* [PATCH v3 00/20] i386: Support CET for KVM
@ 2025-10-24 6:56 Zhao Liu
2025-10-24 6:56 ` [PATCH v3 01/20] linux-headers: Update to v6.18-rc2 Zhao Liu
` (19 more replies)
0 siblings, 20 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Hi,
This the v3 series to support CET (CET-SHSTK & CET-IBT) in QEMU, which
is based on the commit c0e80879c876 ("Merge tag 'pull-vfio-20251022' of
https://github.com/legoater/qemu into staging"). And you can also find
the code here:
https://gitlab.com/zhao.liu/qemu/-/commits/i386-cet-v1-10-22-2025
Compared to v2 [1] (posted two years ago), the basic CET support (
xstate/MSR/vmstate/CPUID) remains roughly unchanged. And I also noted
the change logs in the patches inherited from v2.
Thanks for your feedback!
Overview
========
Control-flow enforcement technology includes 2 x86-architectural
features:
- CET shadow stack (CET-SHSTK or CET-SS).
- CET indirect branch tracking (CET-IBT).
Intel has implemented both 2 features since Sapphire Rapids (P-core) &
Sierra Forest (E-core).
AMD also implemented shadow stack since Zen3 [2] - this series has
considerred only-shstk case and is supposed to work on AMD platform, but
I hasn't tested this on AMD.
The basic CET support (patch 11-17) includes:
* CET-S & CET-U supervisor xstates support.
* CET CPUIDs enumeration.
* CET MSRs save & load.
* CET guest SSP register (KVM treats this as a special internal
register - KVM_REG_GUEST_SSP) save & load.
* Vmstates for MSRs & guest SSP.
But before CET support, there's a lot of cleanup work needed for
supervisor xstate.
Before CET-S/CET-U, QEMU has already supports arch lbr as the 1st
supervisor xstate. Although arch LBR has not yet been merged into KVM
(still planned), this series cleans up supervisor state-related support
and avoids breaking the current arch LBR in QEMU - that's what patch
2-10 are doing.
Additionally, besides KVM, this series also supports CET for TDX.
[1]: https://lore.kernel.org/qemu-devel/20230720111445.99509-1-weijiang.yang@intel.com/
[2]: https://lore.kernel.org/all/20250908201750.98824-1-john.allen@amd.com/
Thanks and Best Regards,
Zhao
---
Chao Gao (1):
i386/cpu: Fix supervisor xstate initialization
Chenyi Qiang (1):
i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM
Yang Weijiang (5):
i386/cpu: Enable xsave support for CET states
i386/kvm: Add save/load support for CET MSRs
i386/kvm: Add save/load support for KVM_REG_GUEST_SSP
i386/machine: Add vmstate for cet-ss and cet-ibt
i386/cpu: Advertise CET related flags in feature words
Zhao Liu (13):
linux-headers: Update to v6.18-rc2
i386/cpu: Clean up indent style of x86_ext_save_areas[]
i386/cpu: Clean up arch lbr xsave struct and comment
i386/cpu: Reorganize arch lbr structure definitions
i386/cpu: Make ExtSaveArea store an array of dependencies
i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM
i386/cpu: Reorganize dependency check for arch lbr state
i386/cpu: Drop pmu check in CPUID 0x1C encoding
i386/cpu: Add missing migratable xsave features
i386/cpu: Add CET support in CR4
i386/cpu: Mark cet-u & cet-s xstates as migratable
i386/cpu: Enable cet-ss & cet-ibt for supported CPU models
i386/tdx: Fix missing spaces in tdx_xfam_deps[]
include/standard-headers/linux/ethtool.h | 1 +
include/standard-headers/linux/fuse.h | 22 +-
.../linux/input-event-codes.h | 1 +
include/standard-headers/linux/input.h | 22 +-
include/standard-headers/linux/pci_regs.h | 10 +
include/standard-headers/linux/virtio_ids.h | 1 +
include/standard-headers/linux/virtio_rtc.h | 237 ++++++++++++++++++
include/standard-headers/linux/virtio_spi.h | 181 +++++++++++++
linux-headers/asm-loongarch/kvm.h | 1 +
linux-headers/asm-riscv/kvm.h | 23 +-
linux-headers/asm-riscv/ptrace.h | 4 +-
linux-headers/asm-x86/kvm.h | 34 +++
linux-headers/asm-x86/unistd_64.h | 1 +
linux-headers/asm-x86/unistd_x32.h | 1 +
linux-headers/linux/kvm.h | 3 +
linux-headers/linux/psp-sev.h | 10 +-
linux-headers/linux/stddef.h | 1 -
linux-headers/linux/vduse.h | 2 +-
linux-headers/linux/vhost.h | 4 +-
target/i386/cpu.c | 227 ++++++++++++-----
target/i386/cpu.h | 99 ++++++--
target/i386/helper.c | 12 +
target/i386/kvm/kvm.c | 103 ++++++++
target/i386/kvm/tdx.c | 20 +-
target/i386/machine.c | 53 ++++
25 files changed, 968 insertions(+), 105 deletions(-)
create mode 100644 include/standard-headers/linux/virtio_rtc.h
create mode 100644 include/standard-headers/linux/virtio_spi.h
--
2.34.1
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH v3 01/20] linux-headers: Update to v6.18-rc2
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[] Zhao Liu
` (18 subsequent siblings)
19 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
include/standard-headers/linux/ethtool.h | 1 +
include/standard-headers/linux/fuse.h | 22 +-
.../linux/input-event-codes.h | 1 +
include/standard-headers/linux/input.h | 22 +-
include/standard-headers/linux/pci_regs.h | 10 +
include/standard-headers/linux/virtio_ids.h | 1 +
include/standard-headers/linux/virtio_rtc.h | 237 ++++++++++++++++++
include/standard-headers/linux/virtio_spi.h | 181 +++++++++++++
| 1 +
| 23 +-
| 4 +-
| 34 +++
| 1 +
| 1 +
| 3 +
| 10 +-
| 1 -
| 2 +-
| 4 +-
19 files changed, 548 insertions(+), 11 deletions(-)
create mode 100644 include/standard-headers/linux/virtio_rtc.h
create mode 100644 include/standard-headers/linux/virtio_spi.h
diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
index eb803140283d..dc24512d2875 100644
--- a/include/standard-headers/linux/ethtool.h
+++ b/include/standard-headers/linux/ethtool.h
@@ -2380,6 +2380,7 @@ enum {
#define RXH_L4_B_0_1 (1 << 6) /* src port in case of TCP/UDP/SCTP */
#define RXH_L4_B_2_3 (1 << 7) /* dst port in case of TCP/UDP/SCTP */
#define RXH_GTP_TEID (1 << 8) /* teid in case of GTP */
+#define RXH_IP6_FL (1 << 9) /* IPv6 flow label */
#define RXH_DISCARD (1 << 31)
#define RX_CLS_FLOW_DISC 0xffffffffffffffffULL
diff --git a/include/standard-headers/linux/fuse.h b/include/standard-headers/linux/fuse.h
index d8b2fd67e16c..abf3a7885817 100644
--- a/include/standard-headers/linux/fuse.h
+++ b/include/standard-headers/linux/fuse.h
@@ -235,6 +235,11 @@
*
* 7.44
* - add FUSE_NOTIFY_INC_EPOCH
+ *
+ * 7.45
+ * - add FUSE_COPY_FILE_RANGE_64
+ * - add struct fuse_copy_file_range_out
+ * - add FUSE_NOTIFY_PRUNE
*/
#ifndef _LINUX_FUSE_H
@@ -266,7 +271,7 @@
#define FUSE_KERNEL_VERSION 7
/** Minor version number of this interface */
-#define FUSE_KERNEL_MINOR_VERSION 44
+#define FUSE_KERNEL_MINOR_VERSION 45
/** The node ID of the root inode */
#define FUSE_ROOT_ID 1
@@ -653,6 +658,7 @@ enum fuse_opcode {
FUSE_SYNCFS = 50,
FUSE_TMPFILE = 51,
FUSE_STATX = 52,
+ FUSE_COPY_FILE_RANGE_64 = 53,
/* CUSE specific operations */
CUSE_INIT = 4096,
@@ -671,7 +677,7 @@ enum fuse_notify_code {
FUSE_NOTIFY_DELETE = 6,
FUSE_NOTIFY_RESEND = 7,
FUSE_NOTIFY_INC_EPOCH = 8,
- FUSE_NOTIFY_CODE_MAX,
+ FUSE_NOTIFY_PRUNE = 9,
};
/* The read buffer is required to be at least 8k, but may be much larger */
@@ -1110,6 +1116,12 @@ struct fuse_notify_retrieve_in {
uint64_t dummy4;
};
+struct fuse_notify_prune_out {
+ uint32_t count;
+ uint32_t padding;
+ uint64_t spare;
+};
+
struct fuse_backing_map {
int32_t fd;
uint32_t flags;
@@ -1122,6 +1134,7 @@ struct fuse_backing_map {
#define FUSE_DEV_IOC_BACKING_OPEN _IOW(FUSE_DEV_IOC_MAGIC, 1, \
struct fuse_backing_map)
#define FUSE_DEV_IOC_BACKING_CLOSE _IOW(FUSE_DEV_IOC_MAGIC, 2, uint32_t)
+#define FUSE_DEV_IOC_SYNC_INIT _IO(FUSE_DEV_IOC_MAGIC, 3)
struct fuse_lseek_in {
uint64_t fh;
@@ -1144,6 +1157,11 @@ struct fuse_copy_file_range_in {
uint64_t flags;
};
+/* For FUSE_COPY_FILE_RANGE_64 */
+struct fuse_copy_file_range_out {
+ uint64_t bytes_copied;
+};
+
#define FUSE_SETUPMAPPING_FLAG_WRITE (1ull << 0)
#define FUSE_SETUPMAPPING_FLAG_READ (1ull << 1)
struct fuse_setupmapping_in {
diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
index 00dc9caac923..c914ccd7237a 100644
--- a/include/standard-headers/linux/input-event-codes.h
+++ b/include/standard-headers/linux/input-event-codes.h
@@ -27,6 +27,7 @@
#define INPUT_PROP_TOPBUTTONPAD 0x04 /* softbuttons at top of pad */
#define INPUT_PROP_POINTING_STICK 0x05 /* is a pointing stick */
#define INPUT_PROP_ACCELEROMETER 0x06 /* has accelerometer */
+#define INPUT_PROP_HAPTIC_TOUCHPAD 0x07 /* is a haptic touchpad */
#define INPUT_PROP_MAX 0x1f
#define INPUT_PROP_CNT (INPUT_PROP_MAX + 1)
diff --git a/include/standard-headers/linux/input.h b/include/standard-headers/linux/input.h
index d4512c20b543..9aff211dd561 100644
--- a/include/standard-headers/linux/input.h
+++ b/include/standard-headers/linux/input.h
@@ -426,6 +426,24 @@ struct ff_rumble_effect {
uint16_t weak_magnitude;
};
+/**
+ * struct ff_haptic_effect
+ * @hid_usage: hid_usage according to Haptics page (WAVEFORM_CLICK, etc.)
+ * @vendor_id: the waveform vendor ID if hid_usage is in the vendor-defined range
+ * @vendor_waveform_page: the vendor waveform page if hid_usage is in the vendor-defined range
+ * @intensity: strength of the effect as percentage
+ * @repeat_count: number of times to retrigger effect
+ * @retrigger_period: time before effect is retriggered (in ms)
+ */
+struct ff_haptic_effect {
+ uint16_t hid_usage;
+ uint16_t vendor_id;
+ uint8_t vendor_waveform_page;
+ uint16_t intensity;
+ uint16_t repeat_count;
+ uint16_t retrigger_period;
+};
+
/**
* struct ff_effect - defines force feedback effect
* @type: type of the effect (FF_CONSTANT, FF_PERIODIC, FF_RAMP, FF_SPRING,
@@ -462,6 +480,7 @@ struct ff_effect {
struct ff_periodic_effect periodic;
struct ff_condition_effect condition[2]; /* One for each axis */
struct ff_rumble_effect rumble;
+ struct ff_haptic_effect haptic;
} u;
};
@@ -469,6 +488,7 @@ struct ff_effect {
* Force feedback effect types
*/
+#define FF_HAPTIC 0x4f
#define FF_RUMBLE 0x50
#define FF_PERIODIC 0x51
#define FF_CONSTANT 0x52
@@ -478,7 +498,7 @@ struct ff_effect {
#define FF_INERTIA 0x56
#define FF_RAMP 0x57
-#define FF_EFFECT_MIN FF_RUMBLE
+#define FF_EFFECT_MIN FF_HAPTIC
#define FF_EFFECT_MAX FF_RAMP
/*
diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
index f5b17745de60..07e06aafec50 100644
--- a/include/standard-headers/linux/pci_regs.h
+++ b/include/standard-headers/linux/pci_regs.h
@@ -207,6 +207,9 @@
/* Capability lists */
+#define PCI_CAP_ID_MASK 0x00ff /* Capability ID mask */
+#define PCI_CAP_LIST_NEXT_MASK 0xff00 /* Next Capability Pointer mask */
+
#define PCI_CAP_LIST_ID 0 /* Capability ID */
#define PCI_CAP_ID_PM 0x01 /* Power Management */
#define PCI_CAP_ID_AGP 0x02 /* Accelerated Graphics Port */
@@ -776,6 +779,12 @@
#define PCI_ERR_UNC_MCBTLP 0x00800000 /* MC blocked TLP */
#define PCI_ERR_UNC_ATOMEG 0x01000000 /* Atomic egress blocked */
#define PCI_ERR_UNC_TLPPRE 0x02000000 /* TLP prefix blocked */
+#define PCI_ERR_UNC_POISON_BLK 0x04000000 /* Poisoned TLP Egress Blocked */
+#define PCI_ERR_UNC_DMWR_BLK 0x08000000 /* DMWr Request Egress Blocked */
+#define PCI_ERR_UNC_IDE_CHECK 0x10000000 /* IDE Check Failed */
+#define PCI_ERR_UNC_MISR_IDE 0x20000000 /* Misrouted IDE TLP */
+#define PCI_ERR_UNC_PCRC_CHECK 0x40000000 /* PCRC Check Failed */
+#define PCI_ERR_UNC_XLAT_BLK 0x80000000 /* TLP Translation Egress Blocked */
#define PCI_ERR_UNCOR_MASK 0x08 /* Uncorrectable Error Mask */
/* Same bits as above */
#define PCI_ERR_UNCOR_SEVER 0x0c /* Uncorrectable Error Severity */
@@ -798,6 +807,7 @@
#define PCI_ERR_CAP_ECRC_CHKC 0x00000080 /* ECRC Check Capable */
#define PCI_ERR_CAP_ECRC_CHKE 0x00000100 /* ECRC Check Enable */
#define PCI_ERR_CAP_PREFIX_LOG_PRESENT 0x00000800 /* TLP Prefix Log Present */
+#define PCI_ERR_CAP_COMP_TIME_LOG 0x00001000 /* Completion Timeout Prefix/Header Log Capable */
#define PCI_ERR_CAP_TLP_LOG_FLIT 0x00040000 /* TLP was logged in Flit Mode */
#define PCI_ERR_CAP_TLP_LOG_SIZE 0x00f80000 /* Logged TLP Size (only in Flit mode) */
#define PCI_ERR_HEADER_LOG 0x1c /* Header Log Register (16 bytes) */
diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h
index 7aa2eb766205..6c12db16faa3 100644
--- a/include/standard-headers/linux/virtio_ids.h
+++ b/include/standard-headers/linux/virtio_ids.h
@@ -68,6 +68,7 @@
#define VIRTIO_ID_AUDIO_POLICY 39 /* virtio audio policy */
#define VIRTIO_ID_BT 40 /* virtio bluetooth */
#define VIRTIO_ID_GPIO 41 /* virtio gpio */
+#define VIRTIO_ID_SPI 45 /* virtio spi */
/*
* Virtio Transitional IDs
diff --git a/include/standard-headers/linux/virtio_rtc.h b/include/standard-headers/linux/virtio_rtc.h
new file mode 100644
index 000000000000..7e2c21ebff58
--- /dev/null
+++ b/include/standard-headers/linux/virtio_rtc.h
@@ -0,0 +1,237 @@
+/* SPDX-License-Identifier: ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) */
+/*
+ * Copyright (C) 2022-2024 OpenSynergy GmbH
+ * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ */
+
+#ifndef _LINUX_VIRTIO_RTC_H
+#define _LINUX_VIRTIO_RTC_H
+
+#include "standard-headers/linux/types.h"
+
+/* alarm feature */
+#define VIRTIO_RTC_F_ALARM 0
+
+/* read request message types */
+
+#define VIRTIO_RTC_REQ_READ 0x0001
+#define VIRTIO_RTC_REQ_READ_CROSS 0x0002
+
+/* control request message types */
+
+#define VIRTIO_RTC_REQ_CFG 0x1000
+#define VIRTIO_RTC_REQ_CLOCK_CAP 0x1001
+#define VIRTIO_RTC_REQ_CROSS_CAP 0x1002
+#define VIRTIO_RTC_REQ_READ_ALARM 0x1003
+#define VIRTIO_RTC_REQ_SET_ALARM 0x1004
+#define VIRTIO_RTC_REQ_SET_ALARM_ENABLED 0x1005
+
+/* alarmq message types */
+
+#define VIRTIO_RTC_NOTIF_ALARM 0x2000
+
+/* Message headers */
+
+/** common request header */
+struct virtio_rtc_req_head {
+ uint16_t msg_type;
+ uint8_t reserved[6];
+};
+
+/** common response header */
+struct virtio_rtc_resp_head {
+#define VIRTIO_RTC_S_OK 0
+#define VIRTIO_RTC_S_EOPNOTSUPP 2
+#define VIRTIO_RTC_S_ENODEV 3
+#define VIRTIO_RTC_S_EINVAL 4
+#define VIRTIO_RTC_S_EIO 5
+ uint8_t status;
+ uint8_t reserved[7];
+};
+
+/** common notification header */
+struct virtio_rtc_notif_head {
+ uint16_t msg_type;
+ uint8_t reserved[6];
+};
+
+/* read requests */
+
+/* VIRTIO_RTC_REQ_READ message */
+
+struct virtio_rtc_req_read {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+ uint8_t reserved[6];
+};
+
+struct virtio_rtc_resp_read {
+ struct virtio_rtc_resp_head head;
+ uint64_t clock_reading;
+};
+
+/* VIRTIO_RTC_REQ_READ_CROSS message */
+
+struct virtio_rtc_req_read_cross {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+/* Arm Generic Timer Counter-timer Virtual Count Register (CNTVCT_EL0) */
+#define VIRTIO_RTC_COUNTER_ARM_VCT 0
+/* x86 Time-Stamp Counter */
+#define VIRTIO_RTC_COUNTER_X86_TSC 1
+/* Invalid */
+#define VIRTIO_RTC_COUNTER_INVALID 0xFF
+ uint8_t hw_counter;
+ uint8_t reserved[5];
+};
+
+struct virtio_rtc_resp_read_cross {
+ struct virtio_rtc_resp_head head;
+ uint64_t clock_reading;
+ uint64_t counter_cycles;
+};
+
+/* control requests */
+
+/* VIRTIO_RTC_REQ_CFG message */
+
+struct virtio_rtc_req_cfg {
+ struct virtio_rtc_req_head head;
+ /* no request params */
+};
+
+struct virtio_rtc_resp_cfg {
+ struct virtio_rtc_resp_head head;
+ /** # of clocks -> clock ids < num_clocks are valid */
+ uint16_t num_clocks;
+ uint8_t reserved[6];
+};
+
+/* VIRTIO_RTC_REQ_CLOCK_CAP message */
+
+struct virtio_rtc_req_clock_cap {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+ uint8_t reserved[6];
+};
+
+struct virtio_rtc_resp_clock_cap {
+ struct virtio_rtc_resp_head head;
+#define VIRTIO_RTC_CLOCK_UTC 0
+#define VIRTIO_RTC_CLOCK_TAI 1
+#define VIRTIO_RTC_CLOCK_MONOTONIC 2
+#define VIRTIO_RTC_CLOCK_UTC_SMEARED 3
+#define VIRTIO_RTC_CLOCK_UTC_MAYBE_SMEARED 4
+ uint8_t type;
+#define VIRTIO_RTC_SMEAR_UNSPECIFIED 0
+#define VIRTIO_RTC_SMEAR_NOON_LINEAR 1
+#define VIRTIO_RTC_SMEAR_UTC_SLS 2
+ uint8_t leap_second_smearing;
+#define VIRTIO_RTC_FLAG_ALARM_CAP (1 << 0)
+ uint8_t flags;
+ uint8_t reserved[5];
+};
+
+/* VIRTIO_RTC_REQ_CROSS_CAP message */
+
+struct virtio_rtc_req_cross_cap {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+ uint8_t hw_counter;
+ uint8_t reserved[5];
+};
+
+struct virtio_rtc_resp_cross_cap {
+ struct virtio_rtc_resp_head head;
+#define VIRTIO_RTC_FLAG_CROSS_CAP (1 << 0)
+ uint8_t flags;
+ uint8_t reserved[7];
+};
+
+/* VIRTIO_RTC_REQ_READ_ALARM message */
+
+struct virtio_rtc_req_read_alarm {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+ uint8_t reserved[6];
+};
+
+struct virtio_rtc_resp_read_alarm {
+ struct virtio_rtc_resp_head head;
+ uint64_t alarm_time;
+#define VIRTIO_RTC_FLAG_ALARM_ENABLED (1 << 0)
+ uint8_t flags;
+ uint8_t reserved[7];
+};
+
+/* VIRTIO_RTC_REQ_SET_ALARM message */
+
+struct virtio_rtc_req_set_alarm {
+ struct virtio_rtc_req_head head;
+ uint64_t alarm_time;
+ uint16_t clock_id;
+ /* flag VIRTIO_RTC_FLAG_ALARM_ENABLED */
+ uint8_t flags;
+ uint8_t reserved[5];
+};
+
+struct virtio_rtc_resp_set_alarm {
+ struct virtio_rtc_resp_head head;
+ /* no response params */
+};
+
+/* VIRTIO_RTC_REQ_SET_ALARM_ENABLED message */
+
+struct virtio_rtc_req_set_alarm_enabled {
+ struct virtio_rtc_req_head head;
+ uint16_t clock_id;
+ /* flag VIRTIO_RTC_ALARM_ENABLED */
+ uint8_t flags;
+ uint8_t reserved[5];
+};
+
+struct virtio_rtc_resp_set_alarm_enabled {
+ struct virtio_rtc_resp_head head;
+ /* no response params */
+};
+
+/** Union of request types for requestq */
+union virtio_rtc_req_requestq {
+ struct virtio_rtc_req_read read;
+ struct virtio_rtc_req_read_cross read_cross;
+ struct virtio_rtc_req_cfg cfg;
+ struct virtio_rtc_req_clock_cap clock_cap;
+ struct virtio_rtc_req_cross_cap cross_cap;
+ struct virtio_rtc_req_read_alarm read_alarm;
+ struct virtio_rtc_req_set_alarm set_alarm;
+ struct virtio_rtc_req_set_alarm_enabled set_alarm_enabled;
+};
+
+/** Union of response types for requestq */
+union virtio_rtc_resp_requestq {
+ struct virtio_rtc_resp_read read;
+ struct virtio_rtc_resp_read_cross read_cross;
+ struct virtio_rtc_resp_cfg cfg;
+ struct virtio_rtc_resp_clock_cap clock_cap;
+ struct virtio_rtc_resp_cross_cap cross_cap;
+ struct virtio_rtc_resp_read_alarm read_alarm;
+ struct virtio_rtc_resp_set_alarm set_alarm;
+ struct virtio_rtc_resp_set_alarm_enabled set_alarm_enabled;
+};
+
+/* alarmq notifications */
+
+/* VIRTIO_RTC_NOTIF_ALARM notification */
+
+struct virtio_rtc_notif_alarm {
+ struct virtio_rtc_notif_head head;
+ uint16_t clock_id;
+ uint8_t reserved[6];
+};
+
+/** Union of notification types for alarmq */
+union virtio_rtc_notif_alarmq {
+ struct virtio_rtc_notif_alarm alarm;
+};
+
+#endif /* _LINUX_VIRTIO_RTC_H */
diff --git a/include/standard-headers/linux/virtio_spi.h b/include/standard-headers/linux/virtio_spi.h
new file mode 100644
index 000000000000..54e570fb4a84
--- /dev/null
+++ b/include/standard-headers/linux/virtio_spi.h
@@ -0,0 +1,181 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * Copyright (C) 2023 OpenSynergy GmbH
+ * Copyright (C) 2025 Qualcomm Innovation Center, Inc. All rights reserved.
