALWAYS_ON), F(AMD_IBRS_SAME_MODE), + F(EFER_LMSLE_MBZ), F(AMD_PSFD), F(AMD_IBPB_RET), ); --=20 2.51.0.618.g983fd99d29-goog From nobody Wed Oct 1 21:27:58 2025 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 14110186284 for ; Wed, 1 Oct 2025 00:15:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759277742; cv=none; b=kM5cL0cp69Xjo+8r8H/fXlDqB+kbCCCOs0dDVmoUzX0WfN3h02YW+fT0UvalscDnXP9gqCam1gxdMlNIfqDCeKBWLPwxiKz0FaSsaQ7TtOFseBB7j3SY/cujsO8HNCJ2DJMqt7Yn0X8pEsJW0PqhGnxfmWMBGnAexNarOIVGJmY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759277742; c=relaxed/simple; bh=Kducq2ZeSjXYvGI/ghOcZsk4NUusB8RxSwzsVgzEpgw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Content-Type; b=V10YsgoY6j7bzYlwfDiMRqu6EX4xIWOd+72ga1AS29QK01Syg41guIlYHNV1TB7cPj6i2SjG5QxecIM4SLxia510/iuOdT491uqCHYwsVohla28j/SXQzcPT+TIFrAaOHup3nnQpOthIF0ea0WjGipj+x3w8HtN6Vv1cslM69Vc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jmattson.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=PTYcjf2y; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jmattson.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PTYcjf2y" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-269a2b255aaso117821455ad.3 for ; Tue, 30 Sep 2025 17:15:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1759277740; x=1759882540; darn=vger.kernel.org; h=to:from:subject:message-id:references:mime-version:in-reply-to:date :from:to:cc:subject:date:message-id:reply-to; bh=LcYitO65fM6U+2guQlIxnINa19j5zqeVtzHxSXLQKIA=; b=PTYcjf2yc8QM1y2Lp+iN4nMpe+n9kNDkkffxMdzj0fPBDS6XjVpE2a9Ss3io9NFAYz RBLGGuRj83SfFkkprgVZyY9QiTwVxQZgxMLz/AFTB3hzHjewJSEw9xsj/2djSBm7hFCo jciT3hYZquFauZBWnjen4a8D7hYgZoSjK7+Cj++4qOvC1maNaYO1qw1t6fuQeF5mpUeI +eBmKt/pSNFm43CTAvT4FYTwaJGj9JINzZ+bHHH93bEveT07ASJOcEHT0XDiR3NyEa7c gqYa2cV44pAVO6HPCf4MhcVncTZRQn9+VdeLlufUeHWDlV8eXLHAKMQdtYOpajAKwtNQ zBWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759277740; x=1759882540; h=to:from:subject:message-id:references:mime-version:in-reply-to:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=LcYitO65fM6U+2guQlIxnINa19j5zqeVtzHxSXLQKIA=; b=FVC8WeL694zlavvtDvM7K1FjYdykwK8Ad5JSy2BeE5Dvu7LCWIhwSc6XXzue74XfLE Q7tW2dwEwRAoGRaFVvO4Zju5zRnnI4bl3bXsv2Wb7foZO4yaBk5h7atn0oQVHCr4ws1g dY8GHNPOCfFXLUNSxHier79qg+aA7m/W+13XPkKCHPb9fcfFc1VraXVfUfLLAlY3JXK8 jBOYYBqy3L1fPBv4LePDIiY0vVo18zWAdpTKDQ6TRcDWpMMasouh+rP7fZfXaL1z/hqA u9qi5VMpke8M4sA1fxIHgYrmahhwpk+hX5FALCyIM2us+qqgEafqHHtsrdCBIsFKITz8 jaCg== X-Forwarded-Encrypted: i=1; AJvYcCWsz77R3Z/I/XK/8PRT4nfArCFnyaiZHx7X1ilWBsd4Thypj379CvNeftT3t9f8ekWW4OY0BNWro88ywrA=@vger.kernel.org X-Gm-Message-State: AOJu0Yxu1Smbzh3rszxModPukU6VACldoATR3wdzn7gVqL12YnJBrHAW T6Nq7pGKDtwmU4Y1RRUVVecRgTZZyPB1Up9aM6cCglVVzI7y8MaJOyLE6hMLcI2ty7Lhl0SlGNf MRhXE0YtEtO3RgA== X-Google-Smtp-Source: AGHT+IEIIEjWwhQ/2dq2CphjZTc2Klk/2tjbWkphIg3Eyh1AwnfRMWPBkeJy4YRaqzCXcKDyOONweBtc+rC66Q== X-Received: from plsm6.prod.google.com ([2002:a17:902:bb86:b0:267:dbc3:f98d]) (user=jmattson job=prod-delivery.src-stubby-dispatcher) by 2002:a17:902:ef02:b0:269:a4ed:13c9 with SMTP id d9443c01a7336-28e7f2eee4amr16409815ad.30.1759277740288; Tue, 30 Sep 2025 17:15:40 -0700 (PDT) Date: Tue, 30 Sep 2025 17:14:08 -0700 In-Reply-To: <20251001001529.1119031-1-jmattson@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20251001001529.1119031-1-jmattson@google.com> X-Mailer: git-send-email 2.51.0.618.g983fd99d29-goog Message-ID: <20251001001529.1119031-3-jmattson@google.com> Subject: [PATCH v2 2/2] KVM: SVM: Disallow EFER.LMSLE when not supported by hardware From: Jim Mattson To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Sean Christopherson , Paolo Bonzini , Pawan Gupta , Tom Lendacky , Jim Mattson , Perry Yuan , Sohil Mehta , "Xin Li (Intel)" , Joerg Roedel , Avi Kivity , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Yosry Ahmed Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Modern AMD CPUs do not support segment limit checks in 64-bit mode (i.e. EFER.LMSLE must be zero). Do not allow a guest to set EFER.LMSLE on a CPU that requires the bit to be zero. For backwards compatibility, allow EFER.LMSLE to be set on CPUs that support segment limit checks in 64-bit mode, even though KVM's implementation of the feature is incomplete (e.g. KVM's emulator does not enforce segment limits in 64-bit mode). Fixes: eec4b140c924 ("KVM: SVM: Allow EFER.LMSLE to be set with nested svm") Signed-off-by: Jim Mattson Reviewed-by: Yosry Ahmed --- arch/x86/kvm/svm/svm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 1bfebe40854f..78d0fc85d0bd 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -5351,7 +5351,9 @@ static __init int svm_hardware_setup(void) =20 if (nested) { pr_info("Nested Virtualization enabled\n"); - kvm_enable_efer_bits(EFER_SVME | EFER_LMSLE); + kvm_enable_efer_bits(EFER_SVME); + if (!boot_cpu_has(X86_FEATURE_EFER_LMSLE_MBZ)) + kvm_enable_efer_bits(EFER_LMSLE); =20 r =3D nested_svm_init_msrpm_merge_offsets(); if (r) --=20 2.51.0.618.g983fd99d29-goog