Re: [PATCH V3 01/13] target/i386: Disable unsupported BTS for guest

["Chen, Zide" <zide.chen@intel.com>]

On 4/22/2026 3:07 AM, Zhao Liu wrote:
> On Wed, Mar 04, 2026 at 10:07:00AM -0800, Zide Chen wrote:
>> Date: Wed, 4 Mar 2026 10:07:00 -0800
>> From: Zide Chen <zide.chen@intel.com>
>> Subject: [PATCH V3 01/13] target/i386: Disable unsupported BTS for guest
>> X-Mailer: git-send-email 2.53.0
>>
>> BTS (Branch Trace Store), enumerated by IA32_MISC_ENABLE.BTS_UNAVAILABLE
>> (bit 11), is deprecated and has been superseded by LBR and Intel PT.
> 
> I'm not clear from which platform this bit will be set by default?

My apologies, my statement was inaccurate and misleading. Newer PMU
features may cover most of the use cases addressed by BTS, and BTS
appears to see limited use in practice. However, it remains supported in
the latest CPUs.

> 
>> KVM yields control of this bit to userspace since KVM commit
>> 9fc222967a39 ("KVM: x86: Give host userspace full control of
>> MSR_IA32_MISC_ENABLES").
> 
> If KVM won't support it, it's better to only configure for KVM.

But QEMU doesn't support PMU for other hypervisors.

> 
>> However, QEMU does not set this bit, which allows guests to write the
>> BTS and BTINT bits in IA32_DEBUGCTL.  Since KVM doesn't support BTS,
>> this may lead to unexpected MSR access errors.
> 
> But overall, this way is a bit user-unfriendly. For cases where CPUID
> is unavailable, it would be more proper to check the KVM API to
> determine whether support is available; making this change in userspace
> feels a bit like applying the special patch for a corner case.
> 
> I found there's another patch where Paolo and Sean didn't want to make
> such changes directly earlier on....
> https://lore.kernel.org/qemu-devel/20220718032206.34488-1-zhenzhong.duan@intel.com/

Old KVM (prior to 9fc222967a39): KVM silently set BTS_UNAVAIL to hide
BTS from the guest. It worked fine.

New KVM (since 9fc222967a39): KVM gives userspace full control of
MSR_IA32_MISC_ENABLES and stopped sanitizing it. As shown in the KVM
snippet below, if KVM advertises PEBS, X86_FEATURE_DS could be exposed
and the guest incorrectly concludes BTS is available.

        if (vmx_pebs_supported()) {
                kvm_cpu_cap_check_and_set(X86_FEATURE_DS);
                kvm_cpu_cap_check_and_set(X86_FEATURE_DTES64);
        }

Paolo pointed out that a QEMU-only fix is insufficient because old QEMU
+ new KVM remains broken. Two KVM-side approaches were proposed:

Option 1 (quirk): adding a KVM quirk to restore the old sanitizing
behavior for MSR_IA32_MISC_ENABLES when running with old userspace.

Option 2 (synthetic feature MSR): KVM exposes a new synthetic MSR for
userspace to explicitly control BTS/PEBS guest visibility, with a safe
default of hidden.

It is debatable whether either fix is worth the effort for such a rarely
used feature.