On 2/13/20 11:23 PM, Joerg Roedel wrote: > Yes, investigating this is on the list for future optimizations (besides > caching CPUID results). My idea is to use alternatives patching for > this. But the exception handling is needed anyway because #VC > exceptions happen very early already, basically the first thing after > setting up a stack is calling verify_cpu(), which uses CPUID. Ahh, bummer. How does a guest know that it's running under SEV-ES? What's the enumeration mechanism if CPUID doesn't "work"? > The other reason is that things like MMIO and IOIO instructions can't be > easily patched by alternatives. Those would work with the runtime > checking you showed above, though. Is there a reason we can't make a rule that you *must* do MMIO through an accessor function so we *can* patch them? I know random drivers might break the rule, but are SEV-ES guests going to be running random drivers? I would think that they mostly if not all want to use virtio.