On (Wed) 20 Aug 2025 [10:10:16], Sean Christopherson wrote:

[...]

> > + if (tdp_enabled)
> > + kvm_cpu_cap_check_and_set(X86_FEATURE_ERAPS);
>
> _If_ ERAPS is conditionally enabled, then it probably makes sense to do this in
> svm_set_cpu_caps(). But I think we can just support ERAPS unconditionally.

[...]

> @@ -2560,6 +2563,8 @@ static int cr_interception(struct kvm_vcpu *vcpu)
> break;
> case 3:
> err = kvm_set_cr3(vcpu, val);
> + if (!err && nested && kvm_cpu_cap_has(X86_FEATURE_ERAPS))
> + svm->vmcb->control.erap_ctl |= ERAP_CONTROL_FLUSH_RAP;

I missed this part in my reply earlier. Enabling ERAPS for a guest is
trickier in the no-NPT case: *if* the guest is enlightened, notices the
CPUID for ERAPS, and drops the mitigations, KVM needs to ensure the
FLUSH_RAP bit is set in the VMCB on guest CR3 changes all the time. Your
change adds it - but only for the nested case. It needs to do it for the
non-nested case as well.

I steered away from enabling it in the !npt case in the first place
because it was such a niche configuration that wasn't worth bothering and
getting right -- but since you've added it here, I'll go with it and drop
the '&& nested' part of the hunk above.

Amit
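
Review bot: In the cr_interception() hunk, the '&& nested' term in the added check under 'case 3:' makes the ERAP_CONTROL_FLUSH_RAP request depend on nested being set, although the CR3 write it follows is handled the same way for any guest; the condition would read 'if (!err && kvm_cpu_cap_has(X86_FEATURE_ERAPS))'. The two added lines also carry no comment saying why a successful kvm_set_cr3() needs a RAP flush request, which is worth one line above the check.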