On Thu, Jun 16, 2022 at 04:46:24AM -0400, Yang Weijiang wrote: > To minimize the impact to exiting kernel/KVM code, most of KVM patch > code can be bypassed during runtime.Uncheck "CONFIG_X86_KERNEL_IBT" > and "CONFIG_X86_SHADOW_STACK" in Kconfig before kernel build to get > rid of CET featrures in KVM. If both of them are not enabled, KVM > clears related feature bits as well as CET user bit in supported_xss, > this makes CET related checks stop at the first points. Since most of > the patch code runs on the none-hot path of KVM, it's expected to > introduce little impact to existing code. Do I understand this right in that a host without X86_KERNEL_IBT cannot run a guest with X86_KERNEL_IBT on? That seems unfortunate, since that was exactly what I did while developing the X86_KERNEL_IBT patches. I'm thinking that if the hardware supports it, KVM should expose it, irrespective of the host kernel using it.
