From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49FAD22370F;
	Fri, 23 May 2025 09:53:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994006; cv=none;
 b=gGN2wY1Hnd5/giyVT+HKBc/NI5OogO85NtvZ/bBldX9phDOxULeIk99ZuIwd/GiVOUYCG5mH2gdDrmeuIuVxD91c4YjiPAJZUOU1cifFjhC4ewQByuKiUWzHypcKXt657el6uQy5+ID2zH8sxWFCm3jWz2kQHzlZG1eTlkduaR4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994006; c=relaxed/simple;
	bh=sOkw1JG9iRLRW+PGBK0WHlQW7LGgtjnpZzL8wyQuJY4=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=qJ7xPqSjIcY8ItpTOQ9s7LcKCNQCc+MsjmO6SlumOzN4CyGCDMeimYWtt793llTnYMBN9w7DFsEsaYrf4kVaR4kiVeWRkGIRtZN9xApWM4sCZYoLP+TpTMdjVsQej+wAShhiGXMgbgg/UH3HByhOueMnhc5e/48BdXJ+v28luhc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=ffVXNUw2; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="ffVXNUw2"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994005; x=1779530005;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=sOkw1JG9iRLRW+PGBK0WHlQW7LGgtjnpZzL8wyQuJY4=;
  b=ffVXNUw2In4z2PwzVspyM0PZdWzpdHrvxuzVm95DzW7H5b4WQ5EyGO4c
   xOWmzoMHsYAZB6GfazojFbvmbNotbINbdtNotNDxtkPjSCU5XYpX+pNON
   5T91rELA/TwHbYga4H4d1B4FtpzRN2psj0PQxCt8QVGA0hUfdlhaDn6Rv
   LPvOhBK8v6zuCAMRqsjbMGgJk5XwE7p/F1/F8e25vPFUzsZXmscHgbXdb
   DsRGlpsJlqIGNULVT2Mb2LtbAXvlD8FhkvOovontquXFJl8U+xfY36wVP
   rF91wmIDxE4MqyFxQV1EYBy8qDrHomAciiUYbKf91I4luH7ALygNzq+VZ
   Q==;
X-CSE-ConnectionGUID: vaEtmKAyStqXmMRnmO02hA==
X-CSE-MsgGUID: uuQUse4aQh2s7hoimbv8XA==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444091"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444091"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:24 -0700
X-CSE-ConnectionGUID: LWnOCfaCS6O6i9s/kN5tgQ==
X-CSE-MsgGUID: DKR8vC3TTPe3/tFWKLB7PQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315034"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:23 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 01/20] x86/virt/tdx: Print SEAMCALL leaf numbers in
 decimal
Date: Fri, 23 May 2025 02:52:24 -0700
Message-ID: <20250523095322.88774-2-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Both TDX spec and kernel defines SEAMCALL leaf numbers as decimal. Printing
them in hex makes no sense. Correct it.

Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/tdx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index f5e2a937c1e7..49267c865f18 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -62,7 +62,7 @@ typedef void (*sc_err_func_t)(u64 fn, u64 err, struct tdx=
_module_args *args);
=20
 static inline void seamcall_err(u64 fn, u64 err, struct tdx_module_args *a=
rgs)
 {
-	pr_err("SEAMCALL (0x%016llx) failed: 0x%016llx\n", fn, err);
+	pr_err("SEAMCALL (%lld) failed: 0x%016llx\n", fn, err);
 }
=20
 static inline void seamcall_err_ret(u64 fn, u64 err,
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D41AB22576E;
	Fri, 23 May 2025 09:53:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994008; cv=none;
 b=BckJh66uTo4PBgwgenUlLkvehvAbpFjNzUTaE9JnO2dimnS8N84Sc+uYI3mYGPsQCKwubxCH9ZzSONxAvS11qe+mgcTWV8ZcWrUtTBq2Wi0p5ijKdQB1XvHN6ipx+q81D4VmSiFs9i2VkC30fpuiSzjcpDE1pgFbPiI9k15rFXE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994008; c=relaxed/simple;
	bh=uDOwhjWlC6SFw0oeKfCiUA109BTevkrEVCjc1t3wJ94=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=eTxjMQYsOksO73XG6tK/eKttQZBFXmXBMElCDSIt7IDPqsHDk4JgGm7B39zwsMyZ+jlSTg+FzG7Dw/UvnfoAFg0FvsWQSY7z1hX1c5uAMV0rBA5EHjHbvDOBnphHfgOI1NZjyQyHufOTUAMGtzfcDeNIAfKiTNz6RC8yQ8fEC8g=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=NRUNpqzB; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="NRUNpqzB"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994006; x=1779530006;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=uDOwhjWlC6SFw0oeKfCiUA109BTevkrEVCjc1t3wJ94=;
  b=NRUNpqzBnJrT5BAs1Z0MCb1upVAM+S1ATibO94EUxfI4MYPMRyeneREn
   ELdNrnmfzL85TTUqy7oUkvzNrU5n0uCvPddBDYb9teyGWU7a0KWo3dS/6
   9ZRMpjRCpmHErbMzv9p5leLRYUkZnGlVBqQURlGl4xxljH6ZUSXfs/09u
   ejh49kegSEDxVn263ZutnSCoWH7TF8vgq66L2HmKuj4jHsVs7XhDtObVn
   AWEgaZqWTBa4WNFitdyk4dsQQVvmDuM23jpwDZfur/cxRCqieV22DCWaJ
   SEPPliftQrXtvldL/lcL9E7gXa4DRm8LUQ1by6gWwpywqiRA/KSiV3zfq
   g==;
X-CSE-ConnectionGUID: O2v2YXSLR0yd7UsRzcxTCQ==
X-CSE-MsgGUID: ZLXjeRTKSxO61uX/AX8L3Q==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444099"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444099"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:24 -0700
X-CSE-ConnectionGUID: 6fstuCAeSlqDa5moTDEeGg==
X-CSE-MsgGUID: ADIJxU13R5OExswirUOP7w==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315038"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:24 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 02/20] x86/virt/tdx: Prepare to support P-SEAMLDR
 SEAMCALLs
Date: Fri, 23 May 2025 02:52:25 -0700
Message-ID: <20250523095322.88774-3-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

