[PATCH v5 00/28] KVM: combined patchset for MBEC/GMET support

Paolo Bonzini posted 28 patches 1 month, 2 weeks ago
There is a newer version of this series
[PATCH v5 00/28] KVM: combined patchset for MBEC/GMET support
Posted by Paolo Bonzini 1 month, 2 weeks ago
I will once more send you to v3 (https://lore.kernel.org/kvm/20260408154217.458420-1-pbonzini@redhat.com/)
for the description of the series.

v4 incorrectly rebased onto 7.1 KVM and broke the case where L1 disables
NPT.  On top of that I made a few final touches on the patch split, and
opted to use the XU bit unconditionally in the MMU even if MBEC is disabled.
This is more consistent with the idea of reducing as much as possible
the differences between mbec=0 and mbec=1 modes.

Paolo

v4->v5:
- patches 8 and 9: swap to clarify use of ACC_USER_MASK to detect read faults
- patch 11: fix final argument to kvm_translate_gpa (using pte_access instead
  of walker->pte_access worked more or less accidentally, but it is incorrect
  because vmx_translate_nested_gpa uses ACC_* constants rather than PT_*)
- patches 13 and 15: revert to always setting shadow_xu_mask ==
  VMX_EPT_USER_EXECUTABLE_MASK, even if MBEC is disabled.  The MMU always
  operates as if MBEC is available, instead of complicating its life (and
  potentially introducing bugs) by mapping XU onto X; blocking incorrect
  configuration can be done at higher levels.  Add a comment on the design.
- patch 24: also block CR4.SMAP
- patches 26 and 28: fix rebase onto 7.1 KVM (fixes nested NPT disabled)

v3->v4:
- patch 15: clear enable_mbec = 0 if enable_ept == 0
- patches 23-27: adjust for rename of nested_ctl to misc_ctl
- patch 24: new
- patch 27: disable svm_get_cpl for SEV-ES/SEV-SNP
- patch 28: fix commit message reference to __nested_svm_check_controls 


Jon Kohler (5):
  KVM: TDX/VMX: rework EPT_VIOLATION_EXEC_FOR_RING3_LIN into PROT_MASK
  KVM: x86/mmu: remove SPTE_PERM_MASK
  KVM: x86/mmu: free up bit 10 of PTEs in preparation for MBEC
  KVM: nVMX: advertise MBEC to nested guests
  KVM: nVMX: allow MBEC with EVMCS

Paolo Bonzini (23):
  KVM: x86/mmu: shuffle high bits of SPTEs in preparation for MBEC
  KVM: x86/mmu: remove SPTE_EPT_*
  KVM: x86/mmu: merge make_spte_{non,}executable
  KVM: x86/mmu: rename and clarify BYTE_MASK
  KVM: x86/mmu: separate more EPT/non-EPT permission_fault()
  KVM: x86/mmu: introduce ACC_READ_MASK
  KVM: x86/mmu: pass PFERR_GUEST_PAGE/FINAL_MASK to kvm_translate_gpa
  KVM: x86/mmu: pass pte_access for final nGPA->GPA walk
  KVM: x86: make translate_nested_gpa vendor-specific
  KVM: x86/mmu: split XS/XU bits for EPT
  KVM: x86/mmu: move cr4_smep to base role
  KVM: VMX: enable use of MBEC
  KVM: nVMX: pass advanced EPT violation vmexit info to guest
  KVM: nVMX: pass PFERR_USER_MASK to MMU on EPT violations
  KVM: x86/mmu: add support for MBEC to EPT page table walks
  KVM: x86/mmu: propagate access mask from root pages down
  KVM: x86/mmu: introduce cpu_role bit for availability of PFEC.I/D
  KVM: SVM: add GMET bit definitions
  KVM: x86/mmu: hard code more bits in kvm_init_shadow_npt_mmu
  KVM: x86/mmu: add support for GMET to NPT page table walks
  KVM: SVM: enable GMET and set it in MMU role
  KVM: SVM: work around errata 1218
  KVM: nSVM: enable GMET for guests

