| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aVRZZkAgmdLfudJc@google.com> Date: Tue, 30 Dec 2025 14:59:50 -0800 From: Sean Christopherson <seanjc@...gle.com> To: Xu Yilun <yilun.xu@...ux.intel.com> Cc: dan.j.williams@...el.com, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, Kiryl Shutsemau <kas@...nel.org>, Paolo Bonzini <pbonzini@...hat.com>, linux-kernel@...r.kernel.org, linux-coco@...ts.linux.dev, kvm@...r.kernel.org, Chao Gao <chao.gao@...el.com> Subject: Re: [PATCH v2 2/7] KVM: x86: Extract VMXON and EFER.SVME enablement to kernel On Wed, Dec 24, 2025, Xu Yilun wrote: > On Wed, Dec 10, 2025 at 06:20:17AM -0800, Sean Christopherson wrote: > > On Wed, Dec 10, 2025, dan.j.williams@...el.com wrote: > > > Sean Christopherson wrote: > > > > On Sat, Dec 06, 2025, dan.j.williams@...el.com wrote: > > > > I don't think we need anything at this time. INTEL_TDX_HOST depends on KVM_INTEL, > > > > and so without a user that needs VMXON without KVM_INTEL, I think we're good as-is. > > > > > > > > config INTEL_TDX_HOST > > > > bool "Intel Trust Domain Extensions (TDX) host support" > > > > depends on CPU_SUP_INTEL > > > > depends on X86_64 > > > > depends on KVM_INTEL > > > > > > ...but INTEL_TDX_HOST, it turns out, does not have any functional > > > dependencies on KVM_INTEL. At least, not since I last checked. Yes, it > > > would be silly and result in dead code today to do a build with: > > > > > > CONFIG_INTEL_TDX_HOST=y > > > CONFIG_KVM_INTEL=n > > > > > > However, when the TDX Connect support arrives you could have: > > > > > > CONFIG_INTEL_TDX_HOST=y > > > CONFIG_KVM_INTEL=n > > > CONFIG_TDX_HOST_SERVICES=y > > > > > > Where "TDX Host Services" is a driver for PCIe Link Encryption and TDX > > > Module update. Whether such configuration freedom has any practical > > > value is a separate question. > > > > > > I am ok if the answer is, "wait until someone shows up who really wants > > > PCIe Link Encryption without KVM". > > > > Ya, that's my answer. At the very least, wait until TDX_HOST_SERVICES comes > > along. > > I've tested the PCIe Link Encryption without KVM, with the kernel > config: > > CONFIG_INTEL_TDX_HOST=y > CONFIG_KVM_INTEL=n > CONFIG_TDX_HOST_SERVICES=y > > and > > --- /dev/null > +++ b/drivers/virt/coco/tdx-host/Kconfig > @@ -0,0 +1,10 @@ > +config TDX_HOST_SERVICES > + tristate "TDX Host Services Driver" > + depends on INTEL_TDX_HOST > + default m > > Finally I enabled the combination successfully with a patch below, do we > need the change when TDX_HOST_SERVICES comes? Ya, we'll need something along those lines. What exactly we want the Kconfig soup to look like is TBD though, e.g. it may or may not make sense to have a common config that says "I want virtualization!"?
Powered by blists - more mailing lists