On Thu, Jun 15, 2023, Alexey Kardashevskiy wrote:
> @@ -2976,6 +2977,16 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) > svm_set_intercept(svm, TRAP_CR4_WRITE); > svm_set_intercept(svm, TRAP_CR8_WRITE); > > + /* > + * DR7 access must remain intercepted for an SEV-ES guest to disallow > + * the guest kernel set up a #DB on memory that's needed to vector a #DB > + * as otherwise the CPU gets stuck in an infinite #DB loop. > + */

This isn't correct. Letting the guest configure breakpoints would be weird and nonsensical, but it wouldn't lead to infinite #DBs so long as KVM intercepts #DB.

KVM intercepts DR7 when DebugSwap isn't enabled because otherwise KVM has no way of context switching DR[0-3] for the guest. At least, I assume that's the case, AFAICT the APM never actually says what happens with DR[0-3] when DebugSwap is disabled.
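
Review bot: the comment added after the TRAP_CR8_WRITE intercept in sev_es_init_vmcb() says DR7 access "must remain intercepted" without saying under which condition, and "to disallow the guest kernel set up a #DB" does not parse. Suggest rewording to "to prevent the guest kernel from setting up a #DB" and, if the intercept depends on a feature check, naming that check in the comment. The quoted hunk ends at the close of the comment, so the code it documents cannot be checked against it here.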