Re: [PATCH 10/11] KVM: Disallow read-only memory for x86 TDX

[Xiaoyao Li]

On 11/13/2021 12:52 AM, Sean Christopherson wrote:
> On Fri, Nov 12, 2021, Xiaoyao Li wrote:
> > From: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
> >
> > TDX doesn't expose permission bits to the VMM in the SEPT tables, i.e.,
> > doesn't support read-only private memory.
> >
> > Introduce kvm_arch_support_readonly_mem(), which returns true except for
> > x86. x86 has its own implementation based on vm_type that returns faluse
> > for TDX VM.
> >
> > Propagate it to KVM_CAP_READONLY_MEM to allow reporting on a per-VM
> > basis.
>
> Assuming KVM gains support for private memslots (or memslots that _may_ be mapped
> private), this is incorrect, the restriction on read-only memory only applies to
> private memory.  Userspace should still be allowed to create read-only shared memory.
> Ditto for dirty-logging in the next patch.

Yes. I had the same concern before sending it out. :)
But I forgot to mention it.

> When this patch was originally created, it was "correct" because there was no
> (proposed) concept of a private memslot or of a memslot that can be mapped private.
>
> So these two patches at least need to wait until KVM has a defind ABI for managing
> guest private memory.

I'll drop the two patches for next submission.