Wang, Shane wrote: > Jan Kiszka wrote: >> If TXT is on and VT is locked but KVM sees tboot_enabled == 0, it >> won't check for FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX during setup >> and may consider VT unavailable. > > If vt is locked, txt is on, tboot_enabled = 0, then it will check VMXON_OUTSIDE_SMX. > But at this point, if vt is on (still locked), the fn will return 0, which means vmx is not disabled by bios, correct? > > >> Moreover, if VT is not locked in that case, KVM will also not set >> FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX during hardware_enable, >> likely leaving VT off then, no? > > Sure, KVM will not set VMXON_INSIDE_SMX, but will set VMXON_OUTSIDE_SMX. > In that case, this means vt is on. > >> So my question is: Would it cause any harm to assume TXT being always >> on, even if it wasn't? > > A bit confused. > Do you mean hardware TXT always on, i.e. set FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX = 1 always? > That's fine. No problem. No harm. > Or, do you mean set tboot_enabled = 1 always? The latter. As we have no clue about the actual state (tboot is not exported on older kernels), we are forced to assume some reasonable state. > if so, in case that the hardware TXT is disabled > (FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX = 0), then KVM will think vmx is disabled if feature msr is locked. Then let's leave it as it was before the tboot changes to VMX: assume !tboot_enabled(). Thanks for explaining, Jan -- Siemens AG, Corporate Technology, CT T DE IT 1 Corporate Competence Center Embedded Linux -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