P-SEAMLDR is another component alongside the TDX module within the
protected SEAM range. Software can invoke its functions by executing the
SEAMCALL instruction with the 63 bit of RAX set to 1. P-SEAMLDR SEAMCALLs
differ from those of the TDX module in terms of error codes and the
handling of the current VMCS.

In preparation for calling P-SEAMLDR functions to update the TDX module,
adjust the SEAMCALL infrastructure to support P-SEAMLDR SEAMCALLs and
expose a helper function.

Specifically,
1) P-SEAMLDR SEAMCALLs use a different error code for lack of entropy.
   Tweak sc_retry() to handle this difference.

2) Add a separate function to log the SEAMCALL leaf number and the error
   code.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
checking bit63 in sc_need_retry() may be suboptimal. An alternative is to
pass the "NO ENTROPY" error code from seamcall_prerr* and seamldr_prerr()
to sc_retry(). but this would need more code changes. I am not sure if it
is worthwhile.
---
 arch/x86/include/asm/tdx.h  | 20 +++++++++++++++++++-
 arch/x86/virt/vmx/tdx/tdx.c | 16 ++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h |  4 ++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index 26ffc792e673..b507d5233b03 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -32,6 +32,11 @@
 #define TDX_SUCCESS		0ULL
 #define TDX_RND_NO_ENTROPY	0x8000020300000000ULL
=20
+/* SEAMLDR SEAMCALL leaf function error codes */
+#define SEAMLDR_RND_NO_ENTROPY	0x8000000000030001ULL
+
+#define SEAMLDR_SEAMCALL_MASK	_BITUL(63)
+
 #ifndef __ASSEMBLER__
=20
 #include <uapi/asm/mce.h>
@@ -104,6 +109,19 @@ void tdx_init(void);
=20
 typedef u64 (*sc_func_t)(u64 fn, struct tdx_module_args *args);
=20
+static inline bool is_seamldr_call(u64 fn)
+{
+	return fn & SEAMLDR_SEAMCALL_MASK;
+}
+
+static inline bool sc_need_retry(u64 fn, u64 error_code)
+{
+	if (is_seamldr_call(fn))
+		return error_code =3D=3D SEAMLDR_RND_NO_ENTROPY;
+	else
+		return error_code =3D=3D TDX_RND_NO_ENTROPY;
+}
+
 static inline u64 sc_retry(sc_func_t func, u64 fn,
 			   struct tdx_module_args *args)
 {
@@ -112,7 +130,7 @@ static inline u64 sc_retry(sc_func_t func, u64 fn,
=20
 	do {
 		ret =3D func(fn, args);
-	} while (ret =3D=3D TDX_RND_NO_ENTROPY && --retry);
+	} while (sc_need_retry(fn, ret) && --retry);
=20
 	return ret;
 }
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 49267c865f18..b586329dd87d 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -65,6 +65,17 @@ static inline void seamcall_err(u64 fn, u64 err, struct =
tdx_module_args *args)
 	pr_err("SEAMCALL (%lld) failed: 0x%016llx\n", fn, err);
 }
=20
+static inline void seamldr_err(u64 fn, u64 err, struct tdx_module_args *ar=
gs)
+{
+	/*
+	 * Get the actual leaf number. No need to print the bit used to
+	 * differentiate between SEAMLDR and TDX module as the "SEAMLDR"
+	 * string in the error message already provides that information.
+	 */
+	fn &=3D ~SEAMLDR_SEAMCALL_MASK;
+	pr_err("SEAMLDR (%lld) failed: 0x%016llx\n", fn, err);
+}
+
 static inline void seamcall_err_ret(u64 fn, u64 err,
 				    struct tdx_module_args *args)
 {
@@ -102,6 +113,11 @@ static inline int sc_retry_prerr(sc_func_t func, sc_er=
r_func_t err_func,
 #define seamcall_prerr_ret(__fn, __args)					\
