On Mon, Feb 21, 2022 at 01:52:58PM +0000, Wei Liu wrote: > Hi Boris and Kirill, I only see VBS mentioned here so I don't have much > context, but VBS likely means virtualization-based security. There is a > public document for it. > > https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs > > Whether it needs a new isolation type or not, I am not sure. Perhaps > Tianyu can provide more context. Right, this came in with c789b90a6904 ("x86/hyper-v: Add hyperv Isolation VM check in the cc_platform_has()") which says Hyper-V provides Isolation VM for confidential computing support and guest memory is encrypted in it. Places checking cc_platform_has() with GUEST_MEM_ENCRYPT attr should return "True" in Isolation VM. I'm guessing this was done because you "need to adjust the SWIOTLB size just like SEV guests." So my question is, does this VBS thing do guest memory encryption or does it only use hw virt features? Because you guys have HV_ISOLATION_TYPE_SNP already. And so, the check hv_get_isolation_type() != HV_ISOLATION_TYPE_NONE; includes VBS because VBS is only interested in the SWIOTLB buffer size adjustment and not the rest of the cc_* stuff. Or? But let's see what Tianyu says. Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette
