[PATCH 6/6] x86: Restrict KVM-induced symbol exports to KVM modules where obvious/possible

[Huang, Kai]

On Tue, 2025-07-29 at 10:42 -0700, Sean Christopherson wrote:
> Extend KVM's export macro framework to provide EXPORT_SYMBOL_GPL_FOR_KVM(),
> and use the helper macro to export symbols for KVM throughout x86 if and
> only if KVM will build one or more modules, and only for those modules.
> 
> To avoid unnecessary exports when CONFIG_KVM=m but kvm.ko will not be
> built (because no vendor modules are selected), let arch code #define
> EXPORT_SYMBOL_GPL_FOR_KVM to suppress/override the exports.
> 
> Note, the set of symbols to restrict to KVM was generated by manual search
> and audit; any "misses" are due to human error, not some grand plan.
> 
> Signed-off-by: Sean Christopherson <seanjc at google.com>
> ---

[...]

>  arch/x86/kernel/cpu/sgx/main.c     |  3 +-
>  arch/x86/kernel/cpu/sgx/virt.c     |  5 ++-
> 

[...]

>  arch/x86/virt/vmx/tdx/tdx.c        | 65 +++++++++++++++---------------
>  include/linux/kvm_types.h          | 14 +++++++
>  31 files changed, 140 insertions(+), 101 deletions(-)
> 

[...]

> 
> --- a/include/linux/kvm_types.h
> +++ b/include/linux/kvm_types.h
> @@ -11,8 +11,22 @@
>  #ifdef KVM_SUB_MODULES
>  #define EXPORT_SYMBOL_GPL_FOR_KVM_INTERNAL(symbol) \
>  	EXPORT_SYMBOL_GPL_FOR_MODULES(symbol, __stringify(KVM_SUB_MODULES))
> +#define EXPORT_SYMBOL_GPL_FOR_KVM(symbol) \
> +	EXPORT_SYMBOL_GPL_FOR_MODULES(symbol, "kvm," __stringify(KVM_SUB_MODULES))
> 

I was thinking to send out separate patches for SGX and TDX by just
changing to use EXPORT_SYMBOL_GPL_FOR_MODULES(.., "kvm,kvm-intel")
unconditionally, but yeah I agree having EXPORT_SYMBOL_GPL_FOR_KVM() and
only having the actual export when KVM sub module is enabled is better.

I tested that with this series I can still successfully create TDX and SGX
guests, so for TDX and SGX bits:

Acked-by: Kai Huang <kai.huang at intel.com>
Tested-by: Kai Huang <kai.huang at intel.com>