From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27970C6FD1F for ; Thu, 16 Mar 2023 12:49:05 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7B5E1900003; Thu, 16 Mar 2023 08:49:04 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 765B0900002; Thu, 16 Mar 2023 08:49:04 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5E0E2900003; Thu, 16 Mar 2023 08:49:04 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 48BB8900002 for ; Thu, 16 Mar 2023 08:49:04 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id E99CF16076D for ; Thu, 16 Mar 2023 12:49:03 +0000 (UTC) X-FDA: 80574741366.07.783F498 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf13.hostedemail.com (Postfix) with ESMTP id 6D30320003 for ; Thu, 16 Mar 2023 12:49:01 +0000 (UTC) Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=KTpsRVs6; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf13.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1678970941; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=wep6XHXzYN0UhAG1ks9ds3OGXXSxIe57lGj0K9uT3Fc=; b=yHcY9Zv3BYjcepd7w2iM9nYsfLIsnTiGGLPs+nJ32zLy1PqKn7ya2/d5GVHtu1hOac0zfK 4Vd60ZJw3b3wDFC+WxphnMvmYeg2Npe+LcVRBb18fKRi0fT3alVpKSTnm3xVwd3KmIseb9 iXwa+ihgl3RYVwTxR0C8zMoZyXaf83k= ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=KTpsRVs6; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf13.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1678970941; a=rsa-sha256; cv=none; b=mvIYrj9caHvq1XwChfK6ujcEUsfZkw6glLwxIg42HICju0hpYn9dAU0W5Fvf8rOKX8RAYZ I49hs56tYMSOkS5SKfF6bufhuE3a64g66SnaROdbGpJrHl6fMW7KZ/kGB7p9AuqSQaVfXd lLS6RH7ekZJas5nj3uocsXuxaCGJzzU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1678970940; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wep6XHXzYN0UhAG1ks9ds3OGXXSxIe57lGj0K9uT3Fc=; b=KTpsRVs6yG+R4Ln7ojrPH6gI5u/8E1DKvVRa0EsvAKaMNsQuXyhVilJuOP5BuI9cr7ZHfi +gPRlwuI+ULXUXRxEQVw2KoHycJSAamTLaemWNcG2f9YEo1QWoKIQkBqulCFZZPQjLlnV1 eoLCCHlzvNHlH9uG0gUcm7L1mEmR1bs= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-609-nQiaiyOAMxGEEww4D827Qg-1; Thu, 16 Mar 2023 08:48:57 -0400 X-MC-Unique: nQiaiyOAMxGEEww4D827Qg-1 Received: by mail-wm1-f71.google.com with SMTP id l17-20020a05600c1d1100b003ed29ba093cso613368wms.6 for ; Thu, 16 Mar 2023 05:48:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678970936; h=content-transfer-encoding:in-reply-to:subject:organization:from :references:cc:to:content-language:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wep6XHXzYN0UhAG1ks9ds3OGXXSxIe57lGj0K9uT3Fc=; b=iApKqxkpETv5zmLDeaG8FQG+mBO6Uz8/8aAmo+BKbHuL/S69LJngk1lfvWjlaHgg+J tLAGOVtKtqWU7B/+t/AwRmNbaLml0DdArbOzW5X4L4F4wa4D+3xospnfBYIjqLWPsUSp nRabijIPCZyTi75dmXzWH2DCZmmr59R5hw0UbLAJ/fJSY3dspBqoAaV1i0Vi8RcKtCzk 18HCSpZS7IW2kgTY0Mucl3Y3nbe/JaHuUA80UJaX/EkttjgV6WjtpG95bR00x3PVYiVr 31UKaPaGPZh06maKbtZN2/HxgkMyKQTZQ6qQ0jgOqXQObTLZHJaBBkGg7CyeOowL9hxO kVGg== X-Gm-Message-State: