[PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[18341265598]

From: "zhaoge.zhang" <zhangzg12@chinatelecom.cn>

If the hardware does not support the SGX feature and we set the
corresponding flag, when the L1 hypervisor enables the corresponding
feature in VMCS12, the VM entry will fail.

Reported-by: wei xiaoqiong <weixq1@chinatelecom.cn>
Signed-off-by: zhaoge.zhang <zhangzg12@chinatelecom.cn>
Reviewed-by: Huaitong Han <hanht2@chinatelecom.cn>
---
 arch/x86/kvm/vmx/nested.c |  2 +-
 arch/x86/kvm/vmx/vmx.c    | 11 -----------
 arch/x86/kvm/vmx/vmx.h    | 11 +++++++++++
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 937aeb4..396ac07 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
 		msrs->secondary_ctls_high |=
 			SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
 
-	if (enable_sgx)
+	if (enable_sgx && cpu_has_sgx())
 		msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
 }
 
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 8b24e68..e06e62e 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2673,17 +2673,6 @@ void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
 	}
 }
 
-/*
- * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID
- * directly instead of going through cpu_has(), to ensure KVM is trapping
- * ENCLS whenever it's supported in hardware.  It does not matter whether
- * the host OS supports or has enabled SGX.
- */
-static bool cpu_has_sgx(void)
-{
-	return cpuid_eax(0) >= 0x12 && (cpuid_eax(0x12) & BIT(0));
-}
-
 static int adjust_vmx_controls(u32 ctl_min, u32 ctl_opt, u32 msr, u32 *result)
 {
 	u32 vmx_msr_low, vmx_msr_high;
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 70bfe81..3e9114b 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -338,6 +338,17 @@ static __always_inline u32 vmx_get_intr_info(struct kvm_vcpu *vcpu)
 	return vt->exit_intr_info;
 }
 
+/*
+ * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID
+ * directly instead of going through cpu_has(), to ensure KVM is trapping
+ * ENCLS whenever it's supported in hardware.  It does not matter whether
+ * the host OS supports or has enabled SGX.
+ */
+static bool cpu_has_sgx(void)
+{
+	return cpuid_eax(0) >= 0x12 && (cpuid_eax(0x12) & BIT(0));
+}
+
 void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu);
 int allocate_vpid(void);
 void free_vpid(int vpid);
-- 
1.8.3.1

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[Huang, Kai]

On Tue, 2026-03-24 at 11:27 +0800, 18341265598@163.com wrote:
> From: "zhaoge.zhang" <zhangzg12@chinatelecom.cn>
> 
> If the hardware does not support the SGX feature and we set the
> corresponding flag, when the L1 hypervisor enables the corresponding
> feature in VMCS12, the VM entry will fail.
> 
> Reported-by: wei xiaoqiong <weixq1@chinatelecom.cn>
> Signed-off-by: zhaoge.zhang <zhangzg12@chinatelecom.cn>
> Reviewed-by: Huaitong Han <hanht2@chinatelecom.cn>
> ---
>  arch/x86/kvm/vmx/nested.c |  2 +-
>  arch/x86/kvm/vmx/vmx.c    | 11 -----------
>  arch/x86/kvm/vmx/vmx.h    | 11 +++++++++++
>  3 files changed, 12 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 937aeb4..396ac07 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
>  		msrs->secondary_ctls_high |=
>  			SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
>  
> -	if (enable_sgx)
> +	if (enable_sgx && cpu_has_sgx())
>  		msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
>  }

Are you seeing the case where enable_sgx is true but cpu_has_sgx() reports
false?

It's quite strange because during KVM load, if cpu_has_sgx() is false,
enable_sgx is guaranteed to be false.

The only case that I can think of is after KVM loads somehow machine check
happens, which "soft disables" SGX (CPUID reports SGX1 as 0).

Is this the case you are meeting?


[...]

> +/*
> + * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID

Btw, the "There is no X86_FEATURE for SGX yet" part is obviously obsolete
now.

