Re: [PATCH v8 02/11] x86/tdx: Introduce INTEL_TDX_GUEST config option
From: Sathyanarayanan Kuppuswamy Natarajan
Date: Tue Oct 05 2021 - 09:31:13 EST
On Mon, Oct 4, 2021 at 9:53 PM Randy Dunlap <rdunlap@xxxxxxxxxxxxx> wrote:
>
> On 10/4/21 7:51 PM, Kuppuswamy Sathyanarayanan wrote:
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 2b2a9639d8ae..c42dd8a2d1f4 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -865,6 +865,20 @@ config ACRN_GUEST
> > IOT with small footprint and real-time features. More details can be
> > found inhttps://projectacrn.org/.
> >
> > +config INTEL_TDX_GUEST
> > + bool "Intel Trusted Domain eXtensions Guest Support"
> > + depends on X86_64 && CPU_SUP_INTEL && PARAVIRT
> > + depends on SECURITY
> > + select X86_X2APIC
>
> Apparently some Intel CPUs don't have the x2apic feature, since the
> Kconfig help text for X86_X2APIC says:
>
> This enables x2apic support on CPUs that have this feature.
>
> so how is it safe to set/enable/select that kconfig symbol?
>
> Will the x2apic code just safely not work if the h/w feature is
> missing?
For the TDX guest, x2apic will be emulated. So it will exist in our
case. Even if x2apic or TDX guest is not supported by CPU, it will
boot just fine.
>
> > + select SECURITY_LOCKDOWN_LSM
> > + help
> > + Provide support for running in a trusted domain on Intel processors
> > + equipped with Trusted Domain eXtensions. TDX is a Intel technology
> > + that extends VMX and Memory Encryption with a new kind of virtual
> > + machine guest called Trust Domain (TD). A TD is designed to run in
> > + a CPU mode that protects the confidentiality of TD memory contents
> > + and the TD’s CPU state from other software, including VMM.
>
>
> thanks.
> --
> ~Randy
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer