Re: [PATCH 2/2] KVM: TDX: Disable pmu virtualization for TDX VMs

[Vishal Annapurve]

On Wed, May 6, 2026 at 4:03 PM Sean Christopherson <seanjc@xxxxxxxxxx> wrote:
>
> On Tue, May 05, 2026, FirstName LastName wrote:
> > From: Vishal Annapurve <vannapurve@xxxxxxxxxx>
> >
> > TDX module virtualizes PMU for TDX VMs[1]. Host has following
> > toggles to control the PMU functionality exposed to TDX VMs:
> > 1) Configure TD_PARAMS to allow guests to use performance monitoring.
> > 2) Restrict the TD to a subset of the PEBS counters if supported.
> > 3) Limit the TD to setup a certain perfmon events using basic/enhanced
> >    event filtering.
> >
> > KVM will need to be enlightened to support these toggles. Explicitly
> > disable PMU virtualization for TDX VMs by default until such a support lands.
> >
> > [1] Section 15.2: https://cdrdv2.intel.com/v1/dl/getContent/733575
> >
> > Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> > Signed-off-by: Vishal Annapurve <vannapurve@xxxxxxxxxx>
> > ---
> >  arch/x86/kvm/vmx/tdx.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> > index 1e47c194af53..01498c25942d 100644
> > --- a/arch/x86/kvm/vmx/tdx.c
> > +++ b/arch/x86/kvm/vmx/tdx.c
> > @@ -638,6 +638,12 @@ int tdx_vm_init(struct kvm *kvm)
> >       kvm->arch.has_private_mem = true;
> >       kvm->arch.disabled_quirks |= KVM_X86_QUIRK_IGNORE_GUEST_PAT;
> >
> > +     /*
> > +      * PMU support is provide by the TDX-Module (if enabled for the VM).
> > +      * From KVM's perspective, the VM doesn't have a virtual PMU.
> > +      */
> > +     kvm->arch.enable_pmu = false;
>
> Gah, I forgot that KVM_CAP_PMU_CAPABILITY allows re-enabling PMU support (which
> is really quite annoying).  Unless we want to risk breaking userspace, the best
> idea I can come up with is to add a has_protected_pmu flag, and then disallow
> KVM_CAP_PMU_CAPABILITY.
>
> The question then becomes, do we keep patch 1 and also clear enable_pmu in tdx.c,
> or do we keep the ordering and have kvm_arch_init_vm() consume has_protected_pmu?
> Neither one is particularly awesome :-/

I am inclined to send the v2 with the latter option i.e. keep the
ordering the same and have kvm_arch_init_vm() consume
has_protected_pmu. Let's see how that goes.

>
> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
> index c470e40a00aa..8371dcaaed1a 100644
> --- a/arch/x86/include/asm/kvm_host.h
> +++ b/arch/x86/include/asm/kvm_host.h
> @@ -1422,6 +1422,7 @@ struct kvm_arch {
>         bool has_private_mem;
>         bool has_protected_state;
>         bool has_protected_eoi;
> +       bool has_protected_pmu;
>         bool pre_fault_allowed;
>         struct hlist_head *mmu_page_hash;
>         struct list_head active_mmu_pages;
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index 04ce321ebdf3..3ba295bd44f8 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -635,6 +635,7 @@ int tdx_vm_init(struct kvm *kvm)
>          * i.e. all EOIs are accelerated and never trigger exits.
>          */
>         kvm->arch.has_protected_eoi = true;
> +       kvm->arch.has_protected_pmu = true;
>         kvm->arch.has_private_mem = true;
>         kvm->arch.disabled_quirks |= KVM_X86_QUIRK_IGNORE_GUEST_PAT;
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 0a1b63c63d1a..57d78255c80c 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -6910,7 +6910,8 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
>                         break;
>
>                 mutex_lock(&kvm->lock);
> -               if (!kvm->created_vcpus && !kvm->arch.created_mediated_pmu) {
> +               if (!kvm->created_vcpus && !kvm->arch.created_mediated_pmu &&
> +                   !kvm->arch.has_protected_pmu) {
>                         kvm->arch.enable_pmu = !(cap->args[0] & KVM_PMU_CAP_DISABLE);
>                         r = 0;
>                 }