+ */
+#ifndef _LINUX_VIRTIO_VIRTIO_SPI_H
+#define _LINUX_VIRTIO_VIRTIO_SPI_H
+
+#include "standard-headers/linux/types.h"
+#include "standard-headers/linux/virtio_config.h"
+#include "standard-headers/linux/virtio_ids.h"
+#include "standard-headers/linux/virtio_types.h"
+
+/* Sample data on trailing clock edge */
+#define VIRTIO_SPI_CPHA _BITUL(0)
+/* Clock is high when IDLE */
+#define VIRTIO_SPI_CPOL _BITUL(1)
+/* Chip Select is active high */
+#define VIRTIO_SPI_CS_HIGH _BITUL(2)
+/* Transmit LSB first */
+#define VIRTIO_SPI_MODE_LSB_FIRST _BITUL(3)
+/* Loopback mode */
+#define VIRTIO_SPI_MODE_LOOP _BITUL(4)
+
+/**
+ * struct virtio_spi_config - All config fields are read-only for the
+ * Virtio SPI driver
+ * @cs_max_number: maximum number of chipselect the host SPI controller
+ * supports.
+ * @cs_change_supported: indicates if the host SPI controller supports to toggle
+ * chipselect after each transfer in one message:
+ * 0: unsupported, chipselect will be kept in active state throughout the
+ * message transaction;
+ * 1: supported.
+ * Note: Message here contains a sequence of SPI transfers.
+ * @tx_nbits_supported: indicates the supported number of bit for writing:
+ * bit 0: DUAL (2-bit transfer), 1 for supported
+ * bit 1: QUAD (4-bit transfer), 1 for supported
+ * bit 2: OCTAL (8-bit transfer), 1 for supported
+ * other bits are reserved as 0, 1-bit transfer is always supported.
+ * @rx_nbits_supported: indicates the supported number of bit for reading:
+ * bit 0: DUAL (2-bit transfer), 1 for supported
+ * bit 1: QUAD (4-bit transfer), 1 for supported
+ * bit 2: OCTAL (8-bit transfer), 1 for supported
+ * other bits are reserved as 0, 1-bit transfer is always supported.
+ * @bits_per_word_mask: mask indicating which values of bits_per_word are
+ * supported. If not set, no limitation for bits_per_word.
+ * @mode_func_supported: indicates the following features are supported or not:
+ * bit 0-1: CPHA feature
+ * 0b00: invalid, should support as least one CPHA setting
+ * 0b01: supports CPHA=0 only
+ * 0b10: supports CPHA=1 only
+ * 0b11: supports CPHA=0 and CPHA=1.
+ * bit 2-3: CPOL feature
+ * 0b00: invalid, should support as least one CPOL setting
+ * 0b01: supports CPOL=0 only
+ * 0b10: supports CPOL=1 only
+ * 0b11: supports CPOL=0 and CPOL=1.
+ * bit 4: chipselect active high feature, 0 for unsupported and 1 for
+ * supported, chipselect active low is supported by default.
+ * bit 5: LSB first feature, 0 for unsupported and 1 for supported,
+ * MSB first is supported by default.
+ * bit 6: loopback mode feature, 0 for unsupported and 1 for supported,
+ * normal mode is supported by default.
+ * @max_freq_hz: the maximum clock rate supported in Hz unit, 0 means no
+ * limitation for transfer speed.
+ * @max_word_delay_ns: the maximum word delay supported, in nanoseconds.
+ * A value of 0 indicates that word delay is unsupported.
+ * Each transfer may consist of a sequence of words.
+ * @max_cs_setup_ns: the maximum delay supported after chipselect is asserted,
+ * in ns unit, 0 means delay is not supported to introduce after chipselect is
+ * asserted.
+ * @max_cs_hold_ns: the maximum delay supported before chipselect is deasserted,
+ * in ns unit, 0 means delay is not supported to introduce before chipselect
+ * is deasserted.
+ * @max_cs_incative_ns: maximum delay supported after chipselect is deasserted,
+ * in ns unit, 0 means delay is not supported to introduce after chipselect is
+ * deasserted.
+ */
+struct virtio_spi_config {
+ uint8_t cs_max_number;
+ uint8_t cs_change_supported;
+#define VIRTIO_SPI_RX_TX_SUPPORT_DUAL _BITUL(0)
+#define VIRTIO_SPI_RX_TX_SUPPORT_QUAD _BITUL(1)
+#define VIRTIO_SPI_RX_TX_SUPPORT_OCTAL _BITUL(2)
+ uint8_t tx_nbits_supported;
+ uint8_t rx_nbits_supported;
+ uint32_t bits_per_word_mask;
+#define VIRTIO_SPI_MF_SUPPORT_CPHA_0 _BITUL(0)
+#define VIRTIO_SPI_MF_SUPPORT_CPHA_1 _BITUL(1)
+#define VIRTIO_SPI_MF_SUPPORT_CPOL_0 _BITUL(2)
+#define VIRTIO_SPI_MF_SUPPORT_CPOL_1 _BITUL(3)
+#define VIRTIO_SPI_MF_SUPPORT_CS_HIGH _BITUL(4)
+#define VIRTIO_SPI_MF_SUPPORT_LSB_FIRST _BITUL(5)
+#define VIRTIO_SPI_MF_SUPPORT_LOOPBACK _BITUL(6)
+ uint32_t mode_func_supported;
+ uint32_t max_freq_hz;
+ uint32_t max_word_delay_ns;
+ uint32_t max_cs_setup_ns;
+ uint32_t max_cs_hold_ns;
+ uint32_t max_cs_inactive_ns;
+};
+
+/**
+ * struct spi_transfer_head - virtio SPI transfer descriptor
+ * @chip_select_id: chipselect index the SPI transfer used.
+ * @bits_per_word: the number of bits in each SPI transfer word.
+ * @cs_change: whether to deselect device after finishing this transfer
+ * before starting the next transfer, 0 means cs keep asserted and
+ * 1 means cs deasserted then asserted again.
+ * @tx_nbits: bus width for write transfer.
+ * 0,1: bus width is 1, also known as SINGLE
+ * 2 : bus width is 2, also known as DUAL
+ * 4 : bus width is 4, also known as QUAD
+ * 8 : bus width is 8, also known as OCTAL
+ * other values are invalid.
+ * @rx_nbits: bus width for read transfer.
+ * 0,1: bus width is 1, also known as SINGLE
+ * 2 : bus width is 2, also known as DUAL
+ * 4 : bus width is 4, also known as QUAD
+ * 8 : bus width is 8, also known as OCTAL
+ * other values are invalid.
+ * @reserved: for future use.
+ * @mode: SPI transfer mode.
+ * bit 0: CPHA, determines the timing (i.e. phase) of the data
+ * bits relative to the clock pulses.For CPHA=0, the
+ * "out" side changes the data on the trailing edge of the
+ * preceding clock cycle, while the "in" side captures the data
+ * on (or shortly after) the leading edge of the clock cycle.
+ * For CPHA=1, the "out" side changes the data on the leading
+ * edge of the current clock cycle, while the "in" side
+ * captures the data on (or shortly after) the trailing edge of
+ * the clock cycle.
+ * bit 1: CPOL, determines the polarity of the clock. CPOL=0 is a
+ * clock which idles at 0, and each cycle consists of a pulse
+ * of 1. CPOL=1 is a clock which idles at 1, and each cycle
+ * consists of a pulse of 0.
+ * bit 2: CS_HIGH, if 1, chip select active high, else active low.
+ * bit 3: LSB_FIRST, determines per-word bits-on-wire, if 0, MSB
+ * first, else LSB first.
+ * bit 4: LOOP, loopback mode.
+ * @freq: the transfer speed in Hz.
+ * @word_delay_ns: delay to be inserted between consecutive words of a
+ * transfer, in ns unit.
+ * @cs_setup_ns: delay to be introduced after CS is asserted, in ns
+ * unit.
+ * @cs_delay_hold_ns: delay to be introduced before CS is deasserted
+ * for each transfer, in ns unit.
+ * @cs_change_delay_inactive_ns: delay to be introduced after CS is
+ * deasserted and before next asserted, in ns unit.
+ */
+struct spi_transfer_head {
+ uint8_t chip_select_id;
+ uint8_t bits_per_word;
+ uint8_t cs_change;
+ uint8_t tx_nbits;
+ uint8_t rx_nbits;
+ uint8_t reserved[3];
+ uint32_t mode;
+ uint32_t freq;
+ uint32_t word_delay_ns;
+ uint32_t cs_setup_ns;
+ uint32_t cs_delay_hold_ns;
+ uint32_t cs_change_delay_inactive_ns;
+};
+
+/**
+ * struct spi_transfer_result - virtio SPI transfer result
+ * @result: Transfer result code.
+ * VIRTIO_SPI_TRANS_OK: Transfer successful.
+ * VIRTIO_SPI_PARAM_ERR: Parameter error.
+ * VIRTIO_SPI_TRANS_ERR: Transfer error.
+ */
+struct spi_transfer_result {
+#define VIRTIO_SPI_TRANS_OK 0
+#define VIRTIO_SPI_PARAM_ERR 1
+#define VIRTIO_SPI_TRANS_ERR 2
+ uint8_t result;
+};
+
+#endif /* #ifndef _LINUX_VIRTIO_VIRTIO_SPI_H */
--git a/linux-headers/asm-loongarch/kvm.h b/linux-headers/asm-loongarch/kvm.h
index 5f354f5c6847..57ba1a563bb1 100644
--- a/linux-headers/asm-loongarch/kvm.h
+++ b/linux-headers/asm-loongarch/kvm.h
@@ -103,6 +103,7 @@ struct kvm_fpu {
#define KVM_LOONGARCH_VM_FEAT_PMU 5
#define KVM_LOONGARCH_VM_FEAT_PV_IPI 6
#define KVM_LOONGARCH_VM_FEAT_PV_STEALTIME 7
+#define KVM_LOONGARCH_VM_FEAT_PTW 8
/* Device Control API on vcpu fd */
#define KVM_LOONGARCH_VCPU_CPUCFG 0
--git a/linux-headers/asm-riscv/kvm.h b/linux-headers/asm-riscv/kvm.h
index ef27d4289da1..759a4852c09a 100644
--- a/linux-headers/asm-riscv/kvm.h
+++ b/linux-headers/asm-riscv/kvm.h
@@ -9,7 +9,7 @@
#ifndef __LINUX_KVM_RISCV_H
#define __LINUX_KVM_RISCV_H
-#ifndef __ASSEMBLY__
+#ifndef __ASSEMBLER__
#include <linux/types.h>
#include <asm/bitsperlong.h>
@@ -56,6 +56,7 @@ struct kvm_riscv_config {
unsigned long mimpid;
unsigned long zicboz_block_size;
unsigned long satp_mode;
+ unsigned long zicbop_block_size;
};
/* CORE registers for KVM_GET_ONE_REG and KVM_SET_ONE_REG */
@@ -185,6 +186,10 @@ enum KVM_RISCV_ISA_EXT_ID {
KVM_RISCV_ISA_EXT_ZICCRSE,
KVM_RISCV_ISA_EXT_ZAAMO,
KVM_RISCV_ISA_EXT_ZALRSC,
+ KVM_RISCV_ISA_EXT_ZICBOP,
+ KVM_RISCV_ISA_EXT_ZFBFMIN,
+ KVM_RISCV_ISA_EXT_ZVFBFMIN,
+ KVM_RISCV_ISA_EXT_ZVFBFWMA,
KVM_RISCV_ISA_EXT_MAX,
};
@@ -205,6 +210,7 @@ enum KVM_RISCV_SBI_EXT_ID {
KVM_RISCV_SBI_EXT_DBCN,
KVM_RISCV_SBI_EXT_STA,
KVM_RISCV_SBI_EXT_SUSP,
+ KVM_RISCV_SBI_EXT_FWFT,
KVM_RISCV_SBI_EXT_MAX,
};
@@ -214,6 +220,18 @@ struct kvm_riscv_sbi_sta {
unsigned long shmem_hi;
};
+struct kvm_riscv_sbi_fwft_feature {
+ unsigned long enable;
+ unsigned long flags;
+ unsigned long value;
+};
+
+/* SBI FWFT extension registers for KVM_GET_ONE_REG and KVM_SET_ONE_REG */
+struct kvm_riscv_sbi_fwft {
+ struct kvm_riscv_sbi_fwft_feature misaligned_deleg;
+ struct kvm_riscv_sbi_fwft_feature pointer_masking;
+};
+
/* Possible states for kvm_riscv_timer */
#define KVM_RISCV_TIMER_STATE_OFF 0
#define KVM_RISCV_TIMER_STATE_ON 1
@@ -297,6 +315,9 @@ struct kvm_riscv_sbi_sta {
#define KVM_REG_RISCV_SBI_STA (0x0 << KVM_REG_RISCV_SUBTYPE_SHIFT)
#define KVM_REG_RISCV_SBI_STA_REG(name) \
(offsetof(struct kvm_riscv_sbi_sta, name) / sizeof(unsigned long))
+#define KVM_REG_RISCV_SBI_FWFT (0x1 << KVM_REG_RISCV_SUBTYPE_SHIFT)
+#define KVM_REG_RISCV_SBI_FWFT_REG(name) \
+ (offsetof(struct kvm_riscv_sbi_fwft, name) / sizeof(unsigned long))
/* Device Control API: RISC-V AIA */
#define KVM_DEV_RISCV_APLIC_ALIGN 0x1000
--git a/linux-headers/asm-riscv/ptrace.h b/linux-headers/asm-riscv/ptrace.h
index 1e3166caca8c..a3f8211ede44 100644
--- a/linux-headers/asm-riscv/ptrace.h
+++ b/linux-headers/asm-riscv/ptrace.h
@@ -6,7 +6,7 @@
#ifndef _ASM_RISCV_PTRACE_H
#define _ASM_RISCV_PTRACE_H
-#ifndef __ASSEMBLY__
+#ifndef __ASSEMBLER__
#include <linux/types.h>
@@ -127,6 +127,6 @@ struct __riscv_v_regset_state {
*/
#define RISCV_MAX_VLENB (8192)
-#endif /* __ASSEMBLY__ */
+#endif /* __ASSEMBLER__ */
#endif /* _ASM_RISCV_PTRACE_H */
--git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
index f0c1a730d9c3..3bb38f6c3a41 100644
--- a/linux-headers/asm-x86/kvm.h
+++ b/linux-headers/asm-x86/kvm.h
@@ -35,6 +35,11 @@
#define MC_VECTOR 18
#define XM_VECTOR 19
#define VE_VECTOR 20
+#define CP_VECTOR 21
+
+#define HV_VECTOR 28
+#define VC_VECTOR 29
+#define SX_VECTOR 30
/* Select x86 specific features in <linux/kvm.h> */
#define __KVM_HAVE_PIT
@@ -409,6 +414,35 @@ struct kvm_xcrs {
__u64 padding[16];
};
+#define KVM_X86_REG_TYPE_MSR 2
+#define KVM_X86_REG_TYPE_KVM 3
+
+#define KVM_X86_KVM_REG_SIZE(reg) \
+({ \
+ reg == KVM_REG_GUEST_SSP ? KVM_REG_SIZE_U64 : 0; \
+})
+
+#define KVM_X86_REG_TYPE_SIZE(type, reg) \
+({ \
+ __u64 type_size = (__u64)type << 32; \
+ \
+ type_size |= type == KVM_X86_REG_TYPE_MSR ? KVM_REG_SIZE_U64 : \
+ type == KVM_X86_REG_TYPE_KVM ? KVM_X86_KVM_REG_SIZE(reg) : \
+ 0; \
+ type_size; \
+})
+
+#define KVM_X86_REG_ID(type, index) \
+ (KVM_REG_X86 | KVM_X86_REG_TYPE_SIZE(type, index) | index)
+
+#define KVM_X86_REG_MSR(index) \
+ KVM_X86_REG_ID(KVM_X86_REG_TYPE_MSR, index)
+#define KVM_X86_REG_KVM(index) \
+ KVM_X86_REG_ID(KVM_X86_REG_TYPE_KVM, index)
+
+/* KVM-defined registers starting from 0 */
+#define KVM_REG_GUEST_SSP 0
+
#define KVM_SYNC_X86_REGS (1UL << 0)
#define KVM_SYNC_X86_SREGS (1UL << 1)
#define KVM_SYNC_X86_EVENTS (1UL << 2)
--git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
index 2f55bebb81cc..26c258d1a609 100644
--- a/linux-headers/asm-x86/unistd_64.h
+++ b/linux-headers/asm-x86/unistd_64.h
@@ -337,6 +337,7 @@
#define __NR_io_pgetevents 333
#define __NR_rseq 334
#define __NR_uretprobe 335
+#define __NR_uprobe 336
#define __NR_pidfd_send_signal 424
#define __NR_io_uring_setup 425
#define __NR_io_uring_enter 426
--git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
index 8cc8673f1547..65c2aed94623 100644
--- a/linux-headers/asm-x86/unistd_x32.h
+++ b/linux-headers/asm-x86/unistd_x32.h
@@ -290,6 +290,7 @@
#define __NR_io_pgetevents (__X32_SYSCALL_BIT + 333)
#define __NR_rseq (__X32_SYSCALL_BIT + 334)
#define __NR_uretprobe (__X32_SYSCALL_BIT + 335)
+#define __NR_uprobe (__X32_SYSCALL_BIT + 336)
#define __NR_pidfd_send_signal (__X32_SYSCALL_BIT + 424)
#define __NR_io_uring_setup (__X32_SYSCALL_BIT + 425)
#define __NR_io_uring_enter (__X32_SYSCALL_BIT + 426)
--git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index be704965d865..4ea28ef7cac1 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -954,6 +954,7 @@ struct kvm_enable_cap {
#define KVM_CAP_ARM_EL2_E2H0 241
#define KVM_CAP_RISCV_MP_STATE_RESET 242
#define KVM_CAP_ARM_CACHEABLE_PFNMAP_SUPPORTED 243
+#define KVM_CAP_GUEST_MEMFD_FLAGS 244
struct kvm_irq_routing_irqchip {
__u32 irqchip;
@@ -1590,6 +1591,8 @@ struct kvm_memory_attributes {
#define KVM_MEMORY_ATTRIBUTE_PRIVATE (1ULL << 3)
#define KVM_CREATE_GUEST_MEMFD _IOWR(KVMIO, 0xd4, struct kvm_create_guest_memfd)
+#define GUEST_MEMFD_FLAG_MMAP (1ULL << 0)
+#define GUEST_MEMFD_FLAG_INIT_SHARED (1ULL << 1)
struct kvm_create_guest_memfd {
__u64 size;
--git a/linux-headers/linux/psp-sev.h b/linux-headers/linux/psp-sev.h
index 113c4ceb7840..c525125ea815 100644
--- a/linux-headers/linux/psp-sev.h
+++ b/linux-headers/linux/psp-sev.h
@@ -185,6 +185,10 @@ struct sev_user_data_get_id2 {
* @mask_chip_id: whether chip id is present in attestation reports or not
* @mask_chip_key: whether attestation reports are signed or not
* @vlek_en: VLEK (Version Loaded Endorsement Key) hashstick is loaded
+ * @feature_info: whether SNP_FEATURE_INFO command is available
+ * @rapl_dis: whether RAPL is disabled
+ * @ciphertext_hiding_cap: whether platform has ciphertext hiding capability
+ * @ciphertext_hiding_en: whether ciphertext hiding is enabled
* @rsvd1: reserved
* @guest_count: the number of guest currently managed by the firmware
* @current_tcb_version: current TCB version
@@ -200,7 +204,11 @@ struct sev_user_data_snp_status {
__u32 mask_chip_id:1; /* Out */
__u32 mask_chip_key:1; /* Out */
__u32 vlek_en:1; /* Out */
- __u32 rsvd1:29;
+ __u32 feature_info:1; /* Out */
+ __u32 rapl_dis:1; /* Out */
+ __u32 ciphertext_hiding_cap:1; /* Out */
+ __u32 ciphertext_hiding_en:1; /* Out */
+ __u32 rsvd1:25;
__u32 guest_count; /* Out */
__u64 current_tcb_version; /* Out */
__u64 reported_tcb_version; /* Out */
--git a/linux-headers/linux/stddef.h b/linux-headers/linux/stddef.h
index e1fcfcf3b332..48ee4438e0ef 100644
--- a/linux-headers/linux/stddef.h
+++ b/linux-headers/linux/stddef.h
@@ -3,7 +3,6 @@
#define _LINUX_STDDEF_H
-
#ifndef __always_inline
#define __always_inline __inline__
#endif
--git a/linux-headers/linux/vduse.h b/linux-headers/linux/vduse.h
index f46269af349a..da6ac89af18e 100644
--- a/linux-headers/linux/vduse.h
+++ b/linux-headers/linux/vduse.h
@@ -237,7 +237,7 @@ struct vduse_iova_umem {
* struct vduse_iova_info - information of one IOVA region
* @start: start of the IOVA region
* @last: last of the IOVA region
- * @capability: capability of the IOVA regsion
+ * @capability: capability of the IOVA region
* @reserved: for future use, needs to be initialized to zero
*
* Structure used by VDUSE_IOTLB_GET_INFO ioctl to get information of
--git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h
index 283348b64af9..c57674a6aa0d 100644
--- a/linux-headers/linux/vhost.h
+++ b/linux-headers/linux/vhost.h
@@ -260,7 +260,7 @@
* When fork_owner is set to VHOST_FORK_OWNER_KTHREAD:
* - Vhost will create vhost workers as kernel threads.
*/
-#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x83, __u8)
+#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x84, __u8)
/**
* VHOST_GET_FORK_OWNER - Get the current fork_owner flag for the vhost device.
@@ -268,6 +268,6 @@
*
* @return: An 8-bit value indicating the current thread mode.
