On Thu, 2021-03-18 at 16:35 +0000, Sean Christopherson wrote:
> On Thu, Mar 18, 2021, Joerg Roedel wrote:
> > On Thu, Mar 18, 2021 at 11:24:25AM +0200, Maxim Levitsky wrote:
> > > But again this is a debug feature, and it is intended to allow the user
> > > to shoot himself in the foot.
> >
> > And one can't debug SEV-ES guests with it, so what is the point of
> > enabling it for them too?

You can create a special SEV-ES guest which does handle all exceptions via #VC,
or just observe it fail, which can be useful for whatever reason.

>
> Agreed. I can see myself enabling debug features by default, it would be nice
> to not have to go out of my way to disable them for SEV-ES/SNP guests.

This does sound like a valid reason to disable this for SEV-ES.

>
> Skipping SEV-ES guests should not be difficult; KVM could probably even
> print a message stating that the debug hook is being ignored. One thought would
> be to snapshot debug_intercept_exceptions at VM creation, and simply zero it out
> for incompatible guests. That would also allow changing debug_intercept_exceptions
> without reloading KVM, which IMO would be very convenient.
>

So all right, I'll disable this for SEV-ES.
The idea to change the debug_intercept_exceptions on the fly is also a good idea,
I will implement it in the next version of the patches.

Thanks for the review,
Best regards,
	Maxim Levitsky