From: Roman Kisel <[email protected]> Sent: Monday, July 14, 2025 3:16 PM
> 
> Define what the confidential VMBus is and describe what advantages
> it offers on the capable hardware.
> 
> Signed-off-by: Roman Kisel <[email protected]>
> Reviewed-by: Alok Tiwari <[email protected]>

Overall, this version looks good. I'm good with the overall
characterization of the scenarios where Confidential VMBus is
beneficial, and with the overview of how it works.

I've noted one nit below. But otherwise,
Reviewed-by: Michael Kelley <[email protected]>

> ---
>  Documentation/virt/hyperv/coco.rst | 140 ++++++++++++++++++++++++++++-
>  1 file changed, 139 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/virt/hyperv/coco.rst 
> b/Documentation/virt/hyperv/coco.rst
> index c15d6fe34b4e..e8515acfe306 100644
> --- a/Documentation/virt/hyperv/coco.rst
> +++ b/Documentation/virt/hyperv/coco.rst

[snip]

> +
> +The data won't ever leave the VM when a device is attached to VTL2, and the

Two things:

1) At face value, saying "the data won't ever leave the VM" is counter to what I/O
is supposed to be doing -- the data leaves the VM to go to the device! I guess the
wording here struck me as funny. :-)

2) Being more precise about "attached to VTL2" would be helpful. This specifically
means a vPCI device assigned to VTL2.

I'd suggest something like:

The data is transferred directly between the VM and a vPCI device (a.k.a. a PCI
pass-thru device) that is directly assigned to VTL2 and that supports encrypted
memory. In such a case, neither the host partition nor the hypervisor has any
access to the data.

You could even include a link to the documentation topic on Hyper-V vPCI devices.

> +device supports encrypted memory. Therefore, neither the host partition nor 
> the
> +hypervisor can access the data being processed at all. The guest needs to
> +establish a VMBus connection only with the paravisor for the channels that
> +process sensitive data, and the paravisor abstracts the details of
> +communicating with the specific devices away providing the guest with the
> +well-established VSP (Virtual Service Provider) interface that has had 
> support
> +in the Hyper-V drivers for a decade.
> +
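Review bot: the paragraph states that neither the host partition nor the hypervisor can access the data, but it says nothing about what the paravisor itself can access, and that is what defines the trust boundary a reader of a confidential-computing document needs to judge the "cannot access the data at all" claim; suggest adding one sentence that says so explicitly. The sentence "The guest needs to establish a VMBus connection only with the paravisor for the channels that process sensitive data" also leaves open where the channels that do not carry sensitive data terminate; state whether those still connect to the host-side VSP. Minor: "abstracts the details of communicating with the specific devices away providing the guest with" needs a comma after "away".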
