Follow up on this:

1. The plan is to just always inject the #VEs for private and shared GPAs that exceed GPAW (i.e. not pass the subset of EPT violations that could be handled by the VMM by clearing suppress #VE).

2. There was some concern that exposing non-zero bits in [23:16] could confuse existing TDs. Of course KVM doesn't support any TDs today, but if this feature comes after initial KVM support for TDX and KVM wants to set it by default, then it could be an issue. For normal VMs, is there any concern that guests might not be masking the bits correctly?

TDX module folks were pushing for a guest opt-in out of concern some breakages could result. Of course it requires additional enabling in the guest OS and vBIOS then. I was thinking it should be a host opt-in without guest control. If there was a problem it could be a host userspace opt-in. Any concerns there?

Thanks,

Rick