From nobody Sat Apr  4 04:35:53 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 516F82FFDDE
	for <linux-kernel@vger.kernel.org>; Sat, 21 Mar 2026 00:10:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774051816; cv=none;
 b=jU8iLxNPUmlCGk0Sx4nBWJnXh9K+tFvmXEIsls4Q/HPBCcVQuPVtrnVH1AFh68YtKvSqsrwixu5b8fjZM0dnfZ5+6+OIMIdlP58xgVJEj2mOYXW/EOd1RLwbrWI8IrwLFgyxywieFCRvswSxTDRzy4rWxd7yFzpbhobdYQwFdPs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774051816; c=relaxed/simple;
	bh=m150tyPF0qz+Yniy1uibRcAotrXLeoPzs7/NaMKpPOU=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=Sity00UpprXQCoFoI0OV/lPm1M4UJnXjK3noTCUgG4KeFaE+3ML3jfIaHLG9116jtyKnF6Uab21aQ/y2OQpBEhwOcWde66p8+r0rsR38ux+s5kNR1U9SGkFGnayshOe3SWzk7pemtjVWLjm1RXIZqUVw81nzCUzce+guoBQba+A=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=GqGN73Bv;
 dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=XWwZJ9zF; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="GqGN73Bv";
	dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="XWwZJ9zF"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1774051814;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=73seKWR51q+TIpru2UraHv6BQGSCJ+KST2GFL+f5EOY=;
	b=GqGN73BvaKDOicPQmNWYR3CUnvxnCMzBHvApuKN28/ZqpoERVxcxamRnUS9y7hc4pueok6
	dExGZlBVmxPmsetnKdVvXqVNbXx4+GEpHol0UrT1J7OhX4rEMfN44A1f4xatiC8drNEPaY
	cttlZPXsIeihUWD+s3f5v3b2Q3yuoNA=
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-210-KnhhlkpSOeCJggU1p-ORrQ-1; Fri, 20 Mar 2026 20:10:13 -0400
X-MC-Unique: KnhhlkpSOeCJggU1p-ORrQ-1
X-Mimecast-MFC-AGG-ID: KnhhlkpSOeCJggU1p-ORrQ_1774051812
Received: by mail-wr1-f72.google.com with SMTP id
 ffacd0b85a97d-43b4a9a3bf6so490402f8f.0
        for <linux-kernel@vger.kernel.org>;
 Fri, 20 Mar 2026 17:10:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=redhat.com; s=google; t=1774051810; x=1774656610;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=73seKWR51q+TIpru2UraHv6BQGSCJ+KST2GFL+f5EOY=;
        b=XWwZJ9zFh9f6TKLxwTRRSL2rnKInjOOCaA32w0hJvilFaQ0SMZj3bl6IBWFB7tmuga
         a08UlrZPdVzUShGZx+uAWtMwjMaWcqa2Umk/MNlRjjckmCSrhQwpiXspEG8BUQgEyI7A
         aJz/n4DLSMF52S11vQUmMqM4UKuP8ZNG9UGo7Z4JIT+zCHXmkJX7SplEiHFWJUxcFOjA
         jMOE6DSE/3z3iHsP+9jD+fBnnKbF/y8JCnzOsfIlbotUBCfAKTGJp6Oh+mOrYw0fYyaj
         OYm7jgQvAOB1I14t0Qf4+m0z2az8xwy5+PKf+d4hnK80TahtDHi03kF19sIaajz8Ymes
         VKMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774051810; x=1774656610;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=73seKWR51q+TIpru2UraHv6BQGSCJ+KST2GFL+f5EOY=;
