On Wed, Sep 16, 2020 at 10:11:10AM -0500, Tom Lendacky wrote: > On 9/15/20 3:13 PM, Tom Lendacky wrote: > > On 9/15/20 11:30 AM, Sean Christopherson wrote: > >> I don't quite follow the "doesn't mean debugging can't be done in the future". > >> Does that imply that debugging could be supported for SEV-ES guests, even if > >> they have an encrypted VMSA? > > > > Almost anything can be done with software. It would require a lot of > > hypervisor and guest code and changes to the GHCB spec, etc. So given > > that, probably just the check for arch.guest_state_protected is enough for > > now. I'll just need to be sure none of the debugging paths can be taken > > before the VMSA is encrypted. > > So I don't think there's any guarantee that the KVM_SET_GUEST_DEBUG ioctl > couldn't be called before the VMSA is encrypted, meaning I can't check the > arch.guest_state_protected bit for that call. So if we really want to get > rid of the allow_debug() op, I'd need some other way to indicate that this > is an SEV-ES / protected state guest. Would anything break if KVM "speculatively" set guest_state_protected before LAUNCH_UPDATE_VMSA? E.g. does KVM need to emulate before LAUNCH_UPDATE_VMSA? > How are you planning on blocking this ioctl for TDX? Would the > arch.guest_state_protected bit be sit earlier than is done for SEV-ES? Yep, guest_state_protected is set from time zero (kvm_x86_ops.vm_init) as guest state is encrypted/inaccessible from the get go. The flag actually gets turned off for debuggable TDX guests, but that's also forced to happen before the KVM_RUN can be invoked (TDX architecture) and is a one-time configuration, i.e. userspace can flip the switch exactly once, and only at a very specific point in time.
