Sean Christopherson wrote:
> On Fri, Jun 30, 2023, Isaku Yamahata wrote:
> > On Fri, Jun 30, 2023 at 08:30:20PM +0200,
> > Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
[..]
> On the flip side, limited hardware availability (unless Intel has changed its
> tune) and the amount of enabling that's required in BIOS and whatnot makes it
> highly unlikely that random Linux users are going to unknowingly boot with TDX
> enabled.
>
> That said, if this is a sticking point, let's just make enable_tdx off by default,
> i.e. force userspace to opt-in. Deployments that *know* they may want to schedule
> TDX VMs on the host can simply force the module param. And for everyone else,
> since KVM is typically configured as a module by distros, KVM can be unloaded and
> reloaded if the user realizes they want TDX well after the system is up and running.

Another potential option that also avoids the concern that module parameters are
unwieldy [1] is to have kvm_intel have a soft-dependency on something like a
kvm_intel_tdx module. That affords both a BIOS *and* userspace policy opt-out
where kvm_intel.ko can check that kvm_intel_tdx.ko is present at init time, or
proceed with tdx disabled.

[1]: http://lore.kernel.org/r/Y7z99mf1M5edxV4A@xxxxxxxxx
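The two opt-in mechanisms discussed in the thread (a kvm_intel module parameter vs. a soft-dependency on a helper module) both end up being expressed from userspace through modprobe configuration. The script below is an added illustration, not code from the thread or from KVM: it writes the modprobe.d fragment an administrator would use for either policy and then evaluates the effective state from a sysfs-style tree. The module name kvm_intel_tdx and the parameter name enable_tdx are the hypothetical names used in the discussion, not necessarily what shipped; the softdep, options and install directives are standard modprobe.d syntax. The sysfs tree it inspects is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. kvm_intel_tdx and enable_tdx are the
# hypothetical names from the discussion; softdep/options/install are
# standard modprobe.d directives.
set -eu

# Write a modprobe.d fragment expressing the policy. "enable" loads the helper
# module ahead of kvm_intel and turns the parameter on; "disable" makes any
# attempt to load the helper fail, so kvm_intel initialises with TDX off.
write_tdx_policy() {
    dir=$1
    mode=$2
    f="$dir/kvm-tdx.conf"
    case $mode in
        enable)
            printf 'softdep kvm_intel pre: kvm_intel_tdx\n' > "$f"
            printf 'options kvm_intel enable_tdx=1\n' >> "$f"
            ;;
        disable)
            printf 'install kvm_intel_tdx /bin/false\n' > "$f"
            ;;
        *)
            echo "usage: write_tdx_policy DIR enable|disable" >&2
            return 2
            ;;
    esac
    printf '%s\n' "$f"
}

# Evaluate the effective state from a sysfs-style tree (/sys on a real host, or
# the constructed tree below). TDX counts as enabled only when kvm_intel is
# loaded, the helper module is present, and the parameter reads Y or 1.
tdx_state() {
    root=$1
    if [ ! -d "$root/module/kvm_intel" ]; then
        printf 'kvm_intel-not-loaded\n'
    elif [ ! -d "$root/module/kvm_intel_tdx" ]; then
        printf 'tdx-module-absent\n'
    elif [ -f "$root/module/kvm_intel/parameters/enable_tdx" ] \
         && grep -qx '[Y1]' "$root/module/kvm_intel/parameters/enable_tdx"; then
        printf 'tdx-enabled\n'
    else
        printf 'tdx-opted-out\n'
    fi
}

# Build a constructed sysfs-like tree for offline demonstration.
# $2: whether kvm_intel_tdx is "loaded" (yes/no); $3: enable_tdx value (Y/N).
make_fake_sysfs() {
    root=$1
    mkdir -p "$root/module/kvm_intel/parameters"
    printf '%s\n' "$3" > "$root/module/kvm_intel/parameters/enable_tdx"
    [ "$2" = yes ] && mkdir -p "$root/module/kvm_intel_tdx"
    return 0
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/modprobe.d"
    write_tdx_policy "$tmp/modprobe.d" enable
    cat "$tmp/modprobe.d/kvm-tdx.conf"
    make_fake_sysfs "$tmp/sys-a" yes Y
    make_fake_sysfs "$tmp/sys-b" no Y
    tdx_state "$tmp/sys-a"   # tdx-enabled
    tdx_state "$tmp/sys-b"   # tdx-module-absent
    rm -rf "$tmp"
}

demo
```

The opt-out uses an install line rather than blacklist because blacklist only suppresses loading through aliases, whereas a soft-dependency is resolved by module name and would still be honoured; install replaces the load command outright, which is the userspace-side equivalent of the helper module simply not being present at kvm_intel's init time.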