See upstream bug here: https://gitlab.com/qemu-project/qemu/-/issues/2251

[jferlan] Copy/Pasted from upstream bug:

• Operating system: rhcos
• OS/kernel version: 5.14.0-284.57.1.el9_2.x86_64
• Architecture: X86
• QEMU flavor: Not sure. How can I find out?
• QEMU version: Using API: QEMU 9.0.0 Running hypervisor: QEMU 7.2.0
• QEMU command line:
   {{-cpu Cascadelake-Server,ss=on,vmx=on,pdcm=on,hypervisor=on,tsc-adjust=on,umip=on,pku=on,md-clear=on,stibp=on,arch-capabilities=on,xsaves=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,rdctl-no=on,ibrs-all=on,skip-l1dfl-vmentry=on,mds-no=on,pschange-mc-no=on,tsx-ctrl=on,hle=off,rtm=off,hv-time=on,tsc-frequency=2095077000,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff,hv-vpindex=on,hv-runtime=on,hv-synic=on,hv-stimer=on,hv-stimer-direct=on,hv-reset=on,hv-frequencies=on,hv-reenlightenment=on,hv-tlbflush=on,hv-ipi=on -global driver=cfi.pflash01,property=secure,value=on -m 4096 -object {"qom-type":"memory-backend-ram","id":"pc.ram","size":4294967296} -overcommit mem-lock=off -smp 2,sockets=1,dies=1,cores=2,threads=1 }}

Emulated/Virtualized environment

• Operating system: Windows 11
• OS/kernel version: Windows 11
• Architecture: X86

Description of problem

Steps to reproduce

1. Run a Windows 11 VM on a node (both VM domain XML and node capabilities XML is provided below).
2. Enable VBS on the guest. For doing so you can use https://github.com/MicrosoftDocs/windows-itpro-docs/files/4020040/DG_Readinessv3.7.zip. Then, in Windows terminal, run DG_Readiness_Tool_{version}.ps1 -Enable.
3. Reboot the guest.
4. Windows cannot start (see picture below).

Additional information

• Domain Capabilities: https://pastebin.com/GdQGQ639
• VMX capabilities: https://pastebin.com/5nbUH0ev
• contents of /proc/cpuinfo: https://pastebin.com/xZM4x89z
• Domain XML: https://pastebin.com/s4VehTXK
• Windows crash at boot: https://ibb.co/Ny1xRbz
   

For more information, look at the slack conversation here: https://redhat-internal.slack.com/archives/C04KFKV2SE9/p1711628502109649

[jferlan] reposted from slack link:

 
vkuznets  08:21

@iholder101 So if I understood @jdenemar correctly, we need two FRs against libvirt: 'vmx-*' features support and versioned CPU models support so e.g. virsh domcapabilities has all this stuff (I'm certainly not the best person to describe what's needed but it seems some of this is already available upstream). We need this to better handle situations like that and to make nesting (on Intel) more stable. I'm not sure if disabling certain non-vmx features would help: it seems the logic in Windows is to look at CPU model/stepping/.. and NOT at CPUID bits sometimes. I have no proof but it certainly feels like it. Last but not least, I can certainly try this and we can ask QE to try to reproduce, don't hesitate to open 'Win11 VM with VBS enabled crashes' against e.g. QEMU. It would be ideal if you can put your Win qcow2 somewhere and provide the exact QEMU command line.