So you don't need any guest_memfd games to protect from that -- and one
doesn't have to travel back in time to have memory that isn't
swappable/migratable and only comes in one page size.
[I'm not up-to-date which obscure corner-cases CCA requirement the s390x
implementation cannot fulfill -- like replacing pages in page tables and
such; I suspect pKVM also cannot cover all these corner-cases]
Thanks for this. I'll do some more reading on how things work with s390x.
Right, and of course, one key difference of course is that pKVM
doesn't encrypt anything, and only relies on stage-2 protection to
protect the guest.
I don't remember what exactly s390x does, but I recall that it might
only encrypt the memory content as it transitions a page from secure to
non-secure.
Something like that could also be implemented using pKVM (unless I am
missing something), but it might not be that trivial, of course :)
--
Cheers,
David / dhildenb