Re: [PATCH 14/22] KVM: nVMX: advertise MBEC to nested guests

[Jon Kohler]

> On Mar 20, 2026, at 8:09 PM, Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
> 
> From: Jon Kohler <jon@xxxxxxxxxxx>
> 
> Advertise SECONDARY_EXEC_MODE_BASED_EPT_EXEC (MBEC) to userspace, which
> allows userspace to expose and advertise the feature to the guest.
> When MBEC is enabled by the guest, it is passed to the MMU via cr4_smep
> and to the processor by the merging of vmcs12->secondary_vm_exec_control
> into the VMCS02's secondary VM execution controls.
> 
> Signed-off-by: Jon Kohler <jon@xxxxxxxxxxx>
> Message-ID: <20251223054806.1611168-9-jon@xxxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
> arch/x86/kvm/mmu.h        |  2 +-
> arch/x86/kvm/mmu/mmu.c    |  7 ++++---
> arch/x86/kvm/vmx/nested.c | 10 ++++++++++
> 3 files changed, 15 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
> index 2a6caac39d40..035244ccbb5e 100644
> --- a/arch/x86/kvm/mmu.h
> +++ b/arch/x86/kvm/mmu.h
> @@ -93,7 +93,7 @@ void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, unsigned long cr0,
>     unsigned long cr4, u64 efer, gpa_t nested_cr3);
> void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
>     int huge_page_level, bool accessed_dirty,
> -     gpa_t new_eptp);
> +     bool mbec, gpa_t new_eptp);
> bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
> int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
> u64 fault_address, char *insn, int insn_len);
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index a0b4774e405a..647dffb69d85 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -5839,7 +5839,7 @@ EXPORT_SYMBOL_GPL(kvm_init_shadow_npt_mmu);
> 
> static union kvm_cpu_role
> kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
> -   bool execonly, u8 level)
> +   bool execonly, u8 level, bool mbec)
> {
> union kvm_cpu_role role = {0};
> 
> @@ -5849,6 +5849,7 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
> */
> WARN_ON_ONCE(is_smm(vcpu));
> role.base.level = level;
> + role.base.cr4_smep = mbec;
> role.base.has_4_byte_gpte = false;
> role.base.direct = false;
> role.base.ad_disabled = !accessed_dirty;
> @@ -5864,13 +5865,13 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
> 
> void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
>     int huge_page_level, bool accessed_dirty,
> -     gpa_t new_eptp)
> +     bool mbec, gpa_t new_eptp)
> {
> struct kvm_mmu *context = &vcpu->arch.guest_mmu;
> u8 level = vmx_eptp_page_walk_level(new_eptp);
> union kvm_cpu_role new_mode =
> kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty,
> -   execonly, level);
> +   execonly, level, mbec);
> 
> if (new_mode.as_u64 != context->cpu_role.as_u64) {
> /* EPT, and thus nested EPT, does not consume CR0, CR4, nor EFER. */
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 7c55551a2680..7b0861d02166 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -460,6 +460,12 @@ static void nested_ept_inject_page_fault(struct kvm_vcpu *vcpu,
> vmcs12->guest_physical_address = fault->address;
> }
> 
> +static inline bool nested_ept_mbec_enabled(struct kvm_vcpu *vcpu)
> +{
> + struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
> + return nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC);
> +}
> +

checkpatch.pl complaint:
WARNING: Missing a blank line after declarations
#83: FILE: arch/x86/kvm/vmx/nested.c:468:
+       struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+       return nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC);

> static void nested_ept_new_eptp(struct kvm_vcpu *vcpu)
> {
> struct vcpu_vmx *vmx = to_vmx(vcpu);
> @@ -468,6 +474,7 @@ static void nested_ept_new_eptp(struct kvm_vcpu *vcpu)
> 
> kvm_init_shadow_ept_mmu(vcpu, execonly, ept_lpage_level,
> nested_ept_ad_enabled(vcpu),
> + nested_ept_mbec_enabled(vcpu),
> nested_ept_get_eptp(vcpu));
> }
> 
> @@ -7145,6 +7152,9 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
> msrs->ept_caps |= VMX_EPT_AD_BIT;
> }
> 
> + if (cpu_has_ept_mbec())
> + msrs->secondary_ctls_high |=
> + SECONDARY_EXEC_MODE_BASED_EPT_EXEC;
> /*
> * Advertise EPTP switching irrespective of hardware support,
> * KVM emulates it in software so long as VMFUNC is supported.
> -- 
> 2.52.0
>