On Wed, Jul 15, 2020 at 12:49:23PM -0700, Kees Cook wrote:
> Aaah. I see. Thanks for the details there. So ... can you add a bunch
> more comments about why/when the new entry path is being used? I really
> don't want to accidentally discover some unrelated refactoring down
> the road (in months, years, unrelated to SEV, etc) starts to also skip
> verify_cpu() on Intel systems. There had been a lot of BIOSes that set
> this MSR to disable NX, and I don't want to repeat that pain: Linux must
> never start an Intel CPU with that MSR set. :P

Understood :)

I added a comment above the label explaining why it is only used for
SEV-ES guests and pointing out the importance of running verify_cpu() on
all other systems, especially if they are Intel based.

Regards,

Joerg