 	sc_retry_prerr(__seamcall_ret, seamcall_err_ret, (__fn), (__args))
=20
+int seamldr_prerr(u64 fn, struct tdx_module_args *args)
+{
+	return sc_retry_prerr(__seamcall, seamldr_err, fn, args);
+}
+
 /*
  * Do the module global initialization once and return its result.
  * It can be done on any cpu.  It's always called with interrupts
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index 82bb82be8567..48c0a850c621 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -4,6 +4,8 @@
=20
 #include <linux/bits.h>
=20
+#include <asm/tdx.h>
+
 /*
  * This file contains both macros and data structures defined by the TDX
  * architecture and Linux defined software data structures and functions.
@@ -118,4 +120,6 @@ struct tdmr_info_list {
 	int max_tdmrs;	/* How many 'tdmr_info's are allocated */
 };
=20
+int seamldr_prerr(u64 fn, struct tdx_module_args *args);
+
 #endif
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEDD1227EA7;
	Fri, 23 May 2025 09:53:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994009; cv=none;
 b=gD5A2uXkcgEfgpwYvnvqA7xUJA+qPWieexM4qDCxXZuKDKqPV9Q8Gepy4IhzoqML3uXgTwmNTVBGLHzHfibcQ6+PvJVU+WRvaf5Qws/2eNA6J6Y8qG2UAX4MtDmeAgxlu9t6tFiqcyKGDt07mZ+/lvSlIZLDawm0KUeJoZaBWvk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994009; c=relaxed/simple;
	bh=E8Dj8QvY/mQqCZ11f0OqSrNtR2Ru7HYcMeZzbwXrfKo=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=FQWxXsaJfBLU9ut9sh57ALUC4hzuelnGxIskVairfJi3KxdlX4ZAHaLK4Chhh4Mgw7xr3APFQmQDsYSdD/f3JkCj8YROb7/SQ8/mf/lqm624pPLgx9gPvLtW/fohyb19bjwQK12OFQRh3fvfdYGldrE8dQcJ2QQ9zL0qvi7wckk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=iiWpNMS7; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="iiWpNMS7"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994008; x=1779530008;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=E8Dj8QvY/mQqCZ11f0OqSrNtR2Ru7HYcMeZzbwXrfKo=;
  b=iiWpNMS7EBWeteLqvu6TfCvJZP0DL0P1+afuqPQygKlrY74FIU9VZMXB
   KAJAoTCyiwazm4ch/zoa/1TQJO6fSRr8HyZVZ7Gk9JtMPCvoH0FWIT9M6
   Wt0e+kk4ISD4208YdL2lfwpcId6p99l9JDauGbej+FNVAtCnWmktAijHw
   gROroIe0hmEmUnZcsqXoHIytd/nSvyhIk72VDGkGJ9wdoLR7V7gWO+pBk
   /WUfLN5FLEhpdPl1JoQdWtIpU8ji1KcoEpQ1xAH58203ZMX7lu12q3yJM
   ChX7pHY3HE1QEYt9uX+quwIqZhBTxcclhais/jkfT0k5hRDY1bR+cW+cK
   g==;
X-CSE-ConnectionGUID: NtqWYq77QfOvvcLCvw94rA==
X-CSE-MsgGUID: SMDxq3EAQli6RWe28DQE+A==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444108"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444108"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:27 -0700
X-CSE-ConnectionGUID: lJEL/6V4TKy7qsLSCmkjqw==
X-CSE-MsgGUID: edaiM/tORZi0rW7Sou53HA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315041"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:27 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 03/20] x86/virt/seamldr: Introduce a wrapper for P-SEAMLDR
 SEAMCALLs
Date: Fri, 23 May 2025 02:52:26 -0700
Message-ID: <20250523095322.88774-4-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

P-SEAMLDR is another component alongside the TDX module within the
protected SEAM range. Software can invoke its functions by executing the
SEAMCALL instruction with the 63 bit of RAX set to 1. P-SEAMLDR SEAMCALLs
differ from those of the TDX module in terms of error codes and the
handling of the current VMCS.