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[Sean Christopherson]

On Tue, Mar 24, 2026, Kai Huang wrote:
> On Tue, 2026-03-24 at 11:27 +0800, 18341265598@163.com wrote:
> > From: "zhaoge.zhang" <zhangzg12@chinatelecom.cn>
> > 
> > If the hardware does not support the SGX feature and we set the
> > corresponding flag, when the L1 hypervisor enables the corresponding
> > feature in VMCS12, the VM entry will fail.
> > 
> > Reported-by: wei xiaoqiong <weixq1@chinatelecom.cn>
> > Signed-off-by: zhaoge.zhang <zhangzg12@chinatelecom.cn>
> > Reviewed-by: Huaitong Han <hanht2@chinatelecom.cn>
> > ---
> >  arch/x86/kvm/vmx/nested.c |  2 +-
> >  arch/x86/kvm/vmx/vmx.c    | 11 -----------
> >  arch/x86/kvm/vmx/vmx.h    | 11 +++++++++++
> >  3 files changed, 12 insertions(+), 12 deletions(-)
> > 
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index 937aeb4..396ac07 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
> >  		msrs->secondary_ctls_high |=
> >  			SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
> >  
> > -	if (enable_sgx)
> > +	if (enable_sgx && cpu_has_sgx())
> >  		msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
> >  }
> 
> Are you seeing the case where enable_sgx is true but cpu_has_sgx() reports
> false?
> 
> It's quite strange because during KVM load, if cpu_has_sgx() is false,
> enable_sgx is guaranteed to be false.
> 
> The only case that I can think of is after KVM loads somehow machine check
> happens, which "soft disables" SGX (CPUID reports SGX1 as 0).
> 
> Is this the case you are meeting?

It's a moot point (unless I'm getting -ENOCOFFEE, which is very possible at the
moment), because "enable_sgx" is cleared if ENCLS-exiting isn't supported.

	if (!cpu_has_vmx_encls_vmexit())
		enable_sgx = false;

Where cpu_has_vmx_encls_vmexit() is peeking at vmcs_config.cpu_based_2nd_exec_ctrl:

  static inline bool cpu_has_vmx_encls_vmexit(void)
  {
	return vmcs_config.cpu_based_2nd_exec_ctrl &
		SECONDARY_EXEC_ENCLS_EXITING;
  }

And thus already incorporates this code:

	if (!cpu_has_sgx())
		_cpu_based_2nd_exec_control &= ~SECONDARY_EXEC_ENCLS_EXITING;


I suppose the #MC could happen between setup_vmcs_config() and
nested_vmx_setup_ctls_msrs(), but at that point, KVM is hosed no matter what.

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[Huang, Kai]

On Tue, 2026-03-31 at 09:30 -0700, Sean Christopherson wrote:
> On Tue, Mar 24, 2026, Kai Huang wrote:
> > On Tue, 2026-03-24 at 11:27 +0800, 18341265598@163.com wrote:
> > > From: "zhaoge.zhang" <zhangzg12@chinatelecom.cn>
> > > 
> > > If the hardware does not support the SGX feature and we set the
> > > corresponding flag, when the L1 hypervisor enables the corresponding
> > > feature in VMCS12, the VM entry will fail.
> > > 
> > > Reported-by: wei xiaoqiong <weixq1@chinatelecom.cn>
> > > Signed-off-by: zhaoge.zhang <zhangzg12@chinatelecom.cn>
> > > Reviewed-by: Huaitong Han <hanht2@chinatelecom.cn>
> > > ---
> > >  arch/x86/kvm/vmx/nested.c |  2 +-
> > >  arch/x86/kvm/vmx/vmx.c    | 11 -----------
> > >  arch/x86/kvm/vmx/vmx.h    | 11 +++++++++++
> > >  3 files changed, 12 insertions(+), 12 deletions(-)
> > > 
> > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > > index 937aeb4..396ac07 100644
> > > --- a/arch/x86/kvm/vmx/nested.c
> > > +++ b/arch/x86/kvm/vmx/nested.c
> > > @@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
> > >  		msrs->secondary_ctls_high |=
> > >  			SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
> > >  
> > > -	if (enable_sgx)
> > > +	if (enable_sgx && cpu_has_sgx())
> > >  		msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
> > >  }
> > 
> > Are you seeing the case where enable_sgx is true but cpu_has_sgx() reports
> > false?
> > 
> > It's quite strange because during KVM load, if cpu_has_sgx() is false,
> > enable_sgx is guaranteed to be false.
> > 
> > The only case that I can think of is after KVM loads somehow machine check
> > happens, which "soft disables" SGX (CPUID reports SGX1 as 0).
> > 
> > Is this the case you are meeting?
> 
> It's a moot point (unless I'm getting -ENOCOFFEE, which is very possible at the
> moment), because "enable_sgx" is cleared if ENCLS-exiting isn't supported.
> 
> 	if (!cpu_has_vmx_encls_vmexit())
> 		enable_sgx = false;
> 
> Where cpu_has_vmx_encls_vmexit() is peeking at vmcs_config.cpu_based_2nd_exec_ctrl:
> 
>   static inline bool cpu_has_vmx_encls_vmexit(void)
>   {
> 	return vmcs_config.cpu_based_2nd_exec_ctrl &
> 		SECONDARY_EXEC_ENCLS_EXITING;
>   }
> 
> And thus already incorporates this code:
> 
> 	if (!cpu_has_sgx())
> 		_cpu_based_2nd_exec_control &= ~SECONDARY_EXEC_ENCLS_EXITING;
> 
> 
> I suppose the #MC could happen between setup_vmcs_config() and
> nested_vmx_setup_ctls_msrs(), but at that point, KVM is hosed no matter what.