 Documentation/virt/kvm/x86/mmu.rst |  10 +-
 arch/x86/include/asm/cpufeatures.h |   1 +
 arch/x86/include/asm/kvm-x86-ops.h |   1 +
 arch/x86/include/asm/kvm_host.h    |  48 +++++---
 arch/x86/include/asm/svm.h         |   1 +
 arch/x86/include/asm/vmx.h         |  14 ++-
 arch/x86/kvm/hyperv.c              |   4 +-
 arch/x86/kvm/mmu.h                 |  30 +++--
 arch/x86/kvm/mmu/mmu.c             | 176 ++++++++++++++++++++---------
 arch/x86/kvm/mmu/mmutrace.h        |  19 ++--
 arch/x86/kvm/mmu/paging_tmpl.h     |  73 ++++++++----
 arch/x86/kvm/mmu/spte.c            |  92 +++++++++------
 arch/x86/kvm/mmu/spte.h            |  70 +++++++-----
 arch/x86/kvm/mmu/tdp_mmu.c         |   6 +-
 arch/x86/kvm/svm/nested.c          |  38 ++++++-
 arch/x86/kvm/svm/svm.c             |  31 +++++
 arch/x86/kvm/svm/svm.h             |   1 +
 arch/x86/kvm/vmx/capabilities.h    |  12 +-
 arch/x86/kvm/vmx/common.h          |  20 ++--
 arch/x86/kvm/vmx/hyperv_evmcs.h    |   1 +
 arch/x86/kvm/vmx/main.c            |   9 ++
 arch/x86/kvm/vmx/nested.c          |  46 +++++++-
 arch/x86/kvm/vmx/tdx.c             |   2 +-
 arch/x86/kvm/vmx/vmx.c             |  27 ++++-
 arch/x86/kvm/vmx/vmx.h             |   1 +
 arch/x86/kvm/vmx/x86_ops.h         |   1 +
 arch/x86/kvm/x86.c                 |  18 +--
 27 files changed, 529 insertions(+), 223 deletions(-)

-- 
2.52.0
Re: [PATCH v5 00/28] KVM: combined patchset for MBEC/GMET support
Posted by Paolo Bonzini 1 month, 2 weeks ago
On 4/30/26 17:07, Paolo Bonzini wrote:
> I will once more send you to v3 (https://lore.kernel.org/kvm/20260408154217.458420-1-pbonzini@redhat.com/)
> for the description of the series.
> 
> v4 incorrectly rebased onto 7.1 KVM and broke the case where L1 disables
> NPT.  On top of that I made a few final touches on the patch split, and
> opted to use the XU bit unconditionally in the MMU even if MBEC is disabled.
> This is more consistent with the idea of reducing as much as possible
> the differences between mbec=0 and mbec=1 modes.

I placed this also at branch kvm-mbec of 
https://git.kernel.org/pub/scm/virt/kvm/kvm.git.

Paolo

Re: [PATCH v5 00/28] KVM: combined patchset for MBEC/GMET support
Posted by Sean Christopherson 1 month, 2 weeks ago
On Thu, Apr 30, 2026, Paolo Bonzini wrote:
> On 4/30/26 17:07, Paolo Bonzini wrote:
> > I will once more send you to v3 (https://lore.kernel.org/kvm/20260408154217.458420-1-pbonzini@redhat.com/)
> > for the description of the series.
> > 
> > v4 incorrectly rebased onto 7.1 KVM and broke the case where L1 disables
> > NPT.  On top of that I made a few final touches on the patch split, and
> > opted to use the XU bit unconditionally in the MMU even if MBEC is disabled.
> > This is more consistent with the idea of reducing as much as possible
> > the differences between mbec=0 and mbec=1 modes.
> 
> I placed this also at branch kvm-mbec of
> https://git.kernel.org/pub/scm/virt/kvm/kvm.git.

A decent number of nits, but nothing that truly necessitates a respin or rewriting
of history.  I don't have a strong preference between doing fixups versus cleanups
on top.
Re: [PATCH v5 00/28] KVM: combined patchset for MBEC/GMET support
Posted by Paolo Bonzini 1 month, 2 weeks ago
On Thu, Apr 30, 2026 at 9:17 PM Sean Christopherson <seanjc@google.com> wrote:
>
> On Thu, Apr 30, 2026, Paolo Bonzini wrote:
> > On 4/30/26 17:07, Paolo Bonzini wrote:
> > > I will once more send you to v3 (https://lore.kernel.org/kvm/20260408154217.458420-1-pbonzini@redhat.com/)
> > > for the description of the series.
> > >
> > > v4 incorrectly rebased onto 7.1 KVM and broke the case where L1 disables
> > > NPT.  On top of that I made a few final touches on the patch split, and
> > > opted to use the XU bit unconditionally in the MMU even if MBEC is disabled.
> > > This is more consistent with the idea of reducing as much as possible
> > > the differences between mbec=0 and mbec=1 modes.
> >
> > I placed this also at branch kvm-mbec of
> > https://git.kernel.org/pub/scm/virt/kvm/kvm.git.
>
> A decent number of nits, but nothing that truly necessitates a respin or rewriting
> of history.  I don't have a strong preference between doing fixups versus cleanups
> on top.

I'll definitely do fixups.

Paolo