AO0yUKXJ3sv/DoEZFyt4DeQChBp8rjecn8UIPJWAuuqcOpJ1v3JxsKGG oGwlvggnaSS00nxrvnXSU+RFbQyOtJJ6QXt2TNoO+FH3WXUAg74aVTx6cxcVcxecV5Sru1xzq17 u6jU4Zk3filM= X-Received: by 2002:a05:6000:1109:b0:2ce:aa62:ff73 with SMTP id z9-20020a056000110900b002ceaa62ff73mr4500582wrw.54.1678970936320; Thu, 16 Mar 2023 05:48:56 -0700 (PDT) X-Google-Smtp-Source: AK7set9F8FY56GyHEMl2L8uie+xP3SHy7uoJAaOPrsQGYeCNBSq+KiOqmz4HY4GTIvLIKRLlytqolQ== X-Received: by 2002:a05:6000:1109:b0:2ce:aa62:ff73 with SMTP id z9-20020a056000110900b002ceaa62ff73mr4500548wrw.54.1678970935961; Thu, 16 Mar 2023 05:48:55 -0700 (PDT) Received: from ?IPV6:2a09:80c0:192:0:5dac:bf3d:c41:c3e7? ([2a09:80c0:192:0:5dac:bf3d:c41:c3e7]) by smtp.gmail.com with ESMTPSA id d12-20020a056000114c00b002c6d0462163sm7162991wrx.100.2023.03.16.05.48.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 16 Mar 2023 05:48:55 -0700 (PDT) Message-ID: <90f6a15c-0dec-4a19-7a21-b18b73932a21@redhat.com> Date: Thu, 16 Mar 2023 13:48:54 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 To: Kai Huang , linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: linux-mm@kvack.org, dave.hansen@intel.com, peterz@infradead.org, tglx@linutronix.de, seanjc@google.com, pbonzini@redhat.com, dan.j.williams@intel.com, rafael.j.wysocki@intel.com, kirill.shutemov@linux.intel.com, ying.huang@intel.com, reinette.chatre@intel.com, len.brown@intel.com, tony.luck@intel.com, ak@linux.intel.com, isaku.yamahata@intel.com, chao.gao@intel.com, sathyanarayanan.kuppuswamy@linux.intel.com, bagasdotme@gmail.com, sagis@google.com, imammedo@redhat.com References: <35a2421ca97d9e8dd938dcd744674602f4faa617.1678111292.git.kai.huang@intel.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH v10 02/16] x86/virt/tdx: Detect TDX during kernel boot In-Reply-To: <35a2421ca97d9e8dd938dcd744674602f4faa617.1678111292.git.kai.huang@intel.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 6D30320003 X-Rspamd-Server: rspam09 X-Rspam-User: X-Stat-Signature: a56zar5qsq8bjrby5i9n457xbmf9em8f X-HE-Tag: 1678970941-957499 X-HE-Meta: U2FsdGVkX1+7HzIPI1KFxWAJVK64mavhR74UUWwUuVyCwOmyDyg1Pngwj2E0A2Es1ttrtZ4YLaTrX2Iy6DR43vu145q6Szv/m4yUHnjVKYKNoscr3grBcyWw0ju102E7QKnMkV18VupNw+FFawXx3HRp4tiWHUQ009/J/BYF3//ze82tb5CXpOmGu4NbfBWepxY8lt6X+PCDQq7qnxD5P/Xbrk90ylONIlXwOmfHoj1G6wFIoMQ/0X/yvECMGh0YoRIidxZfF5Z2MbDulxRMdNF2B4Q3ez8StEn+90bxwgrlCjJ1S4eYQmyC1pT7F31/4A+EZk+1CTMOols+rYit2E9xfqKVtoGudJ06xCenY6tZSBC9pSbDkrS4u7d2VxB7/PROFjFkdurRi67l1TLWqifHCMcojkJpxurx07dxVjlSt4PAsKAtWcDMrG9hew5zcGRyDTBmeuHPZoXPYSaKB8ehQf6thJ/GfwD14kMNQOMn3O68WXjBUslZYqxT20ZYM2kU4tjZMLM/0FoQI3w+CrtnXn0QbF/lzswxkNyswXo5YFXGPlNFwsU74nKzKXBuCEEaKIaYBgW3F/cvp7GTGb2jKaV5LEQjh70IlswhH77aF3uccW9eBVR+ZfDksPwV8vfEYoLdZD8pZhwEvTk9U5Ou/5mORuyVWEpJwpIzgP3onopoFW9OA9n62shAvislVXEzSVCp0UO8NtQhRkQ+xV0lQgKMxqHmqvRr4zl6JQzqy+fyoiwhursEAlutbyA2Mks+u5yfd4vO3esx4ncqogxGmb6YC3H82oM+eAipmtcwLwGixruS777mMJ0nbImCnXDJoOvDtGtZ3XHO5KElcxQkHHJQl4Fgv1/Teabn1PdQwAgDaAseh5cfGO+qDWNUrlU1PfsAE1c7X5C8FajDrH2Lz6JKvOXeovFW/XdDyQvN20F8tbme1zzHVuJkP46UV21G2Z/6kVTj0hyCWSB