From: Binbin Wu <binbin.wu@linux.intel.com>
To: kvm@vger.kernel.org
Cc: pbonzini@redhat.com, seanjc@google.com,
rick.p.edgecombe@intel.com, xiaoyao.li@intel.com,
chao.gao@intel.com, kai.huang@intel.com
Subject: Re: [RFC PATCH 17/27] KVM: x86: Init allowed masks for extended CPUID range in paranoid mode
Date: Tue, 21 Apr 2026 15:55:59 +0800 [thread overview]
Message-ID: <16768449-df59-4798-948d-3be609d3942d@linux.intel.com> (raw)
In-Reply-To: <20260417073610.3246316-18-binbin.wu@linux.intel.com>
Below are responses to issues reported by sashiko. [1]
[1] https://sashiko.dev/#/patchset/20260417073610.3246316-1-binbin.wu%40linux.intel.com?part=17
[...]
> @@ -1310,6 +1311,18 @@ void kvm_initialize_cpu_caps(void)
> F(AVX10_VNNI_INT, F_CPUID_DEFAULT),
> );
>
> + kvm_cpu_cap_ignore(0x80000000, 0, 0, BIT(CPUID_EAX),
> + F_CPUID_DEFAULT | F_CPUID_TDX);
> + kvm_cpu_cap_ignore(0x80000000, 0, 0, BIT(CPUID_EBX) | BIT(CPUID_ECX) | BIT(CPUID_EDX),
> + F_CPUID_SVM);
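Review bot: the second kvm_cpu_cap_ignore() in this hunk covers EBX/ECX/EDX of leaf 0x80000000 only for F_CPUID_SVM, so on the VMX and TDX overlays those three registers fall under strict zero-checking in paranoid mode; userspace that still writes the vendor string there (QEMU for PC machine v10.0 and older, or with vendor_cpuid_only_v2 disabled) would then fail KVM_SET_CPUID2 with -EINVAL, and for TDX paranoid mode is forced on. Suggest passing `F_CPUID_DEFAULT | F_CPUID_TDX | F_CPUID_SVM` to that call so the ignore applies across all overlays, with a one-line comment above it saying the registers are ignored for compatibility with older userspace, since the first call already shows the DEFAULT|TDX spelling for EAX and a reader will otherwise assume the SVM-only restriction is deliberate.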
Issue #1:
"Does this strict zero-checking of EBX, ECX, and EDX on VMX/TDX break
userspace VMMs like QEMU?
QEMU unconditionally populates 0x80000000 EBX, ECX, and EDX with the CPU
vendor string (e.g., GenuineIntel) across all x86 architectures. When
KVM paranoid mode is enabled, KVM will reject these non-zero values.
This could cause KVM_SET_CPUID2 to fail with -EINVAL, breaking VM creation
for TDX (where paranoid mode is forced to true) or VMX.
Do these registers need to be ignored across all overlays, similar to the
explicit workaround implemented below for 0x80000001 EAX?"
The concern is valid.
Although after commit a539cd26145c
("i386/cpu: Mark EBX/ECX/EDX in CPUID 0x80000000 leaf as reserved for Intel"),
QEMU by default zeros out EBX, ECX, EDX for Intel or Zhaoxin CPUs,
for backward compatibility (PC machine v10.0 and older), or when
vendor_cpuid_only_v2 is manually disabled, there will be problems.
Considering CPUID paranoid mode is enforced for TDX, it will cause problems
when older QEMU populates 0x80000000 EBX, ECX, and EDX unconditionally. Will
add 0x80000000 EBX/ECX/EDX to the ignored set for VMX/TDX as well.
[...]
> @@ -1388,6 +1422,10 @@ void kvm_initialize_cpu_caps(void)
> F(AMD_IBPB_RET, F_CPUID_DEFAULT),
> );
>
> + kvm_cpu_cap_init_mf(CPUID_8000_0008_ECX, GENMASK_U32(17, 12) | GENMASK_U32(7, 0),
> + F_CPUID_SVM);
> + kvm_cpu_cap_ignore(0x80000008, 0, 0, BIT(CPUID_EDX), F_CPUID_SVM);
> +
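Review bot: both the allowed mask for CPUID_8000_0008_ECX (GENMASK_U32(17, 12) | GENMASK_U32(7, 0)) and the ignore of 0x80000008 EDX are restricted to F_CPUID_SVM, so on the VMX and TDX overlays any non-zero ECX or EDX in this leaf is rejected in paranoid mode; QEMU writes the core count and APIC ID size into ECX for any multi-core guest regardless of host vendor, so multi-core VMs would fail KVM_SET_CPUID2 on Intel hosts. Suggest extending both the kvm_cpu_cap_init_mf() and the kvm_cpu_cap_ignore() call to `F_CPUID_DEFAULT | F_CPUID_TDX` as well, and adding a comment that the mask is kept on VMX/TDX for compatibility with older userspace (PC machine v10.0 and older) so the next reader does not "fix" it back to SVM-only.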
Issue #2:
"Will initializing this allowed mask exclusively for AMD cause failures for
multi-core VMs booted via QEMU on Intel?
QEMU unconditionally populates 0x80000008 ECX with the core count and
APIC ID size for any multi-core guest configuration, bypassing host vendor
checks.
Under KVM paranoid mode, KVM will reject these non-zero values on Intel
hosts, causing KVM_SET_CPUID2 to fail and preventing multi-core VMs from
booting.
Does the allowed mask or ignore rule for this register need to be expanded
to include VMX and TDX?"
Similar to issue #1, for backward compatibility (PC machine v10.0 and older), will
add the allowed mask for ECX in the VMX/TDX overlays and ignore EDX in the VMX/TDX
overlays for CPUID 0x80000008.
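To make the two issues above concrete, here is a small model of the allowed-mask / ignore-set check that paranoid mode performs, written as an added example for this thread and not taken from the patch series or from KVM. The overlay flags (F_CPUID_DEFAULT/SVM/TDX), the leaf numbers and the masks follow the quoted hunks; the helper names (cap_allow, cap_ignore, paranoid_check, build_table), the rule table and the CPUID entries are constructed for the example, and the EAX rules of both leaves that the series sets up elsewhere are not reproduced (EAX is left at zero in the sample input). The check rejects the QEMU-style vendor string and core count on the VMX/TDX overlays with the rules as posted and accepts them once the ignore/allow calls are extended as the reply describes, while a bit outside the 0x80000008 ECX field is still rejected on every overlay.

```c
/* Model of the paranoid-mode CPUID check discussed in this thread
 * (constructed example, not KVM code). Overlay flags, leaves and masks
 * follow the quoted hunks; helper names and the table are this example's own. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BIT(n)            (1u << (n))
#define GENMASK_U32(h, l) ((uint32_t)(~0u << (l)) & (uint32_t)(~0u >> (31 - (h))))

/* Stand-ins for F_CPUID_DEFAULT (VMX), F_CPUID_SVM and F_CPUID_TDX. */
enum overlay { OV_DEFAULT = BIT(0), OV_SVM = BIT(1), OV_TDX = BIT(2) };
enum reg { CPUID_EAX, CPUID_EBX, CPUID_ECX, CPUID_EDX, NR_REGS };

struct cap_rule {
	uint32_t function, index;
	unsigned overlays;          /* overlays in which the rule is active */
	uint32_t allowed[NR_REGS];  /* bits userspace may set in each register */
	uint32_t ignore_regs;       /* BIT(reg): register is not checked at all */
};

#define MAX_RULES 8
struct cap_table { struct cap_rule rules[MAX_RULES]; size_t nr; };
struct cpuid_entry { uint32_t function, index, eax, ebx, ecx, edx; };

static struct cap_rule *new_rule(struct cap_table *t, uint32_t fn, uint32_t idx, unsigned ov)
{
	if (t->nr >= MAX_RULES)
		return NULL;
	struct cap_rule *r = &t->rules[t->nr++];
	memset(r, 0, sizeof(*r));
	r->function = fn; r->index = idx; r->overlays = ov;
	return r;
}

/* Counterpart of kvm_cpu_cap_init_mf(): allow a multi-bit field in one register. */
static void cap_allow(struct cap_table *t, uint32_t fn, uint32_t idx, enum reg reg, uint32_t mask, unsigned ov)
{
	struct cap_rule *r = new_rule(t, fn, idx, ov);
	if (r) r->allowed[reg] = mask;
}

/* Counterpart of kvm_cpu_cap_ignore(): skip checking the given registers. */
static void cap_ignore(struct cap_table *t, uint32_t fn, uint32_t idx, uint32_t regs, unsigned ov)
{
	struct cap_rule *r = new_rule(t, fn, idx, ov);
	if (r) r->ignore_regs = regs;
}

/* Reject any entry that sets a bit outside the union of the allowed masks for
 * the active overlay, unless the register is ignored. Returns 0 or -EINVAL. */
static int paranoid_check(const struct cap_table *t, unsigned overlay, const struct cpuid_entry *ent, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		const uint32_t val[NR_REGS] = { ent[i].eax, ent[i].ebx, ent[i].ecx, ent[i].edx };
		uint32_t allowed[NR_REGS] = { 0 }, ignored = 0;

		for (size_t j = 0; j < t->nr; j++) {
			const struct cap_rule *r = &t->rules[j];
			if (r->function != ent[i].function || r->index != ent[i].index || !(r->overlays & overlay))
				continue;
			for (int k = 0; k < NR_REGS; k++)
				allowed[k] |= r->allowed[k];
			ignored |= r->ignore_regs;
		}
		for (int k = 0; k < NR_REGS; k++)
			if (!(ignored & BIT(k)) && (val[k] & ~allowed[k]))
				return -EINVAL;
	}
	return 0;
}

/* Rules as the posted hunks set them up (with_fix = false), or with the
 * extension the reply describes: 0x80000000 EBX/ECX/EDX ignored and
 * 0x80000008 ECX allowed / EDX ignored on VMX and TDX as well. */
static void build_table(struct cap_table *t, bool with_fix)
{
	unsigned ext = with_fix ? (OV_DEFAULT | OV_SVM | OV_TDX) : OV_SVM;
	t->nr = 0;
	cap_ignore(t, 0x80000000, 0, BIT(CPUID_EAX), OV_DEFAULT | OV_TDX);
	cap_ignore(t, 0x80000000, 0, BIT(CPUID_EBX) | BIT(CPUID_ECX) | BIT(CPUID_EDX), ext);
	cap_allow(t, 0x80000008, 0, CPUID_ECX, GENMASK_U32(17, 12) | GENMASK_U32(7, 0), ext);
	cap_ignore(t, 0x80000008, 0, BIT(CPUID_EDX), ext);
}

/* Issue #1: constructed entry with "GenuineIntel" in EBX/EDX/ECX of 0x80000000. */
static int check_vendor_string(unsigned overlay, bool with_fix)
{
	struct cap_table t;
	const struct cpuid_entry ent = { 0x80000000, 0, 0, 0x756e6547 /* Genu */, 0x6c65746e /* ntel */, 0x49656e69 /* ineI */ };
	build_table(&t, with_fix);
	return paranoid_check(&t, overlay, &ent, 1);
}

/* Issue #2: constructed 0x80000008 ECX with NC=3 and ApicIdSize=3 (0x3003). */
static int check_core_count(unsigned overlay, bool with_fix, uint32_t ecx)
{
	struct cap_table t;
	const struct cpuid_entry ent = { 0x80000008, 0, 0, 0, ecx, 0 };
	build_table(&t, with_fix);
	return paranoid_check(&t, overlay, &ent, 1);
}
```

With the rules as posted, check_vendor_string(OV_DEFAULT, false) and check_core_count(OV_DEFAULT, false, 0x3003) both return -EINVAL while the same inputs pass on OV_SVM; with the extended rules they pass on all three overlays, and a value with bit 8 set in 0x80000008 ECX is still rejected everywhere because it lies outside the allowed field.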
Thread overview:
2026-04-17 7:35 [RFC PATCH 00/27] KVM: x86: Add a paranoid mode for CPUID verification Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 01/27] KVM: x86: Fix emulated CPUID features being applied to wrong sub-leaf Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 02/27] KVM: x86: Reorder the features for CPUID 7 Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 03/27] KVM: x86: Add definitions for CPUID overlays Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 04/27] KVM: x86: Extend F() and its variants " Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 05/27] KVM: x86: Extend kvm_cpu_cap_{set/clear}() to configure overlays Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 06/27] KVM: x86: Populate TDX CPUID overlay with supported feature bits Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 07/27] KVM: x86: Support KVM_GET_{SUPPORTED,EMULATED}_CPUID as VM scope ioctls Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 08/27] KVM: x86: Thread @kvm to KVM CPU capability helpers Binbin Wu
2026-04-21 6:18 ` Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 09/27] KVM: x86: Use overlays of KVM CPU capabilities Binbin Wu
2026-04-21 5:31 ` Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 10/27] KVM: x86: Use vendor-specific overlay flags instead of F_CPUID_DEFAULT Binbin Wu
2026-04-21 6:43 ` Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 11/27] KVM: SVM: Drop unnecessary clears of unsupported common x86 features Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 12/27] KVM: x86: Split KVM CPU cap leafs into two parts Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 13/27] KVM: x86: Add a helper to initialize CPUID multi-bit fields Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 14/27] KVM: x86: Add a helper to init multiple feature bits based on raw CPUID Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 15/27] KVM: x86: Add infrastructure to track CPUID entries ignored in paranoid mode Binbin Wu
2026-04-17 7:35 ` [RFC PATCH 16/27] KVM: x86: Init allowed masks for basic CPUID range " Binbin Wu
2026-04-21 6:51 ` Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 17/27] KVM: x86: Init allowed masks for extended " Binbin Wu
2026-04-21 7:55 ` Binbin Wu [this message]
2026-04-17 7:36 ` [RFC PATCH 18/27] KVM: x86: Handle Centaur CPUID leafs " Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 19/27] KVM: x86: Track KVM PV CPUID features for " Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 20/27] KVM: x86: Add per-VM flag to track CPUID " Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 21/27] KVM: x86: Make kvm_vcpu_after_set_cpuid() return an error code Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 22/27] KVM: x86: Verify userspace CPUID inputs in paranoid mode Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 23/27] KVM: x86: Account for runtime CPUID features " Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 24/27] KVM: x86: Skip paranoid CPUID check for KVM PV leafs when base is relocated Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 25/27] KVM: x86: Add new KVM_CAP_X86_CPUID_PARANOID Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 26/27] KVM: x86: Add a helper to query the allowed CPUID mask Binbin Wu
2026-04-17 7:36 ` [RFC PATCH 27/27] KVM: TDX: Replace hardcoded CPUID filtering with the allowed mask Binbin Wu