From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: Jon Kohler , Marcelo Tosatti , Nikunj A Dadhania , Amit Shah , Sean Christopherson Subject: [PATCH 13/22] KVM: x86/mmu: add support for nested MBEC Date: Sat, 21 Mar 2026 01:09:22 +0100 Message-ID: <20260321000931.1947084-14-pbonzini@redhat.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260321000931.1947084-1-pbonzini@redhat.com> References: <20260321000931.1947084-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Signed-off-by: Paolo Bonzini --- arch/x86/kvm/mmu/paging_tmpl.h | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index c657ea90bb33..d50085308506 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -124,12 +124,17 @@ static inline void FNAME(protect_clean_gpte)(struct k= vm_mmu *mmu, unsigned *acce *access &=3D mask; } =20 -static inline int FNAME(is_present_gpte)(unsigned long pte) +static inline int FNAME(is_present_gpte)(struct kvm_mmu *mmu, + unsigned long pte) { #if PTTYPE !=3D PTTYPE_EPT return pte & PT_PRESENT_MASK; #else - return pte & 7; + /* + * For EPT, an entry is present if any of bits 2:0 are set. + * With mode-based execute control, bit 10 also indicates presence. + */ + return pte & (7 | (mmu_has_mbec(mmu) ? VMX_EPT_USER_EXECUTABLE_MASK : 0)); #endif } =20 @@ -152,7 +157,7 @@ static bool FNAME(prefetch_invalid_gpte)(struct kvm_vcp= u *vcpu, struct kvm_mmu_page *sp, u64 *spte, u64 gpte) { - if (!FNAME(is_present_gpte)(gpte)) + if (!FNAME(is_present_gpte)(vcpu->arch.mmu, gpte)) goto no_present; =20 /* Prefetch only accessed entries (unless A/D bits are disabled). */ 
@@ -173,14 +178,17 @@ static bool FNAME(prefetch_invalid_gpte)(struct kvm_v= cpu *vcpu, static inline unsigned FNAME(gpte_access)(u64 gpte) { unsigned access; -#if PTTYPE =3D=3D PTTYPE_EPT /* - * For now nested MBEC is not supported and permission_fault() ignores - * ACC_USER_EXEC_MASK. + * Set bits in ACC_*_MASK even if they might not be used in the + * actual checks. For example, if EFER.NX is clear permission_fault() + * will ignore ACC_EXEC_MASK, and if MBEC is disabled it will + * ignore ACC_USER_EXEC_MASK. */ +#if PTTYPE =3D=3D PTTYPE_EPT access =3D ((gpte & VMX_EPT_WRITABLE_MASK) ? ACC_WRITE_MASK : 0) | ((gpte & VMX_EPT_EXECUTABLE_MASK) ? ACC_EXEC_MASK : 0) | - ((gpte & VMX_EPT_READABLE_MASK) ? ACC_READ_MASK : 0); + ((gpte & VMX_EPT_READABLE_MASK) ? ACC_READ_MASK : 0) | + ((gpte & VMX_EPT_USER_EXECUTABLE_MASK) ? ACC_USER_EXEC_MASK : 0); #else /* * P is set here, so the page is always readable and W/U/!NX represent @@ -335,7 +343,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker= *walker, if (walker->level =3D=3D PT32E_ROOT_LEVEL) { pte =3D mmu->get_pdptr(vcpu, (addr >> 30) & 3); trace_kvm_mmu_paging_element(pte, walker->level); - if (!FNAME(is_present_gpte)(pte)) + if (!FNAME(is_present_gpte)(mmu, pte)) goto error; --walker->level; } @@ -417,7 +425,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker= *walker, */ pte_access =3D pt_access & (pte ^ walk_nx_mask); =20 - if (unlikely(!FNAME(is_present_gpte)(pte))) + if (unlikely(!FNAME(is_present_gpte)(mmu, pte))) goto error; =20 if (unlikely(FNAME(is_rsvd_bits_set)(mmu, pte, walker->level))) { @@ -514,6 +522,9 @@ static int FNAME(walk_addr_generic)(struct guest_walker= *walker, * ACC_*_MASK flags! */ walker->fault.exit_qualification |=3D EPT_VIOLATION_RWX_TO_PROT(pte_acce= ss); + if (mmu_has_mbec(mmu)) + walker->fault.exit_qualification |=3D + EPT_VIOLATION_USER_EXEC_TO_PROT(pte_access); } #endif walker->fault.address =3D addr; --=20 2.52.0
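Review bot: In the is_present_gpte() hunk (@@ -124,12 +124,17), the EPT branch keeps the R/W/X bits as the literal 7 beside the named VMX_EPT_USER_EXECUTABLE_MASK, and the new comment refers to the extra bit only by number ("bit 10"). Suggest spelling the test with VMX_EPT_READABLE_MASK | VMX_EPT_WRITABLE_MASK | VMX_EPT_EXECUTABLE_MASK, the same names the gpte_access() hunk uses, so the presence test and the access decode are visibly built from the same bits. The function also still returns int while pte is unsigned long; that is fine for the bits tested here, but returning bool would remove the dependence on the mask fitting in an int.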
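Review bot: In the gpte_access() hunk (@@ -173,14 +178,17), ACC_USER_EXEC_MASK is now set from VMX_EPT_USER_EXECUTABLE_MASK unconditionally, because gpte_access() receives only the gpte and cannot consult mmu_has_mbec(). When MBEC is disabled that bit is whatever the guest wrote into its EPT entry, so correctness depends on every consumer of the returned access value ignoring ACC_USER_EXEC_MASK, and the comment names only permission_fault(). Either state in the comment that no other user of the access bits acts on ACC_USER_EXEC_MASK when MBEC is off, or pass the mmu in as the is_present_gpte() hunk does and clear the bit there. The patch has no changelog body, so this reasoning currently lives only in the code comment; a short description of the behaviour change would help.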
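Review bot: In the last walk_addr_generic() hunk (@@ -514,6 +522,9), the added EPT_VIOLATION_USER_EXEC_TO_PROT(pte_access) sits under the existing comment that ends "ACC_*_MASK flags!", which was written when only EPT_VIOLATION_RWX_TO_PROT(pte_access) followed it. That comment is not updated here; if the new conversion carries the same caveat about pte_access versus the ACC_*_MASK flags, extend the comment to name it, so a later change to the ACC_* definitions does not silently produce a wrong exit qualification for the nested EPT violation.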