On Wed, Aug 17, 2022 at 10:27:19AM -0500, Michael Roth <michael.roth@amd.com> wrote:
> > I think the best approach is to turn KVM_TDX_INIT_MEM_REGION into a generic vCPU-scoped ioctl() that allows userspace to pre-map guest memory. Supporting initializing guest private memory with a source page can be implemented via a flag. That also gives KVM line of sight to in-place "conversion", e.g. another flag could be added to say that the dest is also the source.
>
> So is this proposed ioctl only intended to handle the initial encrypted payload, and the KVM_MEMORY_ENCRYPT_{REG,UNREG}_REGION ioctls would still be used for conversions post-boot?
Yes. It is called before running any vcpu. At run time (after running vcpus), KVM_MEMORY_ENCRYPT_{REG,UNREG}_REGION is used.