+ rsb

+.. SPDX-License-Identifier: GPL-2.0

+

+=======================

+RSB-related mitigations

+=======================

+

+.. warning::

+ Please keep this document up-to-date, otherwise you will be

+ volunteered to update it and convert it to a very long comment in

+ bugs.c!

+

+Since 2018 there have been many Spectre CVEs related to the Return Stack

+Buffer (RSB) (sometimes referred to as the Return Address Stack (RAS) or

+Return Address Predictor (RAP) on AMD).

+

+Information about these CVEs and how to mitigate them is scattered

+amongst a myriad of microarchitecture-specific documents.

+

+This document attempts to consolidate all the relevant information in

+once place and clarify the reasoning behind the current RSB-related

+mitigations. It's meant to be as concise as possible, focused only on

+the current kernel mitigations: what are the RSB-related attack vectors

+and how are they currently being mitigated?

+

+It's *not* meant to describe how the RSB mechanism operates or how the

+exploits work. More details about those can be found in the references

+below.

+

+Rather, this is basically a glorified comment, but too long to actually

+be one. So when the next CVE comes along, a kernel developer can

+quickly refer to this as a refresher to see what we're actually doing

+and why.

+

+At a high level, there are two classes of RSB attacks: RSB poisoning

+(Intel and AMD) and RSB underflow (Intel only). They must each be

+considered individually for each attack vector (and microarchitecture

+where applicable).

+

+----

+

+RSB poisoning (Intel and AMD)

+=============================

+

+SpectreRSB

+~~~~~~~~~~

+

+RSB poisoning is a technique used by SpectreRSB [#spectre-rsb]_ where

+an attacker poisons an RSB entry to cause a victim's return instruction

+to speculate to an attacker-controlled address. This can happen when

+there are unbalanced CALLs/RETs after a context switch or VMEXIT.

+

+* All attack vectors can potentially be mitigated by flushing out any

+ poisoned RSB entries using an RSB filling sequence

+ [#intel-rsb-filling]_ [#amd-rsb-filling]_ when transitioning between

+ untrusted and trusted domains. But this has a performance impact and

+ should be avoided whenever possible.

+

+ .. DANGER::

+ **FIXME**: Currently we're flushing 32 entries. However, some CPU

+ models have more than 32 entries. The loop count needs to be

+ increased for those. More detailed information is needed about RSB

+ sizes.

+

+* On context switch, the user->user mitigation requires ensuring the

+ RSB gets filled or cleared whenever IBPB gets written [#cond-ibpb]_

+ during a context switch:

+

+ * AMD:

+ On Zen 4+, IBPB (or SBPB [#amd-sbpb]_ if used) clears the RSB.

+ This is indicated by IBPB_RET in CPUID [#amd-ibpb-rsb]_.

+

+ On Zen < 4, the RSB filling sequence [#amd-rsb-filling]_ must be

+ always be done in addition to IBPB [#amd-ibpb-no-rsb]_. This is

+ indicated by X86_BUG_IBPB_NO_RET.

+

+ * Intel:

+ IBPB always clears the RSB:

+

+ "Software that executed before the IBPB command cannot control

+ the predicted targets of indirect branches executed after the

+ command on the same logical processor. The term indirect branch

+ in this context includes near return instructions, so these

+ predicted targets may come from the RSB." [#intel-ibpb-rsb]_

+

+* On context switch, user->kernel attacks are prevented by SMEP. User

+ space can only insert user space addresses into the RSB. Even

+ non-canonical addresses can't be inserted due to the page gap at the

+ end of the user canonical address space reserved by TASK_SIZE_MAX.

+ A SMEP #PF at instruction fetch prevents the kernel from speculatively

+ executing user space.

+

+ * AMD:

+ "Finally, branches that are predicted as 'ret' instructions get

+ their predicted targets from the Return Address Predictor (RAP).

+ AMD recommends software use a RAP stuffing sequence (mitigation

+ V2-3 in [2]) and/or Supervisor Mode Execution Protection (SMEP)

+ to ensure that the addresses in the RAP are safe for

+ speculation. Collectively, we refer to these mitigations as "RAP

+ Protection"." [#amd-smep-rsb]_

+

+ * Intel:

+ "On processors with enhanced IBRS, an RSB overwrite sequence may

+ not suffice to prevent the predicted target of a near return

+ from using an RSB entry created in a less privileged predictor

+ mode. Software can prevent this by enabling SMEP (for

+ transitions from user mode to supervisor mode) and by having

+ IA32_SPEC_CTRL.IBRS set during VM exits." [#intel-smep-rsb]_

+

+* On VMEXIT, guest->host attacks are mitigated by eIBRS (and PBRSB

+ mitigation if needed):

+

+ * AMD:

+ "When Automatic IBRS is enabled, the internal return address

+ stack used for return address predictions is cleared on VMEXIT."

+ [#amd-eibrs-vmexit]_

+

+ * Intel:

+ "On processors with enhanced IBRS, an RSB overwrite sequence may

+ not suffice to prevent the predicted target of a near return

+ from using an RSB entry created in a less privileged predictor

+ mode. Software can prevent this by enabling SMEP (for

+ transitions from user mode to supervisor mode) and by having

+ IA32_SPEC_CTRL.IBRS set during VM exits. Processors with

+ enhanced IBRS still support the usage model where IBRS is set

+ only in the OS/VMM for OSes that enable SMEP. To do this, such

+ processors will ensure that guest behavior cannot control the

+ RSB after a VM exit once IBRS is set, even if IBRS was not set

+ at the time of the VM exit." [#intel-eibrs-vmexit]_

+

+ Note that some Intel CPUs are susceptible to Post-barrier Return

+ Stack Buffer Predictions (PBRSB) [#intel-pbrsb]_, where the last

+ CALL from the guest can be used to predict the first unbalanced RET.

+ In this case the PBRSB mitigation is needed in addition to eIBRS.

