Re: [PATCH v6 00/28] KVM: combined patchset for MBEC/GMET support

[Paolo Bonzini]

On 5/12/26 16:32, Paolo Bonzini wrote:
The trace shows that CET is not used at all unless MBEC is
> present. In particular (after "trace-cmd record -e kvm ...") I can do:
>
> $ trace-cmd report |grep  -e msr_write.*da0| sed 's/.*kvm_/kvm_/' | sort -u
>
> and it shows as expected this with +vmx-mbec,+cet-ss,+cet-ibt:
>
> kvm_msr:              msr_write da0 = 0x800
>
> but not with -vmx-mbec,+cet-ss,+cet-ibt.  This initialization is
> performed by Hyper-V even before VMXON, and the breakage happens even
> if Memory Integrity is disabled inside Windows.
>
> Knowing that Hyper-V was not running any nested guest at the time of
> the hang, I changed __vmcs_writel() to have
>
>          if (field == SECONDARY_VM_EXEC_CONTROL) value &=
> ~SECONDARY_EXEC_MODE_BASED_EPT_EXEC;

I have now reproduced the guest hang with a one line change on top of 
kvm/master:

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 937aeb474af7..43e0f20e4e26 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -7231,6 +7231,7 @@ static void nested_vmx_setup_secondary_ctls(u32 
ept_caps,
        if (enable_ept) {
                /* nested EPT: emulate EPT also to L1 */
                msrs->secondary_ctls_high |=
+                       SECONDARY_EXEC_MODE_BASED_EPT_EXEC | /* hem hem */
                        SECONDARY_EXEC_ENABLE_EPT;
                msrs->ept_caps =
                        VMX_EPT_PAGE_WALK_4_BIT |

(which would break very badly if Hyper-V were to start a nested guest, 
but the trace says it doesn't).

Can you check what behavior you get from this (actually silly) change? 
It should allow you to exercise Hyper-V's CET paths without the burden 
of the MMU changes.

Paolo