On Thu, 2024-09-12 at 16:09 +0200, Paolo Bonzini wrote:
> > The problem is, the TDX module and the hardware allow these bits to be
> > configured for a TD guest, but KVM doesn't allow it. It leads to users
> > not being able to create a TD with these bits on.
>
> KVM is not going to have any checks; it's only going to pass the
> CPUID to the TDX module and return an error if the check fails
> in the TDX module.

Ok.

> KVM can have a TDX-specific version of KVM_GET_SUPPORTED_CPUID, so
> that we can keep a variant of the "get supported bits and pass them
> to KVM_SET_CPUID2" logic, but that's it.

Can you clarify what you mean here when you say a TDX-specific version of
KVM_GET_SUPPORTED_CPUID? We have two things kind of like that implemented
in this series:

1. KVM_TDX_GET_CPUID, which returns the CPUID bits actually set in the TD
2. KVM_TDX_CAPABILITIES, which returns the CPUID bits that the TDX module
   allows full control over (i.e. what we have been calling directly
   configurable CPUID bits)

KVM_TDX_GET_CPUID->KVM_SET_CPUID2 kind of works like
KVM_GET_SUPPORTED_CPUID->KVM_SET_CPUID2, so I think that is what you mean,
but I just want to confirm.

We can't get the needed information (fixed bits, etc.) to create a TDX
KVM_GET_SUPPORTED_CPUID today from the TDX module, so we would have to
encode it into KVM. This was NAKed by Sean at some point. We have started
looking into exposing the needed info in the TDX module, but it is just
starting.