+

+AMD RETBleed / SRSO / Branch Type Confusion

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

+On AMD, poisoned RSB entries can also be created by the AMD RETBleed

+variant [#retbleed-paper]_ [#amd-btc]_ or by Speculative Return Stack

+Overflow [#amd-srso]_ (Inception [#inception-paper]_). The kernel

+protects itself by replacing every RET in the kernel with a branch to a

+single safe RET.

+

+----

+

+RSB underflow (Intel only)

+==========================

+

+RSB Alternate (RSBA) ("Intel Retbleed")

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

+Some Intel Skylake-generation CPUs are susceptible to the Intel variant

+of RETBleed [#retbleed-paper]_ (Return Stack Buffer Underflow

+[#intel-rsbu]_). If a RET is executed when the RSB buffer is empty due

+to mismatched CALLs/RETs or returning from a deep call stack, the branch

+predictor can fall back to using the Branch Target Buffer (BTB). If a

+user forces a BTB collision then the RET can speculatively branch to a

+user-controlled address.

+

+* Note that RSB filling doesn't fully mitigate this issue. If there

+ are enough unbalanced RETs, the RSB may still underflow and fall back

+ to using a poisoned BTB entry.

+

+* On context switch, user->user underflow attacks are mitigated by the

+ conditional IBPB [#cond-ibpb]_ on context switch which effectively

+ clears the BTB:

+

+ * "The indirect branch predictor barrier (IBPB) is an indirect branch

+ control mechanism that establishes a barrier, preventing software

+ that executed before the barrier from controlling the predicted

+ targets of indirect branches executed after the barrier on the same

+ logical processor." [#intel-ibpb-btb]_

+

+* On context switch and VMEXIT, user->kernel and guest->host RSB

+ underflows are mitigated by IBRS or eIBRS:

+

+ * "Enabling IBRS (including enhanced IBRS) will mitigate the "RSBU"

+ attack demonstrated by the researchers. As previously documented,

+ Intel recommends the use of enhanced IBRS, where supported. This

+ includes any processor that enumerates RRSBA but not RRSBA_DIS_S."

+ [#intel-rsbu]_

+

+ However, note that eIBRS and IBRS do not mitigate intra-mode attacks.

+ Like RRSBA below, this is mitigated by clearing the BHB on kernel

+ entry.

+

+ As an alternative to classic IBRS, call depth tracking (combined with

+ retpolines) can be used to track kernel returns and fill the RSB when

+ it gets close to being empty.

+

+Restricted RSB Alternate (RRSBA)

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

+Some newer Intel CPUs have Restricted RSB Alternate (RRSBA) behavior,

+which, similar to RSBA described above, also falls back to using the BTB

+on RSB underflow. The only difference is that the predicted targets are

+restricted to the current domain when eIBRS is enabled:

+

+* "Restricted RSB Alternate (RRSBA) behavior allows alternate branch

+ predictors to be used by near RET instructions when the RSB is

+ empty. When eIBRS is enabled, the predicted targets of these

+ alternate predictors are restricted to those belonging to the

+ indirect branch predictor entries of the current prediction domain.

+ [#intel-eibrs-rrsba]_

+

+When a CPU with RRSBA is vulnerable to Branch History Injection

+[#bhi-paper]_ [#intel-bhi]_, an RSB underflow could be used for an

+intra-mode BTI attack. This is mitigated by clearing the BHB on

+kernel entry.

+

+However if the kernel uses retpolines instead of eIBRS, it needs to

+disable RRSBA:

+

+* "Where software is using retpoline as a mitigation for BHI or

+ intra-mode BTI, and the processor both enumerates RRSBA and

+ enumerates RRSBA_DIS controls, it should disable this behavior."

+ [#intel-retpoline-rrsba]_

+

+----

+

+References

+==========

+

+.. [#spectre-rsb] `Spectre Returns! Speculation Attacks using the Return Stack Buffer <https://arxiv.org/pdf/1807.07940.pdf>`_

+

+.. [#intel-rsb-filling] "Empty RSB Mitigation on Skylake-generation" in `Retpoline: A Branch Target Injection Mitigation <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html#inpage-nav-5-1>`_

+

+.. [#amd-rsb-filling] "Mitigation V2-3" in `Software Techniques for Managing Speculation <https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/software-techniques-for-managing-speculation.pdf>`_

+

+.. [#cond-ibpb] Whether IBPB is written depends on whether the prev and/or next task is protected from Spectre attacks. It typically requires opting in per task or system-wide. For more details see the documentation for the ``spectre_v2_user`` cmdline option in Documentation/admin-guide/kernel-parameters.txt.

+

+.. [#amd-sbpb] IBPB without flushing of branch type predictions. Only exists for AMD.

+

+.. [#amd-ibpb-rsb] "Function 8000_0008h -- Processor Capacity Parameters and Extended Feature Identification" in `AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions <https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24594.pdf>`_. SBPB behaves the same way according to `this email <https://lore.kernel.org/5175b163a3736ca5fd01cedf406735636c99a>`_.

+

+.. [#amd-ibpb-no-rsb] `Spectre Attacks: Exploiting Speculative Execution <https://comsec.ethz.ch/wp-content/files/ibpb_sp25.pdf>`_

+

+.. [#intel-ibpb-rsb] "Introduction" in `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html>`_

+

+.. [#amd-smep-rsb] "Existing Mitigations" in `Technical Guidance for Mitigating Branch Type Confusion <https://www.amd.com/content/dam/amd/en/documents/resources/technical-guidance-for-mitigating-branch-type-confusion.pdf>`_

+

+.. [#intel-smep-rsb] "Enhanced IBRS" in `Indirect Branch Restricted Speculation <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html>`_

+

+.. [#amd-eibrs-vmexit] "Extended Feature Enable Register (EFER)" in `AMD64 Architecture Programmer's Manual Volume 2: System Programming <https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24593.pdf>`_

+

+.. [#intel-eibrs-vmexit] "Enhanced IBRS" in `Indirect Branch Restricted Speculation <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html>`_

