On Fri, 2022-07-08 at 16:42 +0200, Vitaly Kuznetsov wrote: > SECONDARY_EXEC_ENCLS_EXITING is conditionally added to the 'optional' > checklist in setup_vmcs_config() but there's little value in doing so. > First, as the control is optional, we can always check for its > presence, no harm done. Second, the only real value cpu_has_sgx() check > gives is that on the CPUs which support SECONDARY_EXEC_ENCLS_EXITING but > don't support SGX, the control is not getting enabled. It's highly unlikely > such CPUs exist but it's possible that some hypervisors expose broken vCPU > models. > > Preserve cpu_has_sgx() check but filter the result of adjust_vmx_controls() > instead of the input. > > Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx> > Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx> > --- > arch/x86/kvm/vmx/vmx.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c > index ce54f13d8da1..566be73c6509 100644 > --- a/arch/x86/kvm/vmx/vmx.c > +++ b/arch/x86/kvm/vmx/vmx.c > @@ -2528,9 +2528,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf, > SECONDARY_EXEC_PT_CONCEAL_VMX | > SECONDARY_EXEC_ENABLE_VMFUNC | > SECONDARY_EXEC_BUS_LOCK_DETECTION | > - SECONDARY_EXEC_NOTIFY_VM_EXITING; > - if (cpu_has_sgx()) > - opt2 |= SECONDARY_EXEC_ENCLS_EXITING; > + SECONDARY_EXEC_NOTIFY_VM_EXITING | > + SECONDARY_EXEC_ENCLS_EXITING; > + > if (adjust_vmx_controls(min2, opt2, > MSR_IA32_VMX_PROCBASED_CTLS2, > &_cpu_based_2nd_exec_control) < 0) > @@ -2577,6 +2577,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf, > vmx_cap->vpid = 0; > } > > + if (!cpu_has_sgx()) > + _cpu_based_2nd_exec_control &= ~SECONDARY_EXEC_ENCLS_EXITING; > + > if (_cpu_based_exec_control & CPU_BASED_ACTIVATE_TERTIARY_CONTROLS) { > u64 opt3 = TERTIARY_EXEC_IPI_VIRT; > Reviewed-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx> Best regards, Maxim Levitsky
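Review bot: In the first hunk (@@ -2528), the opt2 list now carries SECONDARY_EXEC_ENCLS_EXITING unconditionally, and nothing at that spot tells the reader that the bit is stripped again later when cpu_has_sgx() is false. A one-line comment next to the new entry, pointing at the post-adjust filter, would keep the two places from drifting apart if someone reorders or refactors setup_vmcs_config().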
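Review bot: In the second hunk (@@ -2577), the new "if (!cpu_has_sgx())" filter has no comment and sits after the vpid handling, roughly fifty lines below the adjust_vmx_controls() call that sets _cpu_based_2nd_exec_control. The reason given in the commit message (CPUs or hypervisor vCPU models that advertise the control without SGX) belongs in a comment above the check, since the code alone reads as redundant. Consider also moving the clear to directly after the adjust_vmx_controls() call for MSR_IA32_VMX_PROCBASED_CTLS2, so that no code in between can observe the unfiltered bit.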