On Fri, 2025-08-29 at 15:02 -0700, Sean Christopherson wrote: > On Fri, Aug 29, 2025, Rick P Edgecombe wrote: > > On Fri, 2025-08-29 at 13:19 -0700, Sean Christopherson wrote: > > > I'm happy to include more context in the changelog, but I really don't want > > > anyone to walk away from this thinking that pinning pages in random KVM code > > > is at all encouraged. > > > > Sorry for going on a tangent. Defensive programming inside the kernel is a > > little more settled. But for defensive programming against the TDX module, there > > are various schools of thought internally. Currently we rely on some > > undocumented behavior of the TDX module (as in not in the spec) for correctness. > > Examples? I was thinking about the BUSY error code avoidance logic that is now called tdh_do_no_vcpus(). We assume no new conditions will appear that cause a TDX_OPERAND_BUSY. Like a guest opt-in or something. It's on our todo list to transition those assumptions to promises. We just need to formalize them. > > > But I don't think we do for security. But, actually they are some of the same paths. So same pattern. > > > > Speaking for Yan here, I think she was a little more worried about this scenario > > then me, so I read this verbiage and thought to try to close it out.
