From: Borislav Petkov <bp@xxxxxxxxx>
Sent: Monday, November 21, 2022 5:51 AM
>
> On Wed, Nov 16, 2022 at 10:41:25AM -0800, Michael Kelley wrote:
> > Current code always maps the IOAPIC as shared (decrypted) in a
> > confidential VM. But Hyper-V guest VMs on AMD SEV-SNP with vTOM
> > enabled use a paravisor running in VMPL0 to emulate the IOAPIC.
>
> "IO-APIC" I guess, in all your text.
>
> > In such a case, the IOAPIC must be accessed as private (encrypted).
>
> So the condition for the IO-APIC is pretty specific but the naming
> CC_ATTR_EMULATED_IOAPIC is too generic. Other HVs emulate IO-APICs too,
> right?
>
> If you have to be precise, the proper check should be (pseudo code):
>
> if (cc_vendor(HYPERV) &&
>     SNP enabled &&
>     SNP features has vTOM &&
>     paravisor in use)
>
> so I guess you're probably better off calling it
>
> CC_ATTR_ACCESS_IOAPIC_ENCRYPTED
>
> which then gets set on exactly those guests and nothing else.
>
> I'd say.
>

I'm OK with naming it very narrowly. When/if there's a more general case later, we can generalize to whatever degree is appropriate.

Michael