Alexey Kardashevskiy wrote:

[..]

> To own IDE, the guest will have to have exclusive access to the portion
> of RC responsible for the IDE keys. Which is doable but requires passing
> through both RC and the device and probably everything between these
> two. It is going to be quite different "host-native" and
> "guest-native". How IDE keys are going to be programmed into the RC on
> Intel?

I do not think the guest can "own IDE" in any meaningful way. It is always going to be a PF level policy coordinated either by the host or the platform-TSM, and as far as I can see all end user interest currently lies in the platform-TSM case.

Now, there is definitely value in considering how a guest can maximize security in the absence of a platform-TSM in the code design, but that does not diminish the need for a path for the guest to coordinate the life-cycle through the platform-TSM. Otherwise, as you mention, passing through the host-bridge resources and the VF has challenges.