+

+.. [#intel-pbrsb] `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html>`_

+

+.. [#retbleed-paper] `RETBleed: Arbitrary Speculative Code Execution with Return Instruction <https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf>`_

+

+.. [#amd-btc] `Technical Guidance for Mitigating Branch Type Confusion <https://www.amd.com/content/dam/amd/en/documents/resources/technical-guidance-for-mitigating-branch-type-confusion.pdf>`_

+

+.. [#amd-srso] `Technical Update Regarding Speculative Return Stack Overflow <https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf>`_

+

+.. [#inception-paper] `Inception: Exposing New Attack Surfaces with Training in Transient Execution <https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf>`_

+

+.. [#intel-rsbu] `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html>`_

+

+.. [#intel-ibpb-btb] `Indirect Branch Predictor Barrier' <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.html>`_

+

+.. [#intel-eibrs-rrsba] "Guidance for RSBU" in `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html>`_

+

+.. [#bhi-paper] `Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks <http://download.vusec.net/papers/bhi-spectre-bhb_sec22.pdf>`_

+

+.. [#intel-bhi] `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html>`_

+

+.. [#intel-retpoline-rrsba] "Retpoline" in `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html>`_

+ earlyprintk=mmio32,membase[,{nocfg|baudrate}]

+ nosmt [KNL,MIPS,PPC,EARLY] Disable symmetric multithreading (SMT).

+ [KNL,X86,PPC,S390] Disable symmetric multithreading (SMT).

+ unaligned_scalar_speed=

+ [RISCV]

+ Format: {slow | fast | unsupported}

+ Allow skipping scalar unaligned access speed tests. This

+ is useful for testing alternative code paths and to skip

+ the tests in environments where they run too slowly. All

+ CPUs must have the same scalar unaligned access speed.

+

+ unaligned_vector_speed=

+ [RISCV]

+ Format: {slow | fast | unsupported}

+ Allow skipping vector unaligned access speed tests. This

+ is useful for testing alternative code paths and to skip

+ the tests in environments where they run too slowly. All

+ CPUs must have the same vector unaligned access speed.

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZICNTR`: The Zicntr extension version 2.0

+ is supported as defined in the RISC-V ISA manual.

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZIHPM`: The Zihpm extension version 2.0

+ is supported as defined in the RISC-V ISA manual.

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZAAMO`: The Zaamo extension is supported as

+ defined in the in the RISC-V ISA manual starting from commit e87412e621f1

+ ("integrate Zaamo and Zalrsc text (#1304)").

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZALRSC`: The Zalrsc extension is supported as

+ defined in the in the RISC-V ISA manual starting from commit e87412e621f1

+ ("integrate Zaamo and Zalrsc text (#1304)").

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZFBFMIN`: The Zfbfmin extension is supported as

+ defined in the RISC-V ISA manual starting from commit 4dc23d6229de

+ ("Added Chapter title to BF16").

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZVFBFMIN`: The Zvfbfmin extension is supported as

+ defined in the RISC-V ISA manual starting from commit 4dc23d6229de

+ ("Added Chapter title to BF16").

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZVFBFWMA`: The Zvfbfwma extension is supported as

+ defined in the RISC-V ISA manual starting from commit 4dc23d6229de

+ ("Added Chapter title to BF16").

+

+ * :c:macro:`RISCV_HWPROBE_EXT_ZICBOM`: The Zicbom extension is supported, as

+ ratified in commit 3dd606f ("Create cmobase-v1.0.pdf") of riscv-CMOs.

+

+

+* :c:macro:`RISCV_HWPROBE_KEY_ZICBOM_BLOCK_SIZE`: An unsigned int which

+ represents the size of the Zicbom block in bytes.

+Feature flags can be derived from the contents of CPUID leaves

+--------------------------------------------------------------

+

+Flags can be from scattered CPUID-based features

+------------------------------------------------

+

+Flags can be created synthetically under certain conditions for hardware features

+---------------------------------------------------------------------------------

+

+Flags can represent purely software features

+--------------------------------------------

+Flags do not appear by default in /proc/cpuinfo

+-----------------------------------------------

+

+Feature flags are omitted by default from /proc/cpuinfo as it does not make

+sense for the feature to be exposed to userspace in most cases. For example,

+X86_FEATURE_ALWAYS is defined in cpufeatures.h but that flag is an internal

+kernel feature used in the alternative runtime patching functionality. So the

+flag does not appear in /proc/cpuinfo.

+

+Specify a flag name if absolutely needed

+----------------------------------------

+The hardware does not enumerate support for it

+----------------------------------------------

+

+The kernel does not know about the flag

+---------------------------------------

+

+The kernel disabled support for it at compile-time

+--------------------------------------------------

+

+The feature is disabled at boot-time

+------------------------------------

+The feature was known to be non-functional

+------------------------------------------

+

+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)

+%YAML 1.2

+---

+

+$id: http://devicetree.org/schemas/input/gpio-matrix-keypad.yaml#

+$schema: http://devicetree.org/meta-schemas/core.yaml#

+

+title: GPIO matrix keypad

+

+maintainers:

+ - Marek Vasut <marek.vasut@gmail.com>

+

+description:

+ GPIO driven matrix keypad is used to interface a SoC with a matrix keypad.

+ The matrix keypad supports multiple row and column lines, a key can be

+ placed at each intersection of a unique row and a unique column. The matrix

+ keypad can sense a key-press and key-release by means of GPIO lines and

+ report the event using GPIO interrupts to the cpu.

+

+allOf:

+ - $ref: /schemas/input/matrix-keymap.yaml#

+

+properties:

+ compatible:

+ const: gpio-matrix-keypad

+

+ row-gpios:

+ description:

+ List of GPIOs used as row lines. The gpio specifier for this property

+ depends on the gpio controller to which these row lines are connected.

+

+ col-gpios:

+ description:

+ List of GPIOs used as column lines. The gpio specifier for this property

+ depends on the gpio controller to which these column lines are connected.

+

+ linux,keymap: true

+

+ linux,no-autorepeat:

+ type: boolean

+ description: Do not enable autorepeat feature.

