On Thu, 2024-07-18 at 08:28 -0700, Isaku Yamahata wrote: > Although it's a bit late, it's for record. > > It's to optimize the destruction Secure-EPT. Free HKID early and destruct > Secure-EPT by TDH.PHYMEM.PAGE.RECLAIM(). QEMU doesn't close any KVM file > descriptors on exit. (gmem fd references KVM VM fd. so vm destruction happens > after all gmem fds are closed. Closing gmem fd causes secure-EPT zapping > befure > releasing HKID.) > > Because we're ignoring such optimization for now, we can simply defer > releasing > HKID following Seans's call. Thanks for the background. > > > > But static_call_cond(kvm_x86_vm_destroy) happens before kvm_destroy_vcpus, > > so we > > could maybe actually just do the tdx_mmu_release_hkid() part there. Then > > drop > > the flush_shadow_all_private x86 op. See the (not thoroughly checked) diff > > at > > the bottom of this mail. > > Yep, we can release HKID at vm destruction with potential too slow zapping of > Secure-EPT. The following change basically looks good to me. > (The callback for Secure-EPT can be simplified.)
