On Thu, Feb 15, 2024 at 06:28:18PM +0100, Paolo Bonzini wrote: > On Thu, Feb 15, 2024 at 3:44 PM Michael Roth <michael.roth@xxxxxxx> wrote: > > What I mean is that if userspace is modified for these checks, it's > > reasonable to also inform them that only VMSA features present in > > those older kernels (i.e. debug-swap) will be available via KVM_SEV_INIT, > > and for anything else they will need to use KVM_SEV_INIT. > > > > That way we can provide clear documentation on what to expect regarding > > VMSA features for KVM_SEV_INIT and not have to have the "undefined" > > wording: it'll never use anything other than debug-swap depending on the > > module param setting. > > Ah, I agree. > > > That seems reasonable, but the main thing I was hoping to avoid was > > another round of VMSA features changing out from underneath the covers > > again. The module param setting is something we've needed to convey > > internally/externally a good bit due to the fallout and making this > > change would lead to another repeat. Not the end of the world but would > > be nice to avoid if possible. > > The fallout was caused by old kernels not supporting debug-swap and > now by failing measurements. As far as I know there is no downside of > leaving it disabled by default, and it will fix booting old guest > kernels. Yah, agreed on older guest kernels, but it's the measurement side of things where we'd expect some additional fallout. The guidance was essentially that if you run a newer host kernel with debug-swap support, you need either need to: a) update your measurements to account for the additional VMSA feature b) disable debug-swap param to maintain previous behavior/measurement So those who'd taken approach a) would see another unexpected measurement change when they eventually update to a newer kernel. -Mike > > Paolo >