+

+ gpio-activelow:

+ type: boolean

+ description:

+ Force GPIO polarity to active low.

+ In the absence of this property GPIOs are treated as active high.

+

+ debounce-delay-ms:

+ description: Debounce interval in milliseconds.

+ default: 0

+

+ col-scan-delay-us:

+ description:

+ Delay, measured in microseconds, that is needed

+ before we can scan keypad after activating column gpio.

+ default: 0

+

+ all-cols-on-delay-us:

+ description:

+ Delay, measured in microseconds, that is needed

+ after activating all column gpios.

+ default: 0

+

+ drive-inactive-cols:

+ type: boolean

+ description:

+ Drive inactive columns during scan,

+ default is to turn inactive columns into inputs.

+

+ wakeup-source: true

+

+required:

+ - compatible

+ - row-gpios

+ - col-gpios

+ - linux,keymap

+

+additionalProperties: false

+

+examples:

+ - |

+ matrix-keypad {

+ compatible = "gpio-matrix-keypad";

+ debounce-delay-ms = <5>;

+ col-scan-delay-us = <2>;

+

+ row-gpios = <&gpio2 25 0

+ &gpio2 26 0

+ &gpio2 27 0>;

+

+ col-gpios = <&gpio2 21 0

+ &gpio2 22 0>;

+

+ linux,keymap = <0x0000008B

+ 0x0100009E

+ 0x02000069

+ 0x0001006A

+ 0x0101001C

+ 0x0201006C>;

+

+ wakeup-source;

+ };

+ #include <dt-bindings/input/input.h>

+ #include <dt-bindings/interrupt-controller/irq.h>

+ pmic {

+ #address-cells = <1>;

+ #size-cells = <0>;

+ keypad@148 {

+ compatible = "qcom,pm8921-keypad";

+ reg = <0x148>;

+ interrupt-parent = <&pmicintc>;

+ interrupts = <74 IRQ_TYPE_EDGE_RISING>, <75 IRQ_TYPE_EDGE_RISING>;

+ linux,keymap = <

+ MATRIX_KEY(0, 0, KEY_VOLUMEUP)

+ MATRIX_KEY(0, 1, KEY_VOLUMEDOWN)

+ MATRIX_KEY(0, 2, KEY_CAMERA_FOCUS)

+ MATRIX_KEY(0, 3, KEY_CAMERA)

+ >;

+ keypad,num-rows = <1>;

+ keypad,num-columns = <5>;

+ debounce = <15>;

+ scan-delay = <32>;

+ row-hold = <91500>;

+ };

+ };

+ #include <dt-bindings/interrupt-controller/irq.h>

+ ssbi {

+ #address-cells = <1>;

+ #size-cells = <0>;

+ pmic@0 {

+ reg = <0x0>;

+ #address-cells = <1>;

+ #size-cells = <0>;

+ pwrkey@1c {

+ compatible = "qcom,pm8921-pwrkey";

+ reg = <0x1c>;

+ interrupt-parent = <&pmicint>;

+ interrupts = <50 IRQ_TYPE_EDGE_RISING>, <51 IRQ_TYPE_EDGE_RISING>;

+ debounce = <15625>;

+ pull-up;

+ };

+ };

+ };

+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)

+%YAML 1.2

+---

+$id: http://devicetree.org/schemas/input/touchscreen/apple,z2-multitouch.yaml#

+$schema: http://devicetree.org/meta-schemas/core.yaml#

+

+title: Apple touchscreens attached using the Z2 protocol

+

+maintainers:

+ - Sasha Finkelstein <fnkl.kernel@gmail.com>

+

+description: A series of touschscreen controllers used in Apple products

+

+allOf:

+ - $ref: touchscreen.yaml#

+ - $ref: /schemas/spi/spi-peripheral-props.yaml#

+

+properties:

+ compatible:

+ enum:

+ - apple,j293-touchbar

+ - apple,j493-touchbar

+

+ interrupts:

+ maxItems: 1

+

+ reset-gpios:

+ maxItems: 1

+

+ firmware-name:

+ maxItems: 1

+

+ apple,z2-cal-blob:

+ $ref: /schemas/types.yaml#/definitions/uint8-array

+ maxItems: 4096

+ description:

+ Calibration blob supplied by the bootloader

+

+required:

+ - compatible

+ - interrupts

+ - reset-gpios

+ - firmware-name

+ - touchscreen-size-x

+ - touchscreen-size-y

+

+unevaluatedProperties: false

+

+examples:

+ - |

+ #include <dt-bindings/gpio/gpio.h>

+ #include <dt-bindings/interrupt-controller/irq.h>

+

+ spi {

+ #address-cells = <1>;

+ #size-cells = <0>;

+

+ touchscreen@0 {

+ compatible = "apple,j293-touchbar";

+ reg = <0>;

+ spi-max-frequency = <11500000>;

+ reset-gpios = <&pinctrl_ap 139 GPIO_ACTIVE_LOW>;

+ interrupts-extended = <&pinctrl_ap 194 IRQ_TYPE_EDGE_FALLING>;

+ firmware-name = "apple/dfrmtfw-j293.bin";

+ touchscreen-size-x = <23045>;

+ touchscreen-size-y = <640>;

+ };

+ };

+

+...

+ - goodix,gt9897

+ compatible = "ti,tsc2046";

+ reg = <0>; /* CS0 */

+ interrupt-parent = <&gpio1>;

+ interrupts = <8 0>; /* BOOT6 / GPIO 8 */

+ pendown-gpio = <&gpio1 8 0>;

+ spi-max-frequency = <1000000>;

+ vcc-supply = <&reg_vcc3>;

+ wakeup-source;

+

+ ti,pressure-max = /bits/ 16 <255>;

+ ti,x-max = /bits/ 16 <8000>;

+ ti,x-min = /bits/ 16 <0>;

+ ti,x-plate-ohms = /bits/ 16 <40>;

+ ti,y-max = /bits/ 16 <4800>;

+ ti,y-min = /bits/ 16 <0>;

+ };

+3. "linux,wakeup" Documentation/devicetree/bindings/input/gpio-matrix-keypad.yaml

+ - const: zaamo

+ description: |

+ The standard Zaamo extension for atomic memory operations as

+ ratified at commit e87412e621f1 ("integrate Zaamo and Zalrsc text

+ (#1304)") of the unprivileged ISA specification.

