On Fri, Mar 17, 2017 at 12:03:31PM +0100, Paolo Bonzini wrote: > If it is possible to do it in a fairly hypervisor-independent manner, > I'm all for it. That is, only by looking at AMD-specified CPUID leaves > and at kernel ELF sections. Not even that. What that needs to be able to do is: kvm_map_percpu_hv_shared(st, sizeof(*st))) where st is the percpu steal time ptr: struct kvm_steal_time *st = &per_cpu(steal_time, cpu); Underneath, what it does basically is it clears the encryption mask from the pte, see patch 16/32. And I keep talking about SEV-ES because this is going to expand on the need of having a shared memory region which the hypervisor and the guest needs to access, thus unencrypted. See http://support.amd.com/TechDocs/Protecting%20VM%20Register%20State%20with%20SEV-ES.pdf This is where you come in and say what would be the best approach there... -- Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --