On Tue, Apr 20, 2021, Paolo Bonzini wrote:
> On 20/04/21 22:16, Sean Christopherson wrote:
> > On Tue, Apr 20, 2021, Sean Christopherson wrote:
> > > On Tue, Apr 20, 2021, Paolo Bonzini wrote:
> > > > In this particular case, if userspace sets the bit in CPUID2 but doesn't
> > > > handle KVM_EXIT_HYPERCALL, the guest will probably trigger some kind of
> > > > assertion failure as soon as it invokes the HC_PAGE_ENC_STATUS hypercall.
> >
> > Oh! Almost forgot my hail mary idea. Instead of a new capability, can we
> > reject the hypercall if userspace has _not_ set KVM_CAP_ENFORCE_PV_FEATURE_CPUID?
> >
> > 	if (vcpu->arch.pv_cpuid.enforce &&
> > 	    !guest_pv_has(vcpu, KVM_FEATURE_HC_PAGE_ENC_STATUS))
> > 		break;
>
> Couldn't userspace enable that capability and _still_ copy the supported
> CPUID blindly to the guest CPUID, without supporting the hypercall?

Yes. I was going to argue that we get to define the behavior, but that's not
true because it would break existing VMMs that blindly copy.

Capability it is...