On Tue, Jun 23, 2020 at 01:30:07PM +0200, Joerg Roedel wrote: > Note that this is an issue only with secure nested paging (SNP), which > is not enabled yet with this patch-set. When it gets enabled a stack > recursion check in the #VC handler is needed which panics the VM. That > also fixes the #VC-in-early-NMI problem.
But you cannot do a recursion check in #VC, because the NMI can happen on the first instruction of #VC, before we can increment our counter, and then the #VC can happen on NMI because the IST stack is a goner, and we're fscked again (or on a per-cpu variable we touch in our elaborate NMI setup, etc..). There is no way I can see SNP-#VC 'work'. The best I can come up with is 'mostly', but do you like your bridges/dikes/etc.. to be mostly ok? Or do you want a guarantee they'll actually work? I'll keep repeating this, x86_64 exceptions are a trainwreck, and IST in specific is utter crap.
