On 11/27/25 16:20, Andrew Cooper wrote:
> On 27/11/2025 2:31 pm, Julian Vetter wrote:
>> Currently Intel CPUs in EFI mode with the "Execute Disable Bit" disabled
>> and the 'CONFIG_REQUIRE_NX=y' fail to boot, because this check is
>> performed before trampoline_setup is called, which determines if NX is
>> supported or if it's hidden by 'MSR_IA32_MISC_ENABLE[34] = 1' (if so,
>> re-enables NX).
>>
>> Signed-off-by: Julian Vetter <[email protected]>
>
> Lovely... This isn't the only bug; there's another one from the Vates
> forums about AMD CPUs which I haven't gotten around to fixing yet.
>
Thank you. I will have a look. I haven't seen this thread.
> Do you have any more information about which system looks like this?
>
I'm not sure if I understand your question correctly, but I was just
booting an Intel based machine newer than ~2012. I have tested this on 4
different machines, on which 3 hit this code path. One was a HPE
ProLiant m510 Server with a XEON CPU, second was a Mini PC with Celeron
CPU, and third was an old Intel NUC DCCP847DYE also with a Celeron CPU.
The only system where I couldn't reproduce the issue was an old
workstation with a Gigabyte mainboard. It has the flag in the Bios to
set MSR_IA32_MISC_ENABLE, but I'm not sure if it was actually booting
via UEFI. I will verify this on monday. I booted all the 3 other systems
via UEFI -> Grub -> multiboot2. My grub entry looks like this:
multiboot2 /boot/xen.gz dom0_mem=2656M,max:2656M watchdog ucode=scan
dom0_max_vcpus=1-8 crashkernel=256M,below=4G console=vga vga=mode-0x0311
module2 boot/vmlinuz console=hvc0 console=tty0 init=/bin/sh
module2 boot/initrd-dom0
> trampoline_setup isn't executed on all EFI boots. I had a different fix
> in mind, but it's a little more complicated.
Aha. yes, I didn't thought about other code paths. But I'm wondering if
we couldn't do the whole dance with XD and NX directly in the
efi-boot.h. Then maybe we could even remove the part in trampoline_setup
or are there other systems that hit only the trampoline_setup but not
the efi_multiboot2?
@@ -747,16 +748,27 @@ static void __init efi_arch_cpu(void)
if ( (eax >> 16) == 0x8000 && eax > 0x80000000U )
{
- caps[FEATURESET_e1d] = cpuid_edx(0x80000001U);
-
/*
* This check purposefully doesn't use cpu_has_nx because
* cpu_has_nx bypasses the boot_cpu_data read if Xen was compiled
* with CONFIG_REQUIRE_NX
*/
- if ( IS_ENABLED(CONFIG_REQUIRE_NX) &&
- !boot_cpu_has(X86_FEATURE_NX) )
- blexit(L"This build of Xen requires NX support");
+ if (IS_ENABLED(CONFIG_REQUIRE_NX)) {
+
+ msr_ia32 = rdmsr(MSR_IA32_MISC_ENABLE);
+ /* NX is hidden */
+ if (msr_ia32 & MSR_IA32_MISC_ENABLE_XD_DISABLE) {
+ msr_ia32 &= ~MSR_IA32_MISC_ENABLE_XD_DISABLE;
+
+ wrmsr(MSR_IA32_MISC_ENABLE_XD_DISABLE, msr_ia32);
+
+ /* Re-check for NX */
+ caps[FEATURESET_e1d] = cpuid_edx(0x80000001U);
+ }
+
+ if (!boot_cpu_has(X86_FEATURE_NX))
+ blexit(L"This build of Xen requires NX support");
+ }
if ( cpu_has_nx )
trampoline_efer |= EFER_NXE;
>
> If I do the key prep patch, would you mind trying to tackle the AMD side
> too?
Yes of course. I will have a look into it. Thank you.
>
> ~Andrew
--
Julian Vetter | Vates Hypervisor & Kernel Developer
XCP-ng & Xen Orchestra - Vates solutions
web: https://vates.tech