*/
-#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x84, __u8)
+#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x85, __u8)
#endif
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[]
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
2025-10-24 6:56 ` [PATCH v3 01/20] linux-headers: Update to v6.18-rc2 Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 5:47 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment Zhao Liu
` (17 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 58 +++++++++++++++++++++++++++--------------------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 0a66e1fec939..f0e179c2d235 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2028,38 +2028,46 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
.feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
.size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
},
- [XSTATE_YMM_BIT] =
- { .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
- .size = sizeof(XSaveAVX) },
- [XSTATE_BNDREGS_BIT] =
- { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
- .size = sizeof(XSaveBNDREG) },
- [XSTATE_BNDCSR_BIT] =
- { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
- .size = sizeof(XSaveBNDCSR) },
- [XSTATE_OPMASK_BIT] =
- { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
- .size = sizeof(XSaveOpmask) },
- [XSTATE_ZMM_Hi256_BIT] =
- { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
- .size = sizeof(XSaveZMM_Hi256) },
- [XSTATE_Hi16_ZMM_BIT] =
- { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
- .size = sizeof(XSaveHi16_ZMM) },
- [XSTATE_PKRU_BIT] =
- { .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
- .size = sizeof(XSavePKRU) },
+ [XSTATE_YMM_BIT] = {
+ .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
+ .size = sizeof(XSaveAVX),
+ },
+ [XSTATE_BNDREGS_BIT] = {
+ .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
+ .size = sizeof(XSaveBNDREG),
+ },
+ [XSTATE_BNDCSR_BIT] = {
+ .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
+ .size = sizeof(XSaveBNDCSR),
+ },
+ [XSTATE_OPMASK_BIT] = {
+ .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
+ .size = sizeof(XSaveOpmask),
+ },
+ [XSTATE_ZMM_Hi256_BIT] = {
+ .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
+ .size = sizeof(XSaveZMM_Hi256),
+ },
+ [XSTATE_Hi16_ZMM_BIT] = {
+ .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
+ .size = sizeof(XSaveHi16_ZMM),
+ },
+ [XSTATE_PKRU_BIT] = {
+ .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
+ .size = sizeof(XSavePKRU),
+ },
[XSTATE_ARCH_LBR_BIT] = {
- .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
- .offset = 0 /*supervisor mode component, offset = 0 */,
- .size = sizeof(XSavesArchLBR) },
+ .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
+ .offset = 0 /*supervisor mode component, offset = 0 */,
+ .size = sizeof(XSavesArchLBR),
+ },
[XSTATE_XTILE_CFG_BIT] = {
.feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
.size = sizeof(XSaveXTILECFG),
},
[XSTATE_XTILE_DATA_BIT] = {
.feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
- .size = sizeof(XSaveXTILEDATA)
+ .size = sizeof(XSaveXTILEDATA),
},
};
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
2025-10-24 6:56 ` [PATCH v3 01/20] linux-headers: Update to v6.18-rc2 Zhao Liu
2025-10-24 6:56 ` [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[] Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:08 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions Zhao Liu
` (16 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Arch LBR state is area 15, not 19. Fix this comment. And considerring
other areas don't mention user or supervisor state, for consistent
style, remove "Supervisor mode" from its comment.
Moreover, rename XSavesArchLBR to XSaveArchLBR since there's no need to
emphasize XSAVES in naming; the XSAVE related structure is mainly
used to represent memory layout.
In addition, arch lbr specifies its offset of xsave component as 0. But
this cannot help on anything. The offset of ExtSaveArea is initialized
by accelerators (e.g., hvf_cpu_xsave_init(), kvm_cpu_xsave_init() and
x86_tcg_cpu_xsave_init()), so explicitly setting the offset doesn't
work and CPUID 0xD encoding has already ensure supervisor states won't
have non-zero offsets. Drop the offset initialization and its comment
from the xsave area of arch lbr.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 3 +--
target/i386/cpu.h | 8 ++++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index f0e179c2d235..b9a5a0400dea 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2058,8 +2058,7 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
},
[XSTATE_ARCH_LBR_BIT] = {
.feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
- .offset = 0 /*supervisor mode component, offset = 0 */,
- .size = sizeof(XSavesArchLBR),
+ .size = sizeof(XSaveArchLBR),
},
[XSTATE_XTILE_CFG_BIT] = {
.feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d0da9bfe58ce..886a941e481c 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1747,15 +1747,15 @@ typedef struct {
#define ARCH_LBR_NR_ENTRIES 32
-/* Ext. save area 19: Supervisor mode Arch LBR state */
-typedef struct XSavesArchLBR {
+/* Ext. save area 15: Arch LBR state */
+typedef struct XSaveArchLBR {
uint64_t lbr_ctl;
uint64_t lbr_depth;
uint64_t ler_from;
uint64_t ler_to;
uint64_t ler_info;
LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
-} XSavesArchLBR;
+} XSaveArchLBR;
QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
@@ -1766,7 +1766,7 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
-QEMU_BUILD_BUG_ON(sizeof(XSavesArchLBR) != 0x328);
+QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
typedef struct ExtSaveArea {
uint32_t feature, bits;
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (2 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:22 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies Zhao Liu
` (15 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
- Move ARCH_LBR_NR_ENTRIES macro and LBREntry definition before XSAVE
areas definitions.
- Reorder XSavesArchLBR (area 15) between XSavePKRU (area 9) and
XSaveXTILECFG (area 17), and reorder the related QEMU_BUILD_BUG_ON
check to keep the same ordering.
This makes xsave structures to be organized together and makes them
clearer.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.h | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 886a941e481c..ac527971d8cd 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1652,6 +1652,14 @@ typedef struct {
#define NB_OPMASK_REGS 8
+typedef struct {
+ uint64_t from;
+ uint64_t to;
+ uint64_t info;
+} LBREntry;
+
+#define ARCH_LBR_NR_ENTRIES 32
+
/* CPU can't have 0xFFFFFFFF APIC ID, use that value to distinguish
* that APIC ID hasn't been set yet
*/
@@ -1729,24 +1737,6 @@ typedef struct XSavePKRU {
uint32_t padding;
} XSavePKRU;
-/* Ext. save area 17: AMX XTILECFG state */
-typedef struct XSaveXTILECFG {
- uint8_t xtilecfg[64];
-} XSaveXTILECFG;
-
-/* Ext. save area 18: AMX XTILEDATA state */
-typedef struct XSaveXTILEDATA {
- uint8_t xtiledata[8][1024];
-} XSaveXTILEDATA;
-
-typedef struct {
- uint64_t from;
- uint64_t to;
- uint64_t info;
-} LBREntry;
-
-#define ARCH_LBR_NR_ENTRIES 32
-
/* Ext. save area 15: Arch LBR state */
typedef struct XSaveArchLBR {
uint64_t lbr_ctl;
@@ -1757,6 +1747,16 @@ typedef struct XSaveArchLBR {
LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
} XSaveArchLBR;
+/* Ext. save area 17: AMX XTILECFG state */
+typedef struct XSaveXTILECFG {
+ uint8_t xtilecfg[64];
+} XSaveXTILECFG;
+
+/* Ext. save area 18: AMX XTILEDATA state */
+typedef struct XSaveXTILEDATA {
+ uint8_t xtiledata[8][1024];
+} XSaveXTILEDATA;
+
QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveBNDCSR) != 0x40);
@@ -1764,9 +1764,9 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveOpmask) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveZMM_Hi256) != 0x200);
QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
+QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
-QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
typedef struct ExtSaveArea {
uint32_t feature, bits;
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (3 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 7:04 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM Zhao Liu
` (14 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Some XSAVE components depend on multiple features. For example, Opmask/
ZMM_Hi256/Hi16_ZMM depend on avx512f OR avx10, and for CET (which will
be supported later), cet_u/cet_s will depend on shstk OR ibt.
Although previously there's the special check for the dependencies of
AVX512F OR AVX10 on their respective XSAVE components (in
cpuid_has_xsave_feature()), to make the code more general and avoid
adding more special cases, make ExtSaveArea store a features array
instead of a single feature, so that it can describe multiple
dependencies.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 71 ++++++++++++++++++++++++++++++++++-------------
target/i386/cpu.h | 9 +++++-
2 files changed, 59 insertions(+), 21 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index b9a5a0400dea..cd269d15ce0b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2020,53 +2020,77 @@ static const X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = {
ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
[XSTATE_FP_BIT] = {
/* x87 FP state component is always enabled if XSAVE is supported */
- .feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
.size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
+ .features = {
+ { FEAT_1_ECX, CPUID_EXT_XSAVE },
+ },
},
[XSTATE_SSE_BIT] = {
/* SSE state component is always enabled if XSAVE is supported */
- .feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
.size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
+ .features = {
+ { FEAT_1_ECX, CPUID_EXT_XSAVE },
+ },
},
[XSTATE_YMM_BIT] = {
- .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
.size = sizeof(XSaveAVX),
+ .features = {
+ { FEAT_1_ECX, CPUID_EXT_AVX },
+ },
},
[XSTATE_BNDREGS_BIT] = {
- .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
.size = sizeof(XSaveBNDREG),
+ .features = {
+ { FEAT_7_0_EBX, CPUID_7_0_EBX_MPX },
+ },
},
[XSTATE_BNDCSR_BIT] = {
- .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
.size = sizeof(XSaveBNDCSR),
+ .features = {
+ { FEAT_7_0_EBX, CPUID_7_0_EBX_MPX },
+ },
},
[XSTATE_OPMASK_BIT] = {
- .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
.size = sizeof(XSaveOpmask),
+ .features = {
+ { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ },
},
[XSTATE_ZMM_Hi256_BIT] = {
- .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
.size = sizeof(XSaveZMM_Hi256),
+ .features = {
+ { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ },
},
[XSTATE_Hi16_ZMM_BIT] = {
- .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
.size = sizeof(XSaveHi16_ZMM),
+ .features = {
+ { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ },
},
[XSTATE_PKRU_BIT] = {
- .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
.size = sizeof(XSavePKRU),
+ .features = {
+ { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU },
+ },
},
[XSTATE_ARCH_LBR_BIT] = {
- .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
.size = sizeof(XSaveArchLBR),
+ .features = {
+ { FEAT_7_0_EDX, CPUID_7_0_EDX_ARCH_LBR },
+ },
},
[XSTATE_XTILE_CFG_BIT] = {
- .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
.size = sizeof(XSaveXTILECFG),
+ .features = {
+ { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE },
+ },
},
[XSTATE_XTILE_DATA_BIT] = {
- .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
.size = sizeof(XSaveXTILEDATA),
+ .features = {
+ { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE },
+ },
},
};
@@ -7137,10 +7161,13 @@ static const char *x86_cpu_feature_name(FeatureWord w, int bitnr)
if (w == FEAT_XSAVE_XCR0_LO || w == FEAT_XSAVE_XCR0_HI) {
int comp = (w == FEAT_XSAVE_XCR0_HI) ? bitnr + 32 : bitnr;
- if (comp < ARRAY_SIZE(x86_ext_save_areas) &&
- x86_ext_save_areas[comp].bits) {
- w = x86_ext_save_areas[comp].feature;
- bitnr = ctz32(x86_ext_save_areas[comp].bits);
+ if (comp < ARRAY_SIZE(x86_ext_save_areas)) {
+ /* Present the first feature as the default. */
+ const FeatureMask *fm = &x86_ext_save_areas[comp].features[0];
+ if (fm->mask != 0) {
+ w = fm->index;
+ bitnr = ctz32(fm->mask);
+ }
}
}
@@ -8610,11 +8637,15 @@ static bool cpuid_has_xsave_feature(CPUX86State *env, const ExtSaveArea *esa)
return false;
}
- if (env->features[esa->feature] & esa->bits) {
- return true;
+ for (int i = 0; i < ARRAY_SIZE(esa->features); i++) {
+ if (env->features[esa->features[i].index] & esa->features[i].mask) {
+ return true;
+ }
}
- if (esa->feature == FEAT_7_0_EBX && esa->bits == CPUID_7_0_EBX_AVX512F
- && (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
+
+ if (esa->features[0].index == FEAT_7_0_EBX &&
+ esa->features[0].mask == CPUID_7_0_EBX_AVX512F &&
+ (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
return true;
}
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index ac527971d8cd..6537affcf067 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1769,9 +1769,16 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
typedef struct ExtSaveArea {
- uint32_t feature, bits;
uint32_t offset, size;
uint32_t ecx;
+ /*
+ * The dependencies in the array work as OR relationships, which
+ * means having just one of those features is enough.
+ *
+ * At most two features are sharing the same xsave area.
+ * Number of features can be adjusted if necessary.
+ */
+ const FeatureMask features[2];
} ExtSaveArea;
#define XSAVE_STATE_AREA_COUNT (XSTATE_XTILE_DATA_BIT + 1)
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (4 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 7:05 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state Zhao Liu
` (13 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
With feature array in ExtSaveArea, add avx10 as the second dependency
for Opmask/ZMM_Hi256/Hi16_ZMM xsave components, and drop the special
check in cpuid_has_xsave_feature().
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index cd269d15ce0b..236a2f3a9426 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2054,18 +2054,21 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
.size = sizeof(XSaveOpmask),
.features = {
{ FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
},
},
[XSTATE_ZMM_Hi256_BIT] = {
.size = sizeof(XSaveZMM_Hi256),
.features = {
{ FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
},
},
[XSTATE_Hi16_ZMM_BIT] = {
.size = sizeof(XSaveHi16_ZMM),
.features = {
{ FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
+ { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
},
},
[XSTATE_PKRU_BIT] = {
@@ -8643,12 +8646,6 @@ static bool cpuid_has_xsave_feature(CPUX86State *env, const ExtSaveArea *esa)
}
}
- if (esa->features[0].index == FEAT_7_0_EBX &&
- esa->features[0].mask == CPUID_7_0_EBX_AVX512F &&
- (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
- return true;
- }
-
return false;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (5 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:40 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding Zhao Liu
` (12 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
The arch lbr state has 2 dependencies:
* Arch lbr feature bit (CPUID 0x7.0x0:EDX[bit 19]):
This bit also depends on pmu property. Mask it off if pmu is disabled
in x86_cpu_expand_features(), so that it is not needed to repeatedly
check whether this bit is set as well as pmu is enabled.
Note this doesn't need compat option, since even KVM hasn't support
arch lbr yet.
The supported xstate is constructed based such dependency in
cpuid_has_xsave_feature(), so if pmu is disabled and arch lbr bit is
masked off, then arch lbr state won't be included in supported
xstates.
Thus it's safe to drop the check on arch lbr bit in CPUID 0xD
encoding.
* XSAVES feature bit (CPUID 0xD.0x1.EAX[bit 3]):
Arch lbr state is a supervisor state, which requires the XSAVES
feature support. Enumerate supported supervisor state based on XSAVES
feature bit in x86_cpu_enable_xsave_components().
Then it's safe to drop the check on XSAVES feature support during
CPUID 0XD encoding.
Suggested-by: Zide Chen <zide.chen@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 236a2f3a9426..5b7a81fcdb1b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -8174,16 +8174,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*ebx = xsave_area_size(xstate, true);
*ecx = env->features[FEAT_XSAVE_XSS_LO];
*edx = env->features[FEAT_XSAVE_XSS_HI];
- if (kvm_enabled() && cpu->enable_pmu &&
- (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR) &&
- (*eax & CPUID_XSAVE_XSAVES)) {
- *ecx |= XSTATE_ARCH_LBR_MASK;
- } else {
- *ecx &= ~XSTATE_ARCH_LBR_MASK;
- }
- } else if (count == 0xf && cpu->enable_pmu
- && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
- x86_cpu_get_supported_cpuid(0xD, count, eax, ebx, ecx, edx);
} else if (count < ARRAY_SIZE(x86_ext_save_areas)) {
const ExtSaveArea *esa = &x86_ext_save_areas[count];
@@ -8902,6 +8892,12 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
mask = 0;
for (i = 0; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
+ /* Skip supervisor states if XSAVES is not supported. */
+ if (CPUID_XSTATE_XSS_MASK & (1 << i) &&
+ !(env->features[FEAT_XSAVE] & CPUID_XSAVE_XSAVES)) {
+ continue;
+ }
+
const ExtSaveArea *esa = &x86_ext_save_areas[i];
if (cpuid_has_xsave_feature(env, esa)) {
mask |= (1ULL << i);
@@ -9019,11 +9015,13 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
}
}
- if (!cpu->pdcm_on_even_without_pmu) {
+ if (!cpu->enable_pmu) {
/* PDCM is fixed1 bit for TDX */
- if (!cpu->enable_pmu && !is_tdx_vm()) {
+ if (!cpu->pdcm_on_even_without_pmu && !is_tdx_vm()) {
env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
}
+
+ env->features[FEAT_7_0_EDX] &= ~CPUID_7_0_EDX_ARCH_LBR;
}
for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (6 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:51 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization Zhao Liu
` (11 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Since CPUID_7_0_EDX_ARCH_LBR will be masked off if pmu is disabled,
there's no need to check CPUID_7_0_EDX_ARCH_LBR feature with pmu.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 5b7a81fcdb1b..5cd335bb5574 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -8275,11 +8275,16 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
}
break;
}
- case 0x1C:
- if (cpu->enable_pmu && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
- x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
- *edx = 0;
+ case 0x1C: /* Last Branch Records Information Leaf */
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
+ *edx = 0;
+ if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
+ break;
}
+ x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
+ *edx = 0; /* EDX is reserved. */
break;
case 0x1D: {
/* AMX TILE, for now hardcoded for Sapphire Rapids*/
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (7 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 7:55 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features Zhao Liu
` (10 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
From: Chao Gao <chao.gao@intel.com>
Arch lbr is a supervisor xstate, but its area is not covered in
x86_cpu_init_xsave().
Fix it by checking supported xss bitmap.
In addition, drop the (uint64_t) type casts for supported_xcr0 since
x86_cpu_get_supported_feature_word() returns uint64_t so that the cast
is not needed. Then ensure line length is within 90 characters.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 5cd335bb5574..1917376dbea9 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -9707,20 +9707,23 @@ static void x86_cpu_post_initfn(Object *obj)
static void x86_cpu_init_xsave(void)
{
static bool first = true;
- uint64_t supported_xcr0;
+ uint64_t supported_xcr0, supported_xss;
int i;
if (first) {
first = false;
supported_xcr0 =
- ((uint64_t) x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) << 32) |
+ x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) |
x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_LO);
+ supported_xss =
+ x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XSS_HI) << 32 |
+ x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XSS_LO);
for (i = XSTATE_SSE_BIT + 1; i < XSAVE_STATE_AREA_COUNT; i++) {
ExtSaveArea *esa = &x86_ext_save_areas[i];
- if (!(supported_xcr0 & (1 << i))) {
+ if (!((supported_xcr0 | supported_xss) & (1 << i))) {
esa->size = 0;
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (8 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 8:42 ` Xiaoyao Li
2025-10-27 11:36 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states Zhao Liu
` (9 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Xtile-cfg & xtile-data are both user xstates. Their xstates are cached
in X86CPUState, and there's a related vmsd "vmstate_amx_xtile", so that
it's safe to mark them as migratable.
Arch lbr xstate is a supervisor xstate, and it is save & load by saving
& loading related arch lbr MSRs, which are cached in X86CPUState, and
there's a related vmsd "vmstate_arch_lbr". So it's also safe to mark it
as migratable (even though KVM hasn't supported it - its migration
support is completed in QEMU).
PT is still unmigratable since KVM disabled it and there's no vmsd and
no other emulation/simulation support.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 1917376dbea9..b01729ad36d2 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
- XSTATE_PKRU_MASK,
+ XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
+ XSTATE_XTILE_DATA_MASK,
},
[FEAT_XSAVE_XCR0_HI] = {
.type = CPUID_FEATURE_WORD,
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (9 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:00 ` Xiaoyao Li
2025-10-29 4:58 ` Chao Gao
2025-10-24 6:56 ` [PATCH v3 12/20] i386/cpu: Add CET support in CR4 Zhao Liu
` (8 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu, Yang Weijiang
From: Yang Weijiang <weijiang.yang@intel.com>
Add CET_U/S bits in xstate area and report support in xstate
feature mask.
MSR_XSS[bit 11] corresponds to CET user mode states.
MSR_XSS[bit 12] corresponds to CET supervisor mode states.
CET Shadow Stack(SHSTK) and Indirect Branch Tracking(IBT) features
are enumerated via CPUID.(EAX=07H,ECX=0H):ECX[7] and EDX[20]
respectively, two features share the same state bits in XSS, so
if either of the features is enabled, set CET_U and CET_S bits
together.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Co-developed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Changes Since v2:
- Rename XSavesCETU/XSavesCETS to XSaveCETU/XSaveCETS.
- Refine the comments.
- Drop ".offset = 0" and its comment.
- Re-describe xstate dependencies via features array.
- Drop "cet-u" & "cet-s" enumeration from FEAT_XSAVE_XSS_LO's
feat_name array sicne currently xsave doesn't use named features.
---
target/i386/cpu.c | 14 ++++++++++++++
target/i386/cpu.h | 26 +++++++++++++++++++++++++-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index b01729ad36d2..0bb65e8c5321 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2078,6 +2078,20 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
{ FEAT_7_0_ECX, CPUID_7_0_ECX_PKU },
},
},
+ [XSTATE_CET_U_BIT] = {
+ .size = sizeof(XSaveCETU),
+ .features = {
+ { FEAT_7_0_ECX, CPUID_7_0_ECX_CET_SHSTK },
+ { FEAT_7_0_EDX, CPUID_7_0_EDX_CET_IBT },
+ },
+ },
+ [XSTATE_CET_S_BIT] = {
+ .size = sizeof(XSaveCETS),
+ .features = {
+ { FEAT_7_0_ECX, CPUID_7_0_ECX_CET_SHSTK },
+ { FEAT_7_0_EDX, CPUID_7_0_EDX_CET_IBT },
+ },
+ },
[XSTATE_ARCH_LBR_BIT] = {
.size = sizeof(XSaveArchLBR),
.features = {
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 6537affcf067..7584cddb5917 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -589,6 +589,8 @@ typedef enum X86Seg {
#define XSTATE_Hi16_ZMM_BIT 7
#define XSTATE_PT_BIT 8
#define XSTATE_PKRU_BIT 9
+#define XSTATE_CET_U_BIT 11
+#define XSTATE_CET_S_BIT 12
#define XSTATE_ARCH_LBR_BIT 15
#define XSTATE_XTILE_CFG_BIT 17
#define XSTATE_XTILE_DATA_BIT 18
@@ -603,6 +605,8 @@ typedef enum X86Seg {
#define XSTATE_Hi16_ZMM_MASK (1ULL << XSTATE_Hi16_ZMM_BIT)
#define XSTATE_PT_MASK (1ULL << XSTATE_PT_BIT)
#define XSTATE_PKRU_MASK (1ULL << XSTATE_PKRU_BIT)
+#define XSTATE_CET_U_MASK (1ULL << XSTATE_CET_U_BIT)
+#define XSTATE_CET_S_MASK (1ULL << XSTATE_CET_S_BIT)
#define XSTATE_ARCH_LBR_MASK (1ULL << XSTATE_ARCH_LBR_BIT)
#define XSTATE_XTILE_CFG_MASK (1ULL << XSTATE_XTILE_CFG_BIT)
#define XSTATE_XTILE_DATA_MASK (1ULL << XSTATE_XTILE_DATA_BIT)
@@ -625,7 +629,8 @@ typedef enum X86Seg {
XSTATE_XTILE_CFG_MASK | XSTATE_XTILE_DATA_MASK)
/* CPUID feature bits available in XSS */
-#define CPUID_XSTATE_XSS_MASK (XSTATE_ARCH_LBR_MASK)
+#define CPUID_XSTATE_XSS_MASK (XSTATE_ARCH_LBR_MASK | XSTATE_CET_U_MASK | \
+ XSTATE_CET_S_MASK)
#define CPUID_XSTATE_MASK (CPUID_XSTATE_XCR0_MASK | CPUID_XSTATE_XSS_MASK)
@@ -904,6 +909,8 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
#define CPUID_7_0_ECX_WAITPKG (1U << 5)
/* Additional AVX-512 Vector Byte Manipulation Instruction */
#define CPUID_7_0_ECX_AVX512_VBMI2 (1U << 6)
+/* Control-flow enforcement technology: shadow stack */
+#define CPUID_7_0_ECX_CET_SHSTK (1U << 7)
/* Galois Field New Instructions */
#define CPUID_7_0_ECX_GFNI (1U << 8)
/* Vector AES Instructions */
@@ -951,6 +958,8 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
#define CPUID_7_0_EDX_TSX_LDTRK (1U << 16)
/* Architectural LBRs */
#define CPUID_7_0_EDX_ARCH_LBR (1U << 19)
+/* Control-flow enforcement technology: indirect branch tracking */
+#define CPUID_7_0_EDX_CET_IBT (1U << 20)
/* AMX_BF16 instruction */
#define CPUID_7_0_EDX_AMX_BF16 (1U << 22)
/* AVX512_FP16 instruction */
@@ -1737,6 +1746,19 @@ typedef struct XSavePKRU {
uint32_t padding;
} XSavePKRU;
+/* Ext. save area 11: CET_U state */
+typedef struct XSaveCETU {
+ uint64_t u_cet;
+ uint64_t pl3_ssp;
+} XSaveCETU;
+
+/* Ext. save area 12: CET_S state */
+typedef struct XSaveCETS {
+ uint64_t pl0_ssp;
+ uint64_t pl1_ssp;
+ uint64_t pl2_ssp;
+} XSaveCETS;
+
/* Ext. save area 15: Arch LBR state */
typedef struct XSaveArchLBR {
uint64_t lbr_ctl;
@@ -1764,6 +1786,8 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveOpmask) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveZMM_Hi256) != 0x200);
QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
+QEMU_BUILD_BUG_ON(sizeof(XSaveCETU) != 0x10);
+QEMU_BUILD_BUG_ON(sizeof(XSaveCETS) != 0x18);
QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 12/20] i386/cpu: Add CET support in CR4
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (10 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 2:04 ` Chenyi Qiang
2025-10-24 6:56 ` [PATCH v3 13/20] i386/kvm: Add save/load support for CET MSRs Zhao Liu
` (7 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
CR4.CET bit (bit 23) is as master enable for CET.
