From nobody Thu Apr  2 20:09:44 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9F5A342882F
	for <linux-kernel@vger.kernel.org>; Thu, 26 Mar 2026 18:18:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774549102; cv=none;
 b=RGV1huF8IJ9dhmcIgQwlJdMyoJ80YgCqFNwfmImjpK3QXKz5My1jm4+G7rEHLSUXrj1Gr6piP18uUOtxqc0OrbS1EuDeNH5Bhd06+3zLIcTHpclbbcYbjMn+5E9FbpOuxdKD1FxkMc4+vuvk9ZBI5CCQpz+Nr7MJkdIXETuetPk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774549102; c=relaxed/simple;
	bh=xKUgHxugBoabM3fxRuQQHWI7f4LSHWH/O9NGxy6QQUY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=Q0Fd46mNb+VwN89wUN/24bIjhvPbsdS+ACn2iM0mBpyJNpazhDy5vncRN7vUFIKIv+02GaXvplYyJCD6wz7bhPsW/MFHr4e8VxdJPThxXCUGfeyLSEvSjpaXiCdCIFN9DtgsX6WXHLWkOem0ffZT8dr3uknWKJD5zf0GTGX7TsE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=Wlh/NP3D;
 dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=IB5QlVKT; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="Wlh/NP3D";
	dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="IB5QlVKT"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1774549097;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=WfiNNSEjHN6RC7jg/KmpV4mpRSoDFEjBNWlKFZH7iQI=;
	b=Wlh/NP3Dz1S/447YOH1TNIoJgoynzgtF14etsyNb/GE/xs7ieMp5Xju2DPSgkPae59Fkrc
	nKJAHyb/HDnHYC9U5pE0UxGOylsB4ubblCmLGp3DYmzV8pnbjz7zpRSDTSTQrXUAq2VCi5
	/QJcSv58EJeTim0VNRqiT593SYzBAvc=
Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com
 [209.85.128.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-486-Uh5iJGMLMkqdUKpwtyhNwg-1; Thu, 26 Mar 2026 14:18:14 -0400
X-MC-Unique: Uh5iJGMLMkqdUKpwtyhNwg-1
X-Mimecast-MFC-AGG-ID: Uh5iJGMLMkqdUKpwtyhNwg_1774549093
Received: by mail-wm1-f72.google.com with SMTP id
 5b1f17b1804b1-48544725bdeso21039835e9.2
        for <linux-kernel@vger.kernel.org>;
 Thu, 26 Mar 2026 11:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=redhat.com; s=google; t=1774549092; x=1775153892;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WfiNNSEjHN6RC7jg/KmpV4mpRSoDFEjBNWlKFZH7iQI=;
        b=IB5QlVKTu1D7q8C2qjcGgR7SDCRJDdMuTjKcmcVhX+8i0utlGQxK09no5NPU2HNQ3a
         msFLIizggc9IbUfwIRkuZlsYxMZyQJyBunFyoD3v+Bbg0Z87k+tMwuJ/4X+lB2Ff2RiF
         yh3V67NiODLL9ZlsjCg5LcVgajGnJnfz8f2GfWNY9XHdGoDGr1cx+AeVAOETDEoYJWpC
         DhZPfu6/sFhqzEZRBstNmBvr8lTLTZy15lq9Ctz+4ZHOX+zLHK1M1UCgIzNtzXr8/u1q
         h79xpiN3AVmwuvfiAv/SoNUCJUe2Wk/cSwNg+1Qn5+ZSCBYTBnzvQWE5lmxyCR92bqzn
         wg4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774549092; x=1775153892;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=WfiNNSEjHN6RC7jg/KmpV4mpRSoDFEjBNWlKFZH7iQI=;
        b=J8hRLMBVwzpX/ce7Jy2Bz9N8v9PBthHMsAYqx3rHcpBX933sfF+YgIroO6uSfI4dxz
         IanesRGq00Ah/SzeZwK1gbSfEKD7EOETuiGZCCozq+UgDVYsANP0sCvGQnKE8URrF3cR
         4gftTf3UutEGhbKUn3u7KzPBRDW3/KO0k5yBIj8QGKNfqKabiFThXgBmxIPGIXFlybu1
         V5Xj2GdK4N9z1w1MzBtgJmvtA7anqiHFDMigfRPLWTVpwSYnUNmGwGivd4FuN0Whilsf
         mMg0BiqddkbmszdP+LEaHAcjGFN8OoX5vdewMsqeVLlqra8MQ3W/QQsSzSAqMafpbWdg
         esKw==
X-Gm-Message-State: AOJu0YwUJnSa/5zrydYolmYTuhOnTPJ3JBzrJzb02ajEvQ079S92xvD4
	Q5VsRU/lTjlKWExD46GRuZR6f6tyagaKEic0ylO5gwxGLERSIFIzbgGyD6I/4fKGdPw/3YF7SC4
	+YXyeRRT5/Jv8pn4oogYF8DSsEc5hVuKMKZSk9eHGRPnVpJIARDmmWZNIU/R2ljZ+N2w4hyJXYv
	0S0v5RisL4oIWpF1asOUYqlT31ioIQXiya1ctdibFkBLRDvkexZw==
X-Gm-Gg: ATEYQzzHBQgVX2WRm6o5vUHpkGHQkONJKJTtlCINC6JCBqzDuPG1ExroIuums150nOw
	38xJw5NvONEfCU1EwI6D2nUSurzMawbc9dcgv8+tEvN89Ag1yliK+tWLPJJ5STFmjLDOZa3lPvP
	z12DKi+UuT1H57IjspBIrnDj0A++IL5eM52iLG3xhQmsYhouhOcMa3Vwba7ivBhgHgNfljvYmo5
	a6/mXW9JS++46tz1GSFxTjf++peMEwpsBV5kXQI7pIavZpXLfK/nHh3rBXFFGRG5us7UnjLbmB6
	AptFYo83OhatjguoG4ikeRVe9Dqd6X2O1z+Ct9iUI+0k/sKquEjlXR+KN0+zOJcPBHyYiX2qegP
	2HzBPazxiVVh3jcIL3cSFJbZ/9uF92jDzpRDQ01gh7rNzUvbyIoP/29AjfZk7jTsDzEatVmi/sX
	mf/voHbjgXVntoHe1K3Ql6tNHO
X-Received: by 2002:a05:600c:4685:b0:485:2ce2:4c87 with SMTP id
 5b1f17b1804b1-48715fc3562mr140300185e9.4.1774549091935;
        Thu, 26 Mar 2026 11:18:11 -0700 (PDT)
X-Received: by 2002:a05:600c:4685:b0:485:2ce2:4c87 with SMTP id
 5b1f17b1804b1-48715fc3562mr140299445e9.4.1774549091379;
        Thu, 26 Mar 2026 11:18:11 -0700 (PDT)
Received: from [192.168.10.48] ([151.49.85.67])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-43b919cefd7sm9662731f8f.17.2026.03.26.11.18.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 26 Mar 2026 11:18:09 -0700 (PDT)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org
Cc: Jon Kohler <jon@nutanix.com>,
	Nikunj A Dadhania <nikunj@amd.com>,
	Amit Shah <amit.shah@amd.com>,
	Sean Christopherson <seanjc@google.com>,
	Marcelo Tosatti <mtosatti@redhat.com>
Subject: [PATCH 17/24] KVM: nVMX: allow MBEC with EVMCS
Date: Thu, 26 Mar 2026 19:17:15 +0100
Message-ID: <20260326181723.218115-18-pbonzini@redhat.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260326181723.218115-1-pbonzini@redhat.com>
References: <20260326181723.218115-1-pbonzini@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jon Kohler <jon@nutanix.com>

