Date: Thu, 5 Feb 2026 15:15:26 -0800
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260205231537.1278753-1-jmattson@google.com>
Subject: [PATCH v2] Introduce KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC
From: Jim Mattson
To: Paolo Bonzini, Jonathan Corbet, Sean Christopherson, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", kvm@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Josh Hilke
Cc: Jim Mattson

Add KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC to allow L1 to set FREEZE_IN_SMM in vmcs12's GUEST_IA32_DEBUGCTL field, as permitted prior to commit 6b1dd26544d0 ("KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest").

The quirk is enabled by default for backwards compatibility; userspace can disable it via KVM_CAP_DISABLE_QUIRKS2 for consistency with the constraints on WRMSR(IA32_DEBUGCTL).

Note that the quirk only bypasses the consistency check. The vmcs02 bit is still owned by the host, and PMCs are not frozen during virtualized SMM. In particular, if a host administrator decides that PMCs should not be frozen during physical SMM, then L1 has no say in the matter.

Fixes: 095686e6fcb4 ("KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter")
Signed-off-by: Jim Mattson
---
 Documentation/virt/kvm/api.rst  | 10 ++++++++++
 arch/x86/include/asm/kvm_host.h |  3 ++-
 arch/x86/include/uapi/asm/kvm.h |  1 +
 arch/x86/kvm/vmx/nested.c       | 23 +++++++++++++++++++----
 4 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index d04b4bdd60c1..325e565ff99e 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8482,6 +8482,16 @@ KVM_X86_QUIRK_IGNORE_GUEST_PAT By default, on I= ntel platforms, KVM ignores guest software, for example if it does= not expose a bochs graphics device (which = is known to have had a buggy driver). + +KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC + By default, KVM relaxes the consistency + check for GUEST_IA32_DEBUGCTL in vmcb12 + to allow FREEZE_IN_SMM to be set. When + this quirk is disabled, KVM requires + this bit to be cleared. Note that the + vmcs02 bit is still completely + controlled by the host, regardless of + the quirk setting. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D =20 7.32 KVM_CAP_MAX_VCPU_ID diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index ff07c45e3c73..1669d4797f0b 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -2485,7 +2485,8 @@ int memslot_rmap_alloc(struct kvm_memory_slot *slot, = unsigned long npages); KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS | \ KVM_X86_QUIRK_SLOT_ZAP_ALL | \ KVM_X86_QUIRK_STUFF_FEATURE_MSRS | \ - KVM_X86_QUIRK_IGNORE_GUEST_PAT) + KVM_X86_QUIRK_IGNORE_GUEST_PAT | \ + KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC) =20 #define KVM_X86_CONDITIONAL_QUIRKS \ (KVM_X86_QUIRK_CD_NW_CLEARED | \ diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 846a63215ce1..76128958bbca 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -476,6 +476,7 @@ struct kvm_sync_regs { #define KVM_X86_QUIRK_SLOT_ZAP_ALL (1 << 7) #define KVM_X86_QUIRK_STUFF_FEATURE_MSRS (1 << 8) #define KVM_X86_QUIRK_IGNORE_GUEST_PAT (1 << 9) +#define KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC (1 << 10) =20 #define KVM_STATE_NESTED_FORMAT_VMX 0 #define KVM_STATE_NESTED_FORMAT_SVM 1 
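Review bot: the new KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC entry in api.rst describes "the consistency check for GUEST_IA32_DEBUGCTL in vmcb12", but this quirk is VMX-specific (the quirk name says VMCS12 and the nested.c change reads vmcs12->guest_ia32_debugctl); "vmcb12" is SVM terminology and should read "vmcs12" so the documentation matches the uapi name and the code. It would also help userspace to state in the entry what the commit message already says: the quirk only relaxes the check, FREEZE_IN_SMM is not virtualized, and PMCs are not frozen during virtualized SMM regardless of the quirk setting, since "the vmcs02 bit is still completely controlled by the host" alone does not tell the reader what L1 actually observes. The kvm_host.h and uapi/asm/kvm.h hunks look right: bit 10 is the next free quirk bit after KVM_X86_QUIRK_IGNORE_GUEST_PAT (1 << 9), and the new quirk is added to the default-enabled set so existing L1 guests keep working until userspace disables it via KVM_CAP_DISABLE_QUIRKS2.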
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 248635da6766..9bd29b9375fb 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -3300,10 +3300,25 @@ static int nested_vmx_check_guest_state(struct kvm_= vcpu *vcpu, if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_W= P))) return -EINVAL; =20 - if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || - CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))= )) - return -EINVAL; + if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) { + u64 debugctl =3D vmcs12->guest_ia32_debugctl; + + /* + * FREEZE_IN_SMM is not virtualized, but allow L1 to set it + * in VMCB12's DEBUGCTL under a quirk for backwards + * compatibility. Note that the quirk only relaxes the + * consistency check. The vmcb02 bit is still under the + * control of the host. In particular, if a host + * administrator decides to clear the bit, then L1 has no + * say in the matter. + */ + if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_VMCS12_FREEZE_IN_SMM_CC= )) + debugctl &=3D ~DEBUGCTLMSR_FREEZE_IN_SMM; + + if (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, debugctl, false))) + return -EINVAL; + } =20 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && CC(!kvm_pat_valid(vmcs12->guest_ia32_pat))) base-commit: e944fe2c09f405a2e2d147145c9b470084bc4c9a --=20 2.53.0.rc2.204.g2597b5adb4-goog
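Review bot: the new comment in nested_vmx_check_guest_state() says "allow L1 to set it in VMCB12's DEBUGCTL" and "The vmcb02 bit is still under the control of the host"; this is VMX code, so those should be "vmcs12" and "vmcs02" to match the rest of the file, the quirk name and the commit message. The logic itself is sound: when the quirk is present, DEBUGCTLMSR_FREEZE_IN_SMM is masked out of a local copy (`u64 debugctl = vmcs12->guest_ia32_debugctl;`) before `vmx_is_valid_debugctl(vcpu, debugctl, false)` is called, so vmcs12 is not modified, the kvm_dr7_valid() check on guest_dr7 is preserved unchanged, and with the quirk disabled the behaviour is exactly the pre-patch strict check. One small readability point: the hunk replaces a single combined `if` with a block, which is the right shape for the added local, but the kvm_check_has_quirk() line is now noticeably longer than its neighbours; splitting the argument list across two lines would keep it consistent with the surrounding code.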