From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu-server] cpu config: disable cet-ibt and cet-ss flags for modern Windows by default
Date: Fri, 15 May 2026 17:55:24 +0200
Message-ID: <20260515155810.229819-1-f.ebner@proxmox.com>
X-Mailer: git-send-email 2.47.3
List-Id: Proxmox VE development discussion

As reported by David on the Linux kernel mailing list [0], the cet-ibt and cet-ss flags cause boot issues for Windows guests with VBS enabled. The problem also affects some other configurations, as reported in the community forum [1].

The flags are exposed by default since QEMU 11.0 (commit 5cb89cad7f ("i386/cpu: Enable cet-ss & cet-ibt for supported CPU models")) and kernel 7.x. The flags are specific to recent Intel CPUs as a defense-in-depth measure (Control-flow enforcement shadow stack and indirect branch tracking), so they can be disabled without affecting actual functionality.

Once the issue is properly fixed in the kernel, the flags can be re-enabled (guarded by machine version). But since the issue is still being diagnosed, that could take a while.

Disabling the flags only for the relevant models would require querying the CPU model expansion first, which is costly as it requires starting a dummy VM, or hard-coding a list, which would become outdated. Until we ship a static list of such expansions to make checking practical, disable the flags for all CPU models for Windows 11 machines.
If it was disabled for a specific model implicitly, it will just have no effect. [0]: https://lore.kernel.org/kvm/85548beb-1486-40f9-beb4-632c78e3360b@proxmox.com/ [1]: https://forum.proxmox.com/threads/183349/post-851858 Reported-by: David Riley Signed-off-by: Fiona Ebner --- src/PVE/QemuServer.pm | 9 +++++- src/PVE/QemuServer/CPUConfig.pm | 28 +++++++++++++++++-- src/test/cfg2cmd/q35-windows-pinning.conf.cmd | 2 +- src/test/cfg2cmd/startdate-win11.conf.cmd | 2 +- 4 files changed, 35 insertions(+), 6 deletions(-) diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index a894684a..c86c10cd 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -3397,7 +3397,14 @@ sub config_to_command { } else { push @$cmd, get_cpu_options( - $conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough, + $conf, + $arch, + $kvm, + $kvm_off, + $machine_version, + $winversion, + $gpu_passthrough, + $kvmver, ); } diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index fb9af277..8bc5f895 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -896,7 +896,16 @@ my sub check_phys_bits_above_40_compat { # Calculate QEMU's '-cpu' argument from a given VM configuration sub get_cpu_options { - my ($conf, $arch, $kvm, $kvm_off, $machine_version, $winversion, $gpu_passthrough) = @_; + my ( + $conf, + $arch, + $kvm, + $kvm_off, + $machine_version, + $winversion, + $gpu_passthrough, + $qemu_binary_version, + ) = @_; my $cputype = get_default_cpu_type($arch, $kvm); @@ -933,7 +942,9 @@ sub get_cpu_options { die "CPU model '$cputype' does not exist for configured vCPU architecture '$arch'\n" if !defined(get_cpu_models_by_arch($arch)->{$cputype}); - my $pve_flags = get_pve_cpu_flags($conf, $kvm, $cputype, $arch, $machine_version); + my $pve_flags = get_pve_cpu_flags( + $conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version, + ); my $hv_flags; if ($kvm && $arch eq 'x86_64') { 
@@ -1021,7 +1032,7 @@ sub get_cpu_options { # Some hardcoded flags required by certain configurations sub get_pve_cpu_flags { - my ($conf, $kvm, $cputype, $arch, $machine_version) = @_; + my ($conf, $kvm, $cputype, $arch, $machine_version, $winversion, $qemu_binary_version) = @_; my $pve_flags = {}; my $pve_msg = "set by PVE;"; @@ -1065,6 +1076,17 @@ sub get_pve_cpu_flags { }; } + if ($arch eq 'x86_64' && min_version($qemu_binary_version, 11, 0) && $winversion >= 11) { + $pve_flags->{'cet-ibt'} = { + op => '-', + reason => "$pve_msg to avoid issues with certain Windows configurations like VBS", + }; + $pve_flags->{'cet-ss'} = { + op => '-', + reason => "$pve_msg to avoid issues with certain Windows configurations like VBS", + }; + } + return $pve_flags; } diff --git a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd index 986c485e..c9c3d83e 100644 --- a/src/test/cfg2cmd/q35-windows-pinning.conf.cmd +++ b/src/test/cfg2cmd/q35-windows-pinning.conf.cmd @@ -13,7 +13,7 @@ -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \ -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \ -global 'kvm-pit.lost_tick_policy=discard' \ - -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \ + -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \ -m 512 \ -readconfig /usr/share/qemu-server/pve-q35-4.0.cfg \ -device 'usb-tablet,id=tablet,bus=ehci.0,port=1' \ diff --git a/src/test/cfg2cmd/startdate-win11.conf.cmd b/src/test/cfg2cmd/startdate-win11.conf.cmd index a15dc213..9522e315 100644 --- a/src/test/cfg2cmd/startdate-win11.conf.cmd +++ b/src/test/cfg2cmd/startdate-win11.conf.cmd 
@@ -13,7 +13,7 @@ -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \ -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \ -global 'kvm-pit.lost_tick_policy=discard' \ - -cpu 'kvm64,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \ + -cpu 'kvm64,-cet-ibt,-cet-ss,enforce,hv_ipi,hv_relaxed,hv_reset,hv_runtime,hv_spinlocks=0x1fff,hv_stimer,hv_synic,hv_time,hv_vapic,hv_vpindex,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep' \ -m 512 \ -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' \ -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' \ -- 2.47.3
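Review bot: In the get_pve_cpu_flags signature hunk (@@ -1021,7 +1032,7 @@), the function gains two trailing positional parameters, but only the one caller in get_cpu_options is updated in this series; if get_pve_cpu_flags has any other caller, it now passes undef for $winversion and $qemu_binary_version, and the new `$winversion >= 11` comparison will emit an uninitialized-value warning (and min_version will see undef). Worth grepping for other callers or guarding with `defined($winversion)`.

Review bot: In the new block in get_pve_cpu_flags (@@ -1065,6 +1076,17 @@), the condition `$winversion >= 11` is narrower than the commit message, which describes the problem for "Windows guests with VBS enabled" without restricting it to Windows 11; either widen the check or state in the message why win10-class guests are deliberately left alone. Second, the removal is gated on the QEMU binary version but not on $machine_version, so a running Windows 11 guest whose model does expose these flags will see them disappear from CPUID when live-migrated to a node with this change (and reappear when moved back); the message only plans machine-version guarding for the later re-enabling, so please either tie the removal to a machine version now or note why the CPUID change across migration is acceptable. Finally, the identical `reason => "$pve_msg to avoid issues with certain Windows configurations like VBS"` is written out twice; a loop over `('cet-ibt', 'cet-ss')` or a shared `$reason` variable keeps the two entries from drifting apart.

Review bot: The two cfg2cmd expectation updates (q35-windows-pinning.conf.cmd and startdate-win11.conf.cmd) both use kvm64 and only show the positive case, i.e. `-cet-ibt,-cet-ss` being appended for a Windows guest on QEMU >= 11.0. A negative test would pin down the boundaries of the new condition: a non-Windows guest (and a win10 guest, given the `>= 11` check) on the same QEMU version with no `-cet-*` in the `-cpu` string, plus a Windows 11 guest with a QEMU version below 11.0, to confirm the min_version gate.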