On 4/28/22 19:58, Dan Williams wrote:
> That only seems possible if the kernel is given a TDX capable physical
> address map at the beginning of time.

TDX actually brings along its own memory map.  The "EAS"[1] has a lot
of info on it, if you know where to find it.  Here's the relevant chunk:

CMR - Convertible Memory Range -
	A range of physical memory configured by BIOS and verified by
	MCHECK. MCHECK verification is intended to help ensure that a
	CMR may be used to hold TDX memory pages encrypted with a
	private HKID.

So, the BIOS has the platform knowledge to enumerate this range.  It
stashes the information off somewhere that the TDX module can find it.
Then, during OS boot, the OS makes a SEAMCALL (TDH.SYS.CONFIG) to the
TDX module and gets the list of CMRs.

The OS then has to reconcile this CMR "memory map" against the regular
old BIOS-provided memory map, tossing out any memory regions which are
RAM, but not covered by a CMR, or disabling TDX entirely.

Fun, eh?

I'm still grappling with how this series handles the policy of what
memory to throw away when.

1. https://www.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-module-1eas.pdf
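
The reconciliation step described in the message above, as an added user-space example (not code from the message or from the patch series under discussion): it intersects a BIOS-style RAM map with a CMR list and reports how much RAM falls outside every CMR, leaving the drop-or-disable decision to the caller. `struct range`, `reconcile_cmrs` and the sample addresses are hypothetical; both lists are assumed sorted by start and non-overlapping, and the CMR list is assumed to have already been read from the TDX module.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Half-open physical address range [start, end); hypothetical type. */
struct range { uint64_t start, end; };

/* Constructed sample maps, each sorted by start and non-overlapping. */
static const struct range sample_ram[] = {
    { 0x0, 0xA0000 }, { 0x100000, 0x80000000 }, { 0x100000000, 0x180000000 } };
static const struct range sample_cmr[] = {
    { 0x100000, 0x7F000000 }, { 0x100000000, 0x180000000 } };

/* Keep only the parts of each RAM region that a CMR covers: writes them to
 * out[], stores the uncovered RAM byte count in *dropped, and returns the
 * number of ranges written, or -1 if out[] is too small. */
int reconcile_cmrs(const struct range *ram, size_t nram,
                   const struct range *cmr, size_t ncmr,
                   struct range *out, size_t max, uint64_t *dropped)
{
    size_t i = 0, j = 0, n = 0;
    uint64_t total = 0, kept = 0;
    for (size_t k = 0; k < nram; k++)
        total += ram[k].end - ram[k].start;
    while (i < nram && j < ncmr) {
        uint64_t lo = ram[i].start > cmr[j].start ? ram[i].start : cmr[j].start;
        uint64_t hi = ram[i].end < cmr[j].end ? ram[i].end : cmr[j].end;
        if (lo < hi) {                 /* overlap: RAM that a CMR covers */
            if (n == max)
                return -1;
            out[n++] = (struct range){ lo, hi };
            kept += hi - lo;
        }
        if (ram[i].end < cmr[j].end)   /* advance whichever range ends first */
            i++;
        else
            j++;
    }
    *dropped = total - kept;
    return (int)n;
}

int main(void)
{
    struct range out[8];
    uint64_t dropped = 0;
    int n = reconcile_cmrs(sample_ram, 3, sample_cmr, 2, out, 8, &dropped);
    printf("%d CMR-covered ranges, %#llx RAM bytes outside any CMR\n",
           n, (unsigned long long)dropped);
    return n < 0;
}
```

In the constructed sample, the low 640 KiB region and the last 16 MiB below 2 GiB are RAM with no CMR coverage, so they are the bytes counted in `dropped`.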