Exactly.  I think we can ignore this unless we can get more info from the
author :-)

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[zhaogezhang]

Thanks to all the maintainers for your timely feedback and correction. Much appreciated!


> 在 2026年4月1日，05:07，Huang, Kai <kai.huang@intel.com> 写道：
> 
> On Tue, 2026-03-31 at 09:30 -0700, Sean Christopherson wrote:
>>> On Tue, Mar 24, 2026, Kai Huang wrote:
>>> On Tue, 2026-03-24 at 11:27 +0800, 18341265598@163.com wrote:
>>>> From: "zhaoge.zhang" <zhangzg12@chinatelecom.cn>
>>>> 
>>>> If the hardware does not support the SGX feature and we set the
>>>> corresponding flag, when the L1 hypervisor enables the corresponding
>>>> feature in VMCS12, the VM entry will fail.
>>>> 
>>>> Reported-by: wei xiaoqiong <weixq1@chinatelecom.cn>
>>>> Signed-off-by: zhaoge.zhang <zhangzg12@chinatelecom.cn>
>>>> Reviewed-by: Huaitong Han <hanht2@chinatelecom.cn>
>>>> ---
>>>> arch/x86/kvm/vmx/nested.c |  2 +-
>>>> arch/x86/kvm/vmx/vmx.c    | 11 -----------
>>>> arch/x86/kvm/vmx/vmx.h    | 11 +++++++++++
>>>> 3 files changed, 12 insertions(+), 12 deletions(-)
>>>> 
>>>> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
>>>> index 937aeb4..396ac07 100644
>>>> --- a/arch/x86/kvm/vmx/nested.c
>>>> +++ b/arch/x86/kvm/vmx/nested.c
>>>> @@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
>>>>        msrs->secondary_ctls_high |=
>>>>            SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
>>>> 
>>>> -    if (enable_sgx)
>>>> +    if (enable_sgx && cpu_has_sgx())
>>>>        msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
>>>> }
>>> 
>>> Are you seeing the case where enable_sgx is true but cpu_has_sgx() reports
>>> false?
>>> 
>>> It's quite strange because during KVM load, if cpu_has_sgx() is false,
>>> enable_sgx is guaranteed to be false.
>>> 
>>> The only case that I can think of is after KVM loads somehow machine check
>>> happens, which "soft disables" SGX (CPUID reports SGX1 as 0).
>>> 
>>> Is this the case you are meeting?
>> 
>> It's a moot point (unless I'm getting -ENOCOFFEE, which is very possible at the
>> moment), because "enable_sgx" is cleared if ENCLS-exiting isn't supported.
>> 
>>    if (!cpu_has_vmx_encls_vmexit())
>>        enable_sgx = false;
>> 
>> Where cpu_has_vmx_encls_vmexit() is peeking at vmcs_config.cpu_based_2nd_exec_ctrl:
>> 
>>  static inline bool cpu_has_vmx_encls_vmexit(void)
>>  {
>>    return vmcs_config.cpu_based_2nd_exec_ctrl &
>>        SECONDARY_EXEC_ENCLS_EXITING;
>>  }
>> 
>> And thus already incorporates this code:
>> 
>>    if (!cpu_has_sgx())
>>        _cpu_based_2nd_exec_control &= ~SECONDARY_EXEC_ENCLS_EXITING;
>> 
>> 
>> I suppose the #MC could happen between setup_vmcs_config() and
>> nested_vmx_setup_ctls_msrs(), but at that point, KVM is hosed no matter what.
> 
> Exactly.  I think we can ignore this unless we can get more info from the
> author :-)