Check and adjust CR4.CET bit based on CET CPUIDs.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.h | 7 ++++++-
target/i386/helper.c | 12 ++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 7584cddb5917..86fbfd5e4023 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -257,6 +257,7 @@ typedef enum X86Seg {
#define CR4_SMEP_MASK (1U << 20)
#define CR4_SMAP_MASK (1U << 21)
#define CR4_PKE_MASK (1U << 22)
+#define CR4_CET_MASK (1U << 23)
#define CR4_PKS_MASK (1U << 24)
#define CR4_LAM_SUP_MASK (1U << 28)
@@ -274,7 +275,7 @@ typedef enum X86Seg {
| CR4_LA57_MASK \
| CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
| CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \
- | CR4_LAM_SUP_MASK | CR4_FRED_MASK))
+ | CR4_LAM_SUP_MASK | CR4_FRED_MASK | CR4_CET_MASK))
#define DR6_BD (1 << 13)
#define DR6_BS (1 << 14)
@@ -2945,6 +2946,10 @@ static inline uint64_t cr4_reserved_bits(CPUX86State *env)
if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED)) {
reserved_bits |= CR4_FRED_MASK;
}
+ if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) &&
+ !(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT)) {
+ reserved_bits |= CR4_CET_MASK;
+ }
return reserved_bits;
}
diff --git a/target/i386/helper.c b/target/i386/helper.c
index 72b2e195a31e..3f179c6c11f8 100644
--- a/target/i386/helper.c
+++ b/target/i386/helper.c
@@ -232,6 +232,18 @@ void cpu_x86_update_cr4(CPUX86State *env, uint32_t new_cr4)
new_cr4 &= ~CR4_LAM_SUP_MASK;
}
+ /*
+ * In fact, "CR4.CET can be set only if CR0.WP is set, and it must be
+ * clear before CR0.WP can be cleared". However, here we only check
+ * CR4.CET based on the supported CPUID CET bit, without checking the
+ * dependency on CR4.WP - the latter need to be determined by the
+ * underlying accelerators.
+ */
+ if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) &&
+ !(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT)) {
+ new_cr4 &= ~CR4_CET_MASK;
+ }
+
env->cr[4] = new_cr4;
env->hflags = hflags;
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 13/20] i386/kvm: Add save/load support for CET MSRs
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (11 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 12/20] i386/cpu: Add CET support in CR4 Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP Zhao Liu
` (6 subsequent siblings)
19 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu, Yang Weijiang
From: Yang Weijiang <weijiang.yang@intel.com>
CET (architectural) MSRs include:
MSR_IA32_U_CET - user mode CET control bits.
MSR_IA32_S_CET - supervisor mode CET control bits.
MSR_IA32_PL{0,1,2,3}_SSP - linear addresses of SSPs for user/kernel modes.
MSR_IA32_SSP_TBL_ADDR - linear address of interrupt SSP table
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Co-developed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Changes Since v2:
- Rename MSR_IA32_SSP_TBL_ADDR to MSR_IA32_INT_SSP_TAB.
- Rename X86CPUState.ssp_table_addr to X86CPUState.int_ssp_table.
- Drop X86CPUStete.guest_ssp since it is not used in current commit.
- Do not check CET-S & CET-U xtates when get/set MSTs since CET
is XSAVE-managed feature but is not XSAVE-enabled.
---
target/i386/cpu.h | 16 +++++++++++
target/i386/kvm/kvm.c | 64 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 86fbfd5e4023..4edb977575e2 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -580,6 +580,14 @@ typedef enum X86Seg {
#define MSR_APIC_START 0x00000800
#define MSR_APIC_END 0x000008ff
+#define MSR_IA32_U_CET 0x000006a0 /* user mode cet */
+#define MSR_IA32_S_CET 0x000006a2 /* kernel mode cet */
+#define MSR_IA32_PL0_SSP 0x000006a4 /* ring-0 shadow stack pointer */
+#define MSR_IA32_PL1_SSP 0x000006a5 /* ring-1 shadow stack pointer */
+#define MSR_IA32_PL2_SSP 0x000006a6 /* ring-2 shadow stack pointer */
+#define MSR_IA32_PL3_SSP 0x000006a7 /* ring-3 shadow stack pointer */
+#define MSR_IA32_INT_SSP_TAB 0x000006a8 /* exception shadow stack table */
+
#define XSTATE_FP_BIT 0
#define XSTATE_SSE_BIT 1
#define XSTATE_YMM_BIT 2
@@ -2090,6 +2098,14 @@ typedef struct CPUArchState {
uint64_t msr_rapl_power_unit;
uint64_t msr_pkg_energy_status;
+ uint64_t u_cet;
+ uint64_t s_cet;
+ uint64_t pl0_ssp;
+ uint64_t pl1_ssp;
+ uint64_t pl2_ssp;
+ uint64_t pl3_ssp;
+ uint64_t int_ssp_table;
+
/* Fields up to this point are cleared by a CPU reset */
struct {} end_reset_fields;
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index f7a6ef650af7..92c2fd6d6aee 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -4255,6 +4255,28 @@ static int kvm_put_msrs(X86CPU *cpu, KvmPutState level)
}
}
+ if (env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK ||
+ env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT) {
+ kvm_msr_entry_add(cpu, MSR_IA32_U_CET, env->u_cet);
+ kvm_msr_entry_add(cpu, MSR_IA32_S_CET, env->s_cet);
+
+ if (env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) {
+ kvm_msr_entry_add(cpu, MSR_IA32_PL0_SSP, env->pl0_ssp);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL1_SSP, env->pl1_ssp);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL2_SSP, env->pl2_ssp);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL3_SSP, env->pl3_ssp);
+
+ /*
+ * This MSR is not present on processors that do not support
+ * Intel 64 architecture.
+ */
+ if (env->features[FEAT_8000_0001_EDX] & CPUID_EXT2_LM) {
+ kvm_msr_entry_add(cpu, MSR_IA32_INT_SSP_TAB,
+ env->int_ssp_table);
+ }
+ }
+ }
+
return kvm_buf_set_msrs(cpu);
}
@@ -4646,6 +4668,27 @@ static int kvm_get_msrs(X86CPU *cpu)
}
}
+ if (env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK ||
+ env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT) {
+ kvm_msr_entry_add(cpu, MSR_IA32_U_CET, 0);
+ kvm_msr_entry_add(cpu, MSR_IA32_S_CET, 0);
+
+ if (env->features[FEAT_7_0_EDX] & CPUID_7_0_ECX_CET_SHSTK) {
+ kvm_msr_entry_add(cpu, MSR_IA32_PL0_SSP, 0);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL1_SSP, 0);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL2_SSP, 0);
+ kvm_msr_entry_add(cpu, MSR_IA32_PL3_SSP, 0);
+
+ /*
+ * This MSR is not present on processors that do not support
+ * Intel 64 architecture.
+ */
+ if (env->features[FEAT_8000_0001_EDX] & CPUID_EXT2_LM) {
+ kvm_msr_entry_add(cpu, MSR_IA32_INT_SSP_TAB, 0);
+ }
+ }
+ }
+
ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MSRS, cpu->kvm_msr_buf);
if (ret < 0) {
return ret;
@@ -4993,6 +5036,27 @@ static int kvm_get_msrs(X86CPU *cpu)
case MSR_ARCH_LBR_INFO_0 ... MSR_ARCH_LBR_INFO_0 + 31:
env->lbr_records[index - MSR_ARCH_LBR_INFO_0].info = msrs[i].data;
break;
+ case MSR_IA32_U_CET:
+ env->u_cet = msrs[i].data;
+ break;
+ case MSR_IA32_S_CET:
+ env->s_cet = msrs[i].data;
+ break;
+ case MSR_IA32_PL0_SSP:
+ env->pl0_ssp = msrs[i].data;
+ break;
+ case MSR_IA32_PL1_SSP:
+ env->pl1_ssp = msrs[i].data;
+ break;
+ case MSR_IA32_PL2_SSP:
+ env->pl2_ssp = msrs[i].data;
+ break;
+ case MSR_IA32_PL3_SSP:
+ env->pl3_ssp = msrs[i].data;
+ break;
+ case MSR_IA32_INT_SSP_TAB:
+ env->int_ssp_table = msrs[i].data;
+ break;
case MSR_K7_HWCR:
env->msr_hwcr = msrs[i].data;
break;
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (12 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 13/20] i386/kvm: Add save/load support for CET MSRs Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:21 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt Zhao Liu
` (5 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu, Yang Weijiang
From: Yang Weijiang <weijiang.yang@intel.com>
CET provides a new architectural register, shadow stack pointer (SSP),
which cannot be directly encoded as a source, destination or memory
operand in instructions. But Intel VMCS & VMCB provide fields to
save/load guest & host's ssp.
It's necessary to save & load Guest's ssp before & after migration. To
support this, KVM implements Guest's SSP as a special KVM internal
register - KVM_REG_GUEST_SSP, and allows QEMU to save & load it via
KVM_GET_ONE_REG/KVM_SET_ONE_REG.
Cache KVM_REG_GUEST_SSP in X86CPUState.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Co-developed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.h | 1 +
target/i386/kvm/kvm.c | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 4edb977575e2..ad4287822831 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2105,6 +2105,7 @@ typedef struct CPUArchState {
uint64_t pl2_ssp;
uint64_t pl3_ssp;
uint64_t int_ssp_table;
+ uint64_t guest_ssp;
/* Fields up to this point are cleared by a CPU reset */
struct {} end_reset_fields;
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 92c2fd6d6aee..412e99ba5b53 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -4280,6 +4280,35 @@ static int kvm_put_msrs(X86CPU *cpu, KvmPutState level)
return kvm_buf_set_msrs(cpu);
}
+static int kvm_put_kvm_regs(X86CPU *cpu)
+{
+ CPUX86State *env = &cpu->env;
+ int ret;
+
+ if ((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK)) {
+ ret = kvm_set_one_reg(CPU(cpu), KVM_X86_REG_KVM(KVM_REG_GUEST_SSP),
+ &env->guest_ssp);
+ if (ret) {
+ return ret;
+ }
+ }
+ return 0;
+}
+
+static int kvm_get_kvm_regs(X86CPU *cpu)
+{
+ CPUX86State *env = &cpu->env;
+ int ret;
+
+ if ((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK)) {
+ ret = kvm_get_one_reg(CPU(cpu), KVM_X86_REG_KVM(KVM_REG_GUEST_SSP),
+ &env->guest_ssp);
+ if (ret) {
+ return ret;
+ }
+ }
+ return 0;
+}
static int kvm_get_xsave(X86CPU *cpu)
{
@@ -5425,6 +5454,11 @@ int kvm_arch_put_registers(CPUState *cpu, KvmPutState level, Error **errp)
error_setg_errno(errp, -ret, "Failed to set MSRs");
return ret;
}
+ ret = kvm_put_kvm_regs(x86_cpu);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Failed to set KVM type registers");
+ return ret;
+ }
ret = kvm_put_vcpu_events(x86_cpu, level);
if (ret < 0) {
error_setg_errno(errp, -ret, "Failed to set vCPU events");
@@ -5497,6 +5531,11 @@ int kvm_arch_get_registers(CPUState *cs, Error **errp)
error_setg_errno(errp, -ret, "Failed to get MSRs");
goto out;
}
+ ret = kvm_get_kvm_regs(cpu);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Failed to get KVM type registers");
+ goto out;
+ }
ret = kvm_get_apic(cpu);
if (ret < 0) {
error_setg_errno(errp, -ret, "Failed to get APIC");
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (13 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:29 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable Zhao Liu
` (4 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu, Yang Weijiang
From: Yang Weijiang <weijiang.yang@intel.com>
Add vmstates for cet-ss and cet-ibt
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Co-developed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Changes Since v2:
- Split a subsection "vmstate_ss" since shstk is user-configurable.
---
target/i386/machine.c | 53 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/target/i386/machine.c b/target/i386/machine.c
index 45b7cea80aa7..3ad07ec82428 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -1668,6 +1668,58 @@ static const VMStateDescription vmstate_triple_fault = {
}
};
+static bool shstk_needed(void *opaque)
+{
+ X86CPU *cpu = opaque;
+ CPUX86State *env = &cpu->env;
+
+ return !!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK);
+}
+
+static const VMStateDescription vmstate_ss = {
+ .name = "cpu/cet_ss",
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .needed = shstk_needed,
+ .fields = (VMStateField[]) {
+ VMSTATE_UINT64(env.pl0_ssp, X86CPU),
+ VMSTATE_UINT64(env.pl1_ssp, X86CPU),
+ VMSTATE_UINT64(env.pl2_ssp, X86CPU),
+ VMSTATE_UINT64(env.pl3_ssp, X86CPU),
+#ifdef TARGET_X86_64
+ /* This MSR is only present on Intel 64 architecture. */
+ VMSTATE_UINT64(env.int_ssp_table, X86CPU),
+#endif
+ VMSTATE_UINT64(env.guest_ssp, X86CPU),
+ VMSTATE_END_OF_LIST()
+ }
+};
+
+static bool cet_needed(void *opaque)
+{
+ X86CPU *cpu = opaque;
+ CPUX86State *env = &cpu->env;
+
+ return !!((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) ||
+ (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT));
+}
+
+static const VMStateDescription vmstate_cet = {
+ .name = "cpu/cet",
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .needed = cet_needed,
+ .fields = (VMStateField[]) {
+ VMSTATE_UINT64(env.u_cet, X86CPU),
+ VMSTATE_UINT64(env.s_cet, X86CPU),
+ VMSTATE_END_OF_LIST()
+ },
+ .subsections = (const VMStateDescription * const []) {
+ &vmstate_ss,
+ NULL,
+ },
+};
+
const VMStateDescription vmstate_x86_cpu = {
.name = "cpu",
.version_id = 12,
@@ -1817,6 +1869,7 @@ const VMStateDescription vmstate_x86_cpu = {
#endif
&vmstate_arch_lbr,
&vmstate_triple_fault,
+ &vmstate_cet,
NULL
}
};
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (14 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-27 11:34 ` Zhao Liu
2025-10-29 6:10 ` Chao Gao
2025-10-24 6:56 ` [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words Zhao Liu
` (3 subsequent siblings)
19 siblings, 2 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Cet-u and cet-s are supervisor xstates. Their states are saved/loaded by
saving/loading related CET MSRs. And there's a vmsd "vmstate_cet" to
migrate these MSRs.
Thus, it's safe to mark them as migratable.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 0bb65e8c5321..c08066a338a3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
- XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
+ XSTATE_PKRU_MASK | XSTATE_CET_U_MASK | XSTATE_CET_S_MASK |
+ XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
XSTATE_XTILE_DATA_MASK,
},
[FEAT_XSAVE_XCR0_HI] = {
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (15 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:33 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models Zhao Liu
` (2 subsequent siblings)
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu, Yang Weijiang
From: Yang Weijiang <weijiang.yang@intel.com>
Add SHSTK and IBT flags in feature words with entry/exit
control flags.
CET SHSTK and IBT feature are enumerated via CPUID(EAX=7,ECX=0)
ECX[bit 7] and EDX[bit 20]. CET states load/restore at vmentry/
vmexit are controlled by VMX_ENTRY_CTLS[bit 20] and VMX_EXIT_CTLS[bit 28].
Enable these flags so that KVM can enumerate the features properly.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Co-developed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Changes Since v2:
- Rename "shstk"/"ibt" to "cet-ss"/"cet-ibt" to match feature names
in SDM & APM.
- Rename "vmx-exit-save-cet-ctl"/"vmx-entry-load-cet-ctl" to
"vmx-exit-save-cet"/"vmx-entry-load-cet".
- Define the feature mask macro for easier double check.
---
target/i386/cpu.c | 8 ++++----
target/i386/cpu.h | 2 ++
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index c08066a338a3..9a1001c47891 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1221,7 +1221,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.type = CPUID_FEATURE_WORD,
.feat_names = {
NULL, "avx512vbmi", "umip", "pku",
- NULL /* ospke */, "waitpkg", "avx512vbmi2", NULL,
+ NULL /* ospke */, "waitpkg", "avx512vbmi2", "cet-ss",
"gfni", "vaes", "vpclmulqdq", "avx512vnni",
"avx512bitalg", NULL, "avx512-vpopcntdq", NULL,
"la57", NULL, NULL, NULL,
@@ -1244,7 +1244,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"avx512-vp2intersect", NULL, "md-clear", NULL,
NULL, NULL, "serialize", NULL,
"tsx-ldtrk", NULL, NULL /* pconfig */, "arch-lbr",
- NULL, NULL, "amx-bf16", "avx512-fp16",
+ "cet-ibt", NULL, "amx-bf16", "avx512-fp16",
"amx-tile", "amx-int8", "spec-ctrl", "stibp",
"flush-l1d", "arch-capabilities", "core-capability", "ssbd",
},
@@ -1666,7 +1666,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"vmx-exit-save-efer", "vmx-exit-load-efer",
"vmx-exit-save-preemption-timer", "vmx-exit-clear-bndcfgs",
NULL, "vmx-exit-clear-rtit-ctl", NULL, NULL,
- NULL, "vmx-exit-load-pkrs", NULL, "vmx-exit-secondary-ctls",
+ "vmx-exit-save-cet", "vmx-exit-load-pkrs", NULL, "vmx-exit-secondary-ctls",
},
.msr = {
.index = MSR_IA32_VMX_TRUE_EXIT_CTLS,
@@ -1681,7 +1681,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
NULL, "vmx-entry-ia32e-mode", NULL, NULL,
NULL, "vmx-entry-load-perf-global-ctrl", "vmx-entry-load-pat", "vmx-entry-load-efer",
"vmx-entry-load-bndcfgs", NULL, "vmx-entry-load-rtit-ctl", NULL,
- NULL, NULL, "vmx-entry-load-pkrs", "vmx-entry-load-fred",
+ "vmx-entry-load-cet", NULL, "vmx-entry-load-pkrs", "vmx-entry-load-fred",
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
},
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index ad4287822831..fa3e5d87fe50 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1369,6 +1369,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
#define VMX_VM_EXIT_CLEAR_BNDCFGS 0x00800000
#define VMX_VM_EXIT_PT_CONCEAL_PIP 0x01000000
#define VMX_VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000
+#define VMX_VM_EXIT_SAVE_CET 0x10000000
#define VMX_VM_EXIT_LOAD_IA32_PKRS 0x20000000
#define VMX_VM_EXIT_ACTIVATE_SECONDARY_CONTROLS 0x80000000
@@ -1382,6 +1383,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
#define VMX_VM_ENTRY_LOAD_BNDCFGS 0x00010000
#define VMX_VM_ENTRY_PT_CONCEAL_PIP 0x00020000
#define VMX_VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000
+#define VMX_VM_ENTRY_LOAD_CET 0x00100000
#define VMX_VM_ENTRY_LOAD_IA32_PKRS 0x00400000
/* Supported Hyper-V Enlightenments */
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (16 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:34 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[] Zhao Liu
2025-10-24 6:56 ` [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM Zhao Liu
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
Add new versioned CPU models for Sapphire Rapids, Sierra Forest, Granite
Rapids and Clearwater Forest, to enable shadow stack and indirect branch
tracking.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/cpu.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 9a1001c47891..73026d5bce91 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5161,6 +5161,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
{ /* end of list */ },
}
},
+ {
+ .version = 5,
+ .note = "with cet-ss and cet-ibt",
+ .props = (PropValue[]) {
+ { "cet-ss", "on" },
+ { "cet-ibt", "on" },
+ { "vmx-exit-save-cet", "on" },
+ { "vmx-entry-load-cet", "on" },
+ { /* end of list */ },
+ }
+ },
{ /* end of list */ }
}
},
@@ -5323,6 +5334,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
{ /* end of list */ },
}
},
+ {
+ .version = 4,
+ .note = "with cet-ss and cet-ibt",
+ .props = (PropValue[]) {
+ { "cet-ss", "on" },
+ { "cet-ibt", "on" },
+ { "vmx-exit-save-cet", "on" },
+ { "vmx-entry-load-cet", "on" },
+ { /* end of list */ },
+ }
+ },
{ /* end of list */ },
},
},
@@ -5477,6 +5499,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
{ /* end of list */ },
}
},
+ {
+ .version = 4,
+ .note = "with cet-ss and cet-ibt",
+ .props = (PropValue[]) {
+ { "cet-ss", "on" },
+ { "cet-ibt", "on" },
+ { "vmx-exit-save-cet", "on" },
+ { "vmx-entry-load-cet", "on" },
+ { /* end of list */ },
+ }
+ },
{ /* end of list */ },
},
},
@@ -5612,6 +5645,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
.model_id = "Intel Xeon Processor (ClearwaterForest)",
.versions = (X86CPUVersionDefinition[]) {
{ .version = 1 },
+ {
+ .version = 2,
+ .note = "with cet-ss and cet-ibt",
+ .props = (PropValue[]) {
+ { "cet-ss", "on" },
+ { "cet-ibt", "on" },
+ { "vmx-exit-save-cet", "on" },
+ { "vmx-entry-load-cet", "on" },
+ { /* end of list */ },
+ }
+ },
{ /* end of list */ },
},
},
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[]
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (17 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:37 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM Zhao Liu
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
The checkpatch.pl always complains: "ERROR: space required after that
close brace '}'".
