Re: AMD SEV-SNP/Intel TDX: validation of memory pages

On Fri, Feb 12, 2021 at 04:28:13PM +0100, Joerg Roedel wrote:
> On Fri, Feb 12, 2021 at 04:19:22PM +0100, Peter Zijlstra wrote:
> > That's the thing, we don't want #VE to happen in noinstr code *ever*.
> > 
> > noinstr covers the whole entry code, things like the syscall gap and nmi
> > recursion setup. Getting a #VE there is fail.
> 
> I don't know the details about TDX and #VE, but could a malicious HV not
> trigger a #VE basically everywhere by mapping around pages? So 'fail'
> means panic() in this case, right?

Right.

> > So most per-cpu data can be on-demand, but some of it must absolutely
> > not be.
> 
> The kernel can validate those itself in the early setup code, the
> decompressor shouldn't care about those details.

Oh sure, I was just pointing out it needs to be done before normal
operation.
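To make the policy in the exchange above concrete, here is an added illustrative sketch (not kernel code, not from either author) of how a #VE dispatcher would refuse to service an exception raised from noinstr text, and would likewise treat a fault on a page that early setup already validated as fatal rather than as an on-demand acceptance. The section bounds, exit-reason numbers, pinned-page table and struct layout are all constructed for the example.

```c
/* Added example: a #VE dispatch policy sketch, not Linux or TDX code.
 * Everything below (bounds, reason codes, pinned table) is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical noinstr text range; in a real kernel these come from the
 * linker script symbols, here they are constructed values. */
#define NOINSTR_TEXT_START 0xffffffff81000000ULL
#define NOINSTR_TEXT_END   0xffffffff81010000ULL
#define PAGE_MASK          (~0xfffULL)

/* Constructed exit reasons; not the real TDX #VE encodings. */
enum ve_reason { VE_EPT_VIOLATION = 1, VE_OTHER = 2 };

/* What the handler decides to do with a given #VE. */
enum ve_action { VE_PANIC = 0, VE_VALIDATE_PAGE = 1, VE_UNHANDLED = 2 };

struct ve_info {
    uint64_t rip;          /* instruction that raised the #VE */
    uint64_t gpa;          /* faulting guest physical address (EPT case) */
    enum ve_reason reason;
};

/* A #VE inside the entry/NMI-recursion code cannot be serviced safely. */
static bool in_noinstr_text(uint64_t rip)
{
    return rip >= NOINSTR_TEXT_START && rip < NOINSTR_TEXT_END;
}

/* Pages that early setup validated up front (per-cpu data, entry stacks).
 * A #VE on one of these means the host pulled the mapping away; that is
 * not an on-demand validation case and must be fatal too. Constructed. */
#define NR_PINNED 2
static const uint64_t pinned_gpa[NR_PINNED] = { 0x1000000ULL, 0x1001000ULL };

static bool is_pinned_gpa(uint64_t gpa)
{
    for (int i = 0; i < NR_PINNED; i++)
        if (pinned_gpa[i] == (gpa & PAGE_MASK))
            return true;
    return false;
}

/* Decide how to handle one #VE. Order matters: the noinstr check comes
 * first, because no other handling is trustworthy from that context. */
enum ve_action dispatch_ve(const struct ve_info *ve)
{
    if (in_noinstr_text(ve->rip))
        return VE_PANIC;                 /* "fail" == panic() */

    if (ve->reason == VE_EPT_VIOLATION) {
        if (is_pinned_gpa(ve->gpa))
            return VE_PANIC;             /* pre-validated page vanished */
        return VE_VALIDATE_PAGE;         /* lazy, on-demand acceptance */
    }
    return VE_UNHANDLED;
}

int main(void)
{
    /* Constructed sample exceptions. */
    struct ve_info samples[] = {
        { 0xffffffff81000400ULL, 0x2000000ULL, VE_EPT_VIOLATION }, /* in noinstr */
        { 0xffffffff82000000ULL, 0x2000000ULL, VE_EPT_VIOLATION }, /* new page  */
        { 0xffffffff82000000ULL, 0x1001080ULL, VE_EPT_VIOLATION }, /* pinned    */
    };
    static const char *names[] = { "panic", "validate-page", "unhandled" };

    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rip=%#llx gpa=%#llx -> %s\n",
               (unsigned long long)samples[i].rip,
               (unsigned long long)samples[i].gpa,
               names[dispatch_ve(&samples[i])]);
    return 0;
}
```

The point of the ordering is that the noinstr test is evaluated before anything that might itself touch on-demand memory; once the handler is past that gate, a fault on a page the early setup code already validated is treated as the host misbehaving, not as work to do.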
