Hi,

> > I guess it could be helpful for the discussion when you can outline the
> > 'big picture' for tdx initialization. What does kvm accel setup look
> > like without TDX, and what additional actions are needed for TDX? What
> > ordering requirements and other constraints exist?
>
> To boot a TDX VM, several changes/additional steps are required in the flow:
>
> 1. specify the vm type KVM_X86_TDX_VM when creating the VM with
>    IOCTL(KVM_CREATE_VM);
>    - done when initializing the KVM accel
>
> 2. initialize VM-scope configuration before creating any VCPU;
>
> 3. initialize VCPU-scope configuration;
>    - done inside machine_init_done_notifier;
>
> 4. initialize virtual firmware in guest private memory before the vcpus run;
>    - done inside machine_init_done_notifier;
>
> 5. finalize the TD's measurement;
>    - done inside machine_init_done_notifier;
>
> And we are discussing where to do step 2).
>
> We can see from the code of tdx_pre_create_vcpu() that it needs
> cpuid entries[] and attributes as input to KVM.
>
> cpuid entries[] is set up by kvm_x86_arch_cpuid(), mainly based on
> 'CPUX86State *env'.
>
> attributes.pks is retrieved from env->features[]
> and attributes.pmu is retrieved from x86cpu->enable_pmu.
>
> To keep the VM-scope data consistent with the VCPU data, we chose a point
> late enough to ensure all the info/configuration from the VCPU has settled
> down, i.e. just before calling the KVM API to do the VCPU-scope configuration.

So essentially tdx defines (some) vcpu properties at vm scope?
Given that all vcpus are typically identical (and maybe tdx even enforces
this) this makes sense. A comment in the source code explaining this would
be good.

thanks,
  Gerd