On 22/10/2025 5:39 am, Stefano Stabellini wrote: > diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig > index 3f0f3a0f3a..c2689a3f1c 100644 > --- a/xen/arch/x86/Kconfig > +++ b/xen/arch/x86/Kconfig > @@ -144,8 +144,7 @@ config XEN_IBT > > config SHADOW_PAGING > bool "Shadow Paging" > - default !PV_SHIM_EXCLUSIVE > - depends on PV || HVM > + depends on (PV || HVM) && !PV_SHIM_EXCLUSIVE > help
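Review bot: in the `config SHADOW_PAGING` hunk, moving `!PV_SHIM_EXCLUSIVE` from the `default` line into `depends on` changes more than the default. With `PV_SHIM_EXCLUSIVE` set the option can no longer be selected at all, and with the `default` line removed the bool falls back to off in every other configuration as well. If the aim is only that shim-exclusive builds do not get it by default, keep `depends on PV || HVM` and leave the preference in `default`. If hard-disabling is intended, the commit message should justify it, and the text under `help` should be checked so it still matches the new behaviour.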
Committing this would need an XSA to revert it. As stated in the help text, shadow paging is needed for the PV-L1TF security mitigation. This includes PVShim. The default is wrong too. I ran out of energy trying to get it fixed.

~Andrew
