Sanitizing at the end might not work because I see some cases in
nested_vmx_setup_ctls_msrs() where we want to expose some things to L1
even though the hardware doesn't support it.
Yes, but these will never include eVMCS-unsupported features.
How are you so sure?
For example, SECONDARY_EXEC_SHADOW_VMCS is unsupported in eVMCS but in
nested_vmx_setup_ctls_msrs() we do:
	/*
	 * We can emulate "VMCS shadowing," even if the hardware
	 * doesn't support it.
	 */
	msrs->secondary_ctls_high |=
		SECONDARY_EXEC_SHADOW_VMCS;
If we sanitize this out, it might cause some regression, right?