On 10.06.20 06:31, David Gibson wrote: > On Tue, Jun 09, 2020 at 12:44:39PM -0400, Michael S. Tsirkin wrote: >> On Tue, Jun 09, 2020 at 06:28:39PM +0200, Halil Pasic wrote: >>> On Tue, 9 Jun 2020 17:47:47 +0200 >>> Claudio Imbrenda <imbre...@linux.ibm.com> wrote: >>> >>>> On Tue, 9 Jun 2020 11:41:30 +0200 >>>> Halil Pasic <pa...@linux.ibm.com> wrote: >>>> >>>> [...] >>>> >>>>> I don't know. Janosch could answer that, but he is on vacation. Adding >>>>> Claudio maybe he can answer. My understanding is, that while it might >>>>> be possible, it is ugly at best. The ability to do a transition is >>>>> indicated by a CPU model feature. Indicating the feature to the guest >>>>> and then failing the transition sounds wrong to me. >>>> >>>> I agree. If the feature is advertised, then it has to work. I don't >>>> think we even have an architected way to fail the transition for that >>>> reason. >>>> >>>> What __could__ be done is to prevent qemu from even starting if an >>>> incompatible device is specified together with PV. >>> >>> AFAIU, the "specified together with PV" is the problem here. Currently >>> we don't "specify PV" but PV is just a capability that is managed by the >>> CPU model (like so many other). >> >> So if we want to keep it user friendly, there could be >> protection property with values on/off/auto, and auto >> would poke at host capability to figure out whether >> it's supported. >> >> Both virtio and CPU would inherit from that. > > Right, that's what I have in mind for my 'host-trust-limitation' > property (a generalized version of the existing 'memory-encryption' > machine option). My draft patches already set virtio properties > accordingly, it should be possible to set (default) cpu properties as > well.
No crazy CPU model hacks please (at least speaking for the s390x). -- Thanks, David / dhildenb
