@@ -77,6 +77,22 @@ every time when an enclave is launched. This does not scale because for
generic case because BIOS might lock down the MSRs before handover to
the OS.
+Virtualization
+--------------
+
+The values for IA32_SGXLEPUBKEYHASHn MSRs cannot be emulated for a virtual
+machine guest. It would easily seem feasible to hold virtual values for these
+MSRs, trap EINIT and use the host LE to generate token when guest LE is
+initialized.
+
+However, looking at the pseudo code of ENCLS(EINIT) from the SDM there is
+constraint that the instruction will fail if ATTRIBUTES.EINITTOKENKEY is
+set (the documentation does not tell the reason why the constraint exists
+but it exists).
+
+Thus, only on when the MSRs are left unlocked efore handover to the OS the
+setting of these MSRs can be supported for VM guests.
+
Debug enclaves
--------------
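
Review bot: The last added paragraph has two typos that change how it reads: "Thus, only on when the MSRs are left unlocked efore handover" should be "Thus, only when the MSRs are left unlocked before handover". In the same hunk, "there is constraint" and "generate token" are each missing an article. The opening sentence also says the IA32_SGXLEPUBKEYHASHn values "cannot be emulated" without qualification, while the closing paragraph says setting them can be supported for guests when the MSRs are unlocked. Consider wording the first sentence so the two do not read as contradictory, and naming the SDM section that holds the ENCLS(EINIT) pseudo code so a reader can locate the ATTRIBUTES.EINITTOKENKEY check.
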
Updated documentation to document the constraint, which prevents emulating
the MSR values for VM guests.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 Documentation/x86/intel_sgx.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)