* [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
@ 2026-05-15 15:55 Fiona Ebner
2026-05-16 18:41 ` applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Fiona Ebner @ 2026-05-15 15:55 UTC (permalink / raw)
To: pve-devel
As reported by David on the Linux kernel mailing list [0], the cet-ibt
and cet-ss flags cause boot issues for Windows guests with VBS
enabled. The problem also affects some other configurations, as
reported in the community forum [1]. The flags are exposed by default
since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt
for supported CPU models")) and kernel 7.x.

The flags are specific to recent Intel CPUs as a defense-in-depth
measure (Control-flow enforcement shadow stack and indirect branch
tracking), so can be disabled without affecting actual functionality.

Once the issue is properly fixed in the kernel, the flags can be
re-enabled (guarded by machine version). But since the issue is still
being diagnosed that could take a while.

Disabling the flags only for the relevant models would require
querying the CPU model expansion first, which is costly as it requires
starting a dummy VM or hard-coding a list which would become outdated.
Until we ship a static list of such expansions to make checking
practical, disable the flags for all CPU models for Windows 11
machines. If it was disabled for a specific model implicitly, it will
just have no effect.

[0]: https://lore.kernel.org/kvm/85548beb-1486-40f9-beb4-632c78e3360b@proxmox.com/
[1]: https://forum.proxmox.com/threads/183349/post-851858

Reported-by: David Riley <d.riley@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer.pm | 9 +++++-
src/PVE/QemuServer/CPUConfig.pm | 28 +++++++++++++++++--
src/test/cfg2cmd/q35-windows-pinning.conf.cmd | 2 +-
src/test/cfg2cmd/startdate-win11.conf.cmd | 2 +-
4 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index a894684a..c86c10cd 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3397,7 +3397,14 @@ sub config_to_command {
} else {
push @$cmd,
get_cpu_options(
- $conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough,
+ $conf,
+ $arch,
+ $kvm,
+ $kvm_off,
+ $machine_version,
+ $winversion,
+ $gpu_passthrough,
+ $kvmver,
);
}
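Review bot: The added last argument is passed as $kvmver here but received as $qemu_binary_version in get_cpu_options, and the call now has eight positional arguments, so a swapped or missing one would go unnoticed. Using the same name on both sides, or moving to a hash of named parameters in a follow-up, would make the call easier to check.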
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index fb9af277..8bc5f895 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -896,7 +896,16 @@ my sub check_phys_bits_above_40_compat {
# Calculate QEMU's '-cpu' argument from a given VM configuration
sub get_cpu_options {
- my ($conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough) = @_;
+ my (
+ $conf,
+ $arch,
+ $kvm,
+ $kvm_off,
+ $machine_version,
+ $winversion,
+ $gpu_passthrough,
+ $qemu_binary_version,
+ ) = @_;
my $cputype = get_default_cpu_type($arch, $kvm);
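Review bot: The new trailing parameter $qemu_binary_version in the get_cpu_options signature is not mentioned in the comment above the sub and has no default, so a caller that is not updated would pass undef down to the min_version() check added in get_pve_cpu_flags. A short note in the sub's comment that the QEMU binary version is required, or an explicit die when it is undefined, would make that failure visible.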
@@ -933,7 +942,9 @@ sub get_cpu_options {
die "CPU model '$cputype' does not exist for configured vCPU architecture '$arch'\n"
if !defined(get_cpu_models_by_arch($arch)->{$cputype});
- my $pve_flags = get_pve_cpu_flags($conf, $kvm, $cputype, $arch, $machine_version);
+ my $pve_flags = get_pve_cpu_flags(
+ $conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version,
+ );
my $hv_flags;
if ($kvm && $arch eq 'x86_64') {
@@ -1021,7 +1032,7 @@ sub get_cpu_options {
# Some hardcoded flags required by certain configurations
sub get_pve_cpu_flags {
- my ($conf, $kvm, $cputype, $arch, $machine_version) = @_;
+ my ($conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version) = @_;
my $pve_flags = {};
my $pve_msg = "set by PVE;";
@@ -1065,6 +1076,17 @@ sub get_pve_cpu_flags {
};
}
+ if ($arch eq 'x86_64' && min_version($qemu_binary_version, 11, 0) && $winversion >= 11) {
+ $pve_flags->{'cet-ibt'} = {
+ op => '-',
+ reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+ };
+ $pve_flags->{'cet-ss'} = {
+ op => '-',
+ reason => "$pve_msg to avoid issues with certain Windows configurations like VBS",
+ };
+ }
+
return $pve_flags;
}
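Review bot: The new block under the "$arch eq 'x86_64' && min_version(...) && $winversion >= 11" condition turns off two control-flow hardening features for the guest but has no code comment marking it as a temporary workaround; the rationale and the plan to re-enable the flags are only in the commit message. A comment above the if that points to the kernel list report and says the flags should come back once the issue is fixed would keep this from becoming permanent by accident. Two smaller points: "$winversion >= 11" is a numeric comparison, so if $winversion can be undefined for non-Windows guests a defined() guard would avoid a warning, and the two identical hash assignments could be a loop over ('cet-ibt', 'cet-ss') so the reason string is written once.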
diff --git a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
index 986c485e..c9c3d83e 100644
--- a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
+++ b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd
@@ -13,7 +13,7 @@
-boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
-vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
-global 'kvm-pit.lost_tick_policy=discard' \
- -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+ -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
-m 512 \
-readconfig /usr/share/qemu-server/pve-q35-4.0.cfg \
-device 'usb-tablet,id=tablet,bus=ehci.0,port=1' \
diff --git a/src/test/cfg2cmd/startdate-win11.conf.cmd b/src/test/cfg2cmd/startdate-win11.conf.cmd
index a15dc213..9522e315 100644
--- a/src/test/cfg2cmd/startdate-win11.conf.cmd
+++ b/src/test/cfg2cmd/startdate-win11.conf.cmd
@@ -13,7 +13,7 @@
-boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
-vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
-global 'kvm-pit.lost_tick_policy=discard' \
- -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
+ -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \
-m 512 \
-device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' \
-device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' \
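Review bot: Both updated expectations (this one and q35-windows-pinning) only cover the case where "-cet-ibt,-cet-ss" is added to a kvm64 Windows guest; the diffstat shows no expectation for the cases where the flags must stay out of the -cpu argument. A cfg2cmd case for an older Windows version or a non-Windows guest, and one for a QEMU binary version below 11.0, would pin down all three parts of the new condition.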
--
2.47.3
* applied: [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
2026-05-15 15:55 [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default Fiona Ebner
@ 2026-05-16 18:41 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2026-05-16 18:41 UTC (permalink / raw)
To: pve-devel, Fiona Ebner
On Fri, 15 May 2026 17:55:24 +0200, Fiona Ebner wrote:
> As reported by David on the Linux kernel mailing list [0], the cet-ibt
> and cet-ss flags cause boot issues for Windows guests with VBS
> enabled. The problem also affects some other configurations, as
> reported in the community forum [1]. The flags are exposed by default
> since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt
> for supported CPU models")) and kernel 7.x.
>
> [...]
Applied, thanks!
[1/1] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
commit: 140b30ac23dbdf0ee1c2b17d93aecc0beaeb6bd1