On Fri, Feb 12, 2021 at 05:18:49PM +0100, Joerg Roedel wrote:
> On Fri, Feb 12, 2021 at 05:12:41PM +0100, Peter Zijlstra wrote:
> > On Fri, Feb 12, 2021 at 04:28:13PM +0100, Joerg Roedel wrote:
> > > I don't know the details about TDX and #VE, but could a malicious HV not
> > > trigger a #VE basically everywhere by mapping around pages? So 'fail'
> > > means panic() in this case, right?
> >
> > Right.
>
> To fail reliably, doesn't that mean the #VE vector needs to be IST?
> "Everywhere" could also be in the SYSCALL entry path before there is a
> trusted stack.

I really don't want #VE to be IST. I really *really* detest ISTs, they're
an unmitigated trainwreck.

But you're right, if a HV injects #VE in the syscall gap and gets a
concurrent CPU to 'fix' the exception frame (which then lives on the user
stack) the handler might never know it went ga-ga.

Is this something the TDX threat model covers? A malicious HV and a TDX
guest co-operating to bring down the guest kernel.