+

+ - const: zalrsc

+ description: |

+ The standard Zalrsc extension for load-reserved/store-conditional as

+ ratified at commit e87412e621f1 ("integrate Zaamo and Zalrsc text

+ (#1304)") of the unprivileged ISA specification.

+

+ - const: zfbfmin

+ description:

+ The standard Zfbfmin extension which provides minimal support for

+ 16-bit half-precision brain floating-point instructions, as ratified

+ in commit 4dc23d62 ("Added Chapter title to BF16") of riscv-isa-manual.

+

+ - const: zvfbfmin

+ description:

+ The standard Zvfbfmin extension for minimal support for vectored

+ 16-bit half-precision brain floating-point instructions, as ratified

+ in commit 4dc23d62 ("Added Chapter title to BF16") of riscv-isa-manual.

+

+ - const: zvfbfwma

+ description:

+ The standard Zvfbfwma extension for vectored half-precision brain

+ floating-point widening multiply-accumulate instructions, as ratified

+ in commit 4dc23d62 ("Added Chapter title to BF16") of riscv-isa-manual.

+

+ - if:

+ contains:

+ const: d

+ then:

+ contains:

+ const: f

+ # Zfbfmin depends on F

+ - if:

+ contains:

+ const: zfbfmin

+ then:

+ contains:

+ const: f

+ # Zvfbfmin depends on V or Zve32f

+ - if:

+ contains:

+ const: zvfbfmin

+ then:

+ oneOf:

+ - contains:

+ const: v

+ - contains:

+ const: zve32f

+ # Zvfbfwma depends on Zfbfmin and Zvfbfmin

+ - if:

+ contains:

+ const: zvfbfwma

+ then:

+ allOf:

+ - contains:

+ const: zfbfmin

+ - contains:

+ const: zvfbfmin

+ # Zacas depends on Zaamo

+ - if:

+ contains:

+ const: zacas

+ then:

+ contains:

+ const: zaamo

+

+ - if:

+ contains:

+ const: zve32x

+ then:

+ contains:

+ const: zicsr

+

+ - if:

+ contains:

+ const: zve32f

+ then:

+ allOf:

+ - contains:

+ const: f

+ - contains:

+ const: zve32x

+

+ - if:

+ contains:

+ const: zve64x

+ then:

+ contains:

+ const: zve32x

+

+ - if:

+ contains:

+ const: zve64f

+ then:

+ allOf:

+ - contains:

+ const: f

+ - contains:

+ const: zve32f

+ - contains:

+ const: zve64x

+

+ - if:

+ contains:

+ const: zve64d

+ then:

+ allOf:

+ - contains:

+ const: d

+ - contains:

+ const: zve64f

+

+ - if:

+ contains:

+ anyOf:

+ - const: zvbc

+ - const: zvkn

+ - const: zvknc

+ - const: zvkng

+ - const: zvknhb

+ - const: zvksc

+ then:

+ contains:

+ anyOf:

+ - const: v

+ - const: zve64x

+

+ - if:

+ contains:

+ anyOf:

+ - const: zvbb

+ - const: zvkb

+ - const: zvkg

+ - const: zvkned

+ - const: zvknha

+ - const: zvksed

+ - const: zvksh

+ - const: zvks

+ - const: zvkt

+ then:

+ contains:

+ anyOf:

+ - const: v

+ - const: zve32x

+.. SPDX-License-Identifier: GPL-2.0-only

+

+==========================

+Bash completion for Kbuild

+==========================

+

+The kernel build system is written using Makefiles, and Bash completion

+for the `make` command is available through the `bash-completion`_ project.

+

+However, the Makefiles for the kernel build are complex. The generic completion

+rules for the `make` command do not provide meaningful suggestions for the

+kernel build system, except for the options of the `make` command itself.

+

+To enhance completion for various variables and targets, the kernel source

+includes its own completion script at `scripts/bash-completion/make`.

+

+This script provides additional completions when working within the kernel tree.

+Outside the kernel tree, it defaults to the generic completion rules for the

+`make` command.

+

+Prerequisites

+=============

+

+The script relies on helper functions provided by `bash-completion`_ project.

+Please ensure it is installed on your system. On most distributions, you can

+install the `bash-completion` package through the standard package manager.

+

+How to use

+==========

+

+You can source the script directly::

+

+ $ source scripts/bash-completion/make

+

+Or, you can copy it into the search path for Bash completion scripts.

+For example::

+

+ $ mkdir -p ~/.local/share/bash-completion/completions

+ $ cp scripts/bash-completion/make ~/.local/share/bash-completion/completions/

+

+Details

+=======

+

+The additional completion for Kbuild is enabled in the following cases:

+

+ - You are in the root directory of the kernel source.

+ - You are in the top-level build directory created by the O= option

+ (checked via the `source` symlink pointing to the kernel source).

+ - The -C make option specifies the kernel source or build directory.

+ - The -f make option specifies a file in the kernel source or build directory.

+

+If none of the above are met, it falls back to the generic completion rules.

+

+The completion supports:

+

+ - Commonly used targets, such as `all`, `menuconfig`, `dtbs`, etc.

+ - Make (or environment) variables, such as `ARCH`, `LLVM`, etc.

+ - Single-target builds (`foo/bar/baz.o`)

+ - Configuration files (`*_defconfig` and `*.config`)

+

+Some variables offer intelligent behavior. For instance, `CROSS_COMPILE=`

+followed by a TAB displays installed toolchains. The list of defconfig files

+shown depends on the value of the `ARCH=` variable.