Fix this issue.
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/kvm/tdx.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index dbf0fa2c9180..a3444623657f 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -520,15 +520,15 @@ typedef struct TdxXFAMDep {
* supported.
*/
TdxXFAMDep tdx_xfam_deps[] = {
- { XSTATE_YMM_BIT, { FEAT_1_ECX, CPUID_EXT_FMA }},
- { XSTATE_YMM_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX2 }},
- { XSTATE_OPMASK_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_AVX512_VBMI}},
- { XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16}},
- { XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT}},
- { XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU}},
- { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 }},
- { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE }},
- { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 }},
+ { XSTATE_YMM_BIT, { FEAT_1_ECX, CPUID_EXT_FMA } },
+ { XSTATE_YMM_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX2 } },
+ { XSTATE_OPMASK_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_AVX512_VBMI } },
+ { XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16 } },
+ { XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT } },
+ { XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU } },
+ { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 } },
+ { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE } },
+ { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 } },
};
static struct kvm_cpuid_entry2 *find_in_supported_entry(uint32_t function,
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
` (18 preceding siblings ...)
2025-10-24 6:56 ` [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[] Zhao Liu
@ 2025-10-24 6:56 ` Zhao Liu
2025-10-28 8:55 ` Xiaoyao Li
19 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-24 6:56 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen,
Zhao Liu
From: Chenyi Qiang <chenyi.qiang@intel.com>
So that it can be configured in TD guest.
And considerring cet-u and cet-s have the same dependencies, it's enough
to only list cet-u in tdx_xfam_deps[].
Tested-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
target/i386/kvm/tdx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index a3444623657f..01619857685b 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -526,6 +526,8 @@ TdxXFAMDep tdx_xfam_deps[] = {
{ XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16 } },
{ XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT } },
{ XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU } },
+ { XSTATE_CET_U_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_CET_SHSTK } },
+ { XSTATE_CET_U_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_CET_IBT } },
{ XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 } },
{ XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE } },
{ XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 } },
--
2.34.1
^ permalink raw reply related [flat|nested] 64+ messages in thread
* Re: [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions
2025-10-24 6:56 ` [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions Zhao Liu
@ 2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:22 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Chen, Zide @ 2025-10-24 18:20 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Chenyi Qiang, Xiaoyao Li, Farrah Chen
On 10/23/2025 11:56 PM, Zhao Liu wrote:
> - Move ARCH_LBR_NR_ENTRIES macro and LBREntry definition before XSAVE
> areas definitions.
> - Reorder XSavesArchLBR (area 15) between XSavePKRU (area 9) and
> XSaveXTILECFG (area 17), and reorder the related QEMU_BUILD_BUG_ON
> check to keep the same ordering.
>
> This makes xsave structures to be organized together and makes them
> clearer.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zide Chen <zide.chen@intel.com>
> ---
> target/i386/cpu.h | 38 +++++++++++++++++++-------------------
> 1 file changed, 19 insertions(+), 19 deletions(-)
>
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 886a941e481c..ac527971d8cd 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1652,6 +1652,14 @@ typedef struct {
>
> #define NB_OPMASK_REGS 8
>
> +typedef struct {
> + uint64_t from;
> + uint64_t to;
> + uint64_t info;
> +} LBREntry;
> +
> +#define ARCH_LBR_NR_ENTRIES 32
> +
> /* CPU can't have 0xFFFFFFFF APIC ID, use that value to distinguish
> * that APIC ID hasn't been set yet
> */
> @@ -1729,24 +1737,6 @@ typedef struct XSavePKRU {
> uint32_t padding;
> } XSavePKRU;
>
> -/* Ext. save area 17: AMX XTILECFG state */
> -typedef struct XSaveXTILECFG {
> - uint8_t xtilecfg[64];
> -} XSaveXTILECFG;
> -
> -/* Ext. save area 18: AMX XTILEDATA state */
> -typedef struct XSaveXTILEDATA {
> - uint8_t xtiledata[8][1024];
> -} XSaveXTILEDATA;
> -
> -typedef struct {
> - uint64_t from;
> - uint64_t to;
> - uint64_t info;
> -} LBREntry;
> -
> -#define ARCH_LBR_NR_ENTRIES 32
> -
> /* Ext. save area 15: Arch LBR state */
> typedef struct XSaveArchLBR {
> uint64_t lbr_ctl;
> @@ -1757,6 +1747,16 @@ typedef struct XSaveArchLBR {
> LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
> } XSaveArchLBR;
>
> +/* Ext. save area 17: AMX XTILECFG state */
> +typedef struct XSaveXTILECFG {
> + uint8_t xtilecfg[64];
> +} XSaveXTILECFG;
> +
> +/* Ext. save area 18: AMX XTILEDATA state */
> +typedef struct XSaveXTILEDATA {
> + uint8_t xtiledata[8][1024];
> +} XSaveXTILEDATA;
> +
> QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDCSR) != 0x40);
> @@ -1764,9 +1764,9 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveOpmask) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveZMM_Hi256) != 0x200);
> QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
> QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
> +QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
> -QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
>
> typedef struct ExtSaveArea {
> uint32_t feature, bits;
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment
2025-10-24 6:56 ` [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment Zhao Liu
@ 2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:08 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Chen, Zide @ 2025-10-24 18:20 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Chenyi Qiang, Xiaoyao Li, Farrah Chen
On 10/23/2025 11:56 PM, Zhao Liu wrote:
> Arch LBR state is area 15, not 19. Fix this comment. And considerring
> other areas don't mention user or supervisor state, for consistent
> style, remove "Supervisor mode" from its comment.
>
> Moreover, rename XSavesArchLBR to XSaveArchLBR since there's no need to
> emphasize XSAVES in naming; the XSAVE related structure is mainly
> used to represent memory layout.
>
> In addition, arch lbr specifies its offset of xsave component as 0. But
> this cannot help on anything. The offset of ExtSaveArea is initialized
> by accelerators (e.g., hvf_cpu_xsave_init(), kvm_cpu_xsave_init() and
> x86_tcg_cpu_xsave_init()), so explicitly setting the offset doesn't
> work and CPUID 0xD encoding has already ensure supervisor states won't
> have non-zero offsets. Drop the offset initialization and its comment
> from the xsave area of arch lbr.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zide Chen <zide.chen@intel.com>
> ---
> target/i386/cpu.c | 3 +--
> target/i386/cpu.h | 8 ++++----
> 2 files changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index f0e179c2d235..b9a5a0400dea 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -2058,8 +2058,7 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
> },
> [XSTATE_ARCH_LBR_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
> - .offset = 0 /*supervisor mode component, offset = 0 */,
> - .size = sizeof(XSavesArchLBR),
> + .size = sizeof(XSaveArchLBR),
> },
> [XSTATE_XTILE_CFG_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index d0da9bfe58ce..886a941e481c 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1747,15 +1747,15 @@ typedef struct {
>
> #define ARCH_LBR_NR_ENTRIES 32
>
> -/* Ext. save area 19: Supervisor mode Arch LBR state */
> -typedef struct XSavesArchLBR {
> +/* Ext. save area 15: Arch LBR state */
> +typedef struct XSaveArchLBR {
> uint64_t lbr_ctl;
> uint64_t lbr_depth;
> uint64_t ler_from;
> uint64_t ler_to;
> uint64_t ler_info;
> LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
> -} XSavesArchLBR;
> +} XSaveArchLBR;
>
> QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
> @@ -1766,7 +1766,7 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
> QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
> -QEMU_BUILD_BUG_ON(sizeof(XSavesArchLBR) != 0x328);
> +QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
>
> typedef struct ExtSaveArea {
> uint32_t feature, bits;
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-24 6:56 ` [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state Zhao Liu
@ 2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:40 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Chen, Zide @ 2025-10-24 18:21 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Chenyi Qiang, Xiaoyao Li, Farrah Chen
On 10/23/2025 11:56 PM, Zhao Liu wrote:
> The arch lbr state has 2 dependencies:
> * Arch lbr feature bit (CPUID 0x7.0x0:EDX[bit 19]):
>
> This bit also depends on pmu property. Mask it off if pmu is disabled
> in x86_cpu_expand_features(), so that it is not needed to repeatedly
> check whether this bit is set as well as pmu is enabled.
>
> Note this doesn't need compat option, since even KVM hasn't support
> arch lbr yet.
>
> The supported xstate is constructed based such dependency in
> cpuid_has_xsave_feature(), so if pmu is disabled and arch lbr bit is
> masked off, then arch lbr state won't be included in supported
> xstates.
>
> Thus it's safe to drop the check on arch lbr bit in CPUID 0xD
> encoding.
>
> * XSAVES feature bit (CPUID 0xD.0x1.EAX[bit 3]):
>
> Arch lbr state is a supervisor state, which requires the XSAVES
> feature support. Enumerate supported supervisor state based on XSAVES
> feature bit in x86_cpu_enable_xsave_components().
>
> Then it's safe to drop the check on XSAVES feature support during
> CPUID 0XD encoding.
>
> Suggested-by: Zide Chen <zide.chen@intel.com>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zide Chen <zide.chen@intel.com>
> ---
> target/i386/cpu.c | 22 ++++++++++------------
> 1 file changed, 10 insertions(+), 12 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 236a2f3a9426..5b7a81fcdb1b 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -8174,16 +8174,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> *ebx = xsave_area_size(xstate, true);
> *ecx = env->features[FEAT_XSAVE_XSS_LO];
> *edx = env->features[FEAT_XSAVE_XSS_HI];
> - if (kvm_enabled() && cpu->enable_pmu &&
> - (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR) &&
> - (*eax & CPUID_XSAVE_XSAVES)) {
> - *ecx |= XSTATE_ARCH_LBR_MASK;
> - } else {
> - *ecx &= ~XSTATE_ARCH_LBR_MASK;
> - }
> - } else if (count == 0xf && cpu->enable_pmu
> - && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> - x86_cpu_get_supported_cpuid(0xD, count, eax, ebx, ecx, edx);
> } else if (count < ARRAY_SIZE(x86_ext_save_areas)) {
> const ExtSaveArea *esa = &x86_ext_save_areas[count];
>
> @@ -8902,6 +8892,12 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
>
> mask = 0;
> for (i = 0; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
> + /* Skip supervisor states if XSAVES is not supported. */
> + if (CPUID_XSTATE_XSS_MASK & (1 << i) &&
> + !(env->features[FEAT_XSAVE] & CPUID_XSAVE_XSAVES)) {
> + continue;
> + }
> +
> const ExtSaveArea *esa = &x86_ext_save_areas[i];
> if (cpuid_has_xsave_feature(env, esa)) {
> mask |= (1ULL << i);
> @@ -9019,11 +9015,13 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
> }
> }
>
> - if (!cpu->pdcm_on_even_without_pmu) {
> + if (!cpu->enable_pmu) {
> /* PDCM is fixed1 bit for TDX */
> - if (!cpu->enable_pmu && !is_tdx_vm()) {
> + if (!cpu->pdcm_on_even_without_pmu && !is_tdx_vm()) {
> env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
> }
> +
> + env->features[FEAT_7_0_EDX] &= ~CPUID_7_0_EDX_ARCH_LBR;
> }
>
> for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding
2025-10-24 6:56 ` [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding Zhao Liu
@ 2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:51 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Chen, Zide @ 2025-10-24 18:21 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Chenyi Qiang, Xiaoyao Li, Farrah Chen
On 10/23/2025 11:56 PM, Zhao Liu wrote:
> Since CPUID_7_0_EDX_ARCH_LBR will be masked off if pmu is disabled,
> there's no need to check CPUID_7_0_EDX_ARCH_LBR feature with pmu.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zide Chen <zide.chen@intel.com>
> ---
> target/i386/cpu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 5b7a81fcdb1b..5cd335bb5574 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -8275,11 +8275,16 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> }
> break;
> }
> - case 0x1C:
> - if (cpu->enable_pmu && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> - x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> - *edx = 0;
> + case 0x1C: /* Last Branch Records Information Leaf */
> + *eax = 0;
> + *ebx = 0;
> + *ecx = 0;
> + *edx = 0;
> + if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> + break;
> }
> + x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> + *edx = 0; /* EDX is reserved. */
> break;
> case 0x1D: {
> /* AMX TILE, for now hardcoded for Sapphire Rapids*/
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[]
2025-10-24 6:56 ` [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[] Zhao Liu
@ 2025-10-27 5:47 ` Xiaoyao Li
2025-10-30 15:11 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 5:47 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
<empty commit message> isn't good.
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 58 +++++++++++++++++++++++++++--------------------
> 1 file changed, 33 insertions(+), 25 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 0a66e1fec939..f0e179c2d235 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -2028,38 +2028,46 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
> .feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
> .size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
> },
> - [XSTATE_YMM_BIT] =
> - { .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
> - .size = sizeof(XSaveAVX) },
> - [XSTATE_BNDREGS_BIT] =
> - { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> - .size = sizeof(XSaveBNDREG) },
> - [XSTATE_BNDCSR_BIT] =
> - { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> - .size = sizeof(XSaveBNDCSR) },
> - [XSTATE_OPMASK_BIT] =
> - { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> - .size = sizeof(XSaveOpmask) },
> - [XSTATE_ZMM_Hi256_BIT] =
> - { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> - .size = sizeof(XSaveZMM_Hi256) },
> - [XSTATE_Hi16_ZMM_BIT] =
> - { .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> - .size = sizeof(XSaveHi16_ZMM) },
> - [XSTATE_PKRU_BIT] =
> - { .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
> - .size = sizeof(XSavePKRU) },
> + [XSTATE_YMM_BIT] = {
> + .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
> + .size = sizeof(XSaveAVX),
> + },
> + [XSTATE_BNDREGS_BIT] = {
> + .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> + .size = sizeof(XSaveBNDREG),
> + },
> + [XSTATE_BNDCSR_BIT] = {
> + .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> + .size = sizeof(XSaveBNDCSR),
> + },
> + [XSTATE_OPMASK_BIT] = {
> + .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> + .size = sizeof(XSaveOpmask),
> + },
> + [XSTATE_ZMM_Hi256_BIT] = {
> + .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> + .size = sizeof(XSaveZMM_Hi256),
> + },
> + [XSTATE_Hi16_ZMM_BIT] = {
> + .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> + .size = sizeof(XSaveHi16_ZMM),
> + },
> + [XSTATE_PKRU_BIT] = {
> + .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
> + .size = sizeof(XSavePKRU),
> + },
> [XSTATE_ARCH_LBR_BIT] = {
> - .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
> - .offset = 0 /*supervisor mode component, offset = 0 */,
> - .size = sizeof(XSavesArchLBR) },
> + .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
> + .offset = 0 /*supervisor mode component, offset = 0 */,
> + .size = sizeof(XSavesArchLBR),
> + },
> [XSTATE_XTILE_CFG_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> .size = sizeof(XSaveXTILECFG),
> },
> [XSTATE_XTILE_DATA_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> - .size = sizeof(XSaveXTILEDATA)
> + .size = sizeof(XSaveXTILEDATA),
> },
> };
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment
2025-10-24 6:56 ` [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment Zhao Liu
2025-10-24 18:20 ` Chen, Zide
@ 2025-10-27 6:08 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 6:08 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> Arch LBR state is area 15, not 19. Fix this comment. And considerring
> other areas don't mention user or supervisor state, for consistent
> style, remove "Supervisor mode" from its comment.
>
> Moreover, rename XSavesArchLBR to XSaveArchLBR since there's no need to
> emphasize XSAVES in naming; the XSAVE related structure is mainly
> used to represent memory layout.
>
> In addition, arch lbr specifies its offset of xsave component as 0. But
> this cannot help on anything. The offset of ExtSaveArea is initialized
> by accelerators (e.g., hvf_cpu_xsave_init(), kvm_cpu_xsave_init() and
> x86_tcg_cpu_xsave_init()), so explicitly setting the offset doesn't
> work and CPUID 0xD encoding has already ensure supervisor states won't
> have non-zero offsets. Drop the offset initialization and its comment
> from the xsave area of arch lbr.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 3 +--
> target/i386/cpu.h | 8 ++++----
> 2 files changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index f0e179c2d235..b9a5a0400dea 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -2058,8 +2058,7 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
> },
> [XSTATE_ARCH_LBR_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
> - .offset = 0 /*supervisor mode component, offset = 0 */,
> - .size = sizeof(XSavesArchLBR),
> + .size = sizeof(XSaveArchLBR),
> },
> [XSTATE_XTILE_CFG_BIT] = {
> .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index d0da9bfe58ce..886a941e481c 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1747,15 +1747,15 @@ typedef struct {
>
> #define ARCH_LBR_NR_ENTRIES 32
>
> -/* Ext. save area 19: Supervisor mode Arch LBR state */
> -typedef struct XSavesArchLBR {
> +/* Ext. save area 15: Arch LBR state */
> +typedef struct XSaveArchLBR {
> uint64_t lbr_ctl;
> uint64_t lbr_depth;
> uint64_t ler_from;
> uint64_t ler_to;
> uint64_t ler_info;
> LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
> -} XSavesArchLBR;
> +} XSaveArchLBR;
>
> QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
> @@ -1766,7 +1766,7 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
> QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
> -QEMU_BUILD_BUG_ON(sizeof(XSavesArchLBR) != 0x328);
> +QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
>
> typedef struct ExtSaveArea {
> uint32_t feature, bits;
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions
2025-10-24 6:56 ` [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions Zhao Liu
2025-10-24 18:20 ` Chen, Zide
@ 2025-10-27 6:22 ` Xiaoyao Li
1 sibling, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 6:22 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> - Move ARCH_LBR_NR_ENTRIES macro and LBREntry definition before XSAVE
> areas definitions.
personally, I prefer not moving them. Putting them together is friendly
and convenient when reading the code rather than bouncing through
different parts.
But considering the existing cases of BNDReg and BNDCSReg, I'm fine with
the movement.
> - Reorder XSavesArchLBR (area 15) between XSavePKRU (area 9) and
> XSaveXTILECFG (area 17), and reorder the related QEMU_BUILD_BUG_ON
> check to keep the same ordering.
This reorder is good.
> This makes xsave structures to be organized together and makes them
> clearer.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.h | 38 +++++++++++++++++++-------------------
> 1 file changed, 19 insertions(+), 19 deletions(-)
>
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 886a941e481c..ac527971d8cd 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1652,6 +1652,14 @@ typedef struct {
>
> #define NB_OPMASK_REGS 8
>
> +typedef struct {
> + uint64_t from;
> + uint64_t to;
> + uint64_t info;
> +} LBREntry;
> +
> +#define ARCH_LBR_NR_ENTRIES 32
> +
> /* CPU can't have 0xFFFFFFFF APIC ID, use that value to distinguish
> * that APIC ID hasn't been set yet
> */
> @@ -1729,24 +1737,6 @@ typedef struct XSavePKRU {
> uint32_t padding;
> } XSavePKRU;
>
> -/* Ext. save area 17: AMX XTILECFG state */
> -typedef struct XSaveXTILECFG {
> - uint8_t xtilecfg[64];
> -} XSaveXTILECFG;
> -
> -/* Ext. save area 18: AMX XTILEDATA state */
> -typedef struct XSaveXTILEDATA {
> - uint8_t xtiledata[8][1024];
> -} XSaveXTILEDATA;
> -
> -typedef struct {
> - uint64_t from;
> - uint64_t to;
> - uint64_t info;
> -} LBREntry;
> -
> -#define ARCH_LBR_NR_ENTRIES 32
> -
> /* Ext. save area 15: Arch LBR state */
> typedef struct XSaveArchLBR {
> uint64_t lbr_ctl;
> @@ -1757,6 +1747,16 @@ typedef struct XSaveArchLBR {
> LBREntry lbr_records[ARCH_LBR_NR_ENTRIES];
> } XSaveArchLBR;
>
> +/* Ext. save area 17: AMX XTILECFG state */
> +typedef struct XSaveXTILECFG {
> + uint8_t xtilecfg[64];
> +} XSaveXTILECFG;
> +
> +/* Ext. save area 18: AMX XTILEDATA state */
> +typedef struct XSaveXTILEDATA {
> + uint8_t xtiledata[8][1024];
> +} XSaveXTILEDATA;
> +
> QEMU_BUILD_BUG_ON(sizeof(XSaveAVX) != 0x100);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDREG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveBNDCSR) != 0x40);
> @@ -1764,9 +1764,9 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveOpmask) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveZMM_Hi256) != 0x200);
> QEMU_BUILD_BUG_ON(sizeof(XSaveHi16_ZMM) != 0x400);
> QEMU_BUILD_BUG_ON(sizeof(XSavePKRU) != 0x8);
> +QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
> -QEMU_BUILD_BUG_ON(sizeof(XSaveArchLBR) != 0x328);
>
> typedef struct ExtSaveArea {
> uint32_t feature, bits;
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies
2025-10-24 6:56 ` [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies Zhao Liu
@ 2025-10-27 7:04 ` Xiaoyao Li
2025-10-27 10:09 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 7:04 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> Some XSAVE components depend on multiple features. For example, Opmask/
> ZMM_Hi256/Hi16_ZMM depend on avx512f OR avx10, and for CET (which will
> be supported later), cet_u/cet_s will depend on shstk OR ibt.
