[PATCH] docs: Change TD example policy to 0x10000000

Zhenzhong Duan posted 1 patch 2 hours ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20260415023948.172730-1-zhenzhong.duan@intel.com
docs/formatdomain.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
The definition of BIT0 in the policy element comes from the TDX spec, but it
causes confusion for some customers about whether 0 or 1 activates debug:

  1. We know that "off-TD debug mode" basically means debug from outside the
     TD --> 1 activates debug.
  2. But when a customer is not aware of the term "off-TD debug" it is very
     easy to misinterpret this as "TD debug mode off" --> 1 deactivates debug.

Given that the policy example uses "0x10000001", the second interpretation
becomes even more likely, because a customer may assume that security by
default is applied in the example.

Thus, change the policy in the example configuration to "0x10000000" and update
the BIT0 definition to be more explicit.

Suggested-by: Fuhry Benny <benny.fuhry@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
 docs/formatdomain.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 1a4bd4c6e9..b589fc9429 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -9834,7 +9834,7 @@ Example configuration:
    <domain>
      ...
      <launchSecurity type='tdx'>
-       <policy>0x10000001</policy>
+       <policy>0x10000000</policy>
        <mrConfigId>xxx</mrConfigId>
        <mrOwner>xxx</mrOwner>
        <mrOwnerConfig>xxx</mrOwnerConfig>
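Review bot: the new example value 0x10000000 clears bit 0 (off-TD debug off) but keeps bit 28 set, and nothing next to the example says so; a reader who copies the example as a "secure default" will also carry over the bit 28 behaviour ("Disable EPT violation conversion to #VE on guest TD access of PENDING pages" in the table below). Consider adding one sentence under the example, e.g. "This example keeps off-TD debug disabled (bit 0 clear) and sets bit 28; see the policy bit table below", so the two bits are read independently.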
@@ -9855,7 +9855,9 @@ Example configuration:
    ====== ====================================================================================
    Bit(s) Description
    ====== ====================================================================================
-   0      Guest TD runs in off-TD debug mode when set
+   0      Activate off-TD debug when set, i.e., activate debug from outside the TD. Its VCPU
+          state and private memory are accessible by the host VMM.
+          Deactivate off-TD debug when clear, i.e., deactivate debug from outside the TD.
    1:27   reserved
    28     Disable EPT violation conversion to #VE on guest TD access of PENDING pages when set
    29:63  reserved
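Review bot: the three-line description for bit 0 repeats itself ("Activate ... when set" / "Deactivate ... when clear" say the same thing twice) and the pronoun in "Its VCPU state" has no clear antecedent in the cell. A tighter cell that keeps the security consequence the reader needs would be "Off-TD debug mode when set, i.e., debug from outside the TD: the TD's VCPU state and private memory are accessible to the host VMM. Clear for a production TD." Also double-check the rendered simple table: the two continuation lines rely on an empty first column, so they must stay indented past the `======` column boundary or Sphinx will read them as a new row.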
-- 
2.47.3