+

+.. _bash-completion: https://github.com/scop/bash-completion/

+ bash-completion

+

+the combination of FOO=y with BAR=m, or BAR is completely disabled. The BAR

+module must provide all the stubs for !BAR case.

+

+Much less favorable way to express optional dependency is IS_REACHABLE() within

+the module code, useful for example when the module BAR does not provide

+!BAR stubs::

+

+ foo_init()

+ {

+ if (IS_REACHABLE(CONFIG_BAR))

+ bar_register(&foo);

+ ...

+ }

+

+IS_REACHABLE() is generally discouraged, because the code will be silently

+discarded, when CONFIG_BAR=m and this code is built-in. This is not what users

+usually expect when enabling BAR as module.

+

+$(RUSTC) support functions

+--------------------------

+

+rustc-min-version

+ rustc-min-version tests if the value of $(CONFIG_RUSTC_VERSION) is greater

+ than or equal to the provided value and evaluates to y if so.

+

+ Example::

+

+ rustflags-$(call rustc-min-version, 108500) := -Cfoo

+

+ In this example, rustflags-y will be assigned the value -Cfoo if

+ $(CONFIG_RUSTC_VERSION) is >= 1.85.0.

+

+ |__ complex.h

+there are two sets of interfaces: ``dev_xxx``/``netdev_xxx`` and ``netif_xxx``

+(e.g., ``dev_set_mtu`` and ``netif_set_mtu``). The ``dev_xxx``/``netdev_xxx``

+functions handle acquiring the instance lock themselves, while the

+``netif_xxx`` functions assume that the driver has already acquired

+the instance lock.

+* ``NETDEV_CHANGE``

+ hrtimer_setup

+ hrtimer_setup

+6.76 KVM_CAP_HYPERV_SYNIC

+-------------------------

+

+:Architectures: x86

+:Target: vcpu

+

+This capability, if KVM_CHECK_EXTENSION indicates that it is

+available, means that the kernel has an implementation of the

+Hyper-V Synthetic interrupt controller(SynIC). Hyper-V SynIC is

+used to support Windows Hyper-V based guest paravirt drivers(VMBus).

+

+In order to use SynIC, it has to be activated by setting this

+capability via KVM_ENABLE_CAP ioctl on the vcpu fd. Note that this

+will disable the use of APIC hardware virtualization even if supported

+by the CPU, as it's incompatible with SynIC auto-EOI behavior.

+

+6.77 KVM_CAP_HYPERV_SYNIC2

+--------------------------

+

+:Architectures: x86

+:Target: vcpu

+

+This capability enables a newer version of Hyper-V Synthetic interrupt

+controller (SynIC). The only difference with KVM_CAP_HYPERV_SYNIC is that KVM

+doesn't clear SynIC message and event flags pages when they are enabled by

+writing to the respective MSRs.

+

+6.78 KVM_CAP_HYPERV_DIRECT_TLBFLUSH

+-----------------------------------

+

+:Architectures: x86

+:Target: vcpu

+

+This capability indicates that KVM running on top of Hyper-V hypervisor

+enables Direct TLB flush for its guests meaning that TLB flush

+hypercalls are handled by Level 0 hypervisor (Hyper-V) bypassing KVM.

+Due to the different ABI for hypercall parameters between Hyper-V and

+KVM, enabling this capability effectively disables all hypercall

+handling by KVM (as some KVM hypercall may be mistakenly treated as TLB

+flush hypercalls by Hyper-V) so userspace should disable KVM identification

+in CPUID and only exposes Hyper-V identification. In this case, guest

+thinks it's running on Hyper-V and only use Hyper-V hypercalls.

+

+6.79 KVM_CAP_HYPERV_ENFORCE_CPUID

+---------------------------------

+

+:Architectures: x86

+:Target: vcpu

+

+When enabled, KVM will disable emulated Hyper-V features provided to the

+guest according to the bits Hyper-V CPUID feature leaves. Otherwise, all

+currently implemented Hyper-V features are provided unconditionally when

+Hyper-V identification is set in the HYPERV_CPUID_INTERFACE (0x40000001)

+leaf.

+

+6.80 KVM_CAP_ENFORCE_PV_FEATURE_CPUID

+-------------------------------------

+

+:Architectures: x86

+:Target: vcpu

+

+When enabled, KVM will disable paravirtual features provided to the

+guest according to the bits in the KVM_CPUID_FEATURES CPUID leaf

+(0x40000001). Otherwise, a guest may use the paravirtual features

+regardless of what has actually been exposed through the CPUID leaf.

+

+.. _KVM_CAP_DIRTY_LOG_RING:

+

+

+:Architectures: x86 SEV enabled

+:Type: vm

+:Parameters: args[0] is the fd of the source vm

+:Returns: 0 on success; ENOTTY on error

+7.36 KVM_CAP_DIRTY_LOG_RING/KVM_CAP_DIRTY_LOG_RING_ACQ_REL

+----------------------------------------------------------

+

+:Architectures: x86, arm64

+:Type: vm

+:Parameters: args[0] - size of the dirty log ring

+

+KVM is capable of tracking dirty memory using ring buffers that are

+mmapped into userspace; there is one dirty ring per vcpu.

+

+The dirty ring is available to userspace as an array of

+``struct kvm_dirty_gfn``. Each dirty entry is defined as::

+

+ struct kvm_dirty_gfn {

+ __u32 flags;

+ __u32 slot; /* as_id | slot_id */

+ __u64 offset;

+ };

+

+The following values are defined for the flags field to define the

+current state of the entry::

+

+ #define KVM_DIRTY_GFN_F_DIRTY BIT(0)

+ #define KVM_DIRTY_GFN_F_RESET BIT(1)

+ #define KVM_DIRTY_GFN_F_MASK 0x3

+

+Userspace should call KVM_ENABLE_CAP ioctl right after KVM_CREATE_VM

+ioctl to enable this capability for the new guest and set the size of

+the rings. Enabling the capability is only allowed before creating any

+vCPU, and the size of the ring must be a power of two. The larger the

+ring buffer, the less likely the ring is full and the VM is forced to

+exit to userspace. The optimal size depends on the workload, but it is

+recommended that it be at least 64 KiB (4096 entries).

