From nobody Thu Apr 2 20:10:52 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5361C426D16 for ; Thu, 26 Mar 2026 18:18:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774549096; cv=none; b=rjkJl3miECeNbbqpVFe8MYOVrO8PQ7NUHoBCeZuf6KS5yMMg2WdS4LZG0f3bIOY97kShgOGLCI6qJdQnz/tZtOLfTVyecoUb0r5W6HZ1b2Fey+HQg3MQcBE1sgsH/4zfv3JgU4iV/hstfABNMyWgDvyDPGmt11TRFunAoi7Jhiw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774549096; c=relaxed/simple; bh=5gpuzpBc3Bpn9SAXMiqC3JXeJEFjr6zURoeZIrXOkY8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NnYTKkZeDFLglCFzeTWmKJ8WG0p99RWD9GK3RZ9aTde55ASVrxVzAA83Pw+eH5dqyVAw+/GbjsqDCgSHTye0bJpCNn7DQDb5we1d0fI4IgA2eyhPjwFkfDFnC+l34AJvZjt/j56XIKZXAOczbEyfBwZalSVV7QzbynQqIO/krpM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=SChjKFn/; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=UyBNexFh; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="SChjKFn/"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="UyBNexFh" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774549093; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=40gLkqvYyhKvnAeiPGvS0laQA/Arm+OR7E3p28AiBGA=; b=SChjKFn/dGkiJdtpye/0sKBdQqNqDQGfgbB4ev/TpwX1Xbmpd2aWJ/pHCDZStKcagKPEsv w1Wvg6MHTYgt+mUwd/DoyT0UIZ0/Uh6Pveu9rB0U1HlnFFCXOu4a2s0fBF5Uu+37PshQri WlqVNfetufdqUnVfYGDzL56IqGXkLZM= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-534-qZ5UTYuDM-mLYu_ma_oQhA-1; Thu, 26 Mar 2026 14:18:11 -0400 X-MC-Unique: qZ5UTYuDM-mLYu_ma_oQhA-1 X-Mimecast-MFC-AGG-ID: qZ5UTYuDM-mLYu_ma_oQhA_1774549090 Received: by mail-wm1-f69.google.com with SMTP id 5b1f17b1804b1-485c45885e6so9424935e9.0 for ; Thu, 26 Mar 2026 11:18:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1774549089; x=1775153889; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=40gLkqvYyhKvnAeiPGvS0laQA/Arm+OR7E3p28AiBGA=; b=UyBNexFh/SjBFfVcqbVJ1MPIOytQtHbzskaflP+m4oTwESrpM27Ll5OrAdYTKJ5xfb BPQyN7Be1JE0Mc9o6kXhMIR9YNkfd7Bki0iYwwnz7v0rkeuZoYChcPv5FrnjR8/aXcb2 34UHCG32+rrtbo54+beb3dnsOG0o1OqveYEnWStD0nyo2hxoJEbFTUkh6MRhV1YRddH7 iCoLNW3KiW+Q0P4PmS7A09IHqu1fFFUZtCAgIPLb8FjeHX5SBYoT6Tma1klSPkATgrGK 2u9ppz2IqdYM8ZjtfYCGtqZiP6Bxj83WqwYVyVjuUxZIRoTBjAVlJ824/fTn7c0m7xdc xq9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774549089; x=1775153889; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=40gLkqvYyhKvnAeiPGvS0laQA/Arm+OR7E3p28AiBGA=; b=lbkgQmvfKZlmyegyYJtlRa/BU8v1B3CIW599YSosFxhFxpRrDMwOi9U5OfdjJZTpIe agBQyB4+xd3+XmSEbLFtaNVeQbG/SBWJr6kj2PstPSzbPJfdj7KjqBpO5llUudttCupb 9TgkTNjPlvbdNrJMQ3e0aXFact2gKa3ysWnfGXeGj1RXrt8dfqofF2KEZQzGyHBpzaxF rLGmRL4LhclfcsgnmUcYSzwIlE3GfLPC/y4cpLjzhUpwBoo94CIeYXMFOC2HtY4NBYA8 Q6RqNmKMvtJpmEugn996ZeiCurrxt1fU9ndbbYj28Xc83VHWZeHX4PH8U8DbENwXIsPb O31Q== X-Gm-Message-State: AOJu0Yye0HY00SecEFItf931na2gomXh4Q+gQovjqnJO4/ZmBDJ2fPQl bJUintyOZowPBywEi0AU3LbFLQFR4YRrEcS/L+oSqUKeI4MWNhhr/1w1WboJvX0FRBotz6d0C8a gjnOv9SfkyRzeRpwlubZfDPV77FOID+djoFJK3OF4hzDpz1Rz2qaqjEE19iC38J2KrmMVmtApHo Kl8WKw6zJWYFWz4KHkjuz8vxpxFKSRM7kGW0cFbL1WHPD6T9sr8A== X-Gm-Gg: ATEYQzy+j4KS0Aw/NAggxFRhhNVSWW4gLO95ri4MM5Kx8l68FHYIrELCwBSR7TEWizD +u7v9F+FWlBo3ZdauJYc4maHaZVxH3u84rCUStnivXNfAH3rX2JTsq8roXVDG5Zq+cYq0T+WSpR tPPDRSNMSK/O1USHEfCYZeJJyOMSOsGP9EfFYzQLn5x/Mb4ePhN4imbrzP4bB+Isw1QvuoU4Uwl KO71VPV0299dIl6GpGtW8htMtVoB+cE/ZfasIHljxv9KLEL9Dzkyouvo+PXSyG77P8nVsKlpBqf Vg/fA18G3NcPzAsvJDD1P4poe2vXtHCg+G8+hG3b6RgGAqn9rS4WWzuh11U836U/k8ZchQqpVei 0vUE0eSRoU32jv2Kp5iEnkcI4WpsDB+tzXMXdac9d0UxzQgftXTsDCPPacd+J2P2wOEOoUeSkFD L5dOgfZtSM/uK0lLypQDQQyjdG X-Received: by 2002:a05:600c:1d0e:b0:486:fc95:1a91 with SMTP id 5b1f17b1804b1-48715fef618mr126829395e9.12.1774549089469; Thu, 26 Mar 2026 11:18:09 -0700 (PDT) X-Received: by 2002:a05:600c:1d0e:b0:486:fc95:1a91 with SMTP id 5b1f17b1804b1-48715fef618mr126828805e9.12.1774549088943; Thu, 26 Mar 2026 11:18:08 -0700 (PDT) Received: from [192.168.10.48] ([151.49.85.67]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48725d9fdffsm2929365e9.5.2026.03.26.11.18.