Add VM-Exit handlers for SEAMCALL and TDCALL as the instructions are gated
only by VMXON, and so a buggy/misbehaving guest will likely be terminated
(because KVM bails with KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON) if the
guest executes SEAMCALL or TDCALL.

v2:
 - Apply the behavior only to VMX.  KVM can't inject #UDs for TDX, and the
   TDX-Module is supposed to handle SEAMCALL. [Chao]
 - Fix nested exit handling (inverted return). [Xiaoyao]
 - WARN if the TDX-Module punts a SEAMCALL exit to KVM. [Xiaoyao]
 - Fix typos. [Binbin]

v1: https://lore.kernel.org/all/20251014231042.1399849-1-seanjc@google.com

Sean Christopherson (2):
  KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL
  KVM: TDX: WARN if a SEAMCALL VM-Exit makes its way out to KVM

 arch/x86/include/uapi/asm/vmx.h | 1 +
 arch/x86/kvm/vmx/nested.c       | 8 ++++++++
 arch/x86/kvm/vmx/tdx.c          | 3 +++
 arch/x86/kvm/vmx/vmx.c          | 8 ++++++++
 4 files changed, 20 insertions(+)


base-commit: 6b36119b94d0b2bb8cea9d512017efafd461d6ac
-- 
2.51.0.858.gf9c4a03a3a-goog

On Thu, 16 Oct 2025 11:21:46 -0700, Sean Christopherson wrote:
> Add VM-Exit handlers for SEAMCALL and TDCALL as the instructions are gated
> only by VMXON, and so a buggy/misbehaving guest will likely be terminated
> (because KVM bails with KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON) if the
> guest executes SEAMCALL or TDCALL.
> 
> v2:
>  - Apply the behavior only to VMX.  KVM can't inject #UDs for TDX, and the
>    TDX-Module is supposed to handle SEAMCALL. [Chao]
>  - Fix nested exit handling (inverted return). [Xiaoyao]
>  - WARN if the TDX-Module punts a SEAMCALL exit to KVM. [Xiaoyao]
>  - Fix typos. [Binbin]
> 
> [...]

Applied patch 1 to kvm-x86 fixes.

[1/2] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL
      https://github.com/kvm-x86/linux/commit/9d7dfb95da2c

--
https://github.com/kvm-x86/linux/tree/next