On Thu, Mar 18, 2021, Joerg Roedel wrote: > On Thu, Mar 18, 2021 at 11:24:25AM +0200, Maxim Levitsky wrote: > > But again this is a debug feature, and it is intended to allow the user > > to shoot himself in the foot. > > And one can't debug SEV-ES guests with it, so what is the point of > enabling it for them too?
Agreed. I can see myself enabling debug features by default, it would be nice to not having to go out of my way to disable them for SEV-ES/SNP guests. Skipping SEV-ES guests should not be difficult; KVM could probably even print a message stating that the debug hook is being ignored. One thought would be to snapshot debug_intercept_exceptions at VM creation, and simply zero it out for incompatible guests. That would also allow changing debug_intercept_exceptions without reloading KVM, which IMO would be very convenient.