edyWVAsO KEKZSubJYq5mFKD07IH/jNV6zTJxnFARRfSCkO/qRukWcohcuX3bLbqXjLUBDEXG8cVXDo3Nz+xThADhDSii3aR2yvBuFdXLo87GkI+Xw+w+0Ao8mDPzUL6J3L265bIgaet9vYN3Oo7SdA3E89/850bzb1HzS0zsT1043iH9RtxFfl0y09sflLk0dORm9PUmHCYOVlY8U4zluvKORJzFPIguOme2XmYZVVcc9IJntfZjHftbu4Po5fQgoMHI3GceUWeFQTNL4lhhgXDOqqRoGj2ZMQONiR3EMhRikMbw9ONUq6oy8yH7v353NyfBiHU+HLTX8UoMIekFEhLUROM5o1zZIPvLjC81LdHhCcP91smrJh76I1vcI9Qniu1aC1c3MQiRRpZrBtRVSCVqNuipM8i5mMvUV48B2/P1l4XsNijaFJ1hsPpy33bJSmO3G1iOctXL94EkF6aiuLWQ= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 06.03.23 15:13, Kai Huang wrote: > Intel Trust Domain Extensions (TDX) protects guest VMs from malicious > host and certain physical attacks. A CPU-attested software module > called 'the TDX module' runs inside a new isolated memory range as a > trusted hypervisor to manage and run protected VMs. > > Pre-TDX Intel hardware has support for a memory encryption architecture > called MKTME. The memory encryption hardware underpinning MKTME is also > used for Intel TDX. TDX ends up "stealing" some of the physical address > space from the MKTME architecture for crypto-protection to VMs. The > BIOS is responsible for partitioning the "KeyID" space between legacy > MKTME and TDX. The KeyIDs reserved for TDX are called 'TDX private > KeyIDs' or 'TDX KeyIDs' for short. > > TDX doesn't trust the BIOS. During machine boot, TDX verifies the TDX > private KeyIDs are consistently and correctly programmed by the BIOS > across all CPU packages before it enables TDX on any CPU core. A valid > TDX private KeyID range on BSP indicates TDX has been enabled by the > BIOS, otherwise the BIOS is buggy. So we don't trust the BIOS, but trust the BIOS that it won't hot-remove physical memory or hotplug physical CPUS (if I understood the cover letter correctly)? :) > > The TDX module is expected to be loaded by the BIOS when it enables TDX, > but the kernel needs to properly initialize it before it can be used to > create and run any TDX guests. The TDX module will be initialized by > the KVM subsystem when KVM wants to use TDX. > > Add a new early_initcall(tdx_init) to detect the TDX by detecting TDX > private KeyIDs. Also add a function to report whether TDX is enabled by > the BIOS. Similar to AMD SME, kexec() will use it to determine whether > cache flush is needed. > > The TDX module itself requires one TDX KeyID as the 'TDX global KeyID' > to protect its metadata. Each TDX guest also needs a TDX KeyID for its > own protection. Just use the first TDX KeyID as the global KeyID and > leave the rest for TDX guests. If no TDX KeyID is left for TDX guests, > disable TDX as initializing the TDX module alone is useless. Does that really happen in practice that we care about that at all? Seems weird and