Add a wrapper for P-SEAMLDR SEAMCALLs based on the SEAMCALL infrastructure.

Intel=C2=AE Trust Domain CPU Architectural Extensions (May 2021 edition)
Chapter 2.3 states:

SEAMRET from the P-SEAMLDR clears the current VMCS structure pointed to by
the current-VMCS pointer. A VMM that invokes the P-SEAMLDR using SEAMCALL
must reload the current-VMCS, if required, using the VMPTRLD instruction.

So, save and restore the current-VMCS pointer using VMPTRST and VMPTRLD
instructions to avoid breaking KVM, which manages the current-VMCS.

Disable interrupts to prevent KVM code from interfering with P-SEAMLDR
SEAMCALLs. For example, if a vCPU is scheduled before the current VMCS is
restored, it may encounter an invalid current VMCS, causing its VMX
instruction to fail. Additionally, if KVM sends IPIs to invalidate a
current VMCS and the invalidation occurs right after the current VMCS is
saved, that VMCS will be reloaded after P-SEAMLDR SEAMCALLs, leading to
unexpected behavior.

NMIs are not a problem, as the only scenario where instructions relying on
the current-VMCS are used is during guest PMI handling in KVM. This occurs
immediately after VM exits with IRQ and NMI disabled, ensuring no
interference with P-SEAMLDR SEAMCALLs.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/Kconfig                | 10 ++++++++
 arch/x86/virt/vmx/tdx/Makefile  |  1 +
 arch/x86/virt/vmx/tdx/seamldr.c | 44 +++++++++++++++++++++++++++++++++
 arch/x86/virt/vmx/vmx.h         | 40 ++++++++++++++++++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 arch/x86/virt/vmx/tdx/seamldr.c
 create mode 100644 arch/x86/virt/vmx/vmx.h

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4b9f378e05f6..8b1e0986b7f8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1932,6 +1932,16 @@ config INTEL_TDX_HOST
=20
 	  If unsure, say N.
=20
+config INTEL_TDX_MODULE_UPDATE
+	bool "Intel TDX module runtime update"
+	depends on INTEL_TDX_HOST
+	help
+	  This enables the kernel to support TDX module runtime update. This allo=
ws
+	  the admin to upgrade the TDX module to a newer one without the need to
+	  terminate running TDX guests.
+
+	  If unsure, say N.
+
 config EFI
 	bool "EFI runtime service support"
 	depends on ACPI
diff --git a/arch/x86/virt/vmx/tdx/Makefile b/arch/x86/virt/vmx/tdx/Makefile
index 90da47eb85ee..26aea3531c36 100644
--- a/arch/x86/virt/vmx/tdx/Makefile
+++ b/arch/x86/virt/vmx/tdx/Makefile
@@ -1,2 +1,3 @@
 # SPDX-License-Identifier: GPL-2.0-only
 obj-y +=3D seamcall.o tdx.o
+obj-$(CONFIG_INTEL_TDX_MODULE_UPDATE) +=3D seamldr.o
diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
new file mode 100644
index 000000000000..a252f1ae3483
--- /dev/null
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright(c) 2025 Intel Corporation.
+ *
+ * Intel TDX module runtime update
+ */
+#define pr_fmt(fmt)	"seamldr: " fmt
+
+#include <linux/cleanup.h>
+
+#include "tdx.h"
+#include "../vmx.h"
+
+static __maybe_unused int seamldr_call(u64 fn, struct tdx_module_args *arg=
s)
+{
+	u64 vmcs;
+	int ret;
+
+	if (!is_seamldr_call(fn))
+		return -EINVAL;
+
+	/*
+	 * SEAMRET from P-SEAMLDR invalidates the current-VMCS pointer.
+	 * Save/restore current-VMCS pointer across P-SEAMLDR SEAMCALLs so
+	 * that VMX instructions won't fail due to an invalid current-VMCS.
+	 *
+	 * Disable interrupt to prevent SMP call functions from seeing the
+	 * invalid current-VMCS.
+	 */
+	guard(irqsave)();
+
+	ret =3D cpu_vmcs_store(&vmcs);
+	if (ret)
+		return ret;
+
+	ret =3D seamldr_prerr(fn, args);
+
+	/* Restore current-VMCS pointer */
+#define INVALID_VMCS   -1ULL
+	if (vmcs !=3D INVALID_VMCS)
+	       WARN_ON_ONCE(cpu_vmcs_load(vmcs));
+
+	return ret;
+}
diff --git a/arch/x86/virt/vmx/vmx.h b/arch/x86/virt/vmx/vmx.h
new file mode 100644
index 000000000000..51e6460fd1fd
--- /dev/null
+++ b/arch/x86/virt/vmx/vmx.h
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef ARCH_X86_VIRT_VMX_H
+#define ARCH_X86_VIRT_VMX_H
+
+#include <linux/printk.h>
+
+static inline int cpu_vmcs_load(u64 vmcs_pa)
+{
+	asm goto("1: vmptrld %0\n\t"
+			  ".byte 0x2e\n\t" /* branch not taken hint */
+			  "jna %l[error]\n\t"
+			  _ASM_EXTABLE(1b, %l[fault])
+			  : : "m" (vmcs_pa) : "cc" : error, fault);
+	return 0;
+
+error:
+	pr_err_once("vmptrld failed: %llx\n", vmcs_pa);
+	return -EIO;
+fault:
+	pr_err_once("vmptrld faulted\n");
+	return -EIO;
+}
+
+static inline int cpu_vmcs_store(u64 *vmcs_pa)
+{
+	int ret =3D -EIO;
+
+	asm volatile("1: vmptrst %0\n\t"
+		     "mov $0, %1\n\t"
+		     "2:\n\t"
+		     _ASM_EXTABLE(1b, 2b)
+		     : "=3Dm" (*vmcs_pa), "+r" (ret) : :);
+
+	if (ret)
+		pr_err_once("vmptrst faulted\n");
+
+	return ret;
+}
+
+#endif
--=20
2.47.1