+

+Just like for dirty page bitmaps, the buffer tracks writes to

+all user memory regions for which the KVM_MEM_LOG_DIRTY_PAGES flag was

+set in KVM_SET_USER_MEMORY_REGION. Once a memory region is registered

+with the flag set, userspace can start harvesting dirty pages from the

+ring buffer.

+

+An entry in the ring buffer can be unused (flag bits ``00``),

+dirty (flag bits ``01``) or harvested (flag bits ``1X``). The

+state machine for the entry is as follows::

+

+ dirtied harvested reset

+ 00 -----------> 01 -------------> 1X -------+

+ ^ |

+ | |

+ +------------------------------------------+

+

+To harvest the dirty pages, userspace accesses the mmapped ring buffer

+to read the dirty GFNs. If the flags has the DIRTY bit set (at this stage

+the RESET bit must be cleared), then it means this GFN is a dirty GFN.

+The userspace should harvest this GFN and mark the flags from state

+``01b`` to ``1Xb`` (bit 0 will be ignored by KVM, but bit 1 must be set

+to show that this GFN is harvested and waiting for a reset), and move

+on to the next GFN. The userspace should continue to do this until the

+flags of a GFN have the DIRTY bit cleared, meaning that it has harvested

+all the dirty GFNs that were available.

+

+Note that on weakly ordered architectures, userspace accesses to the

+ring buffer (and more specifically the 'flags' field) must be ordered,

+using load-acquire/store-release accessors when available, or any

+other memory barrier that will ensure this ordering.

+

+It's not necessary for userspace to harvest the all dirty GFNs at once.

+However it must collect the dirty GFNs in sequence, i.e., the userspace

+program cannot skip one dirty GFN to collect the one next to it.

+

+After processing one or more entries in the ring buffer, userspace

+calls the VM ioctl KVM_RESET_DIRTY_RINGS to notify the kernel about

+it, so that the kernel will reprotect those collected GFNs.

+Therefore, the ioctl must be called *before* reading the content of

+the dirty pages.

+

+The dirty ring can get full. When it happens, the KVM_RUN of the

+vcpu will return with exit reason KVM_EXIT_DIRTY_LOG_FULL.

+

+The dirty ring interface has a major difference comparing to the

+KVM_GET_DIRTY_LOG interface in that, when reading the dirty ring from

+userspace, it's still possible that the kernel has not yet flushed the

+processor's dirty page buffers into the kernel buffer (with dirty bitmaps, the

+flushing is done by the KVM_GET_DIRTY_LOG ioctl). To achieve that, one

+needs to kick the vcpu out of KVM_RUN using a signal. The resulting

+vmexit ensures that all dirty GFNs are flushed to the dirty rings.

+

+NOTE: KVM_CAP_DIRTY_LOG_RING_ACQ_REL is the only capability that

+should be exposed by weakly ordered architecture, in order to indicate

+the additional memory ordering requirements imposed on userspace when

+reading the state of an entry and mutating it from DIRTY to HARVESTED.

+Architecture with TSO-like ordering (such as x86) are allowed to

+expose both KVM_CAP_DIRTY_LOG_RING and KVM_CAP_DIRTY_LOG_RING_ACQ_REL

+to userspace.

+

+After enabling the dirty rings, the userspace needs to detect the

+capability of KVM_CAP_DIRTY_LOG_RING_WITH_BITMAP to see whether the

+ring structures can be backed by per-slot bitmaps. With this capability

+advertised, it means the architecture can dirty guest pages without

+vcpu/ring context, so that some of the dirty information will still be

+maintained in the bitmap structure. KVM_CAP_DIRTY_LOG_RING_WITH_BITMAP

+can't be enabled if the capability of KVM_CAP_DIRTY_LOG_RING_ACQ_REL

+hasn't been enabled, or any memslot has been existing.

+

+Note that the bitmap here is only a backup of the ring structure. The

+use of the ring and bitmap combination is only beneficial if there is

+only a very small amount of memory that is dirtied out of vcpu/ring

+context. Otherwise, the stand-alone per-slot bitmap mechanism needs to

+be considered.

+

+To collect dirty bits in the backup bitmap, userspace can use the same

+KVM_GET_DIRTY_LOG ioctl. KVM_CLEAR_DIRTY_LOG isn't needed as long as all

+the generation of the dirty bits is done in a single pass. Collecting

+the dirty bitmap should be the very last thing that the VMM does before

+considering the state as complete. VMM needs to ensure that the dirty

+state is final and avoid missing dirty pages from another ioctl ordered

+after the bitmap collection.

+

+NOTE: Multiple examples of using the backup bitmap: (1) save vgic/its

+tables through command KVM_DEV_ARM_{VGIC_GRP_CTRL, ITS_SAVE_TABLES} on

+KVM device "kvm-arm-vgic-its". (2) restore vgic/its tables through

+command KVM_DEV_ARM_{VGIC_GRP_CTRL, ITS_RESTORE_TABLES} on KVM device

+"kvm-arm-vgic-its". VGICv3 LPI pending status is restored. (3) save

+vgic3 pending table through KVM_DEV_ARM_VGIC_{GRP_CTRL, SAVE_PENDING_TABLES}

+command on KVM device "kvm-arm-vgic-v3".

+

+7.37 KVM_CAP_PMU_CAPABILITY

+---------------------------

+:Type: vm

+:Parameters: arg[0] is bitmask of PMU virtualization capabilities.

+:Returns: 0 on success, -EINVAL when arg[0] contains invalid bits

+This capability alters PMU virtualization in KVM.

+Calling KVM_CHECK_EXTENSION for this capability returns a bitmask of

+PMU virtualization capabilities that can be adjusted on a VM.

+

+The argument to KVM_ENABLE_CAP is also a bitmask and selects specific

+PMU virtualization capabilities to be applied to the VM. This can

+only be invoked on a VM prior to the creation of VCPUs.

