> On Dec 23, 2025, at 12:24 AM, Jon Kohler <[email protected]> wrote: > > Enumerate ability to enable Intel Mode-Based Execute Control (MBEC) > on secondary execution control bit 22. > > Intel MBEC is a hardware feature, introduced in the Kabylake > generation, that allows for more granular control over execution > permissions. MBEC enables the separation and tracking of execution > permissions for supervisor (kernel) and user-mode code. It is used as > an accelerator for Microsoft's Memory Integrity [1] (also known as > hypervisor-protected code integrity or HVCI). > > [1] > https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity > > Code is mirrored here: > https://github.com/JonKohler/linux/tree/mbec-v1-6.18 > https://github.com/JonKohler/kvm-unit-tests/tree/mbec-v1 > > LKML thread(s) are here: > Original RFC: > https://lore.kernel.org/all/[email protected]/ > V1 code: https://lore.kernel.org/all/[email protected]/ > KVM unit test changes: > https://lore.kernel.org/all/[email protected]/ > > Cc: Xiaoyao Li <[email protected]> > Cc: Zhao Liu <[email protected]> > Co-authored-by: Jon Kohler <[email protected]> > Co-authored-by: Aditya Desai <[email protected]> > Signed-off-by: Jon Kohler <[email protected]> > --- > target/i386/cpu.c | 6 +++++- > target/i386/cpu.h | 1 + > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/target/i386/cpu.c b/target/i386/cpu.c > index 6417775786..cc81880f28 100644 > --- a/target/i386/cpu.c > +++ b/target/i386/cpu.c > @@ -1623,7 +1623,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { > "vmx-apicv-register", "vmx-apicv-vid", "vmx-ple", > "vmx-rdrand-exit", > "vmx-invpcid-exit", "vmx-vmfunc", "vmx-shadow-vmcs", > "vmx-encls-exit", > "vmx-rdseed-exit", "vmx-pml", NULL, NULL, > - "vmx-xsaves", NULL, NULL, NULL, > + "vmx-xsaves", NULL, "vmx-mbec", NULL, > NULL, "vmx-tsc-scaling", "vmx-enable-user-wait-pause", NULL, > NULL, NULL, NULL, NULL, > }, > @@ -1938,6 +1938,10 @@ static FeatureDep feature_dependencies[] = { > .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_EPT }, > .to = { FEAT_VMX_SECONDARY_CTLS, > VMX_SECONDARY_EXEC_UNRESTRICTED_GUEST }, > }, > + { > + .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_EPT }, > + .to = { FEAT_VMX_SECONDARY_CTLS, > VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC }, > + }, > { > .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_VPID }, > .to = { FEAT_VMX_EPT_VPID_CAPS, 0xffffffffull << 32 }, > diff --git a/target/i386/cpu.h b/target/i386/cpu.h > index cee1f692a1..0869e03208 100644 > --- a/target/i386/cpu.h > +++ b/target/i386/cpu.h > @@ -1330,6 +1330,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU > *cpu, FeatureWord w); > #define VMX_SECONDARY_EXEC_RDSEED_EXITING 0x00010000 > #define VMX_SECONDARY_EXEC_ENABLE_PML 0x00020000 > #define VMX_SECONDARY_EXEC_XSAVES 0x00100000 > +#define VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC 0x00400000 > #define VMX_SECONDARY_EXEC_TSC_SCALING 0x02000000 > #define VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE 0x04000000 > > -- > 2.43.0
Howdy qemu list - pinging this one again. The KVM side is still pending review, but this one is pretty straight forward no matter what direction the KVM side takes. Thanks, Jon
