From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
Date: Fri, 15 May 2026 17:55:24 +0200
Message-ID: <20260515155810.229819-1-f.ebner@proxmox.com>
As reported by David on the Linux kernel mailing list [0], the cet-ibt
and cet-ss flags cause boot issues for Windows guests with VBS
enabled. The problem also affects some other configurations, as
reported in the community forum [1]. The flags are exposed by default
since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt
for supported CPU models")) and kernel 7.x.

The flags are specific to recent Intel CPUs as a defense-in-depth
measure (Control-flow enforcement shadow stack and indirect branch
tracking), so can be disabled without affecting actual functionality.

Once the issue is properly fixed in the kernel, the flags can be
re-enabled (guarded by machine version). But since the issue is still
being diagnosed that could take a while.

Disabling the flags only for the relevant models would require
querying the CPU model expansion first, which is costly as it requires
starting a dummy VM or hard-coding a list which would become outdated.

Until we ship a static list of such expansions to make checking
practical, disable the flags for all CPU models for Windows 11
machines. If it was disabled for a specific model implicitly, it will
just have no effect.

[0]: https://lore.kernel.org/kvm/85548beb-1486-40f9-beb4-632c78e3360b@proxmox.com/
[1]: https://forum.proxmox.com/threads/183349/post-851858

Reported-by: David Riley <d.riley@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer.pm | 9 +++++-
src/PVE/QemuServer/CPUConfig.pm | 28 +++++++++++++++++--
src/test/cfg2cmd/q35-windows-pinning.conf.cmd | 2 +-
src/test/cfg2cmd/startdate-win11.conf.cmd | 2 +-
4 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index a894684a..c86c10cd 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3397,7 +3397,14 @@ sub config_to_command {
} else {
push @$cmd,
get_cpu_options(
- $conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough,
+ $conf,
+ $arch,
+ $kvm,
+ $kvm_off,
+ $machine_version,
+ $winversion,
+ $gpu_passthrough,
+ $kvmver,
);
}
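Review bot: The new eighth argument is called $kvmver at this call site but $qemu_binary_version in get_cpu_options, and the call is now eight bare positionals, so a swapped or dropped argument would go unnoticed. Consider using the same name on both sides, or passing named options once the list grows again.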
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index fb9af277..8bc5f895 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -896,7 +896,16 @@ my sub check_phys_bits_above_40_compat {
# Calculate QEMU's '-cpu' argument from a given VM configuration
sub get_cpu_options {
- my ($conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough) = @_;
+ my (
+ $conf,
+ $arch,
+ $kvm,
+ $kvm_off,
+ $machine_version,
+ $winversion,
+ $gpu_passthrough,
+ $qemu_binary_version,
+ ) = @_;
my $cputype = get_default_cpu_type($arch, $kvm);
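Review bot: $qemu_binary_version is appended to the get_cpu_options signature as a required positional with no default and no defined-check, so any caller that is not updated in this patch hands undef down to get_pve_cpu_flags and into min_version(). Either die early when it is missing or state in the comment above the sub that the argument is mandatory.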
@@ -933,7 +942,9 @@ sub get_cpu_options {
die "CPU model '$cputype' does not exist for configured vCPU architecture '$arch'\n"
if !defined(get_cpu_models_by_arch($arch)->{$cputype});
- my $pve_flags = get_pve_cpu_flags($conf, $kvm, $cputype, $arch, $machine_version);
+ my $pve_flags = get_pve_cpu_flags(
+ $conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version,
+ );
my $hv_flags;
if ($kvm && $arch eq 'x86_64') {
@@ -1021,7 +1032,7 @@ sub get_cpu_options {
# Some hardcoded flags required by certain configurations
sub get_pve_cpu_flags {
- my ($conf, $kvm, $cputype, $arch, $machine_version) = @_;
+ my ($conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version) = @_;
my $pve_flags = {};
my $pve_msg = "set by PVE;";
@@ -1065,6 +1076,17 @@ sub get_pve_cpu_flags {
};
}
+ if ($arch eq 'x86_64' && min_version($qemu_binary_version, 11, 0) && $winversion >= 11) {
+ $pve_flags->{'cet-ibt'} = {
+ op => '-',
+ reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+ };
+ $pve_flags->{'cet-ss'} = {
+ op => '-',
+ reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+ };
+ }
+
return $pve_flags;
}
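Review bot: The new block in get_pve_cpu_flags has no comment marking it as a temporary workaround, although the commit message says the flags can be re-enabled, guarded by machine version, once the kernel issue is fixed. A short comment with the lore link and that re-enable condition would keep the loss of shadow stack and indirect branch tracking for Windows 11 guests from becoming permanent by oversight. The condition also compares $winversion >= 11 without a defined-check and does not look at $kvm, unlike the hv_flags branch in get_cpu_options, and the two hash entries differ only in their key, so a loop over the two flag names would avoid the duplicated reason string. It is also not visible from this hunk whether an explicit +cet-ss or +cet-ibt in the VM's CPU configuration still overrides the default; if it does not, that should be stated.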
diff --git a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
index 986c485e..c9c3d83e 100644
--- a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
+++ b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
@@ -13,7 +13,7 @@
-boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
-vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
-global 'kvm-pit.lost_tick_policy=discard' \
- -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+ -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
-m 512 \
-readconfig /usr/share/qemu-server/pve-q35-4.0.cfg \
-device 'usb-tablet,id=tablet,bus=ehci.0,port=1' \
diff --git a/src/test/cfg2cmd/startdate-win11.conf.cmd b/src/test/cfg2cmd/startdate-win11.conf.cmd
index a15dc213..9522e315 100644
--- a/src/test/cfg2cmd/startdate-win11.conf.cmd
+++ b/src/test/cfg2cmd/startdate-win11.conf.cmd
@@ -13,7 +13,7 @@
-boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
-vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
-global 'kvm-pit.lost_tick_policy=discard' \
- -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+ -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
-m 512 \
-device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' \
-device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' \
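Review bot: This expectation, like the one in q35-windows-pinning.conf.cmd, only covers the positive path on kvm64. If the test harness allows it, add a case whose -cpu line must stay unchanged (a guest whose $winversion is below 11, or a QEMU binary older than 11.0) so that both halves of the new condition in get_pve_cpu_flags are pinned down.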
--
2.47.3
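To see which guests this default affects, the -cpu argument of a generated command line can be checked for the two flags. The following is an added example, not part of the patch or of qemu-server; the function names, the sample command lines (shortened from the cfg2cmd expectations above) and the VMID are assumptions, and a flag given with both signs is reported as conflicting rather than resolved.

```shell
#!/bin/sh
# Added example (not qemu-server code): report how a QEMU command line
# treats the two CET flags this patch disables by default.

# Constructed samples, shortened from the cfg2cmd expectations in the patch.
SAMPLE_BEFORE="-global 'kvm-pit.lost_tick_policy=discard' \\
  -cpu 'kvm64,enforce,hv_ipi,+lahf_lm,+sep' \\
  -m 512"
SAMPLE_AFTER="-global 'kvm-pit.lost_tick_policy=discard' \\
  -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,+lahf_lm,+sep' \\
  -m 512"

# Print the value of the first -cpu option; quotes and line-continuation
# backslashes are stripped first so both one-line and wrapped output work.
cpu_arg() {
    printf '%s\n' "$1" | tr -d "'\\\\" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-cpu") { print $(i + 1); exit } }'
}

# cet_state CPU_VALUE FLAG -> disabled | enabled | conflicting | model-default
cet_state() {
    on=0 off=0
    while IFS= read -r tok; do
        case $tok in
            "-$2" | "$2=off") off=1 ;;
            "+$2" | "$2=on" | "$2") on=1 ;;
        esac
    done <<EOF
$(printf '%s' "$1" | tr ',' '\n')
EOF
    if [ "$on" = 1 ] && [ "$off" = 1 ]; then echo conflicting
    elif [ "$off" = 1 ]; then echo disabled
    elif [ "$on" = 1 ]; then echo enabled
    else echo model-default   # flag not mentioned: the CPU model decides
    fi
}

# Summarise both flags for one command line (hypothetical helper name).
audit_cmdline() {
    cpu=$(cpu_arg "$1")
    [ -n "$cpu" ] || { echo "no -cpu option found"; return 1; }
    echo "cet-ibt=$(cet_state "$cpu" cet-ibt) cet-ss=$(cet_state "$cpu" cet-ss)"
}

# Assumed usage on a Proxmox VE host (100 is a placeholder VMID):
#   audit_cmdline "$(qm showcmd 100)"
```

A result of model-default means the command line does not mention the flag, so whether the guest sees it depends on the CPU model and host.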
Thread overview: 2+ messages
2026-05-15 15:55 Fiona Ebner [this message]
2026-05-16 18:41 ` applied: [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default Thomas Lamprecht