On 12/4/23 13:00, Huang, Kai wrote:
>> tl;dr: I think even looking a #MC on the PAMT after the kvm module is
>> removed is a fool's errand.
> Sorry I wasn't clear enough. KVM actually turns off VMX when it destroys the
> last VM, so the KVM module doesn't need to be removed to turn off VMX. I used
> "KVM can be unloaded" as an example to explain the PAMT can be working when VMX
> is off.

Can't we just fix this by having KVM do an "extra" hardware_enable_all()
before initializing the TDX module? It's not wrong to say that TDX is a
KVM user. If KVM wants 'kvm_usage_count' to go back to 0, it can shut
down the TDX module. Then there's no PAMT to worry about.

The shutdown would be something like:

1. TDX module shutdown
2. Deallocate/Convert PAMT
3. vmxoff

Then, no SEAMCALL failure because of vmxoff can cause a PAMT-induced #MC
to be missed.
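
The reference-count ordering proposed in the message above, as a small user-space C model. This is an added example, not code from the thread or the kernel; the struct and function names are hypothetical stand-ins for `hardware_enable_all()`, 'kvm_usage_count' and the three shutdown steps.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not a kernel symbol. */
struct host {
    int  usage_count; /* stands in for 'kvm_usage_count' */
    bool vmx_on;      /* CPU is in VMX operation */
    bool tdx_ready;   /* TDX module initialized */
    bool pamt_live;   /* PAMT still belongs to the TDX module */
};

/* Stands in for hardware_enable_all(): the first user turns VMX on. */
void hw_enable(struct host *h) { if (h->usage_count++ == 0) h->vmx_on = true; }

/* Matching disable: the last user going away is what executes vmxoff. */
void hw_disable(struct host *h) { if (--h->usage_count == 0) h->vmx_on = false; }

/* TDX takes its own "extra" reference before the module is initialized. */
void tdx_init(struct host *h)
{
    hw_enable(h);
    h->tdx_ready = true;
    h->pamt_live = true;
}

/* Shutdown in the order listed in the message. Returns 0 on success. */
int tdx_shutdown(struct host *h)
{
    if (!h->tdx_ready || !h->vmx_on)
        return -1;          /* SEAMCALL cannot run with VMX off */
    h->tdx_ready = false;   /* 1. TDX module shutdown */
    h->pamt_live = false;   /* 2. deallocate/convert PAMT */
    hw_disable(h);          /* 3. vmxoff once the count reaches 0 */
    return 0;
}

/* The state to avoid: PAMT still live while VMX is off. */
bool pamt_exposed(const struct host *h) { return h->pamt_live && !h->vmx_on; }

int main(void)
{
    struct host h = {0};
    tdx_init(&h);
    hw_enable(&h);          /* first VM created */
    hw_disable(&h);         /* last VM destroyed: count stays at 1 */
    printf("after last VM: vmx_on=%d exposed=%d\n", h.vmx_on, pamt_exposed(&h));
    tdx_shutdown(&h);
    printf("after shutdown: vmx_on=%d pamt_live=%d\n", h.vmx_on, h.pamt_live);
    return 0;
}
```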