QEMU does not properly pass through hardware MBEC support

Host environment

  • Operating system: Ubuntu Linux 24.04.2 LTS
  • OS/kernel version: 6.8.0-63-generic
  • Architecture: x86_64
  • QEMU flavor: qemu-system-x86_64
  • QEMU version: 10.1.50 (v10.1.0-252-g91589bcd9f)
  • QEMU command line: ./qemu-system-x86_64 -m 6G -smp 6 -machine q35 -cpu host,vmx=on -accel kvm -...

Emulated/Virtualized environment

  • Operating system: Windows 11 24H2
  • OS/kernel version: 26100.30335
  • Architecture: AMD64

Description of problem

QEMU, when running on AMD64 hardware with KVM (Linux server), does not properly pass through hardware MBEC support.

Hardware MBEC is indeed detected, thanks to bit 22 (Mode-based execute control for EPT) of the secondary processor-based VM-execution controls.

For some reason the mainline codebase (version 10) does not properly pass it to the guest. There was a patch available, but for some reason it never made it into mainline: https://lists.gnu.org/archive/html/qemu-devel/2023-11/msg02909.html

Hardware MBEC is very important for HVCI (Hypervisor-Protected Code Integrity), since it must ensure that physical pages are executable in user mode but not in kernel mode. Otherwise the OS will use a shadow EPT, which will dynamically switch every time code execution changes between user and kernel. This will make things ultra-slow.

Is there a reason why QEMU does not pass through MBEC via KVM? Note that adding "+mbec" to the -cpu command line does not work, yielding the following error: qemu-system-x86_64: can't apply global host-x86_64-cpu.mbec=on: Property 'host-x86_64-cpu.mbec' not found

Edited by Andrea Allievi
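As an added illustration (not part of the report or of QEMU), a decoder for the IA32_VMX_PROCBASED_CTLS2 capability MSR, which is where bit 22 (mode-based execute control for EPT) is advertised to a VMX host or nested guest. The MSR address and bit positions are from the Intel SDM; the sample MSR values are constructed, and the optional /dev/cpu read needs root and the msr driver.

```python
"""Decode the IA32_VMX_PROCBASED_CTLS2 capability MSR (address 0x48B).

Low 32 bits:  allowed-0 settings (bit set => the control must be 1).
High 32 bits: allowed-1 settings (bit set => the control may be 1, i.e. the
              feature is supported by the hardware or, inside a VM, exposed
              by the hypervisor).
"""
import struct

IA32_VMX_PROCBASED_CTLS2 = 0x48B  # Intel SDM Vol. 3, Appendix A.3.3

# Subset of secondary processor-based VM-execution control bits (Intel SDM Vol. 3).
SECONDARY_CTLS = {
    1: "enable EPT",
    5: "enable VPID",
    7: "unrestricted guest",
    17: "enable PML",
    22: "mode-based execute control for EPT (MBEC)",
    25: "use TSC scaling",
}


def decode_procbased_ctls2(msr_value):
    """Return {name: {bit, supported, fixed_on}} for the known control bits."""
    allowed0 = msr_value & 0xFFFFFFFF
    allowed1 = msr_value >> 32
    return {
        name: {
            "bit": bit,
            "supported": bool(allowed1 >> bit & 1),  # may be set to 1
            "fixed_on": bool(allowed0 >> bit & 1),   # must be set to 1
        }
        for bit, name in SECONDARY_CTLS.items()
    }


def mbec_supported(msr_value):
    """True when the allowed-1 half advertises bit 22 (MBEC)."""
    return bool((msr_value >> 32) >> 22 & 1)


def read_msr(cpu=0, addr=IA32_VMX_PROCBASED_CTLS2):
    """Read an MSR through the Linux msr driver (root + `modprobe msr`)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(addr)
        return struct.unpack("<Q", f.read(8))[0]


# Constructed samples: allowed-1 half has EPT, VPID, unrestricted guest, +/- MBEC.
SAMPLE_WITH_MBEC = 0x004000A2_00000000
SAMPLE_WITHOUT_MBEC = 0x000000A2_00000000

if __name__ == "__main__":
    try:
        value, source = read_msr(), "host MSR"
    except OSError:
        value, source = SAMPLE_WITH_MBEC, "constructed sample"
    print(f"IA32_VMX_PROCBASED_CTLS2 ({source}) = {value:#018x}")
    for name, info in decode_procbased_ctls2(value).items():
        print(f"  bit {info['bit']:2d} {name}: supported={info['supported']}")
```

Run on the host it reports what the CPU supports; run inside a Linux guest with nested VMX it reports what the hypervisor exposes, so a clear bit 22 in the guest while the host has it set is exactly the symptom described above.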