On Tue, May 30, 2023, Kirill A. Shutemov wrote: > On Tue, May 30, 2023 at 06:00:46PM +0200, Thomas Gleixner wrote: > > On Tue, May 30 2023 at 15:29, Kirill A. Shutemov wrote: > > > On Tue, May 30, 2023 at 02:09:17PM +0200, Thomas Gleixner wrote: > > >> The decision to allow parallel bringup of secondary CPUs checks > > >> CC_ATTR_GUEST_STATE_ENCRYPT to detect encrypted guests. Those cannot use > > >> parallel bootup because accessing the local APIC is intercepted and raises > > >> a #VC or #VE, which cannot be handled at that point. > > >> > > >> The check works correctly, but only for AMD encrypted guests. TDX does not > > >> set that flag. > > >> > > >> Check for cc_vendor != CC_VENDOR_NONE instead. That might be overbroad, but > > >> definitely works for both AMD and Intel. > > > > > > It boots fine with TDX, but I think it is wrong. cc_get_vendor() will > > > report CC_VENDOR_AMD even on bare metal if SME is enabled. I don't think > > > we want it. > > > > Right. Did not think about that. > > > > But the same way is CC_ATTR_GUEST_MEM_ENCRYPT overbroad for AMD. Only > > SEV-ES traps RDMSR if I'm understandig that maze correctly. > > I don't know difference between SEV flavours that well. > > I see there's that on SEV-SNP access to x2APIC MSR range (MSR 0x800-0x8FF) > is intercepted regardless if MSR_AMD64_SNP_ALT_INJ feature is present. But > I'm not sure what the state on SEV or SEV-ES. With SEV-ES, if the hypervisor intercepts an MSR access, the VM-Exit is instead morphed to a #VC (except for EFER). The guest needs to do an explicit VMGEXIT (i.e. a hypercall) to explicitly request MSR emulation (this *can* be done in the #VC handler, but the guest can also do VMGEXIT directly, e.g. in lieu of a RDMSR). With regular SEV, VM-Exits aren't reflected into the guest. Register state isn't encrypted so the hypervisor can emulate MSR accesses (and other instructions) without needing an explicit hypercall from the guest.