>
> Although previously there's the special check for the dependencies of
> AVX512F OR AVX10 on their respective XSAVE components (in
> cpuid_has_xsave_feature()), to make the code more general and avoid
> adding more special cases, make ExtSaveArea store a features array
> instead of a single feature, so that it can describe multiple
> dependencies.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---> target/i386/cpu.c | 71
++++++++++++++++++++++++++++++++++-------------
> target/i386/cpu.h | 9 +++++-
> 2 files changed, 59 insertions(+), 21 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index b9a5a0400dea..cd269d15ce0b 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -2020,53 +2020,77 @@ static const X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = {
> ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
> [XSTATE_FP_BIT] = {
> /* x87 FP state component is always enabled if XSAVE is supported */
> - .feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
> .size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
> + .features = {
> + { FEAT_1_ECX, CPUID_EXT_XSAVE },
> + },
> },
> [XSTATE_SSE_BIT] = {
> /* SSE state component is always enabled if XSAVE is supported */
> - .feature = FEAT_1_ECX, .bits = CPUID_EXT_XSAVE,
> .size = sizeof(X86LegacyXSaveArea) + sizeof(X86XSaveHeader),
> + .features = {
> + { FEAT_1_ECX, CPUID_EXT_XSAVE },
> + },
> },
> [XSTATE_YMM_BIT] = {
> - .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX,
> .size = sizeof(XSaveAVX),
> + .features = {
> + { FEAT_1_ECX, CPUID_EXT_AVX },
> + },
> },
> [XSTATE_BNDREGS_BIT] = {
> - .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> .size = sizeof(XSaveBNDREG),
> + .features = {
> + { FEAT_7_0_EBX, CPUID_7_0_EBX_MPX },
> + },
> },
> [XSTATE_BNDCSR_BIT] = {
> - .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_MPX,
> .size = sizeof(XSaveBNDCSR),
> + .features = {
> + { FEAT_7_0_EBX, CPUID_7_0_EBX_MPX },
> + },
> },
> [XSTATE_OPMASK_BIT] = {
> - .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> .size = sizeof(XSaveOpmask),
> + .features = {
> + { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + },
> },
> [XSTATE_ZMM_Hi256_BIT] = {
> - .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> .size = sizeof(XSaveZMM_Hi256),
> + .features = {
> + { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + },
> },
> [XSTATE_Hi16_ZMM_BIT] = {
> - .feature = FEAT_7_0_EBX, .bits = CPUID_7_0_EBX_AVX512F,
> .size = sizeof(XSaveHi16_ZMM),
> + .features = {
> + { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + },
> },
> [XSTATE_PKRU_BIT] = {
> - .feature = FEAT_7_0_ECX, .bits = CPUID_7_0_ECX_PKU,
> .size = sizeof(XSavePKRU),
> + .features = {
> + { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU },
> + },
> },
> [XSTATE_ARCH_LBR_BIT] = {
> - .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_ARCH_LBR,
> .size = sizeof(XSaveArchLBR),
> + .features = {
> + { FEAT_7_0_EDX, CPUID_7_0_EDX_ARCH_LBR },
> + },
> },
> [XSTATE_XTILE_CFG_BIT] = {
> - .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> .size = sizeof(XSaveXTILECFG),
> + .features = {
> + { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE },
> + },
> },
> [XSTATE_XTILE_DATA_BIT] = {
> - .feature = FEAT_7_0_EDX, .bits = CPUID_7_0_EDX_AMX_TILE,
> .size = sizeof(XSaveXTILEDATA),
> + .features = {
> + { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE },
> + },
> },
> };
>
> @@ -7137,10 +7161,13 @@ static const char *x86_cpu_feature_name(FeatureWord w, int bitnr)
> if (w == FEAT_XSAVE_XCR0_LO || w == FEAT_XSAVE_XCR0_HI) {
> int comp = (w == FEAT_XSAVE_XCR0_HI) ? bitnr + 32 : bitnr;
>
> - if (comp < ARRAY_SIZE(x86_ext_save_areas) &&
> - x86_ext_save_areas[comp].bits) {
> - w = x86_ext_save_areas[comp].feature;
> - bitnr = ctz32(x86_ext_save_areas[comp].bits);
> + if (comp < ARRAY_SIZE(x86_ext_save_areas)) {
> + /* Present the first feature as the default. */
> + const FeatureMask *fm = &x86_ext_save_areas[comp].features[0];
It doesn't look right to me.
E.g., when users are requesting IBT, thus CET_U and CET_S, they might
get "shstk" not avaiable.
> + if (fm->mask != 0) {
Nit: if (fm->mask) is enough
> + w = fm->index;
> + bitnr = ctz32(fm->mask);
> + }
> }
> }
>
> @@ -8610,11 +8637,15 @@ static bool cpuid_has_xsave_feature(CPUX86State *env, const ExtSaveArea *esa)
> return false;
> }
>
> - if (env->features[esa->feature] & esa->bits) {
> - return true;
> + for (int i = 0; i < ARRAY_SIZE(esa->features); i++) {
> + if (env->features[esa->features[i].index] & esa->features[i].mask) {
> + return true;
> + }
> }
> - if (esa->feature == FEAT_7_0_EBX && esa->bits == CPUID_7_0_EBX_AVX512F
> - && (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
> +
> + if (esa->features[0].index == FEAT_7_0_EBX &&
> + esa->features[0].mask == CPUID_7_0_EBX_AVX512F &&
> + (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
> return true;
> }
>
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index ac527971d8cd..6537affcf067 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1769,9 +1769,16 @@ QEMU_BUILD_BUG_ON(sizeof(XSaveXTILECFG) != 0x40);
> QEMU_BUILD_BUG_ON(sizeof(XSaveXTILEDATA) != 0x2000);
>
> typedef struct ExtSaveArea {
> - uint32_t feature, bits;
> uint32_t offset, size;
> uint32_t ecx;
> + /*
> + * The dependencies in the array work as OR relationships, which
> + * means having just one of those features is enough.
> + *
> + * At most two features are sharing the same xsave area.
> + * Number of features can be adjusted if necessary.
> + */
> + const FeatureMask features[2];
> } ExtSaveArea;
>
> #define XSAVE_STATE_AREA_COUNT (XSTATE_XTILE_DATA_BIT + 1)
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM
2025-10-24 6:56 ` [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM Zhao Liu
@ 2025-10-27 7:05 ` Xiaoyao Li
0 siblings, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 7:05 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> With feature array in ExtSaveArea, add avx10 as the second dependency
> for Opmask/ZMM_Hi256/Hi16_ZMM xsave components, and drop the special
> check in cpuid_has_xsave_feature().
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index cd269d15ce0b..236a2f3a9426 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -2054,18 +2054,21 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
> .size = sizeof(XSaveOpmask),
> .features = {
> { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
> },
> },
> [XSTATE_ZMM_Hi256_BIT] = {
> .size = sizeof(XSaveZMM_Hi256),
> .features = {
> { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
> },
> },
> [XSTATE_Hi16_ZMM_BIT] = {
> .size = sizeof(XSaveHi16_ZMM),
> .features = {
> { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX512F },
> + { FEAT_7_1_EDX, CPUID_7_1_EDX_AVX10 },
> },
> },
> [XSTATE_PKRU_BIT] = {
> @@ -8643,12 +8646,6 @@ static bool cpuid_has_xsave_feature(CPUX86State *env, const ExtSaveArea *esa)
> }
> }
>
> - if (esa->features[0].index == FEAT_7_0_EBX &&
> - esa->features[0].mask == CPUID_7_0_EBX_AVX512F &&
> - (env->features[FEAT_7_1_EDX] & CPUID_7_1_EDX_AVX10)) {
> - return true;
> - }
> -
> return false;
> }
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-24 6:56 ` [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state Zhao Liu
2025-10-24 18:21 ` Chen, Zide
@ 2025-10-27 7:40 ` Xiaoyao Li
2025-10-27 10:12 ` Zhao Liu
1 sibling, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 7:40 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> The arch lbr state has 2 dependencies:
> * Arch lbr feature bit (CPUID 0x7.0x0:EDX[bit 19]):
>
> This bit also depends on pmu property. Mask it off if pmu is disabled
> in x86_cpu_expand_features(), so that it is not needed to repeatedly
> check whether this bit is set as well as pmu is enabled.
>
> Note this doesn't need compat option, since even KVM hasn't support
> arch lbr yet.
>
> The supported xstate is constructed based such dependency in
> cpuid_has_xsave_feature(), so if pmu is disabled and arch lbr bit is
> masked off, then arch lbr state won't be included in supported
> xstates.
>
> Thus it's safe to drop the check on arch lbr bit in CPUID 0xD
> encoding.
>
> * XSAVES feature bit (CPUID 0xD.0x1.EAX[bit 3]):
>
> Arch lbr state is a supervisor state, which requires the XSAVES
> feature support. Enumerate supported supervisor state based on XSAVES
> feature bit in x86_cpu_enable_xsave_components().
>
> Then it's safe to drop the check on XSAVES feature support during
> CPUID 0XD encoding.
>
> Suggested-by: Zide Chen <zide.chen@intel.com>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 22 ++++++++++------------
> 1 file changed, 10 insertions(+), 12 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 236a2f3a9426..5b7a81fcdb1b 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -8174,16 +8174,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> *ebx = xsave_area_size(xstate, true);
> *ecx = env->features[FEAT_XSAVE_XSS_LO];
> *edx = env->features[FEAT_XSAVE_XSS_HI];
> - if (kvm_enabled() && cpu->enable_pmu &&
> - (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR) &&
> - (*eax & CPUID_XSAVE_XSAVES)) {
> - *ecx |= XSTATE_ARCH_LBR_MASK;
> - } else {
> - *ecx &= ~XSTATE_ARCH_LBR_MASK;
> - }
> - } else if (count == 0xf && cpu->enable_pmu
> - && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> - x86_cpu_get_supported_cpuid(0xD, count, eax, ebx, ecx, edx);
This chunk needs to be a separate patch. It's a functional change.
> } else if (count < ARRAY_SIZE(x86_ext_save_areas)) {
> const ExtSaveArea *esa = &x86_ext_save_areas[count];
>
> @@ -8902,6 +8892,12 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
>
> mask = 0;
> for (i = 0; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
> + /* Skip supervisor states if XSAVES is not supported. */
> + if (CPUID_XSTATE_XSS_MASK & (1 << i) &&
> + !(env->features[FEAT_XSAVE] & CPUID_XSAVE_XSAVES)) {
> + continue;
> + }
> +
> const ExtSaveArea *esa = &x86_ext_save_areas[i];
> if (cpuid_has_xsave_feature(env, esa)) {
> mask |= (1ULL << i);
> @@ -9019,11 +9015,13 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
> }
> }
>
> - if (!cpu->pdcm_on_even_without_pmu) {
> + if (!cpu->enable_pmu) {
> /* PDCM is fixed1 bit for TDX */
> - if (!cpu->enable_pmu && !is_tdx_vm()) {
> + if (!cpu->pdcm_on_even_without_pmu && !is_tdx_vm()) {
> env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
> }
> +
> + env->features[FEAT_7_0_EDX] &= ~CPUID_7_0_EDX_ARCH_LBR;
> }
>
> for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding
2025-10-24 6:56 ` [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding Zhao Liu
2025-10-24 18:21 ` Chen, Zide
@ 2025-10-27 7:51 ` Xiaoyao Li
2025-10-27 11:01 ` Zhao Liu
1 sibling, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 7:51 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> Since CPUID_7_0_EDX_ARCH_LBR will be masked off if pmu is disabled,
> there's no need to check CPUID_7_0_EDX_ARCH_LBR feature with pmu.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 5b7a81fcdb1b..5cd335bb5574 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -8275,11 +8275,16 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> }
> break;
> }
> - case 0x1C:
> - if (cpu->enable_pmu && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> - x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> - *edx = 0;
> + case 0x1C: /* Last Branch Records Information Leaf */
> + *eax = 0;
> + *ebx = 0;
> + *ecx = 0;
> + *edx = 0;
Could you help write a patch to move the initialization-to-0 operation
out to the switch() handling as the common first handling. So that each
case doesn't need to set them to 0 individually.
> + if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> + break;
> }
> + x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> + *edx = 0; /* EDX is reserved. */
Not the fault of this series. I think just presenting what KVM returns
to guest (i.e., directly passthrough) isn't correct. Once leaf 0x1c gets
more bits defined and KVM starts to support and report them, then the
bits presented to guest get changed automatically between different KVM.
the leaf 0x1c needs to be configurable and QEMU needs to ensure the same
configuration outputs the constant result of leaf 0x1c, to ensure safe
migration.
It's not urgent though. KVM doesn't even support ArchLBR yet.
> break;
> case 0x1D: {
> /* AMX TILE, for now hardcoded for Sapphire Rapids*/
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization
2025-10-24 6:56 ` [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization Zhao Liu
@ 2025-10-27 7:55 ` Xiaoyao Li
2025-10-27 10:13 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 7:55 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Chao Gao <chao.gao@intel.com>
>
> Arch lbr is a supervisor xstate, but its area is not covered in
> x86_cpu_init_xsave().
>
> Fix it by checking supported xss bitmap.
>
> In addition, drop the (uint64_t) type casts for supported_xcr0 since
> x86_cpu_get_supported_feature_word() returns uint64_t so that the cast
> is not needed. Then ensure line length is within 90 characters.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> target/i386/cpu.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 5cd335bb5574..1917376dbea9 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -9707,20 +9707,23 @@ static void x86_cpu_post_initfn(Object *obj)
> static void x86_cpu_init_xsave(void)
> {
> static bool first = true;
> - uint64_t supported_xcr0;
> + uint64_t supported_xcr0, supported_xss;
> int i;
>
> if (first) {
> first = false;
>
> supported_xcr0 =
> - ((uint64_t) x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) << 32) |
> + x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) |
missing the "<< 32" here,
with it fixed,
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_LO);
> + supported_xss =
> + x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XSS_HI) << 32 |
> + x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XSS_LO);
>
> for (i = XSTATE_SSE_BIT + 1; i < XSAVE_STATE_AREA_COUNT; i++) {
> ExtSaveArea *esa = &x86_ext_save_areas[i];
>
> - if (!(supported_xcr0 & (1 << i))) {
> + if (!((supported_xcr0 | supported_xss) & (1 << i))) {
> esa->size = 0;
> }
> }
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-24 6:56 ` [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features Zhao Liu
@ 2025-10-27 8:42 ` Xiaoyao Li
2025-10-27 10:19 ` Zhao Liu
2025-10-27 11:36 ` Zhao Liu
1 sibling, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 8:42 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> Xtile-cfg & xtile-data are both user xstates. Their xstates are cached
> in X86CPUState, and there's a related vmsd "vmstate_amx_xtile", so that
> it's safe to mark them as migratable.
>
> Arch lbr xstate is a supervisor xstate, and it is save & load by saving
> & loading related arch lbr MSRs, which are cached in X86CPUState, and
> there's a related vmsd "vmstate_arch_lbr". So it's also safe to mark it
> as migratable (even though KVM hasn't supported it - its migration
> support is completed in QEMU).
>
> PT is still unmigratable since KVM disabled it and there's no vmsd and
> no other emulation/simulation support.
The patch itself looks reasonable.
I'm wondering why there is no issue reported since I believe folks
tested the functionality of AMX live migration when AMX support was
upstreamed. So I explore a bit and find that the
migrable_flags/ungratable_flags in XCR0/XSS leaf don't take any effect
because of the
x86_cpu_enable_xsave_components()
Though the feature expansion in x86_cpu_expand_features() under
if (xcc->max_features) {
...
}
only enables migratable features when cpu->migratable is true,
x86_cpu_enable_xsave_components() overwrite the value later.
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> target/i386/cpu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 1917376dbea9..b01729ad36d2 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
> XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
> XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
> - XSTATE_PKRU_MASK,
> + XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> + XSTATE_XTILE_DATA_MASK,
> },
> [FEAT_XSAVE_XCR0_HI] = {
> .type = CPUID_FEATURE_WORD,
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies
2025-10-27 7:04 ` Xiaoyao Li
@ 2025-10-27 10:09 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 10:09 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
> > @@ -7137,10 +7161,13 @@ static const char *x86_cpu_feature_name(FeatureWord w, int bitnr)
> > if (w == FEAT_XSAVE_XCR0_LO || w == FEAT_XSAVE_XCR0_HI) {
> > int comp = (w == FEAT_XSAVE_XCR0_HI) ? bitnr + 32 : bitnr;
> > - if (comp < ARRAY_SIZE(x86_ext_save_areas) &&
> > - x86_ext_save_areas[comp].bits) {
> > - w = x86_ext_save_areas[comp].feature;
> > - bitnr = ctz32(x86_ext_save_areas[comp].bits);
> > + if (comp < ARRAY_SIZE(x86_ext_save_areas)) {
> > + /* Present the first feature as the default. */
> > + const FeatureMask *fm = &x86_ext_save_areas[comp].features[0];
>
> It doesn't look right to me.
>
> E.g., when users are requesting IBT, thus CET_U and CET_S, they might get
> "shstk" not avaiable.
This was intentional. This patch only introduces a new dependency array
without attempting to change the existing state. The series is already
quite large, so I didn't include all the cleanup within it.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-27 7:40 ` Xiaoyao Li
@ 2025-10-27 10:12 ` Zhao Liu
2025-10-27 11:15 ` Xiaoyao Li
0 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 10:12 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
> > * XSAVES feature bit (CPUID 0xD.0x1.EAX[bit 3]):
> >
> > Arch lbr state is a supervisor state, which requires the XSAVES
> > feature support. Enumerate supported supervisor state based on XSAVES
> > feature bit in x86_cpu_enable_xsave_components().
> >
> > Then it's safe to drop the check on XSAVES feature support during
> > CPUID 0XD encoding.
...
> > +++ b/target/i386/cpu.c
> > @@ -8174,16 +8174,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> > *ebx = xsave_area_size(xstate, true);
> > *ecx = env->features[FEAT_XSAVE_XSS_LO];
> > *edx = env->features[FEAT_XSAVE_XSS_HI];
> > - if (kvm_enabled() && cpu->enable_pmu &&
> > - (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR) &&
> > - (*eax & CPUID_XSAVE_XSAVES)) {
> > - *ecx |= XSTATE_ARCH_LBR_MASK;
> > - } else {
> > - *ecx &= ~XSTATE_ARCH_LBR_MASK;
> > - }
>
> > - } else if (count == 0xf && cpu->enable_pmu
> > - && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> > - x86_cpu_get_supported_cpuid(0xD, count, eax, ebx, ecx, edx);
>
> This chunk needs to be a separate patch. It's a functional change.
Already mentioned this in commit message.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization
2025-10-27 7:55 ` Xiaoyao Li
@ 2025-10-27 10:13 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 10:13 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
On Mon, Oct 27, 2025 at 03:55:30PM +0800, Xiaoyao Li wrote:
> Date: Mon, 27 Oct 2025 15:55:30 +0800
> From: Xiaoyao Li <xiaoyao.li@intel.com>
> Subject: Re: [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization
>
> On 10/24/2025 2:56 PM, Zhao Liu wrote:
> > From: Chao Gao <chao.gao@intel.com>
> >
> > Arch lbr is a supervisor xstate, but its area is not covered in
> > x86_cpu_init_xsave().
> >
> > Fix it by checking supported xss bitmap.
> >
> > In addition, drop the (uint64_t) type casts for supported_xcr0 since
> > x86_cpu_get_supported_feature_word() returns uint64_t so that the cast
> > is not needed. Then ensure line length is within 90 characters.
> >
> > Tested-by: Farrah Chen <farrah.chen@intel.com>
> > Signed-off-by: Chao Gao <chao.gao@intel.com>
> > Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > target/i386/cpu.c | 9 ++++++---
> > 1 file changed, 6 insertions(+), 3 deletions(-)
> >
> > diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> > index 5cd335bb5574..1917376dbea9 100644
> > --- a/target/i386/cpu.c
> > +++ b/target/i386/cpu.c
> > @@ -9707,20 +9707,23 @@ static void x86_cpu_post_initfn(Object *obj)
> > static void x86_cpu_init_xsave(void)
> > {
> > static bool first = true;
> > - uint64_t supported_xcr0;
> > + uint64_t supported_xcr0, supported_xss;
> > int i;
> > if (first) {
> > first = false;
> > supported_xcr0 =
> > - ((uint64_t) x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) << 32) |
> > + x86_cpu_get_supported_feature_word(NULL, FEAT_XSAVE_XCR0_HI) |
>
> missing the "<< 32" here,
Yes, good catch.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-27 8:42 ` Xiaoyao Li
@ 2025-10-27 10:19 ` Zhao Liu
2025-10-27 11:18 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 10:19 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
> Though the feature expansion in x86_cpu_expand_features() under
>
> if (xcc->max_features) {
> ...
> }
>
> only enables migratable features when cpu->migratable is true,
> x86_cpu_enable_xsave_components() overwrite the value later.
I have not changed the related logic, and this was intentional...too,
which is planed to be cleaned up after CET.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding
2025-10-27 7:51 ` Xiaoyao Li
@ 2025-10-27 11:01 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 11:01 UTC (permalink / raw)
To: Xiaoyao Li, Zide Chen, Dapeng Mi
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Chenyi Qiang, Farrah Chen
> > diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> > index 5b7a81fcdb1b..5cd335bb5574 100644
> > --- a/target/i386/cpu.c
> > +++ b/target/i386/cpu.c
> > @@ -8275,11 +8275,16 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> > }
> > break;
> > }
> > - case 0x1C:
> > - if (cpu->enable_pmu && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> > - x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> > - *edx = 0;
> > + case 0x1C: /* Last Branch Records Information Leaf */
> > + *eax = 0;
> > + *ebx = 0;
> > + *ecx = 0;
> > + *edx = 0;
>
> Could you help write a patch to move the initialization-to-0 operation out
> to the switch() handling as the common first handling. So that each case
> doesn't need to set them to 0 individually.
Yes, this way could eliminate some redundant code, but explicitly
initializing each leaf currently helps prevent missing something.
Moreover, such cleanup would affect almost all CPUID leaves.
I'm afraid this would make it inconvenient for cherry-picking and
backporting. So the benefits are relatively limited. :-(
> > + if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
> > + break;
> > }
> > + x86_cpu_get_supported_cpuid(0x1C, 0, eax, ebx, ecx, edx);
> > + *edx = 0; /* EDX is reserved. */
>
> Not the fault of this series. I think just presenting what KVM returns to
> guest (i.e., directly passthrough) isn't correct. Once leaf 0x1c gets more
> bits defined and KVM starts to support and report them, then the bits
> presented to guest get changed automatically between different KVM.
>
> the leaf 0x1c needs to be configurable and QEMU needs to ensure the same
> configuration outputs the constant result of leaf 0x1c, to ensure safe
> migration.
>
> It's not urgent though. KVM doesn't even support ArchLBR yet.
I agree, the feature bits enumeration is necessary. Before KVM (or other
accelerators) supports the arch LBR, there's no need to make too many
logic changes - so in this series I try to not change functionality of
arch lbr as much as possible; Let's wait and see the new arch LBR series
from Zide in future.
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-27 10:12 ` Zhao Liu
@ 2025-10-27 11:15 ` Xiaoyao Li
2025-10-30 15:40 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 11:15 UTC (permalink / raw)
To: Zhao Liu
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
On 10/27/2025 6:12 PM, Zhao Liu wrote:
>>> * XSAVES feature bit (CPUID 0xD.0x1.EAX[bit 3]):
>>>
>>> Arch lbr state is a supervisor state, which requires the XSAVES
>>> feature support. Enumerate supported supervisor state based on XSAVES
>>> feature bit in x86_cpu_enable_xsave_components().
>>>
>>> Then it's safe to drop the check on XSAVES feature support during
>>> CPUID 0XD encoding.
>
> ...
>
>>> +++ b/target/i386/cpu.c
>>> @@ -8174,16 +8174,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
>>> *ebx = xsave_area_size(xstate, true);
>>> *ecx = env->features[FEAT_XSAVE_XSS_LO];
>>> *edx = env->features[FEAT_XSAVE_XSS_HI];
>>> - if (kvm_enabled() && cpu->enable_pmu &&
>>> - (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR) &&
>>> - (*eax & CPUID_XSAVE_XSAVES)) {
>>> - *ecx |= XSTATE_ARCH_LBR_MASK;
>>> - } else {
>>> - *ecx &= ~XSTATE_ARCH_LBR_MASK;
>>> - }
>>
>>> - } else if (count == 0xf && cpu->enable_pmu
>>> - && (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
>>> - x86_cpu_get_supported_cpuid(0xD, count, eax, ebx, ecx, edx);
>>
>> This chunk needs to be a separate patch. It's a functional change.
>
> Already mentioned this in commit message.
Before this patch, if pmu is enabled and ARCH_LBR is configured, the
leaf (0xd, 0xf) is constructed by
x86_cpu_get_supported_cpuid()
after this patch, it's constructed to
*eax = esa->size;
*ebx = 0;
*ecx = 1;
I'm not sure which part of the commit message mention it and clarify it.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-27 10:19 ` Zhao Liu
@ 2025-10-27 11:18 ` Zhao Liu
2025-10-27 12:02 ` Xiaoyao Li
0 siblings, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 11:18 UTC (permalink / raw)
To: Paolo Bonzini, Xiaoyao Li
Cc: Marcelo Tosatti, qemu-devel, kvm, Chao Gao, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Farrah Chen
On Mon, Oct 27, 2025 at 06:19:40PM +0800, Zhao Liu wrote:
> Date: Mon, 27 Oct 2025 18:19:40 +0800
> From: Zhao Liu <zhao1.liu@intel.com>
> Subject: Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave
> features
>
> > Though the feature expansion in x86_cpu_expand_features() under
> >
> > if (xcc->max_features) {
> > ...
