On April 26, 2025 3:08:29 AM GMT+03:00, Sean Christopherson seanjc@google.com wrote:
> The kernel already can enforce policy. Setting host breakpoints on guest code is done through a dedicated ioctl(), and access to said ioctl() can be restricted through various sandboxing methods, e.g. seccomp.
Ok, makes sense.
> No, that would defeat the purpose of the check. The X86_FEATURE_HYPERVISOR has nothing to do with correctness, it's all about performance. Critically, it's a static check that gets patched at runtime. It's a micro-optimization for bare metal to avoid a single cache miss (the __this_cpu_read(cpu_dr7)). Routing through cc_platform_has() would be far, far heavier than calling hw_breakpoint_active().
Huh, we care so much about speed here?
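For readers following the hw_breakpoint_active() discussion above, the following user-space program is an added illustration, not code from the thread or from the kernel. It models what that helper actually decides: the kernel keeps a per-CPU shadow of DR7 (cpu_dr7) and treats a hardware breakpoint as active when any of the DR7 global-enable bits is set. The DR7 bit-layout constants are reproduced from Linux's uapi debugreg.h; the function names (dr7_hw_breakpoint_active, dr7_decode_slot, dr7_enable_global) and the sample DR7 values are my own and constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86 DR7 layout, values as in Linux arch/x86/include/uapi/asm/debugreg.h.
 * Bits 0..7 are the enable bits: Ln at bit 2n, Gn at bit 2n+1 for slot n.
 * Bits 16..31 hold four 4-bit control fields: R/Wn (2 bits) and LENn (2 bits).
 */
#define DR_LOCAL_ENABLE_MASK   0x55u   /* L0..L3 */
#define DR_GLOBAL_ENABLE_MASK  0xAAu   /* G0..G3 */
#define DR_CONTROL_SHIFT       16
#define DR_CONTROL_SIZE        4
#define DR_RW_EXECUTE          0x0u
#define DR_RW_WRITE            0x1u
#define DR_RW_READ             0x3u    /* read or write */
#define DR_LEN_1               0x0u
#define DR_LEN_2               0x4u
#define DR_LEN_4               0xCu
#define DR_LEN_8               0x8u

/*
 * Same predicate the kernel's hw_breakpoint_active() applies to its
 * per-CPU cpu_dr7 shadow: a slot counts only if its *global* enable bit
 * is set. Local-only enables (Ln) are ignored. (Hypothetical name.)
 */
static bool dr7_hw_breakpoint_active(uint64_t dr7)
{
    return (dr7 & DR_GLOBAL_ENABLE_MASK) != 0;
}

struct dr7_slot {
    bool local;
    bool global;
    unsigned rw;    /* one of DR_RW_* */
    unsigned len;   /* breakpoint length in bytes, 0 if the field is invalid */
};

static unsigned dr7_len_bytes(unsigned len_field)
{
    switch (len_field) {
    case DR_LEN_1: return 1;
    case DR_LEN_2: return 2;
    case DR_LEN_4: return 4;
    case DR_LEN_8: return 8;
    }
    return 0;
}

/* Decode slot n (0..3) of a DR7 value. (Hypothetical helper.) */
static struct dr7_slot dr7_decode_slot(uint64_t dr7, unsigned n)
{
    struct dr7_slot s;
    unsigned ctl = (unsigned)(dr7 >> (DR_CONTROL_SHIFT + n * DR_CONTROL_SIZE)) & 0xFu;

    s.local  = (dr7 >> (2 * n)) & 1u;
    s.global = (dr7 >> (2 * n + 1)) & 1u;
    s.rw     = ctl & 0x3u;
    s.len    = dr7_len_bytes(ctl & 0xCu);
    return s;
}

/*
 * Arm slot n as a global breakpoint with the given R/W type and LEN field,
 * the way a kernel installing a hardware breakpoint would set Gn.
 * (Hypothetical helper.)
 */
static uint64_t dr7_enable_global(uint64_t dr7, unsigned n, unsigned rw, unsigned len_field)
{
    unsigned shift = DR_CONTROL_SHIFT + n * DR_CONTROL_SIZE;
    uint64_t ctl = (uint64_t)((rw & 0x3u) | (len_field & 0xCu));

    dr7 &= ~((uint64_t)0xFu << shift);   /* clear old R/Wn + LENn */
    dr7 |= ctl << shift;
    dr7 |= (uint64_t)1u << (2 * n + 1);  /* set Gn */
    return dr7;
}

int main(void)
{
    /* Constructed sample values: idle, local-only slot 0, global 4-byte write watch in slot 1. */
    uint64_t samples[] = { 0x0, 0x1, dr7_enable_global(0, 1, DR_RW_WRITE, DR_LEN_4) };

    for (unsigned i = 0; i < 3; i++) {
        printf("DR7=0x%08llx active=%d\n", (unsigned long long)samples[i],
               dr7_hw_breakpoint_active(samples[i]));
        for (unsigned n = 0; n < 4; n++) {
            struct dr7_slot s = dr7_decode_slot(samples[i], n);
            if (s.local || s.global)
                printf("  slot %u: L=%d G=%d rw=%u len=%u\n", n, s.local, s.global, s.rw, s.len);
        }
    }
    return 0;
}
```

The second sample shows why the predicate is cheap but specific: a DR7 with only L0 set is not "active" in the sense the hot path cares about, because the kernel installs its own breakpoints with the global bits. The cost the thread is arguing about is the single load of cpu_dr7 that feeds this AND, not the bit test itself.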