+

+At this time, KVM_PMU_CAP_DISABLE is the only capability. Setting

+this capability will disable PMU virtualization for that VM. Usermode

+should adjust CPUID leaf 0xA to reflect that the PMU is disabled.

+

+7.38 KVM_CAP_VM_DISABLE_NX_HUGE_PAGES

+-------------------------------------

+

+:Architectures: x86

+:Type: vm

+:Parameters: arg[0] must be 0.

+:Returns: 0 on success, -EPERM if the userspace process does not

+ have CAP_SYS_BOOT, -EINVAL if args[0] is not 0 or any vCPUs have been

+ created.

+

+This capability disables the NX huge pages mitigation for iTLB MULTIHIT.

+

+The capability has no effect if the nx_huge_pages module parameter is not set.

+

+This capability may only be set before any vCPUs are created.

+

+7.39 KVM_CAP_ARM_EAGER_SPLIT_CHUNK_SIZE

+---------------------------------------

+

+:Architectures: arm64

+:Type: vm

+:Parameters: arg[0] is the new split chunk size.

+:Returns: 0 on success, -EINVAL if any memslot was already created.

+

+This capability sets the chunk size used in Eager Page Splitting.

+

+Eager Page Splitting improves the performance of dirty-logging (used

+in live migrations) when guest memory is backed by huge-pages. It

+avoids splitting huge-pages (into PAGE_SIZE pages) on fault, by doing

+it eagerly when enabling dirty logging (with the

+KVM_MEM_LOG_DIRTY_PAGES flag for a memory region), or when using

+KVM_CLEAR_DIRTY_LOG.

+

+The chunk size specifies how many pages to break at a time, using a

+single allocation for each chunk. Bigger the chunk size, more pages

+need to be allocated ahead of time.

+

+The chunk size needs to be a valid block size. The list of acceptable

+block sizes is exposed in KVM_CAP_ARM_SUPPORTED_BLOCK_SIZES as a

+64-bit bitmap (each bit describing a block size). The default value is

+0, to disable the eager page splitting.

+

+7.40 KVM_CAP_EXIT_HYPERCALL

+---------------------------

+

+:Architectures: x86

+:Type: vm

+

+This capability, if enabled, will cause KVM to exit to userspace

+with KVM_EXIT_HYPERCALL exit reason to process some hypercalls.

+

+Calling KVM_CHECK_EXTENSION for this capability will return a bitmask

+of hypercalls that can be configured to exit to userspace.

+Right now, the only such hypercall is KVM_HC_MAP_GPA_RANGE.

+

+The argument to KVM_ENABLE_CAP is also a bitmask, and must be a subset

+of the result of KVM_CHECK_EXTENSION. KVM will forward to userspace

+the hypercalls whose corresponding bit is in the argument, and return

+ENOSYS for the others.

+

+7.41 KVM_CAP_ARM_SYSTEM_SUSPEND

+-------------------------------

+

+:Architectures: arm64

+:Type: vm

+

+When enabled, KVM will exit to userspace with KVM_EXIT_SYSTEM_EVENT of

+type KVM_SYSTEM_EVENT_SUSPEND to process the guest suspend request.

+8.31 KVM_CAP_SPAPR_MULTITCE

+---------------------------

+8.42 KVM_CAP_PPC_RPT_INVALIDATE

+-------------------------------

+

+:Architectures: ppc

+

+This capability indicates that the kernel is capable of handling

+H_RPT_INVALIDATE hcall.

+

+In order to enable the use of H_RPT_INVALIDATE in the guest,

+user space might have to advertise it for the guest. For example,

+IBM pSeries (sPAPR) guest starts using it if "hcall-rpt-invalidate" is

+present in the "ibm,hypertas-functions" device-tree property.

+

+This capability is enabled for hypervisors on platforms like POWER9

+that support radix MMU.

+

+8.43 KVM_CAP_PPC_AIL_MODE_3

+---------------------------

+

+:Architectures: ppc

+

+This capability indicates that the kernel supports the mode 3 setting for the

+"Address Translation Mode on Interrupt" aka "Alternate Interrupt Location"

+resource that is controlled with the H_SET_MODE hypercall.

+

+This capability allows a guest kernel to use a better-performance mode for

+handling interrupts and system calls.

+

+8.44 KVM_CAP_MEMORY_FAULT_INFO

+------------------------------

+

+:Architectures: x86

+

+The presence of this capability indicates that KVM_RUN will fill

+kvm_run.memory_fault if KVM cannot resolve a guest page fault VM-Exit, e.g. if

+there is a valid memslot but no backing VMA for the corresponding host virtual

+address.

+

+The information in kvm_run.memory_fault is valid if and only if KVM_RUN returns

+an error with errno=EFAULT or errno=EHWPOISON *and* kvm_run.exit_reason is set

+to KVM_EXIT_MEMORY_FAULT.

+

+Note: Userspaces which attempt to resolve memory faults so that they can retry

+KVM_RUN are encouraged to guard against repeatedly receiving the same

+error/annotated fault.

+

+See KVM_EXIT_MEMORY_FAULT for more information.

+

+8.45 KVM_CAP_X86_GUEST_MODE

+---------------------------

+

+:Architectures: x86

+

+The presence of this capability indicates that KVM_RUN will update the

+KVM_RUN_X86_GUEST_MODE bit in kvm_run.flags to indicate whether the

+vCPU was executing nested guest code when it exited.

+

+KVM exits with the register state of either the L1 or L2 guest

+depending on which executed at the time of an exit. Userspace must

+take care to differentiate between these cases.

+

+On older versions of Linux, CPU[EAX=1]:ECX[24] (TSC_DEADLINE) is not reported by

+``KVM_GET_SUPPORTED_CPUID``, but it can be enabled if ``KVM_CAP_TSC_DEADLINE_TIMER``

+is present and the kernel has enabled in-kernel emulation of the local APIC.

+On newer versions, ``KVM_GET_SUPPORTED_CPUID`` does report the bit as available.