On Sun, 2022-08-07 at 15:01 -0700, isaku.yamahata@xxxxxxxxx wrote: > From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > > For TD guest, the current way to emulate MMIO doesn't work any more, as KVM > is not able to access the private memory of TD guest and do the emulation. > Instead, TD guest expects to receive #VE when it accesses the MMIO and then > it can explicitly makes hypercall to KVM to get the expected information. > > To achieve this, the TDX module always enables "EPT-violation #VE" in the > VMCS control. And accordingly, KVM needs to configure the MMIO spte to > trigger EPT violation (instead of misconfiguration) and at the same time, > also clear the "suppress #VE" bit so the TD guest can get the #VE instead > of causing actual EPT violation to KVM. > > In order for KVM to be able to have chance to set up the correct SPTE for > MMIO for TD guest, the default non-present SPTE must have the "suppress > guest accesses the MMIO. > > Also, when TD guest accesses the actual shared memory, it should continue > to trigger EPT violation to the KVM instead of receiving the #VE (the TDX > module guarantees KVM will receive EPT violation for private memory > access). This means for the shared memory, the SPTE also must have the > "suppress #VE" bit set for the non-present SPTE. > > Add support to allow a non-zero value for the non-present SPTE (i.e. when > the page table is firstly allocated, and when the SPTE is zapped) to allow > setting "suppress #VE" bit for the non-present SPTE. > > Introduce a new macro SHADOW_NONPRESENT_VALUE to be the "suppress #VE" bit. > Unconditionally set the "suppress #VE" bit (which is bit 63) for both AMD > and Intel as: 1) AMD hardware doesn't use this bit; 2) for normal VMX > guest, KVM never enables the "EPT-violation #VE" in VMCS control and > "suppress #VE" bit is ignored by hardware. > Sorry I made a mistake on why always setting bit 63 on AMD is OK. It turns out the bit 63 on AMD is NX bit, so "AMD hardware doesn't use this bit" is absolutely wrong. More information please see: https://lore.kernel.org/lkml/Yl8TlMTQGq5R69E6@xxxxxxxxxx/ -- Thanks, -Kai