On 6/1/2022 3:54 PM, Gerd Hoffmann wrote:
On Wed, Jun 01, 2022 at 03:20:46PM +0800, Xiaoyao Li wrote:
On 5/24/2022 2:57 PM, Gerd Hoffmann wrote:
Hi,
Maybe it's a bit more work to add VM-scope initialization support to
qemu.
If just introducing VM-scope initialization to QEMU, it would be easy. What
matters is what needs to be done inside VM-scope initialization.
For TDX, we need to settle down the features that are configured for the TD.
Typically, the features are attributes of cpu object, parsed from "-cpu"
option and stored in cpu object.
2) create a CPU object when initializing machine object and collect all the
info from "-cpu" and drop it in the end; then why not do it when creating
1st vcpu like this patch.
Do VM-scope tdx initialization late enough that cpu objects are already
created at that point, so you can collect the info you need without a
dummy cpu?
A new CPU object is created when creating each vcpu. So we have to use
a mutex and a flag to ensure VM-scope initialization is executed only once.
And it's weird to hook VM-scope initialization in the middle of the
vcpu creating phase to satisfy "late enough", so we choose to do it just
before calling the KVM API to initialize the vcpu.
I guess it could be helpful for the discussion when you can outline the
'big picture' for tdx initialization. How does kvm accel setup look
like without TDX, and what additional actions are needed for TDX? What
ordering requirements and other constraints exist?
To boot a TDX VM, it requires several changes/additional steps in the flow:
1. specify the vm type KVM_X86_TDX_VM when creating VM with
IOCTL(KVM_CREATE_VM);
- When initializing KVM accel
2. initialize VM scope configuration before creating any VCPU;
3. initialize VCPU scope configuration;
- done inside machine_init_done_notifier;
4. initialize virtual firmware in guest private memory before vcpu
running;
- done inside machine_init_done_notifier;
5. finalize the TD's measurement;
- done inside machine_init_done_notifier;
And we are discussing where to do step 2).
We can find from the code of tdx_pre_create_vcpu(), that it needs
cpuid entries[] and attributes as input to KVM.
cpuid entries[] is set up by kvm_x86_arch_cpuid() mainly based on
'CPUX86State *env'
attributes.pks is retrieved from env->features[]
and attributes.pmu is retrieved from x86cpu->enable_pmu
To make the VM-scope data consistent with the VCPU data, we choose a
point late enough to ensure all the info/configurations from the VCPU are
settled, that is, just before calling the KVM API to do VCPU-scope
configuration.
take care,
Gerd
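
The ordering discussed in this thread (VM-scope configuration taken from the first vCPU, run exactly once under a mutex and a flag, just before each vCPU's own setup), as an added sketch that is not code from the patch or from QEMU. All names (`vcpu_cfg`, `td_pre_create_vcpu`, `td_vm_init_calls`) and the sample values are hypothetical, and the mismatch check for later vCPUs is an addition beyond what the thread describes.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-vCPU configuration, standing in for the values the
 * thread says live in the cpu object ("-cpu" features, enable_pmu). */
struct vcpu_cfg {
    uint32_t cpuid[4];   /* constructed stand-in for cpuid entries[] */
    bool pks;            /* attributes.pks */
    bool pmu;            /* attributes.pmu */
};

/* Hypothetical VM-scope state: written once, read-only afterwards. */
static struct {
    pthread_mutex_t lock;
    bool initialized;
    struct vcpu_cfg cfg;
    int init_calls;      /* how many times the VM-scope step really ran */
} td_vm = { .lock = PTHREAD_MUTEX_INITIALIZER };

/* Called for every vCPU just before its vCPU-scope setup.
 * Returns 0 on success, -1 if this vCPU disagrees with the VM-scope data. */
int td_pre_create_vcpu(const struct vcpu_cfg *cfg)
{
    int ret = 0;

    pthread_mutex_lock(&td_vm.lock);
    if (!td_vm.initialized) {
        /* First vCPU: the point where the VM-scope configuration
         * would be handed to the hypervisor, exactly once. */
        td_vm.cfg = *cfg;
        td_vm.init_calls++;
        td_vm.initialized = true;
    } else if (memcmp(td_vm.cfg.cpuid, cfg->cpuid, sizeof(cfg->cpuid)) != 0 ||
               td_vm.cfg.pks != cfg->pks || td_vm.cfg.pmu != cfg->pmu) {
        /* Later vCPU whose settings differ from what the VM was built with. */
        ret = -1;
    }
    pthread_mutex_unlock(&td_vm.lock);
    return ret;
}

/* Accessor so callers can confirm the VM-scope step ran only once. */
int td_vm_init_calls(void)
{
    return td_vm.init_calls;
}
```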