Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest

From: Andi Kleen
Date: Thu Jun 03 2021 - 19:33:05 EST



We do not need an increasing pile of kludges

Do you mean disabling features is a kludge?

If yes I disagree with that characterization.


to make TDX and SEV “secure”. We need the actual loaded driver to be secure. The virtio architecture is full of legacy nonsense,
and there is no good reason for SEV and TDX to be a giant special case.

I don't know where you see a "giant special case". Except for the limited feature negotiation all the changes are common, and the disabling of features (which is not new BTW, but already done e.g. with forcing DMA API in some cases) can be of course used by all these other technologies too. But it just cannot be done by default for everything because it would break compatibility. So every technology with such requirements has to explicitly opt-in.



As I said before, real PCIe (Thunderbolt/USB-C or anything else) has the exact same problem. The fact that TDX has encrypted memory is, at best, a poor proxy for the actual condition. The actual condition is that the host does not trust the device to implement the virtio protocol correctly.

Right they can do similar limitations of feature sets. But again it cannot be default.




TDX and SEV use the arch hook to enforce DMA API, so that part is also
solved.

Can you point me to the code you’re referring to?

See 4/8 in this patch kit. It uses an existing hook which is already used in tree by s390.


-Andi