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[kernel test robot]

Hi,

kernel test robot noticed the following build warnings:

[auto build test WARNING on kvm/queue]
[also build test WARNING on kvm/next linus/master v6.16-rc1 next-20260327]
[cannot apply to kvm/linux-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/18341265598-163-com/vmx-nested-Set-the-SGX-feature-flag-only-when-hardware-supported/20260329-093645
base:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git queue
patch link:    https://lore.kernel.org/r/1774322860-25106-1-git-send-email-18341265598%40163.com
patch subject: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.
config: x86_64-rhel-9.4 (https://download.01.org/0day-ci/archive/20260329/202603291021.Yc83e9lC-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260329/202603291021.Yc83e9lC-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603291021.Yc83e9lC-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from arch/x86/kvm/kvm-asm-offsets.c:10:
>> arch/x86/kvm/vmx/vmx.h:347:13: warning: 'cpu_has_sgx' defined but not used [-Wunused-function]
     347 | static bool cpu_has_sgx(void)
         |             ^~~~~~~~~~~


vim +/cpu_has_sgx +347 arch/x86/kvm/vmx/vmx.h

   340	
   341	/*
   342	 * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID
   343	 * directly instead of going through cpu_has(), to ensure KVM is trapping
   344	 * ENCLS whenever it's supported in hardware.  It does not matter whether
   345	 * the host OS supports or has enabled SGX.
   346	 */
 > 347	static bool cpu_has_sgx(void)
   348	{
   349		return cpuid_eax(0) >= 0x12 && (cpuid_eax(0x12) & BIT(0));
   350	}
   351	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

[kernel test robot]

Hi,

kernel test robot noticed the following build warnings:

[auto build test WARNING on kvm/queue]
[also build test WARNING on kvm/next linus/master v7.0-rc5 next-20260327]
[cannot apply to kvm/linux-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/18341265598-163-com/vmx-nested-Set-the-SGX-feature-flag-only-when-hardware-supported/20260329-093645
base:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git queue
patch link:    https://lore.kernel.org/r/1774322860-25106-1-git-send-email-18341265598%40163.com
patch subject: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.
config: i386-randconfig-012-20260329 (https://download.01.org/0day-ci/archive/20260329/202603291639.FHVs3bEt-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.4.0-5) 12.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260329/202603291639.FHVs3bEt-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603291639.FHVs3bEt-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from arch/x86/kvm/vmx/hyperv.h:7,
                    from arch/x86/kvm/vmx/nested.h:6,
                    from arch/x86/kvm/vmx/pmu_intel.c:21:
>> arch/x86/kvm/vmx/vmx.h:347:13: warning: 'cpu_has_sgx' defined but not used [-Wunused-function]
     347 | static bool cpu_has_sgx(void)
         |             ^~~~~~~~~~~


vim +/cpu_has_sgx +347 arch/x86/kvm/vmx/vmx.h

   340	
   341	/*
   342	 * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID
   343	 * directly instead of going through cpu_has(), to ensure KVM is trapping
   344	 * ENCLS whenever it's supported in hardware.  It does not matter whether
   345	 * the host OS supports or has enabled SGX.
   346	 */
 > 347	static bool cpu_has_sgx(void)
   348	{
   349		return cpuid_eax(0) >= 0x12 && (cpuid_eax(0x12) & BIT(0));
   350	}
   351	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki