Re: [PATCH v3 00/27] KVM: combined patchset for MBEC/GMET support
From: David Riley
Date: Wed Apr 15 2026 - 03:07:13 EST
Hi Paolo, Jon,

Thanks to Paolo for sending the new patch series (v3), and to Jon
for the feedback on my previous test.

I have once again tested this patchset (v3) on both Intel and AMD
platforms using Proxmox VE (based on Debian Trixie) with a Windows
Server guest (24H2, Build 26100.1742).
The focus of the tests was live migrations between different hosts
(Intel <-> Intel & AMD <-> AMD).

All tests used the same base setup:
Kernel: mainline 7.0.0-rc7 (with MBEC/GMET v3 patches applied)
QEMU: our downstream QEMU build based on 10.2.1, plus Jon's patches
virtio-win: 0.1.271

Windows Guest:
For the guest setup I enabled Virtualization-Based Security (VBS)
and Hypervisor-Protected Code Integrity (HVCI).
I set the following in the Group Policy Editor (DeviceGuard):
* Select Platform Security Level: Secure Boot
* Virtualization Based Protection of Code Integrity: Enabled without
  lock
* Require UEFI Memory Attributes Table: Checked

Hosts:
Intel Nodes:
CPU: Intel(R) Xeon(R) Gold 6426Y
AMD Nodes:
CPU: AMD EPYC 7302P

I tested the following:

1. Intel without Hyper-V Enlightenments:
QEMU CPU options: -cpu 'host,+kvm_pv_eoi,+kvm_pv_unhalt,level=30'
AvailableSecurityProperties [0]: 1,2,4,5,7
Security Property 7 indicates MBEC/GMET support. [0]
I migrated the virtual guest between the two Intel hosts whilst
running Cinebench R32.200. No issues were found, but the VM does not
perform well without Hyper-V Enlightenments.

2. Intel with Hyper-V Enlightenments:
QEMU CPU options: -cpu 'host,+hv-evmcs,+hv-ipi,+hv-relaxed,
+hv-runtime,hv-spinlocks=0x1fff,+hv-stimer,+hv-synic,+hv-time,
+hv-tlbflush,+hv-tlbflush-ext,+hv-vapic,+hv-vpindex,+hv-xmm-input,
+kvm_pv_eoi,+kvm_pv_unhalt,level=30,+vmx-mbec'
AvailableSecurityProperties [0]: 1,2,4,5,7
I again migrated the virtual machine between the two Intel hosts
whilst running Cinebench R32.200. No issues were found, but the VM
performs significantly better with Hyper-V Enlightenments set.

3. AMD without Hyper-V Enlightenments:
QEMU CPU options: -cpu 'host,+kvm_pv_eoi,+kvm_pv_unhalt,level=30'
AvailableSecurityProperties [0]: 1,2,4,5,7
I migrated the virtual machine between the two AMD hosts whilst
running Cinebench R32.200. No issues were found.

4. AMD with Hyper-V Enlightenments:
QEMU CPU options: -cpu 'host,+gmet,+hv-emsr-bitmap,+hv-ipi,
+hv-relaxed,+hv-runtime,hv-spinlocks=0x1fff,+hv-stimer,+hv-synic,
+hv-time,+hv-tlbflush,+hv-tlbflush-ext,+hv-vapic,+hv-vpindex,
+hv-xmm-input,+kvm_pv_eoi,+kvm_pv_unhalt,level=30'
AvailableSecurityProperties [0]: 1,2,4,5,7
I again migrated the virtual machine between the two AMD hosts whilst
running Cinebench R32.200. I have not found any issues.

Tested-by: David Riley <d.riley@xxxxxxxxxxx>

[0] https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security
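
One way to repeat the guest-side check from the report above around a live migration, as an added example that is not part of the original message or of the patchset. It reads the Win32_DeviceGuard class described in [0]; the function names and the baseline file path are hypothetical.

```powershell
# Added example. Run inside the Windows guest from an elevated PowerShell
# session, once before and once after the live migration.

function Get-VbsSnapshot {
    # Win32_DeviceGuard is the WMI class documented in [0].
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    [pscustomobject]@{
        Available = ($dg.AvailableSecurityProperties | Sort-Object) -join ','
        Running   = ($dg.SecurityServicesRunning | Sort-Object) -join ','
        VbsStatus = [int]$dg.VirtualizationBasedSecurityStatus
    }
}

function Test-VbsSnapshot {
    param([Parameter(Mandatory)] $Snapshot, $Baseline)
    $problems = @()
    # 7 in AvailableSecurityProperties: MBEC/GMET is visible to the guest.
    if (($Snapshot.Available -split ',') -notcontains '7') {
        $problems += 'AvailableSecurityProperties lacks 7 (MBEC/GMET)'
    }
    # VirtualizationBasedSecurityStatus 2: VBS is enabled and running.
    if ($Snapshot.VbsStatus -ne 2) {
        $problems += "VBS is not running (status $($Snapshot.VbsStatus))"
    }
    # 2 in SecurityServicesRunning: HVCI (memory integrity) is running.
    if (($Snapshot.Running -split ',') -notcontains '2') {
        $problems += 'HVCI is not listed in SecurityServicesRunning'
    }
    # With a baseline, flag anything that differs after the migration.
    if ($Baseline) {
        foreach ($name in 'Available', 'Running', 'VbsStatus') {
            if ("$($Snapshot.$name)" -ne "$($Baseline.$name)") {
                $problems += "$name changed: '$($Baseline.$name)' -> '$($Snapshot.$name)'"
            }
        }
    }
    $problems
}

# Hypothetical baseline location; the first run writes it, later runs compare.
$baselinePath = Join-Path $env:TEMP 'vbs-baseline.json'
$current = Get-VbsSnapshot
$baseline = $null
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
} else {
    $current | ConvertTo-Json | Set-Content $baselinePath
}
$problems = @(Test-VbsSnapshot -Snapshot $current -Baseline $baseline)
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "VBS/HVCI state OK: Available=$($current.Available)" }
```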