On Thu, Feb 15, 2024 at 6:55 PM Michael Roth <michael.roth@xxxxxxx> wrote:
> > The fallout was caused by old kernels not supporting debug-swap and
> > now by failing measurements. As far as I know there is no downside of
> > leaving it disabled by default, and it will fix booting old guest
> > kernels.
>
> Yah, agreed on older guest kernels, but it's the measurement side of things
> where we'd expect some additional fallout. The guidance was essentially that
> if you run a newer host kernel with debug-swap support, you either need to:
>
> a) update your measurements to account for the additional VMSA feature
> b) disable the debug-swap param to maintain previous behavior/measurement

Out of curiosity, where was this documented? While debug-swap was a pretty
obvious culprit of the failed measurement, I didn't see any mention of it
anywhere (and also didn't see any mention that old kernels would fail to boot
in the KVM patches---which would have been a pretty clear indication that
something like these patches was needed).

> So those who'd taken approach a) would see another unexpected measurement
> change when they eventually update to a newer kernel.

But they'd see it anyway if userspace starts disabling it by default.

In general, enabling _anything_ by default is a mistake in either KVM or
userspace if you care about guest ABI (which you obviously do in the case of
confidential computing).

Paolo