From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 10 Sep 2021 10:19:37 +0200
From: "Gerd Hoffmann"
To: "Xu, Min M"
Cc: "Yao, Jiewen", "devel@edk2.groups.io", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, Erdem Aktas, James Bottomley, Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf
Message-ID: <20210910081937.ju4jvrolyschulrl@sirius.home.kraxel.org>

  Hi,

> > If we can use 4-level paging initially, then we surely should go for option (1)
> > and simply not touch the reset vectors paging code.
> After PoC I find this option is not a good one. Though the reset
> vector is not touched, there are tricky changes in DxeIpl. To set up
> 5-level paging in a 4-level paging, it should first be switched from
> 64-bit long mode to 32 protected mode, then turn off the Paging,
> disable IA32_EFER.LME, then set the Cr4. The tricky thing is that in
> TDX IA32_EFER is not changeable. MdeModulePkg/.../DxeIpl is widely
> used and it is high risk to make such changes.

Ok. One more question: Do we have to use 5-level paging at all?

The only reason I could see is accepting memory with a gpa above 4-level
address space. But with the longer-term plan to support lazy acceptance
(and passing unaccepted memory ranges to the guest kernel) this reason
goes away. So I think we could just leave it to the guest kernel to
deal with the switch from 4-level to 5-level paging.

Or do I miss something?

take care,
  Gerd