Extend EVMCS1_SUPPORTED_2NDEXEC to allow MBEC and EVMCS to coexist.
Presenting both EVMCS and MBEC simultaneously causes KVM to filter out
MBEC and not present it as a supported control to the guest, preventing
performance gains from MBEC when Windows HVCI is enabled.

The guest may choose not to use MBEC (e.g., if the admin does not enable
Windows HVCI / Memory Integrity), but if they use traditional nested
virt (Hyper-V, WSL2, etc.), having EVMCS exposed is important for
improving nested guest performance. IOW allowing MBEC and EVMCS to
coexist provides maximum optionality to Windows users without
overcomplicating VM administration.

Signed-off-by: Jon Kohler <jon@nutanix.com>
Message-ID: <20251223054806.1611168-8-jon@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/kvm/vmx/hyperv_evmcs.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/vmx/hyperv_evmcs.h b/arch/x86/kvm/vmx/hyperv_evmc=
s.h
index fc7c4e7bd1bf..bc08fe40590e 100644
--- a/arch/x86/kvm/vmx/hyperv_evmcs.h
+++ b/arch/x86/kvm/vmx/hyperv_evmcs.h
@@ -87,6 +87,7 @@
 	 SECONDARY_EXEC_PT_CONCEAL_VMX |				\
 	 SECONDARY_EXEC_BUS_LOCK_DETECTION |				\
 	 SECONDARY_EXEC_NOTIFY_VM_EXITING |				\
+	 SECONDARY_EXEC_MODE_BASED_EPT_EXEC |				\
 	 SECONDARY_EXEC_ENCLS_EXITING)
=20
 #define EVMCS1_SUPPORTED_3RDEXEC (0ULL)
--=20
2.53.0