On Tue, May 30, 2023, Thomas Gleixner wrote: > On Tue, May 30 2023 at 15:29, Kirill A. Shutemov wrote: > > On Tue, May 30, 2023 at 02:09:17PM +0200, Thomas Gleixner wrote: > >> The decision to allow parallel bringup of secondary CPUs checks > >> CC_ATTR_GUEST_STATE_ENCRYPT to detect encrypted guests. Those cannot use > >> parallel bootup because accessing the local APIC is intercepted and raises > >> a #VC or #VE, which cannot be handled at that point. > >> > >> The check works correctly, but only for AMD encrypted guests. TDX does not > >> set that flag. > >> > >> Check for cc_vendor != CC_VENDOR_NONE instead. That might be overbroad, but > >> definitely works for both AMD and Intel. > > > > It boots fine with TDX, but I think it is wrong. cc_get_vendor() will > > report CC_VENDOR_AMD even on bare metal if SME is enabled. I don't think > > we want it. > > Right. Did not think about that. > > But the same way is CC_ATTR_GUEST_MEM_ENCRYPT overbroad for AMD. Only > SEV-ES traps RDMSR if I'm understandig that maze correctly. Ya, regular SEV doesn't encrypt register state.
