Re: [RFC PATCH v4 11/36] i386/tdx: Initialize TDX before creating TD vcpus

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/1/2022 3:54 PM, Gerd Hoffmann wrote:
On Wed, Jun 01, 2022 at 03:20:46PM +0800, Xiaoyao Li wrote:
On 5/24/2022 2:57 PM, Gerd Hoffmann wrote:
    Hi,
Maybe it's a bit more work to add VM-scope initialization support to
qemu.

If just introducing VM-scope initialization to QEMU, it would be easy. What
matters is what needs to be done inside VM-scope initialization.

For TDX, we need to settle down the features that configured for the TD.
Typically, the features are attributes of cpu object, parsed from "-cpu"
option and stored in cpu object.

2) create a CPU object when initializing machine object and collect all the
info from "-cpu" and drop it in the end; then why not do it when creating
1st vcpu like this patch.

Do VM-scope tdx initialization late enough that cpu objects are already
created at that point, so you can collect the info you need without a
dummy cpu?

new CPU object is created during creating each vcpu. So we have to use mutex and flag to ensure VM-scope initialization is executed only once.

And it's werid to hook VM-scope initialization in the middle of the vcpu creating phase to satisfy "late enough", so we choose to do it just before calling KVM API to initializing vcpu.

I guess it could be helpful for the discussion when you can outine the
'big picture' for tdx initialization.  How does kvm accel setup look
like without TDX, and what additional actions are needed for TDX?  What
ordering requirements and other constrains exist?

To boot a TDX VM, it requires several changes/additional steps in the flow:

 1. specify the vm type KVM_X86_TDX_VM when creating VM with
    IOCTL(KVM_CREATE_VM);
	- When initializing KVM accel

 2. initialize VM scope configuration before creating any VCPU;

 3. initialize VCPU scope configuration;
	- done inside machine_init_done_notifier;

4. initialize virtual firmware in guest private memory before vcpu running;
	- done inside machine_init_done_notifier;

 5. finalize the TD's measurement;
	- done inside machine init_done_notifier;


And we are discussing where to do step 2).

We can find from the code of tdx_pre_create_vcpu(), that it needs
cpuid entries[] and attributes as input to KVM.

  cpuid entries[] is set up by kvm_x86_arch_cpuid() mainly based on
  'CPUX86State *env'

  attributes.pks is retrieved from env->features[]
  and attributes.pmu is retrieved from x86cpu->enable_pmu

to make VM-socpe data is consistent with VCPU data, we do choose the point late enough to ensure all the info/configurations from VCPU are settle down, that just before calling KVM API to do VCPU-scope configuration.

take care,
   Gerd





[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux