On Tue May 7, 2024 at 4:16 PM UTC, Sean Christopherson wrote: > > If yes, that would indeed require a *lot* of work for something we're not > > sure will be accepted later on. > > Yes and no. The AWS folks are pursuing VSM support in KVM+QEMU, and SVSM support > is trending toward the paired VM+vCPU model. IMO, it's entirely feasible to > design KVM support such that much of the development load can be shared between > the projects. And having 2+ use cases for a feature (set) makes it _much_ more > likely that the feature(s) will be accepted. Since Sean mentioned our VSM efforts, a small update. We were able to validate the concept of one KVM VM per VTL as discussed in LPC. Right now only for single CPU guests, but are in the late stages of bringing up MP support. The resulting KVM code is small, and most will be uncontroversial (I hope). If other obligations allow it, we plan on having something suitable for review in the coming months. Our implementation aims to implement all the VSM spec necessary to run with Microsoft Credential Guard. But note that some aspects necessary for HVCI are not covered, especially the ones that depend on MBEC support, or some categories of secure intercepts. Development happens https://github.com/vianpl/{linux,qemu,kvm-unit-tests} and the vsm-next branch, but I'd advice against looking into it until we add some order to the rework. Regardless, feel free to get in touch. Nicolas