        b=IKBXfe6jg1szpxBf94fxVMGETCqTgfUC8JlGlAqV9Kn5QQ8k4qrbI3m8LpyADEJbw1
         5vEXaq8OxLKrkx50HjrIkHFqbTfLuE6mQuMee29MiwBWQoN/SBxvVUzZAB/61p/SiouL
         VT/+98oa8yW/5dmg5sV8hof1jmxKaa6ssSWQ7pb4ITvnvlarnsCcBs7jPb2VX/FNlwqE
         eD7vnLrmQytNDn13VbyDQF9cScaEuPXIX4bh3Eg9nng9VE5G798P2Vgk/Z1zmpd7THtu
         NPujVZob8zVdekYxzo7HPIbNolo27r0hxKo+mU4WAErCUaSNEb1DcpGeprs32aKqD97s
         KwIg==
X-Gm-Message-State: AOJu0YyUrDlVpgd6sIshPGWGHC03Hnju3LTbhscz09U2mSoCfXOkVkv4
	SC8SMg90FWGnTSkkenvxTGbqGezYfnS1hGzHmb5k4M3LhzE2U2OkvvmFJtBIKfvd2+UBnSB8GlF
	OSijDZol8IVa3HcwlLygxRvrWuy/KuUpdLevdDM3R8nPeaED+BOI2VsU4NM4KoG6eU9gUhLCTAf
	zHX0FcR7+9rNgFztvIsviig5KPjYhkLegm4JoOImbaPlJDMNdLZQ==
X-Gm-Gg: ATEYQzwL/AfrRpfw6ryUw157DDsouKavJMb0/SiPN6jPf6geoPRlQvpLVRDpht6l1qo
	T4+wueBiUNgoYpGPmH3aqd0BOOSlhseuOFwpsfVqfyPR8GO/UEuBgLiR7b7ZLd/757qPXorrmmB
	8+Y2EEMdv+HLd5XcIbGYdqfvsXW7kryqjLNn72AlxvL9wm4DSp+107wIUNtk3JCVYGpMIkad2rA
	VI3TF+L6GxhxeJNitNQugFqkzNcm9jQVDX+1hKo+8kFk+fZYyl5uwJRiGcadr9oGJ8J5D99lgH0
	tlYxCj1vszuDQyY2Zgu7xluNdSnuJILhJABZ8ICf50ZtP9vzKlsapFZ9/KFQCex6me1c8gIOMGs
	o9LzfK1oH6tGJIYJYF3/kn9EiQg0uw/pVskLsi8OrJO3NMc68r8RY3pUg/6NPfmzKNU2euU+Ewq
	+o3hjEu6kjHKcZWOTwx6gBq15u
X-Received: by 2002:a05:6000:2dc2:b0:43b:4aba:8f44 with SMTP id
 ffacd0b85a97d-43b64287241mr8001827f8f.45.1774051810582;
        Fri, 20 Mar 2026 17:10:10 -0700 (PDT)
X-Received: by 2002:a05:6000:2dc2:b0:43b:4aba:8f44 with SMTP id
 ffacd0b85a97d-43b64287241mr8001798f8f.45.1774051810116;
        Fri, 20 Mar 2026 17:10:10 -0700 (PDT)
Received: from [192.168.10.48] ([151.49.85.67])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-43b644ae132sm10122385f8f.6.2026.03.20.17.10.07
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 Mar 2026 17:10:07 -0700 (PDT)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org
Cc: Jon Kohler <jon@nutanix.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Nikunj A Dadhania <nikunj@amd.com>,
	Amit Shah <amit.shah@amd.com>,
	Sean Christopherson <seanjc@google.com>
Subject: [PATCH 14/22] KVM: nVMX: advertise MBEC to nested guests
Date: Sat, 21 Mar 2026 01:09:23 +0100
Message-ID: <20260321000931.1947084-15-pbonzini@redhat.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260321000931.1947084-1-pbonzini@redhat.com>
References: <20260321000931.1947084-1-pbonzini@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jon Kohler <jon@nutanix.com>

Advertise SECONDARY_EXEC_MODE_BASED_EPT_EXEC (MBEC) to userspace, which
allows userspace to expose and advertise the feature to the guest.
