On Tue, Sep 09, 2025, Chao Gao wrote:
> void set_cr4_guest_host_mask(struct vcpu_vmx *vmx)
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 79861b7ad44d..d67aef261638 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -9890,6 +9890,18 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops)
> return -EIO;
> }
>
> + if (boot_cpu_has(X86_FEATURE_SHSTK)) {
This needs to check for "|| IBT"
> + rdmsrq(MSR_IA32_S_CET, kvm_host.s_cet);
> + /*
> + * Linux doesn't yet support supervisor shadow stacks (SSS), so
> + * KVM doesn't save/restore the associated MSRs, i.e. KVM may
> + * clobber the host values. Yell and refuse to load if SSS is
> + * unexpectedly enabled, e.g. to avoid crashing the host.
> + */
> + if (WARN_ON_ONCE(kvm_host.s_cet & CET_SHSTK_EN))
> + return -EIO;
> + }
