[PATCH 17/24] KVM: nVMX: allow MBEC with EVMCS

Next message: Paolo Bonzini: "[PATCH 11/24] KVM: x86/mmu: move cr4_smep to base role"
Previous message: Stephen Hemminger: "[PATCH v3 6/7] selftests/tc-testing: Add mirred test cases exercising loops"
In reply to: Paolo Bonzini: "[PATCH 13/24] KVM: nVMX: pass advanced EPT violation vmexit info to guest"
Next in thread: Paolo Bonzini: "[PATCH 11/24] KVM: x86/mmu: move cr4_smep to base role"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Bonzini

Date: Thu Mar 26 2026 - 14:32:42 EST

From: Jon Kohler <jon@xxxxxxxxxxx>

Extend EVMCS1_SUPPORTED_2NDEXEC to allow MBEC and EVMCS to coexist.
Presenting both EVMCS and MBEC simultaneously causes KVM to filter out
MBEC and not present it as a supported control to the guest, preventing
performance gains from MBEC when Windows HVCI is enabled.

The guest may choose not to use MBEC (e.g., if the admin does not enable
Windows HVCI / Memory Integrity), but if they use traditional nested
virt (Hyper-V, WSL2, etc.), having EVMCS exposed is important for
improving nested guest performance. IOW allowing MBEC and EVMCS to
coexist provides maximum optionality to Windows users without
overcomplicating VM administration.

Signed-off-by: Jon Kohler <jon@xxxxxxxxxxx>
Message-ID: <20251223054806.1611168-8-jon@xxxxxxxxxxx>
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
---
arch/x86/kvm/vmx/hyperv_evmcs.h | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/vmx/hyperv_evmcs.h b/arch/x86/kvm/vmx/hyperv_evmcs.h
index fc7c4e7bd1bf..bc08fe40590e 100644
--- a/arch/x86/kvm/vmx/hyperv_evmcs.h
+++ b/arch/x86/kvm/vmx/hyperv_evmcs.h
@@ -87,6 +87,7 @@
SECONDARY_EXEC_PT_CONCEAL_VMX | \
SECONDARY_EXEC_BUS_LOCK_DETECTION | \
SECONDARY_EXEC_NOTIFY_VM_EXITING | \
+ SECONDARY_EXEC_MODE_BASED_EPT_EXEC | \
SECONDARY_EXEC_ENCLS_EXITING)

#define EVMCS1_SUPPORTED_3RDEXEC (0ULL)
--
2.53.0