> > }
> >
> > only enables migratable features when cpu->migratable is true,
> > x86_cpu_enable_xsave_components() overwrite the value later.
>
> I have not changed the related logic, and this was intentional...too,
> which is planed to be cleaned up after CET.
There's only 1 use case of migratable_flags, so I would try to drop
it directly.
The xsave-managed/enabled feature is not suitable as the configurable
feature. Therefore, it is best to keep it non-configurable as it is
currently.
At least with this fix, the support for the new xsave feature —
including APX next — will not be broken, and the migratable flag
refactoring will become a separate RFC.
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
2025-10-24 6:56 ` [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable Zhao Liu
@ 2025-10-27 11:34 ` Zhao Liu
2025-10-29 6:13 ` Chao Gao
2025-10-29 6:10 ` Chao Gao
1 sibling, 1 reply; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 11:34 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen
On Fri, Oct 24, 2025 at 02:56:28PM +0800, Zhao Liu wrote:
> Date: Fri, 24 Oct 2025 14:56:28 +0800
> From: Zhao Liu <zhao1.liu@intel.com>
> Subject: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
> X-Mailer: git-send-email 2.34.1
>
> Cet-u and cet-s are supervisor xstates. Their states are saved/loaded by
> saving/loading related CET MSRs. And there's a vmsd "vmstate_cet" to
> migrate these MSRs.
>
> Thus, it's safe to mark them as migratable.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> target/i386/cpu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 0bb65e8c5321..c08066a338a3 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
> XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
> XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
> - XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> + XSTATE_PKRU_MASK | XSTATE_CET_U_MASK | XSTATE_CET_S_MASK |
CET-U & CET-S should be added to FEAT_XSAVE_XSS_LO.
> + XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> XSTATE_XTILE_DATA_MASK,
> },
> [FEAT_XSAVE_XCR0_HI] = {
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-24 6:56 ` [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features Zhao Liu
2025-10-27 8:42 ` Xiaoyao Li
@ 2025-10-27 11:36 ` Zhao Liu
1 sibling, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-27 11:36 UTC (permalink / raw)
To: Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Xiaoyao Li, Farrah Chen
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 1917376dbea9..b01729ad36d2 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
> XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
> XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
> - XSTATE_PKRU_MASK,
> + XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
ARCH LBR belongs to FEAT_XSAVE_XSS_LO.
> + XSTATE_XTILE_DATA_MASK,
> },
> [FEAT_XSAVE_XCR0_HI] = {
> .type = CPUID_FEATURE_WORD,
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-27 11:18 ` Zhao Liu
@ 2025-10-27 12:02 ` Xiaoyao Li
2025-10-30 15:56 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-27 12:02 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini
Cc: Marcelo Tosatti, qemu-devel, kvm, Chao Gao, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Farrah Chen
On 10/27/2025 7:18 PM, Zhao Liu wrote:
> On Mon, Oct 27, 2025 at 06:19:40PM +0800, Zhao Liu wrote:
>> Date: Mon, 27 Oct 2025 18:19:40 +0800
>> From: Zhao Liu <zhao1.liu@intel.com>
>> Subject: Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave
>> features
>>
>>> Though the feature expansion in x86_cpu_expand_features() under
>>>
>>> if (xcc->max_features) {
>>> ...
>>> }
>>>
>>> only enables migratable features when cpu->migratable is true,
>>> x86_cpu_enable_xsave_components() overwrite the value later.
>>
>> I have not changed the related logic, and this was intentional...too,
>> which is planed to be cleaned up after CET.
>
> There's only 1 use case of migratable_flags, so I would try to drop
> it directly.
>
> The xsave-managed/enabled feature is not suitable as the configurable
> feature. Therefore, it is best to keep it non-configurable as it is
> currently.
>
> At least with this fix, the support for the new xsave feature —
> including APX next — will not be broken,
can you elaborate what will be broken without the patch?
As I see, we can drop the .migratable_flags directly.
migrable_flags is only used in x86_cpu_get_migratable_flags(), which is
only called by x86_cpu_get_supported_feature_word() when passed @cpu is
not null and cpu->migratable is true. So it only affects the case of
x86_cpu_expand_features()
-> x86_cpu_get_supported_feature_word()
And only FEAT_XSAVE_XCR0_LO defines .migratable_flags
As I commented earlier, though the .migrable_flags determines the return
value of x86_cpu_get_supported_feature_word() for
features[FEAT_XSAVE_XCR0_LO] in x86_cpu_expand_features(), eventually
the x86_cpu_enable_xsave_components() overwrites
features[FEAT_XSAVE_XCR0_LO]. So even we set the migratable_flags to 0
for FEAT_XSAVE_XCR0_LO, it doesn't have any issue.
So I think we can remove migratable_flags totally.
> and the migratable flag
> refactoring will become a separate RFC.
>
> Regards,
> Zhao
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 12/20] i386/cpu: Add CET support in CR4
2025-10-24 6:56 ` [PATCH v3 12/20] i386/cpu: Add CET support in CR4 Zhao Liu
@ 2025-10-28 2:04 ` Chenyi Qiang
2025-10-30 15:57 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Chenyi Qiang @ 2025-10-28 2:04 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Xiaoyao Li, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> CR4.CET bit (bit 23) is as master enable for CET.
> Check and adjust CR4.CET bit based on CET CPUIDs.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> target/i386/cpu.h | 7 ++++++-
> target/i386/helper.c | 12 ++++++++++++
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 7584cddb5917..86fbfd5e4023 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -257,6 +257,7 @@ typedef enum X86Seg {
> #define CR4_SMEP_MASK (1U << 20)
> #define CR4_SMAP_MASK (1U << 21)
> #define CR4_PKE_MASK (1U << 22)
> +#define CR4_CET_MASK (1U << 23)
> #define CR4_PKS_MASK (1U << 24)
> #define CR4_LAM_SUP_MASK (1U << 28)
>
> @@ -274,7 +275,7 @@ typedef enum X86Seg {
> | CR4_LA57_MASK \
> | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
> | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \
> - | CR4_LAM_SUP_MASK | CR4_FRED_MASK))
> + | CR4_LAM_SUP_MASK | CR4_FRED_MASK | CR4_CET_MASK))
Maybe put CR4_CET_MASK between PKE and PKS to keep it in order.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states
2025-10-24 6:56 ` [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states Zhao Liu
@ 2025-10-28 8:00 ` Xiaoyao Li
2025-10-29 4:58 ` Chao Gao
1 sibling, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:00 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen, Yang Weijiang
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Yang Weijiang <weijiang.yang@intel.com>
>
> Add CET_U/S bits in xstate area and report support in xstate
> feature mask.
> MSR_XSS[bit 11] corresponds to CET user mode states.
> MSR_XSS[bit 12] corresponds to CET supervisor mode states.
>
> CET Shadow Stack(SHSTK) and Indirect Branch Tracking(IBT) features
> are enumerated via CPUID.(EAX=07H,ECX=0H):ECX[7] and EDX[20]
> respectively, two features share the same state bits in XSS, so
> if either of the features is enabled, set CET_U and CET_S bits
> together.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
> Co-developed-by: Chao Gao <chao.gao@intel.com>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP
2025-10-24 6:56 ` [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP Zhao Liu
@ 2025-10-28 8:21 ` Xiaoyao Li
0 siblings, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:21 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen, Yang Weijiang
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Yang Weijiang <weijiang.yang@intel.com>
>
> CET provides a new architectural register, shadow stack pointer (SSP),
> which cannot be directly encoded as a source, destination or memory
> operand in instructions. But Intel VMCS & VMCB provide fields to
> save/load guest & host's ssp.
>
> It's necessary to save & load Guest's ssp before & after migration. To
> support this, KVM implements Guest's SSP as a special KVM internal
> register - KVM_REG_GUEST_SSP, and allows QEMU to save & load it via
> KVM_GET_ONE_REG/KVM_SET_ONE_REG.
>
> Cache KVM_REG_GUEST_SSP in X86CPUState.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
> Co-developed-by: Chao Gao <chao.gao@intel.com>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.h | 1 +
> target/i386/kvm/kvm.c | 39 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 40 insertions(+)
>
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 4edb977575e2..ad4287822831 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -2105,6 +2105,7 @@ typedef struct CPUArchState {
> uint64_t pl2_ssp;
> uint64_t pl3_ssp;
> uint64_t int_ssp_table;
> + uint64_t guest_ssp;
>
> /* Fields up to this point are cleared by a CPU reset */
> struct {} end_reset_fields;
> diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> index 92c2fd6d6aee..412e99ba5b53 100644
> --- a/target/i386/kvm/kvm.c
> +++ b/target/i386/kvm/kvm.c
> @@ -4280,6 +4280,35 @@ static int kvm_put_msrs(X86CPU *cpu, KvmPutState level)
> return kvm_buf_set_msrs(cpu);
> }
>
> +static int kvm_put_kvm_regs(X86CPU *cpu)
> +{
> + CPUX86State *env = &cpu->env;
> + int ret;
> +
> + if ((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK)) {
> + ret = kvm_set_one_reg(CPU(cpu), KVM_X86_REG_KVM(KVM_REG_GUEST_SSP),
> + &env->guest_ssp);
> + if (ret) {
> + return ret;
> + }
> + }
> + return 0;
> +}
> +
> +static int kvm_get_kvm_regs(X86CPU *cpu)
> +{
> + CPUX86State *env = &cpu->env;
> + int ret;
> +
> + if ((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK)) {
> + ret = kvm_get_one_reg(CPU(cpu), KVM_X86_REG_KVM(KVM_REG_GUEST_SSP),
> + &env->guest_ssp);
> + if (ret) {
> + return ret;
> + }
> + }
> + return 0;
> +}
>
> static int kvm_get_xsave(X86CPU *cpu)
> {
> @@ -5425,6 +5454,11 @@ int kvm_arch_put_registers(CPUState *cpu, KvmPutState level, Error **errp)
> error_setg_errno(errp, -ret, "Failed to set MSRs");
> return ret;
> }
> + ret = kvm_put_kvm_regs(x86_cpu);
> + if (ret < 0) {
> + error_setg_errno(errp, -ret, "Failed to set KVM type registers");
> + return ret;
> + }
> ret = kvm_put_vcpu_events(x86_cpu, level);
> if (ret < 0) {
> error_setg_errno(errp, -ret, "Failed to set vCPU events");
> @@ -5497,6 +5531,11 @@ int kvm_arch_get_registers(CPUState *cs, Error **errp)
> error_setg_errno(errp, -ret, "Failed to get MSRs");
> goto out;
> }
> + ret = kvm_get_kvm_regs(cpu);
> + if (ret < 0) {
> + error_setg_errno(errp, -ret, "Failed to get KVM type registers");
> + goto out;
> + }
> ret = kvm_get_apic(cpu);
> if (ret < 0) {
> error_setg_errno(errp, -ret, "Failed to get APIC");
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt
2025-10-24 6:56 ` [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt Zhao Liu
@ 2025-10-28 8:29 ` Xiaoyao Li
2025-10-30 16:04 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:29 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen, Yang Weijiang
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Yang Weijiang <weijiang.yang@intel.com>
>
> Add vmstates for cet-ss and cet-ibt
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
> Co-developed-by: Chao Gao <chao.gao@intel.com>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Changes Since v2:
> - Split a subsection "vmstate_ss" since shstk is user-configurable.
> ---
> target/i386/machine.c | 53 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 53 insertions(+)
>
> diff --git a/target/i386/machine.c b/target/i386/machine.c
> index 45b7cea80aa7..3ad07ec82428 100644
> --- a/target/i386/machine.c
> +++ b/target/i386/machine.c
> @@ -1668,6 +1668,58 @@ static const VMStateDescription vmstate_triple_fault = {
> }
> };
>
> +static bool shstk_needed(void *opaque)
> +{
> + X86CPU *cpu = opaque;
> + CPUX86State *env = &cpu->env;
> +
> + return !!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK);
> +}
> +
> +static const VMStateDescription vmstate_ss = {
> + .name = "cpu/cet_ss",
> + .version_id = 1,
> + .minimum_version_id = 1,
> + .needed = shstk_needed,
> + .fields = (VMStateField[]) {
> + VMSTATE_UINT64(env.pl0_ssp, X86CPU),
> + VMSTATE_UINT64(env.pl1_ssp, X86CPU),
> + VMSTATE_UINT64(env.pl2_ssp, X86CPU),
> + VMSTATE_UINT64(env.pl3_ssp, X86CPU),
> +#ifdef TARGET_X86_64
> + /* This MSR is only present on Intel 64 architecture. */
> + VMSTATE_UINT64(env.int_ssp_table, X86CPU),
> +#endif
It seems we need to split int_ssp_table into a separate vmstate_*
Its .needed function needs to check both CPUID_7_0_ECX_CET_SHSTK &&
CPUID_EXT2_LM.
> + VMSTATE_UINT64(env.guest_ssp, X86CPU),
> + VMSTATE_END_OF_LIST()
> + }
> +};
> +
> +static bool cet_needed(void *opaque)
> +{
> + X86CPU *cpu = opaque;
> + CPUX86State *env = &cpu->env;
> +
> + return !!((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) ||
> + (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT));
> +}
> +
> +static const VMStateDescription vmstate_cet = {
> + .name = "cpu/cet",
> + .version_id = 1,
> + .minimum_version_id = 1,
> + .needed = cet_needed,
> + .fields = (VMStateField[]) {
> + VMSTATE_UINT64(env.u_cet, X86CPU),
> + VMSTATE_UINT64(env.s_cet, X86CPU),
> + VMSTATE_END_OF_LIST()
> + },
> + .subsections = (const VMStateDescription * const []) {
> + &vmstate_ss,
> + NULL,
> + },
> +};
> +
> const VMStateDescription vmstate_x86_cpu = {
> .name = "cpu",
> .version_id = 12,
> @@ -1817,6 +1869,7 @@ const VMStateDescription vmstate_x86_cpu = {
> #endif
> &vmstate_arch_lbr,
> &vmstate_triple_fault,
> + &vmstate_cet,
missing &vmstate_ss
> NULL
> }
> };
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words
2025-10-24 6:56 ` [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words Zhao Liu
@ 2025-10-28 8:33 ` Xiaoyao Li
0 siblings, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:33 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen, Yang Weijiang
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Yang Weijiang <weijiang.yang@intel.com>
>
> Add SHSTK and IBT flags in feature words with entry/exit
> control flags.
>
> CET SHSTK and IBT feature are enumerated via CPUID(EAX=7,ECX=0)
> ECX[bit 7] and EDX[bit 20]. CET states load/restore at vmentry/
> vmexit are controlled by VMX_ENTRY_CTLS[bit 20] and VMX_EXIT_CTLS[bit 28].
> Enable these flags so that KVM can enumerate the features properly.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
> Co-developed-by: Chao Gao <chao.gao@intel.com>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> Changes Since v2:
> - Rename "shstk"/"ibt" to "cet-ss"/"cet-ibt" to match feature names
> in SDM & APM.
> - Rename "vmx-exit-save-cet-ctl"/"vmx-entry-load-cet-ctl" to
> "vmx-exit-save-cet"/"vmx-entry-load-cet".
> - Define the feature mask macro for easier double check.
> ---
> target/i386/cpu.c | 8 ++++----
> target/i386/cpu.h | 2 ++
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index c08066a338a3..9a1001c47891 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1221,7 +1221,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .type = CPUID_FEATURE_WORD,
> .feat_names = {
> NULL, "avx512vbmi", "umip", "pku",
> - NULL /* ospke */, "waitpkg", "avx512vbmi2", NULL,
> + NULL /* ospke */, "waitpkg", "avx512vbmi2", "cet-ss",
> "gfni", "vaes", "vpclmulqdq", "avx512vnni",
> "avx512bitalg", NULL, "avx512-vpopcntdq", NULL,
> "la57", NULL, NULL, NULL,
> @@ -1244,7 +1244,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> "avx512-vp2intersect", NULL, "md-clear", NULL,
> NULL, NULL, "serialize", NULL,
> "tsx-ldtrk", NULL, NULL /* pconfig */, "arch-lbr",
> - NULL, NULL, "amx-bf16", "avx512-fp16",
> + "cet-ibt", NULL, "amx-bf16", "avx512-fp16",
> "amx-tile", "amx-int8", "spec-ctrl", "stibp",
> "flush-l1d", "arch-capabilities", "core-capability", "ssbd",
> },
> @@ -1666,7 +1666,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> "vmx-exit-save-efer", "vmx-exit-load-efer",
> "vmx-exit-save-preemption-timer", "vmx-exit-clear-bndcfgs",
> NULL, "vmx-exit-clear-rtit-ctl", NULL, NULL,
> - NULL, "vmx-exit-load-pkrs", NULL, "vmx-exit-secondary-ctls",
> + "vmx-exit-save-cet", "vmx-exit-load-pkrs", NULL, "vmx-exit-secondary-ctls",
> },
> .msr = {
> .index = MSR_IA32_VMX_TRUE_EXIT_CTLS,
> @@ -1681,7 +1681,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> NULL, "vmx-entry-ia32e-mode", NULL, NULL,
> NULL, "vmx-entry-load-perf-global-ctrl", "vmx-entry-load-pat", "vmx-entry-load-efer",
> "vmx-entry-load-bndcfgs", NULL, "vmx-entry-load-rtit-ctl", NULL,
> - NULL, NULL, "vmx-entry-load-pkrs", "vmx-entry-load-fred",
> + "vmx-entry-load-cet", NULL, "vmx-entry-load-pkrs", "vmx-entry-load-fred",
> NULL, NULL, NULL, NULL,
> NULL, NULL, NULL, NULL,
> },
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index ad4287822831..fa3e5d87fe50 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -1369,6 +1369,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
> #define VMX_VM_EXIT_CLEAR_BNDCFGS 0x00800000
> #define VMX_VM_EXIT_PT_CONCEAL_PIP 0x01000000
> #define VMX_VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000
> +#define VMX_VM_EXIT_SAVE_CET 0x10000000
> #define VMX_VM_EXIT_LOAD_IA32_PKRS 0x20000000
> #define VMX_VM_EXIT_ACTIVATE_SECONDARY_CONTROLS 0x80000000
>
> @@ -1382,6 +1383,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
> #define VMX_VM_ENTRY_LOAD_BNDCFGS 0x00010000
> #define VMX_VM_ENTRY_PT_CONCEAL_PIP 0x00020000
> #define VMX_VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000
> +#define VMX_VM_ENTRY_LOAD_CET 0x00100000
> #define VMX_VM_ENTRY_LOAD_IA32_PKRS 0x00400000
>
> /* Supported Hyper-V Enlightenments */
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models
2025-10-24 6:56 ` [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models Zhao Liu
@ 2025-10-28 8:34 ` Xiaoyao Li
0 siblings, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:34 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> Add new versioned CPU models for Sapphire Rapids, Sierra Forest, Granite
> Rapids and Clearwater Forest, to enable shadow stack and indirect branch
> tracking.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/cpu.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 44 insertions(+)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 9a1001c47891..73026d5bce91 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -5161,6 +5161,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
> { /* end of list */ },
> }
> },
> + {
> + .version = 5,
> + .note = "with cet-ss and cet-ibt",
> + .props = (PropValue[]) {
> + { "cet-ss", "on" },
> + { "cet-ibt", "on" },
> + { "vmx-exit-save-cet", "on" },
> + { "vmx-entry-load-cet", "on" },
> + { /* end of list */ },
> + }
> + },
> { /* end of list */ }
> }
> },
> @@ -5323,6 +5334,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
> { /* end of list */ },
> }
> },
> + {
> + .version = 4,
> + .note = "with cet-ss and cet-ibt",
> + .props = (PropValue[]) {
> + { "cet-ss", "on" },
> + { "cet-ibt", "on" },
> + { "vmx-exit-save-cet", "on" },
> + { "vmx-entry-load-cet", "on" },
> + { /* end of list */ },
> + }
> + },
> { /* end of list */ },
> },
> },
> @@ -5477,6 +5499,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
> { /* end of list */ },
> }
> },
> + {
> + .version = 4,
> + .note = "with cet-ss and cet-ibt",
> + .props = (PropValue[]) {
> + { "cet-ss", "on" },
> + { "cet-ibt", "on" },
> + { "vmx-exit-save-cet", "on" },
> + { "vmx-entry-load-cet", "on" },
> + { /* end of list */ },
> + }
> + },
> { /* end of list */ },
> },
> },
> @@ -5612,6 +5645,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
> .model_id = "Intel Xeon Processor (ClearwaterForest)",
> .versions = (X86CPUVersionDefinition[]) {
> { .version = 1 },
> + {
> + .version = 2,
> + .note = "with cet-ss and cet-ibt",
> + .props = (PropValue[]) {
> + { "cet-ss", "on" },
> + { "cet-ibt", "on" },
> + { "vmx-exit-save-cet", "on" },
> + { "vmx-entry-load-cet", "on" },
> + { /* end of list */ },
> + }
> + },
> { /* end of list */ },
> },
> },
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[]
2025-10-24 6:56 ` [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[] Zhao Liu
@ 2025-10-28 8:37 ` Xiaoyao Li
0 siblings, 0 replies; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:37 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> The checkpatch.pl always complains: "ERROR: space required after that
> close brace '}'".
>
> Fix this issue.
>
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/kvm/tdx.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
> index dbf0fa2c9180..a3444623657f 100644
> --- a/target/i386/kvm/tdx.c
> +++ b/target/i386/kvm/tdx.c
> @@ -520,15 +520,15 @@ typedef struct TdxXFAMDep {
> * supported.
> */
> TdxXFAMDep tdx_xfam_deps[] = {
> - { XSTATE_YMM_BIT, { FEAT_1_ECX, CPUID_EXT_FMA }},
> - { XSTATE_YMM_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX2 }},
> - { XSTATE_OPMASK_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_AVX512_VBMI}},
> - { XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16}},
> - { XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT}},
> - { XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU}},
> - { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 }},
> - { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE }},
> - { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 }},
> + { XSTATE_YMM_BIT, { FEAT_1_ECX, CPUID_EXT_FMA } },
> + { XSTATE_YMM_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_AVX2 } },
> + { XSTATE_OPMASK_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_AVX512_VBMI } },
> + { XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16 } },
> + { XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT } },
> + { XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU } },
> + { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 } },
> + { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE } },
> + { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 } },
> };
>
> static struct kvm_cpuid_entry2 *find_in_supported_entry(uint32_t function,
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM
2025-10-24 6:56 ` [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM Zhao Liu
@ 2025-10-28 8:55 ` Xiaoyao Li
2025-10-30 16:07 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-28 8:55 UTC (permalink / raw)
To: Zhao Liu, Paolo Bonzini, Marcelo Tosatti
Cc: qemu-devel, kvm, Chao Gao, John Allen, Babu Moger, Mathias Krause,
Dapeng Mi, Zide Chen, Chenyi Qiang, Farrah Chen
On 10/24/2025 2:56 PM, Zhao Liu wrote:
> From: Chenyi Qiang <chenyi.qiang@intel.com>
>
> So that it can be configured in TD guest.
