On Mon, Jul 19, 2021 at 02:07:43PM +0100, Matthew Wilcox wrote:
> I think this proposal skips (intentionally?) something that s390 already
> implemented: the secure guest deliberately allowing the hypervisor to
> access certain pages for a period and then re-validating them. I hope x86
> can use the same interface as s390 for this, or if not, the interface can
> be modified to be usable by all architectures. See commit f28d43636d6f
> ("mm/gup/writeback: add callbacks for inaccessible pages").

Yeah, sharing memory with the Hypervisor is not the main scope of the
proposal. The requirement I put in step 8. about returning only validated
memory (which means it is not shared with the HV anymore) to the memory
allocator slightly touches this.

In general, on x86 the hypervisor can only write to explicitly shared and
unencrypted regions of guest memory. The guest decides where those are and
is responsible for setting these areas up. For x86 this happens mainly in
the DMA-API backend and to some degree in other code which sets up non-DMA
shared data structures with the host (like the code setting up the GHCBs
for SEV-ES).

That said, I don't see an immediate use of the API introduced in the patch
above for x86.

Regards,

	Joerg