On Fri, Feb 12, 2021 at 01:48:36PM -0800, Dave Hansen wrote:
> On 2/12/21 1:47 PM, Andy Lutomirski wrote:
> >> What about adding a property to the TD, e.g. via a flag set during TD creation,
> >> that controls whether unaccepted accesses cause #VE or are, for all intents and
> >> purposes, fatal? That would allow Linux to pursue treating EPT #VEs for private
> >> GPAs as fatal, but would give us a safety and not prevent others from utilizing
> >> #VEs.
> > That seems reasonable.
>
> Ditto.
>
> We first need to double check to see if the docs are right, though.

I confirmed with the TDX module owners that #VE can only happen for:
- unaccepted pages
- instructions like MSR access or CPUID
- specific instructions that are not in the syscall gap

Also if there are future asynchronous #VEs they would only happen with IF=1,
which would also protect the gap.

So no need to make #VE an IST.

-Andi