>
> And considerring cet-u and cet-s have the same dependencies, it's enough
> to only list cet-u in tdx_xfam_deps[].
In fact, this is not the reason.
The reason is that CET_U and CET_S bits are always same in supported
XFAM reported by TDX module, i.e., either 00 or 11. So, we only need to
choose one of them.
> Tested-by: Farrah Chen <farrah.chen@intel.com>
> Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
With commit message updated,
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
> target/i386/kvm/tdx.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
> index a3444623657f..01619857685b 100644
> --- a/target/i386/kvm/tdx.c
> +++ b/target/i386/kvm/tdx.c
> @@ -526,6 +526,8 @@ TdxXFAMDep tdx_xfam_deps[] = {
> { XSTATE_OPMASK_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AVX512_FP16 } },
> { XSTATE_PT_BIT, { FEAT_7_0_EBX, CPUID_7_0_EBX_INTEL_PT } },
> { XSTATE_PKRU_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_PKU } },
> + { XSTATE_CET_U_BIT, { FEAT_7_0_ECX, CPUID_7_0_ECX_CET_SHSTK } },
> + { XSTATE_CET_U_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_CET_IBT } },
> { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_BF16 } },
> { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE } },
> { XSTATE_XTILE_CFG_BIT, { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_INT8 } },
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states
2025-10-24 6:56 ` [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states Zhao Liu
2025-10-28 8:00 ` Xiaoyao Li
@ 2025-10-29 4:58 ` Chao Gao
2025-10-30 4:29 ` Xiaoyao Li
1 sibling, 1 reply; 64+ messages in thread
From: Chao Gao @ 2025-10-29 4:58 UTC (permalink / raw)
To: Zhao Liu
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Xiaoyao Li, Farrah Chen, Yang Weijiang
On Fri, Oct 24, 2025 at 02:56:23PM +0800, Zhao Liu wrote:
>From: Yang Weijiang <weijiang.yang@intel.com>
>
>Add CET_U/S bits in xstate area and report support in xstate
>feature mask.
>MSR_XSS[bit 11] corresponds to CET user mode states.
>MSR_XSS[bit 12] corresponds to CET supervisor mode states.
>
>CET Shadow Stack(SHSTK) and Indirect Branch Tracking(IBT) features
>are enumerated via CPUID.(EAX=07H,ECX=0H):ECX[7] and EDX[20]
>respectively, two features share the same state bits in XSS, so
>if either of the features is enabled, set CET_U and CET_S bits
>together.
>
>Tested-by: Farrah Chen <farrah.chen@intel.com>
>Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
>Co-developed-by: Chao Gao <chao.gao@intel.com>
>Signed-off-by: Chao Gao <chao.gao@intel.com>
>Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
>Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
It just occurred to me that KVM_GET/SET_XSAVE don't save/restore supervisor
states. Supervisor states need to be saved/restored via MSR APIs. So, there
is no need to add supervisor states (including ARCH_LBR states) to
x86_ext_save_areas[].
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
2025-10-24 6:56 ` [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable Zhao Liu
2025-10-27 11:34 ` Zhao Liu
@ 2025-10-29 6:10 ` Chao Gao
2025-10-30 16:09 ` Zhao Liu
1 sibling, 1 reply; 64+ messages in thread
From: Chao Gao @ 2025-10-29 6:10 UTC (permalink / raw)
To: Zhao Liu
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Xiaoyao Li, Farrah Chen
On Fri, Oct 24, 2025 at 02:56:28PM +0800, Zhao Liu wrote:
>Cet-u and cet-s are supervisor xstates. Their states are saved/loaded by
>saving/loading related CET MSRs. And there's a vmsd "vmstate_cet" to
>migrate these MSRs.
>
>Thus, it's safe to mark them as migratable.
>
>Tested-by: Farrah Chen <farrah.chen@intel.com>
>Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
>---
> target/i386/cpu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>index 0bb65e8c5321..c08066a338a3 100644
>--- a/target/i386/cpu.c
>+++ b/target/i386/cpu.c
>@@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
> XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
> XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
>- XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
>+ XSTATE_PKRU_MASK | XSTATE_CET_U_MASK | XSTATE_CET_S_MASK |
>+ XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> XSTATE_XTILE_DATA_MASK,
Supervisor states are enumerated via CPUID[EAX=0xd,ECX=1].ECX/EDX while user
states are enumerated via CPUID[EAX=0xd,ECX=0].EAX/EDX. So, maybe we need to
two new feature words?
> },
> [FEAT_XSAVE_XCR0_HI] = {
>--
>2.34.1
>
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
2025-10-27 11:34 ` Zhao Liu
@ 2025-10-29 6:13 ` Chao Gao
0 siblings, 0 replies; 64+ messages in thread
From: Chao Gao @ 2025-10-29 6:13 UTC (permalink / raw)
To: Zhao Liu
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Xiaoyao Li, Farrah Chen
On Mon, Oct 27, 2025 at 07:34:56PM +0800, Zhao Liu wrote:
>On Fri, Oct 24, 2025 at 02:56:28PM +0800, Zhao Liu wrote:
>> Date: Fri, 24 Oct 2025 14:56:28 +0800
>> From: Zhao Liu <zhao1.liu@intel.com>
>> Subject: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
>> X-Mailer: git-send-email 2.34.1
>>
>> Cet-u and cet-s are supervisor xstates. Their states are saved/loaded by
>> saving/loading related CET MSRs. And there's a vmsd "vmstate_cet" to
>> migrate these MSRs.
>>
>> Thus, it's safe to mark them as migratable.
>>
>> Tested-by: Farrah Chen <farrah.chen@intel.com>
>> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
>> ---
>> target/i386/cpu.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>> index 0bb65e8c5321..c08066a338a3 100644
>> --- a/target/i386/cpu.c
>> +++ b/target/i386/cpu.c
>> @@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
>> .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
>> XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
>> XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
>> - XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
>> + XSTATE_PKRU_MASK | XSTATE_CET_U_MASK | XSTATE_CET_S_MASK |
>
>CET-U & CET-S should be added to FEAT_XSAVE_XSS_LO.
Yes. XSTATE_ARCH_LBR_MASK as well.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states
2025-10-29 4:58 ` Chao Gao
@ 2025-10-30 4:29 ` Xiaoyao Li
2025-10-30 16:39 ` Zhao Liu
0 siblings, 1 reply; 64+ messages in thread
From: Xiaoyao Li @ 2025-10-30 4:29 UTC (permalink / raw)
To: Chao Gao, Zhao Liu
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Farrah Chen, Yang Weijiang
On 10/29/2025 12:58 PM, Chao Gao wrote:
> On Fri, Oct 24, 2025 at 02:56:23PM +0800, Zhao Liu wrote:
>> From: Yang Weijiang <weijiang.yang@intel.com>
>>
>> Add CET_U/S bits in xstate area and report support in xstate
>> feature mask.
>> MSR_XSS[bit 11] corresponds to CET user mode states.
>> MSR_XSS[bit 12] corresponds to CET supervisor mode states.
>>
>> CET Shadow Stack(SHSTK) and Indirect Branch Tracking(IBT) features
>> are enumerated via CPUID.(EAX=07H,ECX=0H):ECX[7] and EDX[20]
>> respectively, two features share the same state bits in XSS, so
>> if either of the features is enabled, set CET_U and CET_S bits
>> together.
>>
>> Tested-by: Farrah Chen <farrah.chen@intel.com>
>> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
>> Co-developed-by: Chao Gao <chao.gao@intel.com>
>> Signed-off-by: Chao Gao <chao.gao@intel.com>
>> Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
>> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
>
> It just occurred to me that KVM_GET/SET_XSAVE don't save/restore supervisor
> states. Supervisor states need to be saved/restored via MSR APIs. So, there
> is no need to add supervisor states (including ARCH_LBR states) to
> x86_ext_save_areas[].
x86_ext_save_areas[] is not used only for xsave state, it's also used
for the setup of xsave features, i.e., CPUID leaf 0xD.
And you did catch the missing part of this series, it lacks the
save/restore of CET XSAVE state in
x86_cpu_xsave_all_areas()/x86_cpu_xrstor_all_areas()
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[]
2025-10-27 5:47 ` Xiaoyao Li
@ 2025-10-30 15:11 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 15:11 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
On Mon, Oct 27, 2025 at 01:47:53PM +0800, Xiaoyao Li wrote:
> Date: Mon, 27 Oct 2025 13:47:53 +0800
> From: Xiaoyao Li <xiaoyao.li@intel.com>
> Subject: Re: [PATCH v3 02/20] i386/cpu: Clean up indent style of
> x86_ext_save_areas[]
>
> On 10/24/2025 2:56 PM, Zhao Liu wrote:
>
> <empty commit message> isn't good.
Yeah, will add the description.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state
2025-10-27 11:15 ` Xiaoyao Li
@ 2025-10-30 15:40 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 15:40 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
> Before this patch, if pmu is enabled and ARCH_LBR is configured, the leaf
> (0xd, 0xf) is constructed by
>
> x86_cpu_get_supported_cpuid()
>
> after this patch, it's constructed to
>
> *eax = esa->size;
> *ebx = 0;
> *ecx = 1;
Ah, there should be another 2 cases which need refactor/cleanup:
* fill all registers with info from x86_ext_save_areas
* fill info of x86_ext_save_areas from x86_cpu_get_supported_cpuid()
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features
2025-10-27 12:02 ` Xiaoyao Li
@ 2025-10-30 15:56 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 15:56 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
> can you elaborate what will be broken without the patch?
Obviously, the migratable_flags has been broken.
> As I commented earlier, though the .migrable_flags determines the return
> value of x86_cpu_get_supported_feature_word() for
> features[FEAT_XSAVE_XCR0_LO] in x86_cpu_expand_features(), eventually the
> x86_cpu_enable_xsave_components() overwrites features[FEAT_XSAVE_XCR0_LO].
> So even we set the migratable_flags to 0 for FEAT_XSAVE_XCR0_LO, it doesn't
> have any issue.
No. this seemingly 'correct' result what you see is just due to
different bugs influencing each other: the flags are wrong, the code
path is wrong, and the impact produced by the flags is also wrong.
> So I think we can remove migratable_flags totally.
migratable_flags is used for feature leaves that are non-migratable by
default, while unmigratable_flags is used for feature leaves that are
migratable by default. Simply removing it doesn't need much effort, but
additional clarification is needed - about whether and how it affects
the migratable/unmigratable feature setting. Therefore, it's better to
do such refactor in the separate thread rather than combining it with
CET for now.
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 12/20] i386/cpu: Add CET support in CR4
2025-10-28 2:04 ` Chenyi Qiang
@ 2025-10-30 15:57 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 15:57 UTC (permalink / raw)
To: Chenyi Qiang
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Xiaoyao Li, Farrah Chen
> > @@ -274,7 +275,7 @@ typedef enum X86Seg {
> > | CR4_LA57_MASK \
> > | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
> > | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \
> > - | CR4_LAM_SUP_MASK | CR4_FRED_MASK))
> > + | CR4_LAM_SUP_MASK | CR4_FRED_MASK | CR4_CET_MASK))
>
> Maybe put CR4_CET_MASK between PKE and PKS to keep it in order.
Sure, good idea.
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt
2025-10-28 8:29 ` Xiaoyao Li
@ 2025-10-30 16:04 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 16:04 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen, Yang Weijiang
On Tue, Oct 28, 2025 at 04:29:58PM +0800, Xiaoyao Li wrote:
> Date: Tue, 28 Oct 2025 16:29:58 +0800
> From: Xiaoyao Li <xiaoyao.li@intel.com>
> Subject: Re: [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and
> cet-ibt
>
> On 10/24/2025 2:56 PM, Zhao Liu wrote:
> > From: Yang Weijiang <weijiang.yang@intel.com>
> >
> > Add vmstates for cet-ss and cet-ibt
> >
> > Tested-by: Farrah Chen <farrah.chen@intel.com>
> > Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
> > Co-developed-by: Chao Gao <chao.gao@intel.com>
> > Signed-off-by: Chao Gao <chao.gao@intel.com>
> > Co-developed-by: Zhao Liu <zhao1.liu@intel.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Changes Since v2:
> > - Split a subsection "vmstate_ss" since shstk is user-configurable.
> > ---
> > target/i386/machine.c | 53 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 53 insertions(+)
> >
> > diff --git a/target/i386/machine.c b/target/i386/machine.c
> > index 45b7cea80aa7..3ad07ec82428 100644
> > --- a/target/i386/machine.c
> > +++ b/target/i386/machine.c
> > @@ -1668,6 +1668,58 @@ static const VMStateDescription vmstate_triple_fault = {
> > }
> > };
> > +static bool shstk_needed(void *opaque)
> > +{
> > + X86CPU *cpu = opaque;
> > + CPUX86State *env = &cpu->env;
> > +
> > + return !!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK);
> > +}
> > +
> > +static const VMStateDescription vmstate_ss = {
> > + .name = "cpu/cet_ss",
> > + .version_id = 1,
> > + .minimum_version_id = 1,
> > + .needed = shstk_needed,
> > + .fields = (VMStateField[]) {
> > + VMSTATE_UINT64(env.pl0_ssp, X86CPU),
> > + VMSTATE_UINT64(env.pl1_ssp, X86CPU),
> > + VMSTATE_UINT64(env.pl2_ssp, X86CPU),
> > + VMSTATE_UINT64(env.pl3_ssp, X86CPU),
> > +#ifdef TARGET_X86_64
> > + /* This MSR is only present on Intel 64 architecture. */
> > + VMSTATE_UINT64(env.int_ssp_table, X86CPU),
> > +#endif
>
> It seems we need to split int_ssp_table into a separate vmstate_*
>
> Its .needed function needs to check both CPUID_7_0_ECX_CET_SHSTK &&
> CPUID_EXT2_LM.
Ok, will split this entry into a subsection. Thanks.
> > + VMSTATE_UINT64(env.guest_ssp, X86CPU),
> > + VMSTATE_END_OF_LIST()
> > + }
> > +};
> > +
> > +static bool cet_needed(void *opaque)
> > +{
> > + X86CPU *cpu = opaque;
> > + CPUX86State *env = &cpu->env;
> > +
> > + return !!((env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_CET_SHSTK) ||
> > + (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_CET_IBT));
> > +}
> > +
> > +static const VMStateDescription vmstate_cet = {
> > + .name = "cpu/cet",
> > + .version_id = 1,
> > + .minimum_version_id = 1,
> > + .needed = cet_needed,
> > + .fields = (VMStateField[]) {
> > + VMSTATE_UINT64(env.u_cet, X86CPU),
> > + VMSTATE_UINT64(env.s_cet, X86CPU),
> > + VMSTATE_END_OF_LIST()
> > + },
> > + .subsections = (const VMStateDescription * const []) {
> > + &vmstate_ss,
here: ^^^^^^^^^^^^^
> > + NULL,
> > + },
> > +};
> > +
> > const VMStateDescription vmstate_x86_cpu = {
> > .name = "cpu",
> > .version_id = 12,
> > @@ -1817,6 +1869,7 @@ const VMStateDescription vmstate_x86_cpu = {
> > #endif
> > &vmstate_arch_lbr,
> > &vmstate_triple_fault,
> > + &vmstate_cet,
>
> missing &vmstate_ss
I made vmstate_ss as a subsection in vmstate_cet
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM
2025-10-28 8:55 ` Xiaoyao Li
@ 2025-10-30 16:07 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 16:07 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, Chao Gao,
John Allen, Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen,
Chenyi Qiang, Farrah Chen
On Tue, Oct 28, 2025 at 04:55:25PM +0800, Xiaoyao Li wrote:
> Date: Tue, 28 Oct 2025 16:55:25 +0800
> From: Xiaoyao Li <xiaoyao.li@intel.com>
> Subject: Re: [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the
> supported CPUID by XFAM
>
> On 10/24/2025 2:56 PM, Zhao Liu wrote:
> > From: Chenyi Qiang <chenyi.qiang@intel.com>
> >
> > So that it can be configured in TD guest.
> >
> > And considerring cet-u and cet-s have the same dependencies, it's enough
> > to only list cet-u in tdx_xfam_deps[].
>
> In fact, this is not the reason.
>
> The reason is that CET_U and CET_S bits are always same in supported XFAM
> reported by TDX module, i.e., either 00 or 11. So, we only need to choose
> one of them.
Good words. Will update.
> > Tested-by: Farrah Chen <farrah.chen@intel.com>
> > Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
>
> With commit message updated,
>
> Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Thanks!
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable
2025-10-29 6:10 ` Chao Gao
@ 2025-10-30 16:09 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 16:09 UTC (permalink / raw)
To: Chao Gao
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Xiaoyao Li, Farrah Chen
On Wed, Oct 29, 2025 at 02:10:08PM +0800, Chao Gao wrote:
> Date: Wed, 29 Oct 2025 14:10:08 +0800
> From: Chao Gao <chao.gao@intel.com>
> Subject: Re: [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as
> migratable
>
> On Fri, Oct 24, 2025 at 02:56:28PM +0800, Zhao Liu wrote:
> >Cet-u and cet-s are supervisor xstates. Their states are saved/loaded by
> >saving/loading related CET MSRs. And there's a vmsd "vmstate_cet" to
> >migrate these MSRs.
> >
> >Thus, it's safe to mark them as migratable.
> >
> >Tested-by: Farrah Chen <farrah.chen@intel.com>
> >Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> >---
> > target/i386/cpu.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> >diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> >index 0bb65e8c5321..c08066a338a3 100644
> >--- a/target/i386/cpu.c
> >+++ b/target/i386/cpu.c
> >@@ -1522,7 +1522,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> > .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
> > XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
> > XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
> >- XSTATE_PKRU_MASK | XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> >+ XSTATE_PKRU_MASK | XSTATE_CET_U_MASK | XSTATE_CET_S_MASK |
> >+ XSTATE_ARCH_LBR_MASK | XSTATE_XTILE_CFG_MASK |
> > XSTATE_XTILE_DATA_MASK,
>
> Supervisor states are enumerated via CPUID[EAX=0xd,ECX=1].ECX/EDX while user
> states are enumerated via CPUID[EAX=0xd,ECX=0].EAX/EDX. So, maybe we need to
> two new feature words?
Yes, I added the mask into wrong place...
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states
2025-10-30 4:29 ` Xiaoyao Li
@ 2025-10-30 16:39 ` Zhao Liu
0 siblings, 0 replies; 64+ messages in thread
From: Zhao Liu @ 2025-10-30 16:39 UTC (permalink / raw)
To: Chao Gao, Xiaoyao Li
Cc: Paolo Bonzini, Marcelo Tosatti, qemu-devel, kvm, John Allen,
Babu Moger, Mathias Krause, Dapeng Mi, Zide Chen, Chenyi Qiang,
Farrah Chen, Yang Weijiang
> > It just occurred to me that KVM_GET/SET_XSAVE don't save/restore supervisor
> > states. Supervisor states need to be saved/restored via MSR APIs. So, there
> > is no need to add supervisor states (including ARCH_LBR states) to
> > x86_ext_save_areas[].
>
> x86_ext_save_areas[] is not used only for xsave state, it's also used for
> the setup of xsave features, i.e., CPUID leaf 0xD.
Yes. And it can also maintain dependencies.
> And you did catch the missing part of this series, it lacks the save/restore
> of CET XSAVE state in x86_cpu_xsave_all_areas()/x86_cpu_xrstor_all_areas()
Not a missing part. CET's xstates contain CET related MSRs and actually
is saved/restored via MSR ioctls, not KVM_GET/SET_XSAVE.
Regards,
Zhao
^ permalink raw reply [flat|nested] 64+ messages in thread
end of thread, other threads:[~2025-10-30 16:19 UTC | newest]
Thread overview: 64+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-24 6:56 [PATCH v3 00/20] i386: Support CET for KVM Zhao Liu
2025-10-24 6:56 ` [PATCH v3 01/20] linux-headers: Update to v6.18-rc2 Zhao Liu
2025-10-24 6:56 ` [PATCH v3 02/20] i386/cpu: Clean up indent style of x86_ext_save_areas[] Zhao Liu
2025-10-27 5:47 ` Xiaoyao Li
2025-10-30 15:11 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 03/20] i386/cpu: Clean up arch lbr xsave struct and comment Zhao Liu
2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:08 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 04/20] i386/cpu: Reorganize arch lbr structure definitions Zhao Liu
2025-10-24 18:20 ` Chen, Zide
2025-10-27 6:22 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 05/20] i386/cpu: Make ExtSaveArea store an array of dependencies Zhao Liu
2025-10-27 7:04 ` Xiaoyao Li
2025-10-27 10:09 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 06/20] i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM Zhao Liu
2025-10-27 7:05 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 07/20] i386/cpu: Reorganize dependency check for arch lbr state Zhao Liu
2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:40 ` Xiaoyao Li
2025-10-27 10:12 ` Zhao Liu
2025-10-27 11:15 ` Xiaoyao Li
2025-10-30 15:40 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 08/20] i386/cpu: Drop pmu check in CPUID 0x1C encoding Zhao Liu
2025-10-24 18:21 ` Chen, Zide
2025-10-27 7:51 ` Xiaoyao Li
2025-10-27 11:01 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 09/20] i386/cpu: Fix supervisor xstate initialization Zhao Liu
2025-10-27 7:55 ` Xiaoyao Li
2025-10-27 10:13 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 10/20] i386/cpu: Add missing migratable xsave features Zhao Liu
2025-10-27 8:42 ` Xiaoyao Li
2025-10-27 10:19 ` Zhao Liu
2025-10-27 11:18 ` Zhao Liu
2025-10-27 12:02 ` Xiaoyao Li
2025-10-30 15:56 ` Zhao Liu
2025-10-27 11:36 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 11/20] i386/cpu: Enable xsave support for CET states Zhao Liu
2025-10-28 8:00 ` Xiaoyao Li
2025-10-29 4:58 ` Chao Gao
2025-10-30 4:29 ` Xiaoyao Li
2025-10-30 16:39 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 12/20] i386/cpu: Add CET support in CR4 Zhao Liu
2025-10-28 2:04 ` Chenyi Qiang
2025-10-30 15:57 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 13/20] i386/kvm: Add save/load support for CET MSRs Zhao Liu
2025-10-24 6:56 ` [PATCH v3 14/20] i386/kvm: Add save/load support for KVM_REG_GUEST_SSP Zhao Liu
2025-10-28 8:21 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 15/20] i386/machine: Add vmstate for cet-ss and cet-ibt Zhao Liu
2025-10-28 8:29 ` Xiaoyao Li
2025-10-30 16:04 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 16/20] i386/cpu: Mark cet-u & cet-s xstates as migratable Zhao Liu
2025-10-27 11:34 ` Zhao Liu
2025-10-29 6:13 ` Chao Gao
2025-10-29 6:10 ` Chao Gao
2025-10-30 16:09 ` Zhao Liu
2025-10-24 6:56 ` [PATCH v3 17/20] i386/cpu: Advertise CET related flags in feature words Zhao Liu
2025-10-28 8:33 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 18/20] i386/cpu: Enable cet-ss & cet-ibt for supported CPU models Zhao Liu
2025-10-28 8:34 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 19/20] i386/tdx: Fix missing spaces in tdx_xfam_deps[] Zhao Liu
2025-10-28 8:37 ` Xiaoyao Li
2025-10-24 6:56 ` [PATCH v3 20/20] i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM Zhao Liu
2025-10-28 8:55 ` Xiaoyao Li
2025-10-30 16:07 ` Zhao Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).