When MBEC is enabled by the guest, it is passed to the MMU via cr4_smep
and to the processor by the merging of vmcs12->secondary_vm_exec_control
into the VMCS02's secondary VM execution controls.

Signed-off-by: Jon Kohler <jon@nutanix.com>
Message-ID: <20251223054806.1611168-9-jon@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/kvm/mmu.h        |  2 +-
 arch/x86/kvm/mmu/mmu.c    |  7 ++++---
 arch/x86/kvm/vmx/nested.c | 10 ++++++++++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 2a6caac39d40..035244ccbb5e 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -93,7 +93,7 @@ void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, unsig=
ned long cr0,
 			     unsigned long cr4, u64 efer, gpa_t nested_cr3);
 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
 			     int huge_page_level, bool accessed_dirty,
-			     gpa_t new_eptp);
+			     bool mbec, gpa_t new_eptp);
 bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
 int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
 				u64 fault_address, char *insn, int insn_len);
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index a0b4774e405a..647dffb69d85 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -5839,7 +5839,7 @@ EXPORT_SYMBOL_GPL(kvm_init_shadow_npt_mmu);
=20
 static union kvm_cpu_role
 kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_di=
rty,
-				   bool execonly, u8 level)
+				   bool execonly, u8 level, bool mbec)
 {
 	union kvm_cpu_role role =3D {0};
=20
@@ -5849,6 +5849,7 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *v=
cpu, bool accessed_dirty,
 	 */
 	WARN_ON_ONCE(is_smm(vcpu));
 	role.base.level =3D level;
+	role.base.cr4_smep =3D mbec;
 	role.base.has_4_byte_gpte =3D false;
 	role.base.direct =3D false;
 	role.base.ad_disabled =3D !accessed_dirty;
@@ -5864,13 +5865,13 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu =
*vcpu, bool accessed_dirty,
=20
 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
 			     int huge_page_level, bool accessed_dirty,
-			     gpa_t new_eptp)
+			     bool mbec, gpa_t new_eptp)
 {
 	struct kvm_mmu *context =3D &vcpu->arch.guest_mmu;
 	u8 level =3D vmx_eptp_page_walk_level(new_eptp);
 	union kvm_cpu_role new_mode =3D
 		kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty,
-						   execonly, level);
+						   execonly, level, mbec);
=20
 	if (new_mode.as_u64 !=3D context->cpu_role.as_u64) {
 		/* EPT, and thus nested EPT, does not consume CR0, CR4, nor EFER. */
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 7c55551a2680..7b0861d02166 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -460,6 +460,12 @@ static void nested_ept_inject_page_fault(struct kvm_vc=
pu *vcpu,
 	vmcs12->guest_physical_address =3D fault->address;
 }
=20
+static inline bool nested_ept_mbec_enabled(struct kvm_vcpu *vcpu)
+{
+	struct vmcs12 *vmcs12 =3D get_vmcs12(vcpu);
+	return nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC);
+}
+
 static void nested_ept_new_eptp(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_vmx *vmx =3D to_vmx(vcpu);
@@ -468,6 +474,7 @@ static void nested_ept_new_eptp(struct kvm_vcpu *vcpu)
=20
 	kvm_init_shadow_ept_mmu(vcpu, execonly, ept_lpage_level,
 				nested_ept_ad_enabled(vcpu),
+				nested_ept_mbec_enabled(vcpu),
 				nested_ept_get_eptp(vcpu));
 }
=20
@@ -7145,6 +7152,9 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_c=
aps,
 			msrs->ept_caps |=3D VMX_EPT_AD_BIT;
 		}
=20
+		if (cpu_has_ept_mbec())
+			msrs->secondary_ctls_high |=3D
+				SECONDARY_EXEC_MODE_BASED_EPT_EXEC;
 		/*
 		 * Advertise EPTP switching irrespective of hardware support,
 		 * KVM emulates it in software so long as VMFUNC is supported.
--=20
2.52.0