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Mar 2026 11:18:07 -0700 (PDT) From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: Jon Kohler , Nikunj A Dadhania , Amit Shah , Sean Christopherson , Marcelo Tosatti Subject: [PATCH 16/24] KVM: nVMX: advertise MBEC to nested guests Date: Thu, 26 Mar 2026 19:17:14 +0100 Message-ID: <20260326181723.218115-17-pbonzini@redhat.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260326181723.218115-1-pbonzini@redhat.com> References: <20260326181723.218115-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jon Kohler Advertise SECONDARY_EXEC_MODE_BASED_EPT_EXEC (MBEC) to userspace, which allows userspace to expose and advertise the feature to the guest. When MBEC is enabled by the guest, it is passed to the MMU via cr4_smep, and to the processor by the merging of vmcs12->secondary_vm_exec_control into the VMCS02's secondary VM execution controls. Signed-off-by: Jon Kohler Message-ID: <20251223054806.1611168-9-jon@nutanix.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/mmu.h | 2 +- arch/x86/kvm/mmu/mmu.c | 7 ++++--- arch/x86/kvm/vmx/nested.c | 11 +++++++++++ 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h index 678ce021991f..fa1942b126fb 100644 --- a/arch/x86/kvm/mmu.h +++ b/arch/x86/kvm/mmu.h @@ -93,7 +93,7 @@ void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, unsig= ned long cr0, unsigned long cr4, u64 efer, gpa_t nested_cr3); void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly, int huge_page_level, bool accessed_dirty, - gpa_t new_eptp); + bool mbec, gpa_t new_eptp); bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu); int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code, u64 fault_address, char *insn, int insn_len); diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index cd2418fe8708..442cbaeaf547 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -5940,7 +5940,7 @@ EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_init_shadow_npt_mm= u); =20 static union kvm_cpu_role kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_di= rty, - bool execonly, u8 level) + bool execonly, u8 level, bool mbec) { union kvm_cpu_role role =3D {0}; =20 @@ -5950,6 +5950,7 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *v= cpu, bool accessed_dirty, */ WARN_ON_ONCE(is_smm(vcpu)); role.base.level =3D level; + role.base.cr4_smep =3D mbec; role.base.has_4_byte_gpte =3D false; role.base.direct =3D false; role.base.ad_disabled =3D !accessed_dirty; @@ -5965,13 +5966,13 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu = *vcpu, bool accessed_dirty, =20 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly, int huge_page_level, bool accessed_dirty, - gpa_t new_eptp) + bool mbec, gpa_t new_eptp) { struct kvm_mmu *context =3D &vcpu->arch.guest_mmu; u8 level =3D vmx_eptp_page_walk_level(new_eptp); union kvm_cpu_role new_mode =3D kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty, - execonly, level); + execonly, level, mbec); =20 if (new_mode.as_u64 !=3D context->cpu_role.as_u64) { /* EPT, and thus nested EPT, does not consume CR0, CR4, nor EFER. */ diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 4b742a19bfde..1e84ca353cec 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -469,6 +469,13 @@ static void nested_ept_inject_page_fault(struct kvm_vc= pu *vcpu, vmcs12->guest_physical_address =3D fault->address; } =20 +static inline bool nested_ept_mbec_enabled(struct kvm_vcpu *vcpu) +{ + struct vmcs12 *vmcs12 =3D get_vmcs12(vcpu); + + return nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC); +} + static void nested_ept_new_eptp(struct kvm_vcpu *vcpu) { struct vcpu_vmx *vmx =3D to_vmx(vcpu); @@ -477,6 +484,7 @@ static void nested_ept_new_eptp(struct kvm_vcpu *vcpu) =20 kvm_init_shadow_ept_mmu(vcpu, execonly, ept_lpage_level, nested_ept_ad_enabled(vcpu), + nested_ept_mbec_enabled(vcpu), nested_ept_get_eptp(vcpu)); } =20 @@ -7255,6 +7263,9 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_c= aps, msrs->ept_caps |=3D VMX_EPT_AD_BIT; } =20 + if (cpu_has_ept_mbec()) + msrs->secondary_ctls_high |=3D + SECONDARY_EXEC_MODE_BASED_EPT_EXEC; /* * Advertise EPTP switching irrespective of hardware support, * KVM emulates it in software so long as VMFUNC is supported. --=20 2.53.0