rather like a broken firmware or sth like that ... > > To start to support TDX, create a new arch/x86/virt/vmx/tdx/tdx.c for > TDX host kernel support. Add a new Kconfig option CONFIG_INTEL_TDX_HOST > to opt-in TDX host kernel support (to distinguish with TDX guest kernel > support). So far only KVM uses TDX. Make the new config option depend > on KVM_INTEL. > > Signed-off-by: Kai Huang > Reviewed-by: Kirill A. Shutemov [...] > --- > arch/x86/Kconfig | 12 ++++ > arch/x86/Makefile | 2 + > arch/x86/include/asm/msr-index.h | 3 + > arch/x86/include/asm/tdx.h | 7 +++ > arch/x86/virt/Makefile | 2 + > arch/x86/virt/vmx/Makefile | 2 + > arch/x86/virt/vmx/tdx/Makefile | 2 + > arch/x86/virt/vmx/tdx/tdx.c | 105 +++++++++++++++++++++++++++++++ > 8 files changed, 135 insertions(+) > create mode 100644 arch/x86/virt/Makefile > create mode 100644 arch/x86/virt/vmx/Makefile > create mode 100644 arch/x86/virt/vmx/tdx/Makefile > create mode 100644 arch/x86/virt/vmx/tdx/tdx.c > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 3604074a878b..fc010973a6ff 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1952,6 +1952,18 @@ config X86_SGX > > If unsure, say N. > > +config INTEL_TDX_HOST > + bool "Intel Trust Domain Extensions (TDX) host support" > + depends on CPU_SUP_INTEL > + depends on X86_64 > + depends on KVM_INTEL > + help > + Intel Trust Domain Extensions (TDX) protects guest VMs from malicious > + host and certain physical attacks. This option enables necessary TDX > + support in host kernel to run protected VMs. s/in host/in the host/ ? Also, is "protected VMs" the right term to use here? "Encrypted VMs", "Confidential VMs" ... ? > + > + If unsure, say N. > + > config EFI > bool "EFI runtime service support" > depends on ACPI > diff --git a/arch/x86/Makefile b/arch/x86/Makefile > index 9cf07322875a..972b5a64ce38 100644 > --- a/arch/x86/Makefile > +++ b/arch/x86/Makefile > @@ -252,6 +252,8 @@ archheaders: > > libs-y += arch/x86/lib/ > > +core-y += arch/x86/virt/ > + > # drivers-y are linked after core-y > drivers-$(CONFIG_MATH_EMULATION) += arch/x86/math-emu/ > drivers-$(CONFIG_PCI) += arch/x86/pci/ > diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h > index 37ff47552bcb..952374ddb167 100644 > --- a/arch/x86/include/asm/msr-index.h > +++ b/arch/x86/include/asm/msr-index.h > @@ -512,6 +512,9 @@ > #define MSR_RELOAD_PMC0 0x000014c1 > #define MSR_RELOAD_FIXED_CTR0 0x00001309 > > +/* KeyID partitioning between MKTME and TDX */ > +#define MSR_IA32_MKTME_KEYID_PARTITIONING 0x00000087 > + > /* > * AMD64 MSRs. Not complete. See the architecture manual for a more > * complete list. > diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h > index 25fd6070dc0b..4dfe2e794411 100644 > --- a/arch/x86/include/asm/tdx.h > +++ b/arch/x86/include/asm/tdx.h > @@ -94,5 +94,12 @@ static inline long tdx_kvm_hypercall(unsigned int nr, unsigned long p1, > return -ENODEV; > } > #endif /* CONFIG_INTEL_TDX_GUEST && CONFIG_KVM_GUEST */ > + > +#ifdef CONFIG_INTEL_TDX_HOST > +bool platform_tdx_enabled(void); > +#else /* !CONFIG_INTEL_TDX_HOST */ > +static inline bool platform_tdx_enabled(void) { return false; } > +#endif /* CONFIG_INTEL_TDX_HOST */ > + > #endif /* !