Re: [PATCH 04/26] x86/traps: Add #VE support for TDX guest

From: Sean Christopherson
Date: Wed Dec 29 2021 - 12:48:04 EST


On Wed, Dec 29, 2021, Borislav Petkov wrote:
> On Wed, Dec 29, 2021 at 05:07:34PM +0000, Sean Christopherson wrote:
> > FWIW, virtual/guest NMIs are blocked by the TDX module until pending #VE info
> > is retrieved via TDGETVEINFO. Hardware has nothing to do with that behavior.
>
> The TDX module can block NMIs?!

It blocks _virtual_ NMIs, which simply means that it doesn't inject an NMI until
NMIs are unblocked _in the guest_. Hardware NMIs that arrive in the guest are
never blocked and will trigger an exit to the host.

Any hypervisor can do the same, but it requires a contract between the guest and
the hypervisor to define when NMIs are unblocked. TDX extends the historical x86
contract with the #VE info clause, but again that doesn't help with nested NMIs.

> Can we get that functionality exported to baremetal too pls? Then we can get
> rid of the NMI nesting crap.

I believe that's being addressed with FRED[*]. ERET{S,U} unblock NMIs iff a magic
bit is set on the stack, and that magic bit is set by hardware only when delivering
NMIs. I.e. so long as the NMI handler doesn't deliberately set the bit when
returning from other faults/events, NMIs will remain blocked until the NMI handler
returns.

[*] https://www.intel.com/content/www/us/en/develop/download/flexible-return-and-event-delivery-specification.html