On Wed, Feb 12, 2020 at 5:18 PM Ashish Kalra <Ashish.Kalra@xxxxxxx> wrote:
>
> From: Brijesh Singh <brijesh.singh@xxxxxxx>
>
> Invoke a hypercall when a memory region is changed from encrypted ->
> decrypted and vice versa. Hypervisor need to know the page encryption
> status during the guest migration.

One messy aspect, which I think is fine in practice, is that this presumes that pages are either treated as encrypted or decrypted. If also done on SEV, the in-place re-encryption supported by SME would break SEV migration. Linux doesn't do this now on SEV, and I don't have an intuition for why Linux might want this, but we will need to ensure it is never done in order to ensure that migration works down the line. I don't believe the AMD manual promises this will work anyway.

Something feels a bit wasteful about having all future kernels universally announce c-bit status when SEV is enabled, even if KVM isn't listening, since it may be too old (or just not want to know). Might be worth eliding the hypercalls if you get ENOSYS back?

There might be a better way of passing paravirt config metadata across than just trying and seeing if the hypercall succeeds, but I'm not super familiar with it.
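The ENOSYS elision suggested in the reply above, as an added user-space sketch; it is not code from the patch or from the reply's author. `enc_notifier`, `enc_status_changed` and the three stub hosts are hypothetical names, and the function pointer stands in for the real hypercall.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the hypercall: returns 0 or a negative errno. */
typedef long (*enc_hcall_fn)(unsigned long gfn, unsigned long npages, bool enc);

struct enc_notifier {
    enc_hcall_fn hcall;       /* backend being modelled */
    atomic_bool unsupported;  /* latched once the host answers -ENOSYS */
    atomic_ulong issued;      /* hypercalls actually made (demo counter) */
};

/* Report a C-bit change. Returns 0 on success or when elided, else -errno. */
static long enc_status_changed(struct enc_notifier *n, unsigned long gfn,
                               unsigned long npages, bool enc)
{
    if (atomic_load(&n->unsupported))
        return 0;                            /* host is not listening: skip */
    atomic_fetch_add(&n->issued, 1);
    long ret = n->hcall(gfn, npages, enc);
    if (ret == -ENOSYS) {                    /* only ENOSYS disables reporting */
        atomic_store(&n->unsupported, true);
        return 0;
    }
    return ret;                              /* other errors are not latched */
}

/* Constructed hosts: one too old to know the call, one listening, one failing. */
static long old_host(unsigned long g, unsigned long p, bool e)
{ (void)g; (void)p; (void)e; return -ENOSYS; }
static long new_host(unsigned long g, unsigned long p, bool e)
{ (void)g; (void)p; (void)e; return 0; }
static long bad_host(unsigned long g, unsigned long p, bool e)
{ (void)g; (void)p; (void)e; return -EINVAL; }

/* Flip the C-bit on `changes` constructed single-page ranges; count hypercalls. */
static unsigned long hypercalls_issued(enc_hcall_fn host, int changes)
{
    struct enc_notifier n = { .hcall = host };
    for (int i = 0; i < changes; i++)
        enc_status_changed(&n, 0x1000UL + (unsigned long)i, 1, (i & 1) != 0);
    return atomic_load(&n.issued);
}

int main(void)
{
    printf("old host: %lu\n", hypercalls_issued(old_host, 8));
    printf("new host: %lu\n", hypercalls_issued(new_host, 8));
    printf("bad host: %lu\n", hypercalls_issued(bad_host, 8));
    return 0;
}
```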