On Mon, Jan 20, 2025 at 08:45:51PM +1100, Alexey Kardashevskiy wrote:
> > For CC I'm expecting the KVM fd to be the handle for the cVM, so any RPCs that want to call into the secure world need the KVM FD to get the cVM's identifier. I.e. a "bind to cVM" RPC will need the PCI information and the cVM's handle.
>
> And keep KVM fd open until unbind? Or just for the short time to call the PSP?

iommufd will keep the KVM fd alive so long as the vIOMMU object exists. Other uses for kvm require it to work like this.

> > But it also seems to me that VFIO should be able to support putting the device into the RUN state without involving KVM or cVMs.
>
> AMD's TDI bind handler in the PSP wants a guest handle ("GCTX") and a guest device BDFn, and VFIO has no desire to dive into this KVM business beyond IOMMUFD.

As in my other email, VFIO is not restricted to running VMs, useful things should be available to apps like DPDK.

There is a use case for using TDISP and getting devices up into an encrypted/attested state on pure bare metal without any KVM, VFIO should work in that use case too.
Jason