On Wed, Sep 25, 2019 at 09:49:32AM -0700, Sean Christopherson wrote: > Correct, only X86_FEATURE_SGX_LC is cleared. The idea is to have SGX_LC > reflect whether or not flexible launch control is fully enabled, no more > no less. So we do not disable SGX when the MSRs are read-only - we disable only launch control. > Functionally, this doesn't impact support for native enclaves as the > driver will refuse to load if SGX_LC=0. So why aren't we clearing all feature bits then? What's the purpose for leaving them set if we're not going to support hardcoded OEM vendor hash in the MSRs anyway? > Looking forward, this *will* affect KVM. As proposed, KVM would expose > SGX to a guest regardless of SGX_LC support. > > https://lkml.kernel.org/r/20190727055214.9282-17-sean.j.christopherson@xxxxxxxxx ... which would do what exactly? Guests can execute SGX only when signed by the Intel key, when LC is disabled? -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette
