On Wed, Apr 27, 2022, Kai Huang wrote: > On Tue, 2022-04-26 at 16:28 -0700, Dave Hansen wrote: > > On 4/26/22 16:12, Kai Huang wrote: > > > Hi Dave, > > > > > > Thanks for review! > > > > > > On Tue, 2022-04-26 at 13:21 -0700, Dave Hansen wrote: > > > > > +config INTEL_TDX_HOST > > > > > + bool "Intel Trust Domain Extensions (TDX) host support" > > > > > + default n > > > > > + depends on CPU_SUP_INTEL > > > > > + depends on X86_64 > > > > > + help > > > > > + Intel Trust Domain Extensions (TDX) protects guest VMs from > > > > > malicious > > > > > + host and certain physical attacks. This option enables necessary > > > > > TDX > > > > > + support in host kernel to run protected VMs. > > > > > + > > > > > + If unsure, say N. > > > > > > > > Nothing about KVM? > > > > > > I'll add KVM into the context. How about below? > > > > > > "Intel Trust Domain Extensions (TDX) protects guest VMs from malicious > > > host and certain physical attacks. This option enables necessary TDX > > > support in host kernel to allow KVM to run protected VMs called Trust > > > Domains (TD)." > > > > What about a dependency? Isn't this dead code without CONFIG_KVM=y/m? > > Conceptually, KVM is one user of the TDX module, so it doesn't seem correct to > make CONFIG_INTEL_TDX_HOST depend on CONFIG_KVM. But so far KVM is the only > user of TDX, so in practice the code is dead w/o KVM. > > What's your opinion? Take a dependency on CONFIG_KVM_INTEL, there's already precedence for this specific case of a feature that can't possibly have an in-kernel user. See arch/x86/kernel/cpu/feat_ctl.c, which in the (very) unlikely event IA32_FEATURE_CONTROL is left unlocked by BIOS, will deliberately disable VMX if CONFIG_KVM_INTEL=n.
