On Fri, 2026-01-16 at 09:30 -0800, Vishal Annapurve wrote:
> > TDX does some clearing at the direct map mapping for pages that
> > come from gmem, using a special instruction. It also does some
> > clflushing at the direct map address for these pages. So I think we
> > need to make sure TDs don't pull from gmem fds with this flag.
>
> Disabling this feature for TDX VMs for now seems ok. I assume TDX
> code can establish temporary mappings to the physical memory and
> therefore doesn't necessarily have to rely on direct map.

Can, as in, can be changed to? It doesn't now, because the direct map
is reliable today.

> Is it safe to say that we can remove direct map for guest memory for
> TDX VMs (and ideally other CC VMs as well) in future as needed?

Linux code doesn't need to read the cipher text of course, but it does
need to help with memory cleaning on the errata systems. Doing a new
mapping for each page getting reclaimed would add cost to the shutdown
path.

Then there is the clflush. It is not actually required for the most
part. There is a TDX flag to check to see if you need to do it, so we
could probably remove the direct map accesses for some systems and
avoid temporary mappings.

So long term, I don't see a problem. For the old systems it would have
extra cost of temporary mappings at shutdown, but I would have imagined
direct map removal would have been costly too.