__ASSEMBLY__ */ > #endif /* _ASM_X86_TDX_H */ > diff --git a/arch/x86/virt/Makefile b/arch/x86/virt/Makefile > new file mode 100644 > index 000000000000..1e36502cd738 > --- /dev/null > +++ b/arch/x86/virt/Makefile > @@ -0,0 +1,2 @@ > +# SPDX-License-Identifier: GPL-2.0-only > +obj-y += vmx/ > diff --git a/arch/x86/virt/vmx/Makefile b/arch/x86/virt/vmx/Makefile > new file mode 100644 > index 000000000000..feebda21d793 > --- /dev/null > +++ b/arch/x86/virt/vmx/Makefile > @@ -0,0 +1,2 @@ > +# SPDX-License-Identifier: GPL-2.0-only > +obj-$(CONFIG_INTEL_TDX_HOST) += tdx/ > diff --git a/arch/x86/virt/vmx/tdx/Makefile b/arch/x86/virt/vmx/tdx/Makefile > new file mode 100644 > index 000000000000..93ca8b73e1f1 > --- /dev/null > +++ b/arch/x86/virt/vmx/tdx/Makefile > @@ -0,0 +1,2 @@ > +# SPDX-License-Identifier: GPL-2.0-only > +obj-y += tdx.o > diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c > new file mode 100644 > index 000000000000..a600b5d0879d > --- /dev/null > +++ b/arch/x86/virt/vmx/tdx/tdx.c > @@ -0,0 +1,105 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright(c) 2023 Intel Corporation. > + * > + * Intel Trusted Domain Extensions (TDX) support > + */ > + > +#define pr_fmt(fmt) "tdx: " fmt > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +static u32 tdx_global_keyid __ro_after_init; > +static u32 tdx_guest_keyid_start __ro_after_init; > +static u32 tdx_nr_guest_keyids __ro_after_init; > + > +/* > + * Use tdx_global_keyid to indicate that TDX is uninitialized. > + * This is used in TDX initialization error paths to take it from > + * initialized -> uninitialized. > + */ > +static void __init clear_tdx(void) > +{ > + tdx_global_keyid = 0; > +} Why not set "tdx_global_keyid" last, such that you don't have to clear when anything goes wrong before that? Seems more straight forward. > + > +static int __init record_keyid_partitioning(u32 *tdx_keyid_start, > + u32 *nr_tdx_keyids) > +{ > + u32 _nr_mktme_keyids, _tdx_keyid_start, _nr_tdx_keyids; > + int ret; > + > + /* > + * IA32_MKTME_KEYID_PARTIONING: > + * Bit [31:0]: Number of MKTME KeyIDs. > + * Bit [63:32]: Number of TDX private KeyIDs. > + */ > + ret = rdmsr_safe(MSR_IA32_MKTME_KEYID_PARTITIONING, &_nr_mktme_keyids, > + &_nr_tdx_keyids); > + if (ret) > + return -ENODEV; > + > + if (!_nr_tdx_keyids) > + return -ENODEV; > + > + /* TDX KeyIDs start after the last MKTME KeyID. */ > + _tdx_keyid_start = _nr_mktme_keyids + 1; > + > + *tdx_keyid_start = _tdx_keyid_start; > + *nr_tdx_keyids = _nr_tdx_keyids; > + > + return 0; > +} -- Thanks, David / dhildenb