RE: [PATCH v5 04/15] x86/mtrr: support setting MTRR state for software defined MTRRs
From: Michael Kelley (LINUX)
Date: Tue Apr 11 2023 - 10:00:03 EST
From: Borislav Petkov <bp@xxxxxxxxx> Sent: Tuesday, April 11, 2023 6:21 AM
>
> On Sat, Apr 01, 2023 at 08:36:41AM +0200, Juergen Gross wrote:
[snip]
> >
> > +
> > + /*
> > + * Only allowed for special virtualization cases:
> > + * - when running as SEV-SNP guest
> > + * - when running as Hyper-V isolated guest
>
> when running as a SEV-SNP guest on a HyperV with vTOM enabled
>
> that's a single condition.
>
> > + * - when running as Xen PV guest
> > + * - when running as TSX guest
> > + */
> > + if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP) &&
> > + !hv_is_isolation_supported() &&
> > + !cpu_feature_enabled(X86_FEATURE_XENPV) &&
> > + !cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
>
> IOW:
>
> if (!(hv_is_isolation_supported() && cc_platform_has(CC_ATTR_GUEST_SEV_SNP)) &&
> !cpu_feature_enabled(X86_FEATURE_XENPV) &&
> !cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
>
That's doesn't work. Hyper-V guests with vTOM don't have
CC_ATTR_GUEST_SEV_SNP. As previously discussed, the SEV-SNP
machinery is handled by the paravisor, and the Linux guest doesn't
see it. Enabling CC_ATTR_GUEST_SEV_SNP in a vTOM guest would
trigger Linux to do a bunch of SNP stuff that the paravisor has already
done and would break things. The standalone hv_is_isolation_supported()
test is sufficient to detect this case.
I really wanted to avoid calls to hv_is_isolation_supported() outside
of Hyper-V specific code in the kernel. The alternative is to create
another CC_ATTR_ value that is set in the vTOM case, but that reopens
the naming can-of-worms.
Michael