Add CORE_CAPABILITIES (CPUID.0x7.0.EDX[30]) to the TDX configurable CPUID allowlist to accommodate legacy TDX module behavior.

KVM doesn't support MSR_IA32_CORE_CAPS; however, some older TDX specs define the CORE_CAPABILITIES CPUID bit as fixed-1. As a result, userspace may expect this bit to be enabled in the TDX module for TDs. When the CPUID bit becomes directly configurable without being reported to userspace, it cannot be enabled. To avoid confusing userspace, report CORE_CAPABILITIES to userspace via KVM_TDX_CAPABILITIES.

Although KVM could determine the real CPUID setting by reading the metadata via SEAMCALL after KVM_TDX_INIT_VM, doing so is overkill to cover such a corner case. If CORE_CAPABILITIES is exposed to a TDX guest, and the guest reads it, simply return 0.

Signed-off-by: Binbin Wu --- arch/x86/kvm/vmx/tdx.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index e44a862c6219..58647bb70708 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -175,7 +175,7 @@ static void __init tdx_initialize_cpu_cfg_caps(void) TDX_F(SERIALIZE), TDX_F(TSXLDTRK), /* PCONFIG */ - /* IA32_CORE_CAPABILITIES */ + TDX_F(CORE_CAPABILITIES), ); tdx_cpu_cfg_cap_init(0x7, 1, CPUID_EAX, @@ -2401,6 +2401,14 @@ int tdx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) return 1; msr->data = vcpu->arch.mcg_ext_ctl; return 0; + case MSR_IA32_CORE_CAPS: + /* + * KVM doesn't support MSR_IA32_CORE_CAPS, however, in some old + * TDX modules, CPUID.0x7.0.EDX[30] is fixed-1. As a workaround, + * just return 0 for this MSR. + */ + msr->data = 0; + return 0; default: if (!tdx_has_emulated_msr(msr->index)) return 1; -- 2.46.0
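
Review bot: In the first hunk (tdx_initialize_cpu_cfg_caps()), the new `TDX_F(CORE_CAPABILITIES)` entry replaces the placeholder comment `/* IA32_CORE_CAPABILITIES */` and leaves nothing in the code to say why a feature KVM does not support is on the configurable allowlist. The reasoning lives only in the commit message. Please add a short comment above the entry noting that the bit is listed because some older TDX modules treat CPUID.0x7.0.EDX[30] as fixed-1, and that reads of MSR_IA32_CORE_CAPS are answered with 0 in tdx_get_msr(), so a later reader does not take the entry for real feature support.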
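
Review bot: In the second hunk (tdx_get_msr()), the new `case MSR_IA32_CORE_CAPS:` returns 0 for every read, whether or not CPUID.0x7.0.EDX[30] was exposed to this TD, and because it sits ahead of `default:` the tdx_has_emulated_msr() check is never applied to this index. Consider gating the case on the guest's CPUID bit and returning 1 otherwise, so a TD without the bit sees the same failure as for any other non-emulated MSR, or extend the comment to say why the unconditional read is intended. The hunk covers the read path only; the comment or commit message should also state what a guest write to this MSR is expected to do.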