Commit 1f6f68fc authored Sep 19, 2025 by Sean Christopherson

KVM: x86: Disable support for Shadow Stacks if TDP is disabled

Make TDP a hard requirement for Shadow Stacks, as there are no plans to
add Shadow Stack support to the Shadow MMU. E.g. KVM hasn't been taught
to understand the magic Writable=0,Dirty=1 combination that is required
for Shadow Stack accesses, and so enabling Shadow Stacks when using
shadow paging will put the guest into an infinite #PF loop (KVM thinks the
shadow page tables have a valid mapping, hardware says otherwise).

Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-27-seanjc@google.com

Signed-off-by: Sean Christopherson <seanjc@google.com>

parent 69cc3e88

arch/x86/kvm/cpuid.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -955,6 +955,14 @@ void kvm_set_cpu_caps(void)
		if (!tdp_enabled \|\| !boot_cpu_has(X86_FEATURE_OSPKE))
		kvm_cpu_cap_clear(X86_FEATURE_PKU);

		/*
		* Shadow Stacks aren't implemented in the Shadow MMU. Shadow Stack
		* accesses require "magic" Writable=0,Dirty=1 protection, which KVM
		* doesn't know how to emulate or map.
		*/
		if (!tdp_enabled)
		kvm_cpu_cap_clear(X86_FEATURE_SHSTK);

		kvm_cpu_cap_init(CPUID_7_EDX,
		F(AVX512_4VNNIW),
		F(AVX512_4FMAPS),