On 28/03/2017 20:39, Borislav Petkov wrote:
>> 2) Since the encryption attribute works on PAGE_SIZE, hence add some extra
>> padding to 'struct kvm-steal-time' to make it PAGE_SIZE and then at runtime
>> clear the encryption attribute of the full PAGE. The downside of this was
>> now we need to modify the structure which may break the compatibility.
>
> From SEV-ES whitepaper:
>
> "To facilitate this communication, the SEV-ES architecture defines
> a Guest Hypervisor Communication Block (GHCB). The GHCB resides in
> page of shared memory so it is accessible to both the guest VM and the
> hypervisor."
>
> So this is kinda begging to be implemented with a shared page between
> guest and host. And then put steal-time, ... etc in there too. Provided
> there's enough room in the single page for the GHCB *and* our stuff.

The GHCB would have to be allocated much earlier, possibly even by firmware
depending on how things will be designed. I think it's premature to consider
SEV-ES requirements.

Paolo