Enumerate ability to enable Intel Mode-Based Execute Control (MBEC) on secondary execution control bit 22.
Intel MBEC is a hardware feature, introduced in the Kabylake generation, that allows for more granular control over execution permissions. MBEC enables the separation and tracking of execution permissions for supervisor (kernel) and user-mode code. It is used as an accelerator for Microsoft's Memory Integrity [1] (also known as hypervisor-protected code integrity or HVCI). [1] https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity Code is mirrored here: https://github.com/JonKohler/linux/tree/mbec-v1-6.18 https://github.com/JonKohler/kvm-unit-tests/tree/mbec-v1 LKML thread(s) are here: Original RFC: https://lore.kernel.org/all/[email protected]/ V1 code: https://lore.kernel.org/all/[email protected]/ KVM unit test changes: https://lore.kernel.org/all/[email protected]/ Cc: Xiaoyao Li <[email protected]> Cc: Zhao Liu <[email protected]> Co-authored-by: Jon Kohler <[email protected]> Co-authored-by: Aditya Desai <[email protected]> Signed-off-by: Jon Kohler <[email protected]> --- target/i386/cpu.c | 6 +++++- target/i386/cpu.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 6417775786..cc81880f28 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1623,7 +1623,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { "vmx-apicv-register", "vmx-apicv-vid", "vmx-ple", "vmx-rdrand-exit", "vmx-invpcid-exit", "vmx-vmfunc", "vmx-shadow-vmcs", "vmx-encls-exit", "vmx-rdseed-exit", "vmx-pml", NULL, NULL, - "vmx-xsaves", NULL, NULL, NULL, + "vmx-xsaves", NULL, "vmx-mbec", NULL, NULL, "vmx-tsc-scaling", "vmx-enable-user-wait-pause", NULL, NULL, NULL, NULL, NULL, }, @@ -1938,6 +1938,10 @@ static FeatureDep feature_dependencies[] = { .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_EPT }, .to = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_UNRESTRICTED_GUEST }, }, + { + .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_EPT }, + .to = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC }, + }, { .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_VPID }, .to = { FEAT_VMX_EPT_VPID_CAPS, 0xffffffffull << 32 }, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index cee1f692a1..0869e03208 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -1330,6 +1330,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w); #define VMX_SECONDARY_EXEC_RDSEED_EXITING 0x00010000 #define VMX_SECONDARY_EXEC_ENABLE_PML 0x00020000 #define VMX_SECONDARY_EXEC_XSAVES 0x00100000 +#define VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC 0x00400000 #define VMX_SECONDARY_EXEC_TSC_SCALING 0x02000000 #define VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE 0x04000000 -- 2.43.0
