On 10/9/2024 9:38 PM, Dave Hansen wrote:
> On 10/9/24 02:28, Nikunj A Dadhania wrote:
>> Secure TSC allows guests to securely use RDTSC/RDTSCP instructions as the
>> parameters being used cannot be changed by hypervisor once the guest is
>> launched. More details in the AMD64 APM Vol 2, Section "Secure TSC".
>>
>> In order to enable secure TSC, SEV-SNP guests need to send a TSC_INFO guest
>> message before the APs are booted.
>
> Superficially, this seems kinda silly. If you ask someone, do you want
> more security or less, they usually say "more".

All SNP features are opt-in by default. The option is left to the VMM. It is similar to having a legacy vs secure VM, the option is left to the user.

> Why do guests need to turn this on instead of just always having a
> secure TSC? There must be _some_ compromise, either backward
> compatibility or performance or...

Secure TSC has been there since the introduction of Milan when SEV-SNP was introduced. It wasn't enabled in the kernel yet.

Regards
Nikunj