Re: [RFC PATCH 08/21] KVM: TDX: Increase/decrease folio ref for huge pages

From: Edgecombe, Rick P
Date: Tue Jun 24 2025 - 18:22:37 EST


On Tue, 2025-06-24 at 14:29 -0700, Ackerley Tng wrote:
> I have another option h to add: if there is an unmapping error from TDX,
> can it be an indication of compromise, in terms of security? Should TDX
> continue to be trusted to run the TD or other TDs securely? If there is
> some unmapping error, could correctness in the entire host be in
> question?

Maybe, but it's the TDX module's job to do something about this. The threat
model of TDX doesn't involve the host VMM ensuring integrity of the TD.

>
> If either correctness or security is broken, would it be acceptable to
> do a full BUG_ON and crash the system, since neither TDX nor regular VMs
> on the host should be trusted to run correctly after this kind of error?

BUG_ON() won't be acceptable. See Linus' opinion on the subject. The standard
practice is to warn and let people run panic_on_warn if they want to be
paranoid. And we already will generate a warning so it's possible to configure
for this behavior today.