On Sat, Aug 16, 2025, Adrian Hunter wrote: > TDX support for using the MWAIT instruction in a guest has issues, so > disable it for now. > > Background > > Like VMX, TDX can allow the MWAIT instruction to be executed in a guest. > Unlike VMX, TDX cannot necessarily provide for virtualization of MSRs that > a guest might reasonably expect to exist as well. > > For example, in the case of a Linux guest, the default idle driver > intel_idle may access MSR_POWER_CTL or MSR_PKG_CST_CONFIG_CONTROL. To > virtualize those, KVM would need the guest not to enable #VE reduction, > which is not something that KVM can control or even be aware of. Note, > however, that the consequent unchecked MSR access errors might be harmless. > > Without #VE reduction enabled, the TDX Module will inject #VE for MSRs that > it does not virtualize itself. The guest can then hypercall the host VMM > for a resolution. > > With #VE reduction enabled, accessing MSRs such as the 2 above, results in > the TDX Module injecting #GP. > > Currently, Linux guest opts for #VE reduction unconditionally if it is > available, refer reduce_unnecessary_ve(). However, the #VE reduction > feature was not added to the TDX Module until versions 1.5.09 and 2.0.04. > Refer https://github.com/intel/tdx-module/releases > > There is also a further issue experienced by a Linux guest. Prior to > TDX Module versions 1.5.09 and 2.0.04, the Always-Running-APIC-Timer (ARAT) > feature (CPUID leaf 6: EAX bit 2) is not exposed. That results in cpuidle > disabling the timer interrupt and invoking the Tick Broadcast framework > to provide a wake-up. Currently, that falls back to the PIT timer which > does not work for TDX, resulting in the guest becoming stuck in the idle > loop. > > Conclusion > > User's may expect TDX support of MWAIT in a guest to be similar to VMX > support, but KVM cannot ensure that. Consequently KVM should not expose > the capability. > > Fixes: 0186dd29a2518 ("KVM: TDX: add ioctl to initialize VM with TDX specific parameters") > Signed-off-by: Adrian Hunter <adrian.hunter@xxxxxxxxx> > --- NAK. Fix the guest, or wherever else in the pile there are issues. KVM is NOT carrying hack-a-fixes to workaround buggy software/firmware. Been there, done that.
