On Sat, Mar 30, 2024 at 09:41:30PM +0100, Paolo Bonzini wrote: > On 3/29/24 23:58, Michael Roth wrote: > > > > + /* Handle boot vCPU first to ensure consistent measurement of initial state. */ > > + if (!boot_vcpu_handled && vcpu->vcpu_id != 0) > > + continue; > > + > > + if (boot_vcpu_handled && vcpu->vcpu_id == 0) > > + continue; > > Why was this not necessary for KVM_SEV_LAUNCH_UPDATE_VMSA? Do we need it > now? I tried to find the original discussion for more context, but can't seem to locate it. But AIUI, there are cases where a VMM may create AP vCPUs earlier than it does the BSP, in which case kvm_for_each_vcpu() might return an AP as it's first entry and cause that VMSA to get measured before, leading to a different measurement depending on the creation ordering. Measuring the BSP first ensures consistent measurement, since the initial AP contents are all identical so their ordering doesn't matter. For SNP, it makes sense to take the more consistent approach right off the bat. But for SEV-ES, it's possible that there are VMMs/userspaces out there that have already accounted for this in their measurement calculations, so it could cause issues if we should the behavior for all SEV-ES. We could however limit the change to KVM_X86_SEV_ES_VM and document that as part of KVM_SEV_INIT2, since there is similarly chance for measurement changes their WRT to the new FPU/XSAVE sync'ing that was added. > > > +See SEV-SNP specification [snp-fw-abi]_ for SNP_LAUNCH_FINISH further details > > +on launch finish input parameters. > > See SNP_LAUNCH_FINISH in the SEV-SNP specification [snp-fw-abi]_ for further > details on the input parameters in ``struct kvm_sev_snp_launch_finish``. Will make similar changes for the others as well. Thanks! -Mike > > Paolo > >