On Tue, Jun 02, 2026 at 02:24:40PM +0000, Michael Kelley wrote:

> Except that in a normal VM, the "unencrypted" pool attribute does *not*
> describe the state of the memory itself. In a normal VM, the memory is
> unencrypted, but the "unencrypted" pool attribute is false. That
> contradiction is the essence of my concern.

I would argue no..

When CC is enabled the default state of memory in a Linux environment is "encrypted". You have to take a special action to "decrypt" it.

Thus the default state of memory in a non-CC environment is also paradoxically "encrypted" too. "decryption" is impossible.

Therefore the "unencrypted" state is a special state that only memory inside a CC VM can have. A normal VM can never have "unencrypted" memory at all, so having it be false in the pool is accurate as far as the APIs go.

un-encrypted = true means "the memory in this pool was transformed with set_memory_decrypted()" - which is impossible on a normal VM.

Jason
