[PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default

[PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default

[Fiona Ebner]

As reported by David on the Linux kernel mailing list [0], the cet-ibt
and cet-ss flags cause boot issues for Windows guests with VBS
enabled. The problem also affects some other configurations, as
reported in the community forum [1]. The flags are exposed by default
since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt
for supported CPU models")) and kernel 7.x.

The flags are specific to recent Intel CPUs as a defense-in-depth
measure (Control-flow enforcement shadow stack and indirect branch
tracking), so can be disabled without affecting actual functionality.
Once the issue is properly fixed in the kernel, the flags can be
re-enabled (guarded by machine version). But since the issue is still
being diagnosed that could take a while.

Disabling the flags only for the relevant models would require
querying the CPU model expansion first, which is costly as it requires
starting a dummy VM or hard-coding a list which would become outdated.
Until we ship a static list of such expansions to make checking
practical, disable the flags for all CPU models for Windows 11
machines. If it was disabled for a specific model implicitly, it will
just have no effect.

[0]: https://lore.kernel.org/kvm/85548beb-1486-40f9-beb4-632c78e3360b@proxmox.com/
[1]: https://forum.proxmox.com/threads/183349/post-851858

Reported-by: David Riley <d.riley@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer.pm                         |  9 +++++-
 src/PVE/QemuServer/CPUConfig.pm               | 28 +++++++++++++++++--
 src/test/cfg2cmd/q35-windows-pinning.conf.cmd |  2 +-
 src/test/cfg2cmd/startdate-win11.conf.cmd     |  2 +-
 4 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index a894684a..c86c10cd 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3397,7 +3397,14 @@ sub config_to_command {
     } else {
         push @$cmd,
             get_cpu_options(
-                $conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough,
+                $conf,
+                $arch,
+                $kvm,
+                $kvm_off,
+                $machine_version,
+                $winversion,
+                $gpu_passthrough,
+                $kvmver,
             );
     }
 
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index fb9af277..8bc5f895 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -896,7 +896,16 @@ my sub check_phys_bits_above_40_compat {
 
 # Calculate QEMU's '-cpu' argument from a given VM configuration
 sub get_cpu_options {
-    my ($conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough) = @_;
+    my (
+        $conf,
+        $arch,
+        $kvm,
+        $kvm_off,
+        $machine_version,
+        $winversion,
+        $gpu_passthrough,
+        $qemu_binary_version,
+    ) = @_;
 
     my $cputype = get_default_cpu_type($arch, $kvm);
 
@@ -933,7 +942,9 @@ sub get_cpu_options {
     die "CPU model '$cputype' does not exist for configured vCPU architecture '$arch'\n"
         if !defined(get_cpu_models_by_arch($arch)->{$cputype});
 
-    my $pve_flags = get_pve_cpu_flags($conf, $kvm, $cputype, $arch, $machine_version);
+    my $pve_flags = get_pve_cpu_flags(
+        $conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version,
+    );
 
     my $hv_flags;
     if ($kvm && $arch eq 'x86_64') {
@@ -1021,7 +1032,7 @@ sub get_cpu_options {
 
 # Some hardcoded flags required by certain configurations
 sub get_pve_cpu_flags {
-    my ($conf, $kvm, $cputype, $arch, $machine_version) = @_;
+    my ($conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version) = @_;
 
     my $pve_flags = {};
     my $pve_msg = "set by PVE;";
@@ -1065,6 +1076,17 @@ sub get_pve_cpu_flags {
         };
     }
 
+    if ($arch eq 'x86_64' && min_version($qemu_binary_version, 11, 0) && $winversion >= 11) {
+        $pve_flags->{'cet-ibt'} = {
+            op => '-',
+            reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+        };
+        $pve_flags->{'cet-ss'} = {
+            op => '-',
+            reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+        };
+    }
+
     return $pve_flags;
 }
 
diff --git a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
index 986c485e..c9c3d83e 100644
--- a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
+++ b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
@@ -13,7 +13,7 @@
   -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
   -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
   -global 'kvm-pit.lost_tick_policy=discard' \
-  -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+  -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
   -m 512 \
   -readconfig /usr/share/qemu-server/pve-q35-4.0.cfg \
   -device 'usb-tablet,id=tablet,bus=ehci.0,port=1' \
diff --git a/src/test/cfg2cmd/startdate-win11.conf.cmd b/src/test/cfg2cmd/startdate-win11.conf.cmd
index a15dc213..9522e315 100644
--- a/src/test/cfg2cmd/startdate-win11.conf.cmd
+++ b/src/test/cfg2cmd/startdate-win11.conf.cmd
@@ -13,7 +13,7 @@
   -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
   -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
   -global 'kvm-pit.lost_tick_policy=discard' \
-  -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+  -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
   -m 512 \
   -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' \
   -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' \
-- 
2.47.3

applied: [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default

[Thomas Lamprecht]

On Fri, 15 May 2026 17:55:24 +0200, Fiona Ebner wrote:
> As reported by David on the Linux kernel mailing list [0], the cet-ibt
> and cet-ss flags cause boot issues for Windows guests with VBS
> enabled. The problem also affects some other configurations, as
> reported in the community forum [1]. The flags are exposed by default
> since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt
> for supported CPU models")) and kernel 7.x.
> 
> [...]

Applied, thanks!

[1/1] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
      commit: 140b30ac23dbdf0ee1c2b17d93aecc0beaeb6bd1