>+static void tdx_restore_host_xsave_state(struct kvm_vcpu *vcpu)
>+{
>+ struct kvm_tdx *kvm_tdx = to_kvm_tdx(vcpu->kvm);
>+
>+ if (static_cpu_has(X86_FEATURE_XSAVE) &&
>+ kvm_host.xcr0 != (kvm_tdx->xfam & kvm_caps.supported_xcr0))
>+ xsetbv(XCR_XFEATURE_ENABLED_MASK, kvm_host.xcr0);
>+ if (static_cpu_has(X86_FEATURE_XSAVES) &&
>+ /* PT can be exposed to TD guest regardless of KVM's XSS support */
>+ kvm_host.xss != (kvm_tdx->xfam &
>+ (kvm_caps.supported_xss | XFEATURE_MASK_PT |
>+ XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_KERNEL)))
Should we drop CET/PT from this series? I think they are worth a new
patch/series.
>+ wrmsrl(MSR_IA32_XSS, kvm_host.xss);
>+ if (static_cpu_has(X86_FEATURE_PKU) &&
How about using cpu_feature_enabled()? It is used in kvm_load_host_xsave_state()
It handles the case where CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS is not
enabled.
>+ (kvm_tdx->xfam & XFEATURE_MASK_PKRU))
>+ write_pkru(vcpu->arch.host_pkru);
If host_pkru happens to match the hardware value after TD-exits, the write can
be omitted, similar to what is done above for xss and xcr0.
>+}
