On 16/03/2017 19:28, Borislav Petkov wrote:
> So how hard would it be if the hypervisor allocated that memory for the
> guest instead? It would allocate it decrypted and guest would need to
> access it decrypted too. All in preparation for SEV-ES which will need a
> block of unencrypted memory for the guest anyway...

The kvmclock memory is initially zero so there is no need for the
hypervisor to allocate anything; the point of these patches is just to
access the data in a natural way from Linux source code.

I also don't really like the patch as is (plus it fails modpost), but
IMO reusing __change_page_attr and __split_large_page is the right thing
to do.

Paolo