From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu-server] cpu config: expose CPU 'level' property required for certain host/guest configurations
Date: Mon, 18 May 2026 14:40:09 +0200
Message-ID: <20260518124018.148829-1-f.ebner@proxmox.com>
List-Id: Proxmox VE development discussion

As reported in the community forum in 2024 [0] already, with somewhat recent Intel CPUs, Windows guests with Hyper-V enabled will fail to boot with certain CPU types like 'host' or 'max'. A workaround is using 'level=30' in the '-cpu' QEMU commandline.

The 'level' property is currently not exposed, so users were forced to use custom 'args', which means they lose other CPU configuration made by Proxmox VE. Expose the 'level' setting, so it can be done without custom args.

While the problem is not new, it will become more common, since virtualization-based security is being adapted more broadly.

[0]: https://forum.proxmox.com/threads/131950/post-642093

Signed-off-by: Fiona Ebner --- src/PVE/QemuServer/CPUConfig.pm | 18 ++++++++++++++++++ src/test/cfg2cmd/cpu-level.conf | 6 ++++++ src/test/cfg2cmd/cpu-level.conf.cmd | 26 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+) create mode 100644 src/test/cfg2cmd/cpu-level.conf create mode 100644 src/test/cfg2cmd/cpu-level.conf.cmd diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 2c30a5db..39d1767f 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -355,6 +355,16 @@ my $cpu_fmt = { . " note that doing so will break live migration to CPUs with other values.", optional => 1, }, + 'level' => { + type => 'integer', + minimum => 0, + maximum => 4294967295, # It's a uint32_t in QEMU + description => + "The CPUID topology level. Limits the topology presented by the virtual CPU, in " + . " particular, limits the set of CPUID leaves. Only applies when the vCPU architecture" + . " is x86_64.", + optional => 1, + }, }; PVE::JSONSchema::register_standard_option('pve-qm-custom-cpu-model', $cpu_fmt); @@ -910,6 +920,14 @@ sub get_cpu_options( my $cpu_str = $cputype; + if (defined(my $level = $cpu->{level} // $custom_cpu->{level})) { + if ($arch eq 'x86_64') { + $cpu_str .= ",level=${level}"; + } else { + warn "CPU 'level' property is ignored for architecture '$arch'\n"; + } + } + # will be resolved in parameter order my $resolved_flags = resolve_cpu_flags( $pve_flags, diff --git a/src/test/cfg2cmd/cpu-level.conf b/src/test/cfg2cmd/cpu-level.conf new file mode 100644 index 00000000..1ce1e6a9 --- /dev/null +++ b/src/test/cfg2cmd/cpu-level.conf @@ -0,0 +1,6 @@ +# TEST: Test for a configuration where the 'level' option and some flags are set for a CPU +cpu: host,level=30,flags=+md-clear;+pdpe1gb;-hv-tlbflush +memory: 768 +numa: 0 +ostype: win11 +sockets: 1 diff --git a/src/test/cfg2cmd/cpu-level.conf.cmd b/src/test/cfg2cmd/cpu-level.conf.cmd new file mode 100644 index 00000000..d276a6de --- /dev/null 
+++ b/src/test/cfg2cmd/cpu-level.conf.cmd @@ -0,0 +1,26 @@ +/usr/bin/kvm \ + -id 8006 \ + -name vm8006 \ + -no-shutdown \ + -chardev 'socket,id=qmp,path=/var/run/qemu-server/8006.qmp,server=on,wait=off' \ + -mon 'chardev=qmp,mode=control' \ + -chardev 'socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect-ms=5000' \ + -mon 'chardev=qmp-event,mode=control' \ + -pidfile /var/run/qemu-server/8006.pid \ + -daemonize \ + -smp '1,sockets=1,cores=1,maxcpus=1' \ + -nodefaults \ + -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \ + -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \ + -global 'kvm-pit.lost_tick_policy=discard' \ + -cpu 'host,level=30,-cet-ibt,-cet-ss,-hv-tlbflush,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+md-clear,+pdpe1gb' \ + -m 768 \ + -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' \ + -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' \ + -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' \ + -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' \ + -device 'VGA,id=vga,bus=pci.0,addr=0x2,edid=off' \ + -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3' \ + -iscsi 'initiator-name=iqn.1993-08.org.debian:01:aabbccddeeff' \ + -rtc 'driftfix=slew,base=localtime' \ + -machine 'hpet=off,type=pc-i440fx-5.1+pve0' -- 2.47.3
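
Review bot: In the new 'level' entry of $cpu_fmt (CPUConfig.pm, first hunk), the description concatenation produces a double space, since one string ends with "in " and the next starts with " particular". The wording also mixes "topology level" with "limits the set of CPUID leaves" without saying which of the two the integer actually bounds. Suggest dropping the leading space on the continuation string and stating plainly what the number limits. The option directly above carries a live-migration caveat in its description; please say whether 'level' needs one as well, and mention the Windows/Hyper-V case from the commit message so users know when to set it.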
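
Review bot: In the get_cpu_options() hunk, "$cpu->{level} // $custom_cpu->{level}" lets the value from the VM config silently override the level of a custom CPU model, and that precedence is not documented in a comment or in the option description. Please add a short comment stating the intended order. For architectures other than x86_64 the value passes schema validation and is only dropped with a warn when the CPU options are generated; consider whether rejecting it when the config is set would be clearer than a warning at that later point.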
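
Review bot: The new cfg2cmd case cpu-level.conf only exercises 'level' set directly in the VM config with CPU type 'host' on x86_64. The "// $custom_cpu->{level}" fallback and the non-x86_64 warning branch in get_cpu_options() stay untested. A second case with a custom CPU model that carries 'level', and one where both the VM config and the custom model set it, would pin down the precedence.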