From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [intel-sgx-kernel-dev] [PATCH 08/10] kvm: vmx: add guest's
 IA32_SGXLEPUBKEYHASHn runtime switch support
Date: Thu, 18 May 2017 10:58:23 +0200
Message-ID: <b39fd91e-709c-8c0c-8ea1-5d09d9abefed@redhat.com>
References: <20170508052434.3627-1-kai.huang@linux.intel.com>
 <20170508052434.3627-9-kai.huang@linux.intel.com>
 <58dcdb2d-6894-b0a3-8d6f-2ab752fd6d22@linux.intel.com>
 <CALCETrXG6KZEuxzDRwrAC5Wp=tCFaUBt4oPMQE40gdYB4p_A_Q@mail.gmail.com>
 <6ab7ec4e-e0fa-af47-11b2-f26edcb088fb@linux.intel.com>
 <CALCETrUcYfb8E2Ot=WhPH79bVNoPxyBX1ot02o_QvxVsLsQnMg@mail.gmail.com>
 <596dc1ad-eac7-798d-72e5-665eb7f3f2e4@linux.intel.com>
 <0d730428-44fa-67b3-02f4-bd5223a6ec19@redhat.com>
 <0ab082cb-c13d-b62e-9662-6fd32e36d1ac@linux.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: Kai Huang <kaih.linux@gmail.com>,
        Radim Krcmar <rkrcmar@redhat.com>,
        kvm list <kvm@vger.kernel.org>,
        "intel-sgx-kernel-dev@lists.01.org"
        <intel-sgx-kernel-dev@ml01.01.org>, haim.cohen@intel.com
To: "Huang, Kai" <kai.huang@linux.intel.com>,
        Andy Lutomirski <luto@kernel.org>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:44236 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751398AbdERI62 (ORCPT <rfc822;kvm@vger.kernel.org>);
        Thu, 18 May 2017 04:58:28 -0400
In-Reply-To: <0ab082cb-c13d-b62e-9662-6fd32e36d1ac@linux.intel.com>
Content-Language: en-US
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>



On 18/05/2017 09:54, Huang, Kai wrote:
>>
>> I would start with read-only LE hash (same as the host), which is a
>> valid configuration anyway.  Then later we can trap EINIT to emulate
>> IA32_SGXLEPUBKEYHASHn.
> 
> You mean we can start with creating guest without Qemu 'lewr' parameter
> support, and always disallowing guest to change IA32_SGXLEPUBKEYHASHn?
> Even in this way, KVM still needs to emulate IA32_SGXLEPUBKEYHASHn (just
> allow MSR reading but not writing), and write guest's value to physical
> MSRs when running guest (trapping EINIT and write MSRs during EINIT is
> really just performance optimization). Because host can run multiple LEs
> and change MSRs.

Oh, I didn't know this.  So I guess there isn't much benefit in skipping
the trapping of EINIT.

Paolo

> Your suggestion only works when runtime change to
> IA32_SGXLEPUBKEYHASHn is disabled on host (meaning physical machine).