Re: [PATCH v6 00/28] KVM: combined patchset for MBEC/GMET support

[Paolo Bonzini]

On Mon, May 11, 2026 at 12:54 PM David Riley <d.riley@xxxxxxxxxxx> wrote:
> Environment:
> - Kernel: mainline 7.1.0-rc2 (with v6 patches applied)

Using 7.0.4 + v6 patches applied (except for the AMD ones) I could
reproduce the guest not booting, but not the host lockups. I also have
Windows Server 2025 build 26100, and in my case the host is a Meteor
Lake.

I'm running my guest with

$ qemu-kvm \
   -M q35 -drive if=ide,file=win2k25.qcow2 \
   -cpu host,+vmx-mbec,+cet-ss,+cet-ibt -vnc :0 \
   -monitor stdio -m 8192 \
   -bios /usr/share/edk2/ovmf/OVMF.stateless.secboot.fd  \
   -device nec-usb-xhci -usbdevice tablet -smp 8

However, the trace shows that CET is not used at all unless MBEC is
present. In particular (after "trace-cmd record -e kvm ...") I can do:

$ trace-cmd report |grep  -e msr_write.*da0| sed 's/.*kvm_/kvm_/' | sort -u

and it shows as expected this with +vmx-mbec,+cet-ss,+cet-ibt:

kvm_msr:              msr_write da0 = 0x800

but not with -vmx-mbec,+cet-ss,+cet-ibt.  This initialization is
performed by Hyper-V even before VMXON, and the breakage happens even
if Memory Integrity is disabled inside Windows.

Knowing that Hyper-V was not running any nested guest at the time of
the hang, I changed __vmcs_writel() to have

        if (field == SECONDARY_VM_EXEC_CONTROL) value &=
~SECONDARY_EXEC_MODE_BASED_EPT_EXEC;

which is admittedly a bit blunt :) but lets Hyper-V use CET, while
basically undoing the effects of this patch for non-nested operation.
This also hung for me.

If possible, could you please check:

1) whether 7.0 + patches (up to 22/28) also causes the host to hang?
2) whether 7.1 + patches (up to 22/28) also causes the host to hang?

to understand if this is a) something caused by our different setup b)
a regression in 7.1 c) something caused by the last 6 patches?

So, while the host hanging is worrisome, this seems to be caused more
likely by the CET enablement rather than by MBEC.

Thanks,

Paolo