On Mon, Jun 24, 2024 at 03:59:53AM +0800, Xu Yilun wrote:

...

But it also seems to me that VFIO should be able to support putting the device into the RUN state

Firstly I think VFIO should support putting device into *LOCKED* state. From LOCKED to RUN, there are many evidence fetching and attestation things that only guest cares. I don't think VFIO needs to opt-in.

VFIO is not just about running VMs. If someone wants to run DPDK on VFIO they should be able to get the device into a RUN state and work with secure memory without requiring a KVM. Yes there are many steps to this, but we should imagine how it can work.

...

without involving KVM or cVMs.

It may not be feasible for all vendors.

It must be. A CC guest with an in kernel driver can definately get the PCI device into RUN, so VFIO running in the guest should be able as well.

I believe AMD would have one firmware call that requires cVM handle *AND* move device into LOCKED state. It really depends on firmware implementation.

IMHO, you would not use the secure firmware if you are not using VMs.

Yes, the secure EPT is in the secure world and managed by TDX firmware. Now a SW Mirror Secure EPT is introduced in KVM and managed by KVM directly, and KVM will finally use firmware calls to propagate Mirror Secure EPT changes to secure EPT.

If the secure world managed it then the secure world can have rules that work with the IOMMU as well..

Jason