Re: [PATCH 20/28] KVM: nVMX: allow MBEC with EVMCS

From: mlevitsk

Date: Tue Jun 02 2026 - 10:41:25 EST

On Tue, 2026-05-05 at 21:52 +0200, Paolo Bonzini wrote:
> From: Jon Kohler <jon@xxxxxxxxxxx>
>
> Extend EVMCS1_SUPPORTED_2NDEXEC to allow MBEC and EVMCS to coexist.
> Presenting both EVMCS and MBEC simultaneously causes KVM to filter out
> MBEC and not present it as a supported control to the guest, preventing
> performance gains from MBEC when Windows HVCI is enabled.
>
> The guest may choose not to use MBEC (e.g., if the admin does not enable
> Windows HVCI / Memory Integrity), but if they use traditional nested
> virt (Hyper-V, WSL2, etc.), having EVMCS exposed is important for
> improving nested guest performance. IOW allowing MBEC and EVMCS to
> coexist provides maximum optionality to Windows users without
> overcomplicating VM administration.
>
> Signed-off-by: Jon Kohler <jon@xxxxxxxxxxx>
> Message-ID: <20251223054806.1611168-8-jon@xxxxxxxxxxx>
> Tested-by: David Riley <d.riley@xxxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
>  arch/x86/kvm/vmx/hyperv_evmcs.h | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kvm/vmx/hyperv_evmcs.h b/arch/x86/kvm/vmx/hyperv_evmcs.h
> index fc7c4e7bd1bf..bc08fe40590e 100644
> --- a/arch/x86/kvm/vmx/hyperv_evmcs.h
> +++ b/arch/x86/kvm/vmx/hyperv_evmcs.h
> @@ -87,6 +87,7 @@
>   SECONDARY_EXEC_PT_CONCEAL_VMX | \
>   SECONDARY_EXEC_BUS_LOCK_DETECTION | \
>   SECONDARY_EXEC_NOTIFY_VM_EXITING | \
> + SECONDARY_EXEC_MODE_BASED_EPT_EXEC | \
>   SECONDARY_EXEC_ENCLS_EXITING)
>  
>  #define EVMCS1_SUPPORTED_3RDEXEC (0ULL)

Unrelated to this patch:

I haven't paid much attention to this particular area of KVM, but 'EVMCSv1_LEGACY' caught my attention now.

According to the Hypervisor Top Level Function Specificaiton v5.0C and v6.0b that I have, there is only one version defined,
version 1. 
Is there a reason on why we choose to call it "Legacy"?

Also I see:

Enlightened VMCSv1 doesn't support these:
....
* TSC_MULTIPLIER = 0x00002032,

And yet I see it defined:

EVMCS1_FIELD(TSC_MULTIPLIER, tsc_multiplier,
HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_GRP2),


Anyway I haven't found any restrictions on the execution controls in the EVMCS in the Microsoft's spec, 
so it is unlikely that it is not supported.

So:
Reviewed-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>

Best regards,
Maxim Levitsky