On 4/2/21 2:32 PM, Andi Kleen wrote: >> If we go this route, what are the rules and restrictions? Do we have to >> say "no MMIO in #VE"? > > All we have to say is "No MMIO in #VE before getting thd TDVEINFO arguments" > After that it can nest without problems.
Well, not exactly. You still can't do things that will could cause a n unbounded recusive #VE. It doesn't seem *that* far fetched to think that someone might try to defer some work or dump data to the console. > If you nest before that the TDX will cause a triple fault. > > The code that cannot do it is a few lines in the early handler which > runs with interrupts off. >> Which brings up another related point: How do you debug TD guests? Does >> earlyprintk work? > > Today it works actually because serial ports are allowed. But I expect it to > be closed eventually because serial code is a lot of code to audit. > But you can always disable the filtering with a command line option and > then it will always work for debugging. Do we need a TDX-specific earlyprintk? I would imagine it's pretty easy to implement.
