On Thu, Feb 15, 2024 at 07:08:06PM +0100, Paolo Bonzini wrote: > On Thu, Feb 15, 2024 at 6:55 PM Michael Roth <michael.roth@xxxxxxx> wrote: > > > The fallout was caused by old kernels not supporting debug-swap and > > > now by failing measurements. As far as I know there is no downside of > > > leaving it disabled by default, and it will fix booting old guest > > > kernels. > > > > Yah, agreed on older guest kernels, but it's the measurement side of things > > where we'd expect some additional fallout. The guidance was essentially that > > if you run a newer host kernel with debug-swap support, you need either need > > to: > > > > a) update your measurements to account for the additional VMSA feature > > b) disable debug-swap param to maintain previous behavior/measurement > > Out of curiosity, where was this documented? While debug-swap was a > pretty obvious culprit of the failed measurement, I didn't see any > mention to it anywhere (and also didn't see any mention that old > kernels would fail to boot in the KVM patches---which would have been > a pretty clear indication that something like these patches was > needed). Yes, this was reactive rather than proactive guidance unfortunately, resulting from various internal/external bug reports where we needed to suggest the above-mentioned options. In retrospect, I think we would've handled things differently as well. Which is why I'm hoping it's possible to ease the pain of another potential measurement change for those who've since incorporated debug-swap into their measurement workflow. But maybe it's not realistic... > > > So those who'd taken approach a) would see another unexpected measurement > > change when they eventually update to a newer kernel. > > But they'd see it anyway if userspace starts disabling it by default. My thinking was that this wording would be specific to KVM_SEV_INIT, as opposed to KVM_SEV_INIT2 where disabling all features by default should absolutely be the way to go. But realistically, it's not easy for a user to tell whether their VMM is using KVM_SEV_INIT vs KVM_SEV_INIT2, and it does seem possible that having the defaults be different between the 2 would also cause some pain down the road since even in looking at the documentation it wouldn't be immediately clear whether or not debug-swap would be enabled. So maybe your approach of always disabling by default and requiring userspace to opt-in would be better in the long-run since this behavior is fairly new from a distro perspective and it's likely only developers/early adopters that we'd be sticking the genie back in the bottle for. -Mike > In general, enabling _anything_ by default is a mistake in either KVM > or userspace if you care about guest ABI (which you obviously do in > the case of confidential computing). > > Paolo >
