* [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
@ 2026-05-28 3:22 ` Ewan Hai
2026-05-28 3:42 ` sashiko-bot
2026-05-28 3:22 ` [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) " Ewan Hai
` (4 subsequent siblings)
5 siblings, 1 reply; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 3:22 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel
Cc: binbin.wu, ewanhai, cobechen, tonywwang
Advertise the Zhaoxin SM2 instruction support to guests via CPUID
0xC0000001 EDX bits 0 (SM2) and 1 (SM2_EN).
The SM2 instruction (encoding F2 0F A6 C0) implements the SM2
elliptic-curve public-key cryptography algorithm specified in
GM/T 0003-2012; the hardware-level behavior is documented in the
Zhaoxin GMI Instruction Set Reference, chapter 1 ("SM2"). The
instruction multiplexes its sub-functions on the RDX[5:0] control
word: encryption (subsection 1.1), decryption (1.2), signing (1.3),
signature verification (1.4), the three key-exchange sub-operations
of section 1.5 (1.5.1 SM2 key-pair generation, which the spec also
uses for the initiator's ephemeral key; 1.5.2 responder shared-key
derivation; 1.5.3 initiator shared-key derivation), and two
preprocess steps for identity and message hashing (1.6.1 and 1.6.2).
The instruction is unprivileged (no CPL restriction) and available
in all CPU modes, with no associated MSR control. The SM2 and SM2_EN
bits are redundant by hardware design (set or cleared together) and
both serve purely as CPUID-level feature-presence reporting flags
requiring no KVM emulation. Both bits are advertised because
different software may probe either one when checking for SM2
availability.
Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kvm/cpuid.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 1d506e5d6f46..20b33413189c 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -136,6 +136,8 @@
#define X86_FEATURE_HYPERVISOR ( 4*32+31) /* "hypervisor" Running on a hypervisor */
/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
+#define X86_FEATURE_SM2 ( 5*32+ 0) /* "sm2" SM2 algorithm */
+#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
#define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */
#define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */
#define X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
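Review bot: The comments on the two added defines, "SM2 algorithm" and "SM2 enabled", read like the present/enabled wording of the XSTORE pair just below, but the changelog says SM2 and SM2_EN are set or cleared together by hardware design. Say that in the header, for example in a one-line comment above the pair, so a reader of cpufeatures.h does not assume SM2_EN can differ from SM2.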
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index e69156b54cff..1eb4b88aaa80 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1272,6 +1272,8 @@ void kvm_initialize_cpu_caps(void)
kvm_cpu_cap_set(X86_FEATURE_NULL_SEL_CLR_BASE);
kvm_cpu_cap_init(CPUID_C000_0001_EDX,
+ F(SM2),
+ F(SM2_EN),
F(XSTORE),
F(XSTORE_EN),
F(XCRYPT),
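Review bot: F(SM2) and F(SM2_EN) are added as plain F() entries, and the changelog says the instruction has no CPL restriction, no MSR control and needs no KVM emulation, but it does not say what happens in a guest whose VMM clears these bits. Please state in the changelog whether the instruction still executes in a guest whose CPUID hides SM2, because if it does the bits are reporting only and cannot be used to withhold the instruction from a guest.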
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature
2026-05-28 3:22 ` [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature Ewan Hai
@ 2026-05-28 3:42 ` sashiko-bot
2026-05-28 7:09 ` Ewan Hai
0 siblings, 1 reply; 16+ messages in thread
From: sashiko-bot @ 2026-05-28 3:42 UTC (permalink / raw)
To: Ewan Hai; +Cc: kvm
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] The patch modifies `arch/x86/include/asm/cpufeatures.h` without syncing the changes to the tooling copy at `tools/arch/x86/include/asm/cpufeatures.h`.
--
commit 17e8fbfd326bc812ee6f132253d520b0c7201874
Author: Ewan Hai <ewandevelop@gmail.com>
KVM: x86: Expose Zhaoxin SM2 CPUID feature
This commit advertises the Zhaoxin SM2 algorithm and SM2_EN features to KVM
guests via CPUID 0xC0000001 EDX bits 0 and 1. It updates the CPU features
header and the KVM CPU caps initialization.
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 1d506e5d6f46a..20b33413189c2 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -136,6 +136,8 @@
> #define X86_FEATURE_HYPERVISOR ( 4*32+31) /* "hypervisor" Running on a hypervisor */
>
> /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
> +#define X86_FEATURE_SM2 ( 5*32+ 0) /* "sm2" SM2 algorithm */
> +#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
[Severity: Low]
Since arch/x86/include/asm/cpufeatures.h is modified here, should this patch
also update the tooling copy at tools/arch/x86/include/asm/cpufeatures.h?
Without syncing the tooling header, tools/perf/check-headers.sh will emit a
warning during the perf tools build process indicating that the kernel ABI
header differs from the tooling version.
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260528032234.1322565-1-ewandevelop@gmail.com?part=1
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature
2026-05-28 3:42 ` sashiko-bot
@ 2026-05-28 7:09 ` Ewan Hai
2026-05-28 12:49 ` Sean Christopherson
0 siblings, 1 reply; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 7:09 UTC (permalink / raw)
To: sashiko-reviews; +Cc: kvm
good catch, I'll fold that into v3.
On Thu, May 28, 2026 at 11:42 AM <sashiko-bot@kernel.org> wrote:
>
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Low] The patch modifies `arch/x86/include/asm/cpufeatures.h` without syncing the changes to the tooling copy at `tools/arch/x86/include/asm/cpufeatures.h`.
> --
>
> commit 17e8fbfd326bc812ee6f132253d520b0c7201874
> Author: Ewan Hai <ewandevelop@gmail.com>
>
> KVM: x86: Expose Zhaoxin SM2 CPUID feature
>
> This commit advertises the Zhaoxin SM2 algorithm and SM2_EN features to KVM
> guests via CPUID 0xC0000001 EDX bits 0 and 1. It updates the CPU features
> header and the KVM CPU caps initialization.
>
> > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> > index 1d506e5d6f46a..20b33413189c2 100644
> > --- a/arch/x86/include/asm/cpufeatures.h
> > +++ b/arch/x86/include/asm/cpufeatures.h
> > @@ -136,6 +136,8 @@
> > #define X86_FEATURE_HYPERVISOR ( 4*32+31) /* "hypervisor" Running on a hypervisor */
> >
> > /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
> > +#define X86_FEATURE_SM2 ( 5*32+ 0) /* "sm2" SM2 algorithm */
> > +#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
>
> [Severity: Low]
> Since arch/x86/include/asm/cpufeatures.h is modified here, should this patch
> also update the tooling copy at tools/arch/x86/include/asm/cpufeatures.h?
>
> Without syncing the tooling header, tools/perf/check-headers.sh will emit a
> warning during the perf tools build process indicating that the kernel ABI
> header differs from the tooling version.
>
> [ ... ]
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260528032234.1322565-1-ewandevelop@gmail.com?part=1
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature
2026-05-28 7:09 ` Ewan Hai
@ 2026-05-28 12:49 ` Sean Christopherson
2026-05-28 13:35 ` Ewan Hai
0 siblings, 1 reply; 16+ messages in thread
From: Sean Christopherson @ 2026-05-28 12:49 UTC (permalink / raw)
To: Ewan Hai; +Cc: sashiko-reviews, kvm
On Thu, May 28, 2026, Ewan Hai wrote:
> On Thu, May 28, 2026 at 11:42 AM <sashiko-bot@kernel.org> wrote:
> >
> > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> > - [Low] The patch modifies `arch/x86/include/asm/cpufeatures.h` without syncing the changes to the tooling copy at `tools/arch/x86/include/asm/cpufeatures.h`.
> > --
> >
> > commit 17e8fbfd326bc812ee6f132253d520b0c7201874
> > Author: Ewan Hai <ewandevelop@gmail.com>
> >
> > KVM: x86: Expose Zhaoxin SM2 CPUID feature
> >
> > This commit advertises the Zhaoxin SM2 algorithm and SM2_EN features to KVM
> > guests via CPUID 0xC0000001 EDX bits 0 and 1. It updates the CPU features
> > header and the KVM CPU caps initialization.
> >
> > > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> > > index 1d506e5d6f46a..20b33413189c2 100644
> > > --- a/arch/x86/include/asm/cpufeatures.h
> > > +++ b/arch/x86/include/asm/cpufeatures.h
> > > @@ -136,6 +136,8 @@
> > > #define X86_FEATURE_HYPERVISOR ( 4*32+31) /* "hypervisor" Running on a hypervisor */
> > >
> > > /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
> > > +#define X86_FEATURE_SM2 ( 5*32+ 0) /* "sm2" SM2 algorithm */
> > > +#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
> >
> > [Severity: Low]
> > Since arch/x86/include/asm/cpufeatures.h is modified here, should this patch
> > also update the tooling copy at tools/arch/x86/include/asm/cpufeatures.h?
> >
> > Without syncing the tooling header, tools/perf/check-headers.sh will emit a
> > warning during the perf tools build process indicating that the kernel ABI
> > header differs from the tooling version.
>
> good catch, I'll fold that into v3.
No, ignore Sashiko. The perf tooling folks keep the tools/ headers synchronized,
they are very deliberately not used by KVM selftests.
P.S. Please don't top-post.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature
2026-05-28 12:49 ` Sean Christopherson
@ 2026-05-28 13:35 ` Ewan Hai
0 siblings, 0 replies; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 13:35 UTC (permalink / raw)
To: Sean Christopherson; +Cc: sashiko-reviews, kvm
On Thu, May 28, 2026 at 8:49 PM Sean Christopherson <seanjc@google.com> wrote:
>
> On Thu, May 28, 2026, Ewan Hai wrote:
> > On Thu, May 28, 2026 at 11:42 AM <sashiko-bot@kernel.org> wrote:
> > >
> > > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> > > - [Low] The patch modifies `arch/x86/include/asm/cpufeatures.h` without syncing the changes to the tooling copy at `tools/arch/x86/include/asm/cpufeatures.h`.
> > > --
> > >
> > > commit 17e8fbfd326bc812ee6f132253d520b0c7201874
> > > Author: Ewan Hai <ewandevelop@gmail.com>
> > >
> > > KVM: x86: Expose Zhaoxin SM2 CPUID feature
> > >
> > > This commit advertises the Zhaoxin SM2 algorithm and SM2_EN features to KVM
> > > guests via CPUID 0xC0000001 EDX bits 0 and 1. It updates the CPU features
> > > header and the KVM CPU caps initialization.
> > >
> > > > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> > > > index 1d506e5d6f46a..20b33413189c2 100644
> > > > --- a/arch/x86/include/asm/cpufeatures.h
> > > > +++ b/arch/x86/include/asm/cpufeatures.h
> > > > @@ -136,6 +136,8 @@
> > > > #define X86_FEATURE_HYPERVISOR ( 4*32+31) /* "hypervisor" Running on a hypervisor */
> > > >
> > > > /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
> > > > +#define X86_FEATURE_SM2 ( 5*32+ 0) /* "sm2" SM2 algorithm */
> > > > +#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
> > >
> > > [Severity: Low]
> > > Since arch/x86/include/asm/cpufeatures.h is modified here, should this patch
> > > also update the tooling copy at tools/arch/x86/include/asm/cpufeatures.h?
> > >
> > > Without syncing the tooling header, tools/perf/check-headers.sh will emit a
> > > warning during the perf tools build process indicating that the kernel ABI
> > > header differs from the tooling version.
> >
> > good catch, I'll fold that into v3.
>
> No, ignore Sashiko. The perf tooling folks keep the tools/ headers synchronized,
> they are very deliberately not used by KVM selftests.
>
Got it!
> P.S. Please don't top-post.
>
Apologies, won't top-post again.
> https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) CPUID feature
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
2026-05-28 3:22 ` [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature Ewan Hai
@ 2026-05-28 3:22 ` Ewan Hai
2026-06-02 7:30 ` Binbin Wu
2026-05-28 3:22 ` [PATCH v2 3/5] KVM: x86: Expose Zhaoxin RNG2 " Ewan Hai
` (3 subsequent siblings)
5 siblings, 1 reply; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 3:22 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel
Cc: binbin.wu, ewanhai, cobechen, tonywwang
Advertise the Zhaoxin CCS (Chinese Cryptography Standard) feature to
guests via CPUID 0xC0000001 EDX bits 4 (CCS) and 5 (CCS_EN). CCS groups
two user-mode instructions for Chinese national cryptographic
primitives, documented in the Zhaoxin GMI Instruction Set Reference,
chapter 2 ("CCS instruction group"):
- SM3 (encoding F3 0F A6 E8, subsection 2.1) implements the SM3 hash
algorithm specified in GM/T 0004-2012. It supports two modes
selected by RAX: auto-padding stream mode (RAX=0) and pre-padded
block mode (RAX=-1).
- SM4 (encoding F3 0F A7 F0, subsection 2.2) implements the SM4 block
cipher specified in GM/T 0002-2012, supporting ECB / CBC / CFB /
OFB / CTR modes via a control word in RAX, and CBC-MAC / CFB-MAC
when RAX bit[11] is set.
Both instructions are unprivileged (no CPL restriction) and available
in all CPU modes, with no associated MSR control. The CCS and CCS_EN
bits are redundant by hardware design (set or cleared together) and
both serve purely as CPUID-level feature-presence reporting flags
requiring no KVM emulation. Both bits are advertised because different
software may probe either one when checking for CCS availability.
Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kvm/cpuid.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 20b33413189c..276e4ef90bd0 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -140,6 +140,8 @@
#define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
#define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */
#define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */
+#define X86_FEATURE_CCS ( 5*32+ 4) /* "ccs" SM3 + SM4 instructions */
+#define X86_FEATURE_CCS_EN ( 5*32+ 5) /* "ccs_en" CCS enabled */
#define X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
#define X86_FEATURE_XCRYPT_EN ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
#define X86_FEATURE_ACE2 ( 5*32+ 8) /* "ace2" Advanced Cryptography Engine v2 */
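Review bot: The comment on X86_FEATURE_CCS, "SM3 + SM4 instructions", never expands CCS, and the changelog is the only place that gives it as Chinese Cryptography Standard. Put the expansion in the comment, e.g. `/* "ccs" Chinese Cryptography Standard (SM3 + SM4) */`, so the header stands on its own.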
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 1eb4b88aaa80..8aaa3f20670e 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1276,6 +1276,8 @@ void kvm_initialize_cpu_caps(void)
F(SM2_EN),
F(XSTORE),
F(XSTORE_EN),
+ F(CCS),
+ F(CCS_EN),
F(XCRYPT),
F(XCRYPT_EN),
F(ACE2),
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) CPUID feature
2026-05-28 3:22 ` [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) " Ewan Hai
@ 2026-06-02 7:30 ` Binbin Wu
2026-06-02 7:49 ` Ewan Hai
0 siblings, 1 reply; 16+ messages in thread
From: Binbin Wu @ 2026-06-02 7:30 UTC (permalink / raw)
To: Ewan Hai
Cc: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel, ewanhai, cobechen, tonywwang
On 5/28/2026 11:22 AM, Ewan Hai wrote:
> Advertise the Zhaoxin CCS (Chinese Cryptography Standard) feature to
> guests via CPUID 0xC0000001 EDX bits 4 (CCS) and 5 (CCS_EN). CCS groups
> two user-mode instructions for Chinese national cryptographic
^
Nit:
It's supposed to be replaced?
> primitives, documented in the Zhaoxin GMI Instruction Set Reference,
> chapter 2 ("CCS instruction group"):
>
> - SM3 (encoding F3 0F A6 E8, subsection 2.1) implements the SM3 hash
> algorithm specified in GM/T 0004-2012. It supports two modes
> selected by RAX: auto-padding stream mode (RAX=0) and pre-padded
> block mode (RAX=-1).
>
> - SM4 (encoding F3 0F A7 F0, subsection 2.2) implements the SM4 block
> cipher specified in GM/T 0002-2012, supporting ECB / CBC / CFB /
> OFB / CTR modes via a control word in RAX, and CBC-MAC / CFB-MAC
> when RAX bit[11] is set.
>
> Both instructions are unprivileged (no CPL restriction) and available
> in all CPU modes, with no associated MSR control. The CCS and CCS_EN
> bits are redundant by hardware design (set or cleared together) and
> both serve purely as CPUID-level feature-presence reporting flags
> requiring no KVM emulation. Both bits are advertised because different
> software may probe either one when checking for CCS availability.
>
> Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
> ---
> arch/x86/include/asm/cpufeatures.h | 2 ++
> arch/x86/kvm/cpuid.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 20b33413189c..276e4ef90bd0 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -140,6 +140,8 @@
> #define X86_FEATURE_SM2_EN ( 5*32+ 1) /* "sm2_en" SM2 enabled */
> #define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */
> #define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */
> +#define X86_FEATURE_CCS ( 5*32+ 4) /* "ccs" SM3 + SM4 instructions */
> +#define X86_FEATURE_CCS_EN ( 5*32+ 5) /* "ccs_en" CCS enabled */
> #define X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
> #define X86_FEATURE_XCRYPT_EN ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
> #define X86_FEATURE_ACE2 ( 5*32+ 8) /* "ace2" Advanced Cryptography Engine v2 */
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 1eb4b88aaa80..8aaa3f20670e 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -1276,6 +1276,8 @@ void kvm_initialize_cpu_caps(void)
> F(SM2_EN),
> F(XSTORE),
> F(XSTORE_EN),
> + F(CCS),
> + F(CCS_EN),
> F(XCRYPT),
> F(XCRYPT_EN),
> F(ACE2),
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) CPUID feature
2026-06-02 7:30 ` Binbin Wu
@ 2026-06-02 7:49 ` Ewan Hai
0 siblings, 0 replies; 16+ messages in thread
From: Ewan Hai @ 2026-06-02 7:49 UTC (permalink / raw)
To: Binbin Wu
Cc: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel, ewanhai, cobechen, tonywwang
On Tue, Jun 2, 2026 at 3:30 PM Binbin Wu <binbin.wu@linux.intel.com> wrote:
>
>
>
> On 5/28/2026 11:22 AM, Ewan Hai wrote:
> > Advertise the Zhaoxin CCS (Chinese Cryptography Standard) feature to
> > guests via CPUID 0xC0000001 EDX bits 4 (CCS) and 5 (CCS_EN). CCS groups
> > two user-mode instructions for Chinese national cryptographic
> ^
> Nit:
> It's supposed to be replaced?
>
Good catch, thanks. Sweeping the series I also found the same
"user-mode" leftover in patch 5 (RSA), "provides two user-mode
instructions for modular arithmetic on big integers". Will tighten
patch 2, 4, and 5 to "unprivileged" in v3.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH v2 3/5] KVM: x86: Expose Zhaoxin RNG2 CPUID feature
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
2026-05-28 3:22 ` [PATCH v2 1/5] KVM: x86: Expose Zhaoxin SM2 CPUID feature Ewan Hai
2026-05-28 3:22 ` [PATCH v2 2/5] KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) " Ewan Hai
@ 2026-05-28 3:22 ` Ewan Hai
2026-05-28 3:22 ` [PATCH v2 4/5] KVM: x86: Expose Zhaoxin PHE2 " Ewan Hai
` (2 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 3:22 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel
Cc: binbin.wu, ewanhai, cobechen, tonywwang
Advertise the Zhaoxin second-generation hardware RNG to guests via
CPUID 0xC0000001 EDX bits 22 (RNG2) and 23 (RNG2_EN).
RNG2 is exposed by the REP XRNG2 instruction (encoding F3 0F A7 F8),
documented in the Zhaoxin PadLock Instruction Reference, subsection 1.3
("REP XRNG2"). It produces random bytes from two on-die RNG sources
selectable via RAX bits[10:9] and an output mode (raw vs post-processed)
controlled by RDX bits[1:0], providing high-quality entropy intended
for cryptographic operations.
REP XRNG2 is unprivileged (no CPL restriction) and available in all
CPU modes, with no associated MSR control. The RNG2 and RNG2_EN bits
are redundant by hardware design (set or cleared together) and both
serve purely as CPUID-level feature-presence reporting flags requiring
no KVM emulation. Both bits are advertised because different software
may probe either one when checking for RNG2 availability.
Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kvm/cpuid.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 276e4ef90bd0..e264758d58e2 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -150,6 +150,8 @@
#define X86_FEATURE_PHE_EN ( 5*32+11) /* "phe_en" PHE enabled */
#define X86_FEATURE_PMM ( 5*32+12) /* "pmm" PadLock Montgomery Multiplier */
#define X86_FEATURE_PMM_EN ( 5*32+13) /* "pmm_en" PMM enabled */
+#define X86_FEATURE_RNG2 ( 5*32+22) /* "rng2" RNG v2 */
+#define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
/* More extended AMD flags: CPUID level 0x80000001, ECX, word 6 */
#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* "lahf_lm" LAHF/SAHF in long mode */
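Review bot: The added RNG2 defines jump from bit 13 (PMM_EN) to bits 22 and 23, and nothing in the hunk says what bits 14 to 21 are. A short comment that those bits are reserved or intentionally not defined here would make it clear the gap is deliberate and not a typo in the bit index.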
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 8aaa3f20670e..087c41341240 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1286,6 +1286,8 @@ void kvm_initialize_cpu_caps(void)
F(PHE_EN),
F(PMM),
F(PMM_EN),
+ F(RNG2),
+ F(RNG2_EN),
);
/*
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v2 4/5] KVM: x86: Expose Zhaoxin PHE2 CPUID feature
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
` (2 preceding siblings ...)
2026-05-28 3:22 ` [PATCH v2 3/5] KVM: x86: Expose Zhaoxin RNG2 " Ewan Hai
@ 2026-05-28 3:22 ` Ewan Hai
2026-06-02 7:29 ` Binbin Wu
2026-05-28 3:22 ` [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA " Ewan Hai
2026-06-02 7:32 ` [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Binbin Wu
5 siblings, 1 reply; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 3:22 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel
Cc: binbin.wu, ewanhai, cobechen, tonywwang
Advertise the Zhaoxin PadLock Hash Engine v2 to guests via CPUID
0xC0000001 EDX bits 25 (PHE2) and 26 (PHE2_EN). PHE2 extends the
PadLock hash family with SHA-384 and SHA-512 support per FIPS 180-3,
complementing the existing PHE feature (SHA-1 and SHA-256).
Two user-mode instructions are exposed, documented in the Zhaoxin
PadLock Instruction Reference, chapter 3 ("Hash Engine"):
- REP XSHA384 (encoding F3 0F A6 D8, subsection 3.3)
- REP XSHA512 (encoding F3 0F A6 E0, subsection 3.4)
Both consume software-padded 128-byte blocks (RCX = block count, RSI =
input, RDI = state) and produce hash output in the state buffer.
Both instructions are unprivileged (no CPL restriction) and available
in all CPU modes, with no associated MSR control. The PHE2 and PHE2_EN
bits are redundant by hardware design (set or cleared together) and
both serve purely as CPUID-level feature-presence reporting flags
requiring no KVM emulation. Both bits are advertised because different
software may probe either one when checking for PHE2 availability.
Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kvm/cpuid.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index e264758d58e2..3702d7a30ae6 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -152,6 +152,8 @@
#define X86_FEATURE_PMM_EN ( 5*32+13) /* "pmm_en" PMM enabled */
#define X86_FEATURE_RNG2 ( 5*32+22) /* "rng2" RNG v2 */
#define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
+#define X86_FEATURE_PHE2 ( 5*32+25) /* "phe2" PadLock Hash Engine v2 */
+#define X86_FEATURE_PHE2_EN ( 5*32+26) /* "phe2_en" PHE2 enabled */
/* More extended AMD flags: CPUID level 0x80000001, ECX, word 6 */
#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* "lahf_lm" LAHF/SAHF in long mode */
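Review bot: The comment on X86_FEATURE_PHE2, "PadLock Hash Engine v2", does not say what v2 adds over PHE; the changelog gives that as SHA-384 and SHA-512. Consider `/* "phe2" PadLock Hash Engine v2 (SHA-384/SHA-512) */`, and note in the same place that bit 24 is skipped after RNG2_EN.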
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 087c41341240..3fb81f7a6107 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1288,6 +1288,8 @@ void kvm_initialize_cpu_caps(void)
F(PMM_EN),
F(RNG2),
F(RNG2_EN),
+ F(PHE2),
+ F(PHE2_EN),
);
/*
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH v2 4/5] KVM: x86: Expose Zhaoxin PHE2 CPUID feature
2026-05-28 3:22 ` [PATCH v2 4/5] KVM: x86: Expose Zhaoxin PHE2 " Ewan Hai
@ 2026-06-02 7:29 ` Binbin Wu
0 siblings, 0 replies; 16+ messages in thread
From: Binbin Wu @ 2026-06-02 7:29 UTC (permalink / raw)
To: Ewan Hai
Cc: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel, ewanhai, cobechen, tonywwang
On 5/28/2026 11:22 AM, Ewan Hai wrote:
> Advertise the Zhaoxin PadLock Hash Engine v2 to guests via CPUID
> 0xC0000001 EDX bits 25 (PHE2) and 26 (PHE2_EN). PHE2 extends the
> PadLock hash family with SHA-384 and SHA-512 support per FIPS 180-3,
> complementing the existing PHE feature (SHA-1 and SHA-256).
>
> Two user-mode instructions are exposed, documented in the Zhaoxin
^
Nit:
It's supposed to be replaced?
> PadLock Instruction Reference, chapter 3 ("Hash Engine"):
>
> - REP XSHA384 (encoding F3 0F A6 D8, subsection 3.3)
> - REP XSHA512 (encoding F3 0F A6 E0, subsection 3.4)
>
> Both consume software-padded 128-byte blocks (RCX = block count, RSI =
> input, RDI = state) and produce hash output in the state buffer.
>
> Both instructions are unprivileged (no CPL restriction) and available
> in all CPU modes, with no associated MSR control. The PHE2 and PHE2_EN
> bits are redundant by hardware design (set or cleared together) and
> both serve purely as CPUID-level feature-presence reporting flags
> requiring no KVM emulation. Both bits are advertised because different
> software may probe either one when checking for PHE2 availability.
>
> Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
> ---
> arch/x86/include/asm/cpufeatures.h | 2 ++
> arch/x86/kvm/cpuid.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index e264758d58e2..3702d7a30ae6 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -152,6 +152,8 @@
> #define X86_FEATURE_PMM_EN ( 5*32+13) /* "pmm_en" PMM enabled */
> #define X86_FEATURE_RNG2 ( 5*32+22) /* "rng2" RNG v2 */
> #define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
> +#define X86_FEATURE_PHE2 ( 5*32+25) /* "phe2" PadLock Hash Engine v2 */
> +#define X86_FEATURE_PHE2_EN ( 5*32+26) /* "phe2_en" PHE2 enabled */
>
> /* More extended AMD flags: CPUID level 0x80000001, ECX, word 6 */
> #define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* "lahf_lm" LAHF/SAHF in long mode */
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 087c41341240..3fb81f7a6107 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -1288,6 +1288,8 @@ void kvm_initialize_cpu_caps(void)
> F(PMM_EN),
> F(RNG2),
> F(RNG2_EN),
> + F(PHE2),
> + F(PHE2_EN),
> );
>
> /*
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA CPUID feature
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
` (3 preceding siblings ...)
2026-05-28 3:22 ` [PATCH v2 4/5] KVM: x86: Expose Zhaoxin PHE2 " Ewan Hai
@ 2026-05-28 3:22 ` Ewan Hai
2026-05-28 5:03 ` sashiko-bot
2026-06-02 7:32 ` [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Binbin Wu
5 siblings, 1 reply; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 3:22 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel
Cc: binbin.wu, ewanhai, cobechen, tonywwang
Advertise the Zhaoxin big-number arithmetic engine to guests via
CPUID 0xC0000001 EDX bits 27 (RSA) and 28 (RSA_EN). The RSA feature
provides two user-mode instructions for modular arithmetic on big
integers, documented in the Zhaoxin PadLock Instruction Reference,
chapter 4 ("Modular Multiplication and Exponentiation Engine"). Both
support operand sizes from 256 to 32768 bits (in 128-bit increments):
- REP XMODEXP (encoding F3 0F A6 F8, subsection 4.1) computes
A^B mod M
- REP MONTMUL2 (encoding F3 0F A6 F0, subsection 4.2) computes
A*B mod M
REP MONTMUL2 is the long-mode replacement of legacy REP MONTMUL, which
is restricted to compatibility and 32-bit protected modes. These
primitives accelerate RSA and related public-key operations.
Both instructions are unprivileged (no CPL restriction) and available
in all CPU modes, with no associated MSR control. The RSA and RSA_EN
bits are redundant by hardware design (set or cleared together) and
both serve purely as CPUID-level feature-presence reporting flags
requiring no KVM emulation. Both bits are advertised because different
software may probe either one when checking for RSA availability.
Signed-off-by: Ewan Hai <ewandevelop@gmail.com>
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kvm/cpuid.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 3702d7a30ae6..a769c83588f7 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -154,6 +154,8 @@
#define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
#define X86_FEATURE_PHE2 ( 5*32+25) /* "phe2" PadLock Hash Engine v2 */
#define X86_FEATURE_PHE2_EN ( 5*32+26) /* "phe2_en" PHE2 enabled */
+#define X86_FEATURE_RSA ( 5*32+27) /* "rsa" Big-number arithmetic */
+#define X86_FEATURE_RSA_EN ( 5*32+28) /* "rsa_en" RSA enabled */
/* More extended AMD flags: CPUID level 0x80000001, ECX, word 6 */
#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* "lahf_lm" LAHF/SAHF in long mode */
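Review bot: X86_FEATURE_RSA is commented as "Big-number arithmetic", and the changelog describes modular exponentiation and multiplication (REP XMODEXP, REP MONTMUL2), so the flag name promises more than the feature provides. If the name has to follow the vendor's CPUID naming, say so in the comment and name the two instructions there, so nobody reads "rsa" as a complete RSA implementation.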
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 3fb81f7a6107..94ea9abae566 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1290,6 +1290,8 @@ void kvm_initialize_cpu_caps(void)
F(RNG2_EN),
F(PHE2),
F(PHE2_EN),
+ F(RSA),
+ F(RSA_EN),
);
/*
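Review bot: F(RSA) and F(RSA_EN) let a guest discover REP XMODEXP and REP MONTMUL2, which the changelog says are unprivileged and accept operands up to 32768 bits, yet it does not say whether a long-running operation can be interrupted. Please add to the changelog whether these REP instructions are interruptible and what the worst-case latency is for the largest operand size, so the host-side scheduling impact can be judged.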
--
2.34.1
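The five changelogs above each say the present and enabled bits are set or cleared together and that software may probe either one, so a guest CPUID model that masks only one bit of a pair still shows the feature to some software. The following C check for that condition is an added example, not code from this series or from KVM; the struct, enum and function names are hypothetical, the bit positions are the ones given in the patches, and the EDX sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Present/enabled bit pairs in CPUID 0xC0000001 EDX, positions as given in
 * the five patches of this series. All names here are hypothetical; they are
 * not kernel or KVM identifiers.
 */
struct zx_pair {
    const char *name;
    unsigned present_bit;
    unsigned enabled_bit;
};

static const struct zx_pair zx_pairs[] = {
    { "sm2",   0,  1 },
    { "ccs",   4,  5 },
    { "rng2", 22, 23 },
    { "phe2", 25, 26 },
    { "rsa",  27, 28 },
};
#define ZX_NPAIRS (sizeof(zx_pairs) / sizeof(zx_pairs[0]))

enum zx_state { ZX_ABSENT, ZX_PRESENT, ZX_MISMATCH };

/* Classify one pair: both bits clear, both set, or the two bits disagree. */
enum zx_state zx_pair_state(uint32_t edx, const struct zx_pair *p)
{
    unsigned present = (edx >> p->present_bit) & 1u;
    unsigned enabled = (edx >> p->enabled_bit) & 1u;

    if (present != enabled)
        return ZX_MISMATCH;
    return present ? ZX_PRESENT : ZX_ABSENT;
}

/* Bitmask over zx_pairs[] indexes: pairs reported with both bits set. */
unsigned zx_reported_pairs(uint32_t edx)
{
    unsigned mask = 0;

    for (size_t i = 0; i < ZX_NPAIRS; i++)
        if (zx_pair_state(edx, &zx_pairs[i]) == ZX_PRESENT)
            mask |= 1u << i;
    return mask;
}

/*
 * Bitmask over zx_pairs[] indexes: pairs where only one bit is set. Software
 * probing the set bit still sees the feature, so a CPUID model that meant to
 * hide it has not done so.
 */
unsigned zx_mismatched_pairs(uint32_t edx)
{
    unsigned mask = 0;

    for (size_t i = 0; i < ZX_NPAIRS; i++)
        if (zx_pair_state(edx, &zx_pairs[i]) == ZX_MISMATCH)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    /* Constructed EDX values: all five pairs set; same with only bit 27
     * (RSA) cleared while bit 28 (RSA_EN) stays set; nothing set. */
    static const uint32_t samples[] = { 0x1EC00033u, 0x16C00033u, 0x0u };
    static const char *const label[] = { "absent", "present", "MISMATCH" };

    for (size_t s = 0; s < sizeof(samples) / sizeof(samples[0]); s++) {
        printf("EDX=0x%08x\n", (unsigned)samples[s]);
        for (size_t i = 0; i < ZX_NPAIRS; i++)
            printf("  %-5s %s\n", zx_pairs[i].name,
                   label[zx_pair_state(samples[s], &zx_pairs[i])]);
    }
    return 0;
}
```

The functions take the EDX value as an argument, so the check can be run against a VMM's configured CPUID table as well as against a value read inside a guest.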
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA CPUID feature
2026-05-28 3:22 ` [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA " Ewan Hai
@ 2026-05-28 5:03 ` sashiko-bot
2026-05-28 7:14 ` Ewan Hai
0 siblings, 1 reply; 16+ messages in thread
From: sashiko-bot @ 2026-05-28 5:03 UTC (permalink / raw)
To: Ewan Hai; +Cc: kvm
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Exposing the RSA big-number arithmetic engine to untrusted guests creates a severe local denial-of-service vulnerability (Instruction Time DoS).
- [Low] The newly added X86_FEATURE_RSA and X86_FEATURE_RSA_EN flags were not synchronized to the tools/ directory.
--
commit 39b1d23089ffb8d188fc17bb71d4da69fbf1ff4a
Author: Ewan Hai <ewandevelop@gmail.com>
KVM: x86: Expose Zhaoxin RSA CPUID feature
This patch advertises the Zhaoxin big-number arithmetic engine to guests
by exposing the RSA and RSA_EN CPUID feature flags. It allows guests to
use REP XMODEXP and REP MONTMUL2 instructions for accelerating public-key
operations.
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 3702d7a30ae61..a769c83588f7c 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -154,6 +154,8 @@
> #define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
> #define X86_FEATURE_PHE2 ( 5*32+25) /* "phe2" PadLock Hash Engine v2 */
> #define X86_FEATURE_PHE2_EN ( 5*32+26) /* "phe2_en" PHE2 enabled */
> +#define X86_FEATURE_RSA ( 5*32+27) /* "rsa" Big-number arithmetic */
> +#define X86_FEATURE_RSA_EN ( 5*32+28) /* "rsa_en" RSA enabled */
[Severity: Low]
Should these new flags also be synchronized to
tools/arch/x86/include/asm/cpufeatures.h?
It looks like check-tools-headers might warn during the build if the tools
header isn't kept in sync with the main cpufeatures.h additions.
[ ... ]
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 3fb81f7a61076..94ea9abae566d 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -1290,6 +1290,8 @@ void kvm_initialize_cpu_caps(void)
> F(RNG2_EN),
> F(PHE2),
> F(PHE2_EN),
> + F(RSA),
> + F(RSA_EN),
[Severity: High]
Does exposing these instructions to untrusted guests risk a denial of
service?
Since REP XMODEXP and REP MONTMUL2 are unprivileged and support operands up
to 32768 bits, can a guest user-space application force the physical CPU core
into a prolonged computation?
If the hardware doesn't efficiently yield to external host interrupts during
these massive operations, it seems like this could stall the host, delaying
interrupts and VM-exits, potentially triggering host RCU stalls or watchdog
lockups.
> );
>
> /*
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260528032234.1322565-1-ewandevelop@gmail.com?part=5
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA CPUID feature
2026-05-28 5:03 ` sashiko-bot
@ 2026-05-28 7:14 ` Ewan Hai
0 siblings, 0 replies; 16+ messages in thread
From: Ewan Hai @ 2026-05-28 7:14 UTC (permalink / raw)
To: sashiko-reviews; +Cc: kvm
On Thu, May 28, 2026 at 1:03 PM <sashiko-bot@kernel.org> wrote:
>
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [High] Exposing the RSA big-number arithmetic engine to untrusted guests creates a severe local denial-of-service vulnerability (Instruction Time DoS).
> - [Low] The newly added X86_FEATURE_RSA and X86_FEATURE_RSA_EN flags were not synchronized to the tools/ directory.
> --
>
> commit 39b1d23089ffb8d188fc17bb71d4da69fbf1ff4a
> Author: Ewan Hai <ewandevelop@gmail.com>
>
> KVM: x86: Expose Zhaoxin RSA CPUID feature
>
> This patch advertises the Zhaoxin big-number arithmetic engine to guests
> by exposing the RSA and RSA_EN CPUID feature flags. It allows guests to
> use REP XMODEXP and REP MONTMUL2 instructions for accelerating public-key
> operations.
>
> > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> > index 3702d7a30ae61..a769c83588f7c 100644
> > --- a/arch/x86/include/asm/cpufeatures.h
> > +++ b/arch/x86/include/asm/cpufeatures.h
> > @@ -154,6 +154,8 @@
> > #define X86_FEATURE_RNG2_EN ( 5*32+23) /* "rng2_en" RNG2 enabled */
> > #define X86_FEATURE_PHE2 ( 5*32+25) /* "phe2" PadLock Hash Engine v2 */
> > #define X86_FEATURE_PHE2_EN ( 5*32+26) /* "phe2_en" PHE2 enabled */
> > +#define X86_FEATURE_RSA ( 5*32+27) /* "rsa" Big-number arithmetic */
> > +#define X86_FEATURE_RSA_EN ( 5*32+28) /* "rsa_en" RSA enabled */
>
> [Severity: Low]
> Should these new flags also be synchronized to
> tools/arch/x86/include/asm/cpufeatures.h?
>
> It looks like check-tools-headers might warn during the build if the tools
> header isn't kept in sync with the main cpufeatures.h additions.
I'll fold that into v3.
>
> [ ... ]
>
> > diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> > index 3fb81f7a61076..94ea9abae566d 100644
> > --- a/arch/x86/kvm/cpuid.c
> > +++ b/arch/x86/kvm/cpuid.c
> > @@ -1290,6 +1290,8 @@ void kvm_initialize_cpu_caps(void)
> > F(RNG2_EN),
> > F(PHE2),
> > F(PHE2_EN),
> > + F(RSA),
> > + F(RSA_EN),
>
> [Severity: High]
> Does exposing these instructions to untrusted guests risk a denial of
> service?
>
> Since REP XMODEXP and REP MONTMUL2 are unprivileged and support operands up
> to 32768 bits, can a guest user-space application force the physical CPU core
> into a prolonged computation?
>
> If the hardware doesn't efficiently yield to external host interrupts during
> these massive operations, it seems like this could stall the host, delaying
> interrupts and VM-exits, potentially triggering host RCU stalls or watchdog
> lockups.
>
The PadLock spec guarantees these instructions are interruptible:
state is saved on any interrupt/exception and execution resumes
from the saved state on return. We've also empirically observed
mid-instruction preemption on the 1024-bit MONTMUL2 path during
host scheduling tests. KVM's normal VM-exit on host timer/IPI
applies, so a guest can't actually stall the host core beyond a
normal RCU quiesce window. The existing REP XCRYPT/XSHA
(already exposed via word 5) share the same interruptibility model
and have been in guests for years without DoS reports.
> > );
> >
> > /*
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260528032234.1322565-1-ewandevelop@gmail.com?part=5
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features
2026-05-28 3:22 [PATCH v2 0/5] KVM: x86: Expose Zhaoxin CPUID 0xC0000001 EDX cryptographic features Ewan Hai
` (4 preceding siblings ...)
2026-05-28 3:22 ` [PATCH v2 5/5] KVM: x86: Expose Zhaoxin RSA " Ewan Hai
@ 2026-06-02 7:32 ` Binbin Wu
5 siblings, 0 replies; 16+ messages in thread
From: Binbin Wu @ 2026-06-02 7:32 UTC (permalink / raw)
To: Ewan Hai
Cc: seanjc, pbonzini, tglx, mingo, bp, dave.hansen, x86, hpa, kvm,
linux-kernel, ewanhai, cobechen, tonywwang
On 5/28/2026 11:22 AM, Ewan Hai wrote:
> This series exposes five groups of Zhaoxin-specific CPUID 0xC0000001 EDX
> feature bits to KVM guests. Each group corresponds to a category of
> unprivileged cryptographic or RNG instructions that have been present in
> Zhaoxin processors but not yet advertised by KVM.
>
> All instructions covered here are unprivileged (no CPL restriction) and
> available in all CPU modes (real / V86 / compat / protected / long), with
> no associated MSR control. Each feature is reported as a (X, X_EN) pair
> where the two bits are redundant by hardware design (set or cleared
> together), and both are CPUID-level reporting bits requiring no KVM
> emulation.
>
> The five feature groups:
>
> 1. SM2 (bits 0, 1): SM2 elliptic-curve public-key cryptography algorithm
> per GM/T 0003-2012. Used for key generation, encryption/decryption,
> digital signatures, and key exchange in Chinese cryptographic
> standards.
>
> 2. CCS (bits 4, 5): SM3 hash algorithm per GM/T 0004-2012 and SM4 block
> cipher per GM/T 0002-2012 (supports ECB / CBC / CFB / OFB / CTR plus
> CBC-MAC / CFB-MAC). Foundational primitives for Chinese cryptographic
> protocols.
>
> 3. RNG2 (bits 22, 23): Second-generation hardware RNG exposed via the
> REP XRNG2 instruction. Two on-die RNG sources selectable per call,
> with raw and post-processed output modes. Provides high-quality
> entropy for cryptographic operations.
>
> 4. PHE2 (bits 25, 26): SHA-384 and SHA-512 hardware acceleration per
> FIPS 180-3, exposed via REP XSHA384 and REP XSHA512. Used by TLS,
> SSH, file integrity, and signature schemes.
>
> 5. RSA (bits 27, 28): Big-number modular exponentiation (REP XMODEXP,
> A^B mod M) and modular multiplication (REP MONTMUL2, A*B mod M),
> supporting operand sizes from 256 to 32768 bits. Used for RSA and
> related public-key operations.
>
> References:
> The instruction encodings, control-word formats, and per-feature
> semantics referenced in the individual patches are documented in:
> - GMI Instruction Set Reference (SM2 / SM3 / SM4)
> - PadLock Instruction Reference (XRNG2 / XSHA384 / XSHA512 /
> XMODEXP / MONTMUL2)
> Both available from https://kib.kiev.ua/x86docs/Zhaoxin/
>
> Changes since v1:
> - Move the X86_FEATURE_xx definitions from arch/x86/kvm/reverse_cpuid.h
> into arch/x86/include/asm/cpufeatures.h, filling the unused bit
> positions in word 5 (which is reserved for CPUID 0xC0000001 EDX),
> per Sean's review feedback.
> - Tighten wording in each commit message: "user-mode" -> "unprivileged
> (no CPL restriction)", since the instructions execute at any CPL.
>
> v1: https://lore.kernel.org/all/20260513124846.1622462-1-ewandevelop@gmail.com/
>
> Ewan Hai (5):
> KVM: x86: Expose Zhaoxin SM2 CPUID feature
> KVM: x86: Expose Zhaoxin CCS (SM3 + SM4) CPUID feature
> KVM: x86: Expose Zhaoxin RNG2 CPUID feature
> KVM: x86: Expose Zhaoxin PHE2 CPUID feature
> KVM: x86: Expose Zhaoxin RSA CPUID feature
>
> arch/x86/include/asm/cpufeatures.h | 10 ++++++++++
> arch/x86/kvm/cpuid.c | 10 ++++++++++
> 2 files changed, 20 insertions(+)
Two nits in patch 2 and patch 4.
Otherwise,
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
>
>
> base-commit: 50897c955902c93ae71c38698abb910525ebdc89
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 16+ messages in thread
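A guest-side check of the feature pairs listed in the cover letter quoted above, as an added example (not code from the series or from the kernel): it decodes CPUID 0xC0000001 EDX with the bit positions given in the thread and flags any (X, X_EN) pair where only one bit is set. The names `zx_pair` and `zx_decode` and the sample EDX value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* (X, X_EN) bit pairs of CPUID 0xC0000001 EDX, as listed in the cover letter. */
struct zx_pair { const char *name; unsigned bit, en_bit; };
static const struct zx_pair zx_pairs[] = {
    { "SM2", 0, 1 }, { "CCS", 4, 5 }, { "RNG2", 22, 23 },
    { "PHE2", 25, 26 }, { "RSA", 27, 28 },
};
#define ZX_NPAIRS (sizeof(zx_pairs) / sizeof(zx_pairs[0]))

/*
 * Bit i of *present is set when both X and X_EN of pair i are set; bit i of
 * the return value is set when exactly one of them is. The series states the
 * two bits are set or cleared together, so a non-zero return suggests the
 * CPUID table presented to this guest was edited for one bit only.
 */
static unsigned zx_decode(uint32_t edx, unsigned *present)
{
    unsigned mismatch = 0;
    *present = 0;
    for (unsigned i = 0; i < ZX_NPAIRS; i++) {
        unsigned x = (edx >> zx_pairs[i].bit) & 1;
        unsigned en = (edx >> zx_pairs[i].en_bit) & 1;
        if (x && en)
            *present |= 1u << i;
        else if (x != en)
            mismatch |= 1u << i;
    }
    return mismatch;
}

int main(void)
{
    uint32_t edx = 0x18000033u; /* constructed sample: SM2, CCS and RSA pairs set */
#if defined(__x86_64__) || defined(__i386__)
    unsigned r[4];
    __cpuid(0xC0000000, r[0], r[1], r[2], r[3]); /* highest 0xC000xxxx leaf, if any */
    if ((r[0] & 0xFFFF0000u) == 0xC0000000u && r[0] >= 0xC0000001u) {
        __cpuid(0xC0000001, r[0], r[1], r[2], r[3]);
        edx = r[3]; /* real value replaces the sample */
    }
#endif
    unsigned present, mismatch = zx_decode(edx, &present);
    for (unsigned i = 0; i < ZX_NPAIRS; i++)
        printf("%-5s %s\n", zx_pairs[i].name,
               (mismatch >> i) & 1 ? "MISMATCH" : (present >> i) & 1 ? "yes" : "no");
    return mismatch != 0;
}
```

On a CPU without the 0xC0000000 leaf range the program falls back to the constructed sample value, so its output there says nothing about the machine.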