From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E26F2228CB0;
	Fri, 23 May 2025 09:53:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994010; cv=none;
 b=WvAXeHEjTkaXpeYQHc6biC59bI49E/SJkyfWyWrBTRnRfQyG6mP0pgNBOxfnPv1E4CmQq8weWRhE1qbX+G/ZopheIgTVnm96AVbDm4Z6dg2JRYDncs/pWq64L/zTSY7J8tVmW+8CnY3gT1J8DqEsRYfHfXXur/LgmBcaPleIv9E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994010; c=relaxed/simple;
	bh=sdQjJ6HwjdsvkBELQmptCZa8jJgdqdaQNOVFMbfnneY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=qqZy5SHHzt9EfaVCp4NtkYH03YiP6EPJMGn55nQs1bk81ZR1JqxAx5osgoLbkCAO/zqb1j0owvOChvQt28Em9Nimh+5+68HRkEkWG+Ukv2/n5R34A9gtYXZVfaebJSvdsoL/b0dRjtnAF7lWlsDvWr4+EwHZOUzLAcxS5nq3M6s=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=iQYqhPjo; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="iQYqhPjo"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994009; x=1779530009;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=sdQjJ6HwjdsvkBELQmptCZa8jJgdqdaQNOVFMbfnneY=;
  b=iQYqhPjojiKXtB68meoFPdUQ4gPjsDubMEMsXaNbwhPwSNbXwNbVBRvh
   DHbm9Hatp14aoEaz77lmFxkpo/esOHT2UOJ1I4akzTuW1qimx6v7khuFM
   HDsqb7/3RRPnPOK8CeKEVw6PuxZxpP+5owXTVR/5NQI0xpadAfuhqFLFv
   0ESiylmn6IXfUIxGfh1qMjskVpSpr/Tjm67ZKG1akvF4dMoT0Au171Ued
   mN69hIlcJYTWAxqm7GJrpcyjUhxWQhV1828y2cAn/kUEQxC8m67B2nTcC
   6slrgQ0k8ZpXcyCh/h+oxKN83k2JlHDVkPvE4UH3Y3otoaaY3AonyZciy
   A==;
X-CSE-ConnectionGUID: ycmfmOQlTImhQ/z88Xbfeg==
X-CSE-MsgGUID: bXKqbdg4QN2ZzNFAAoNbiA==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444116"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444116"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:28 -0700
X-CSE-ConnectionGUID: 3TYdgRdgT3asMcfb0LWxmg==
X-CSE-MsgGUID: T62owbfFQjO8aZjqgjhcAA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315044"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:27 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 04/20] x86/virt/tdx: Introduce a "tdx" subsystem and "tsm"
 device
Date: Fri, 23 May 2025 02:52:27 -0700
Message-ID: <20250523095322.88774-5-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

TDX depends on a platform firmware module that is invoked via
instructions similar to vmenter (i.e. enter into a new privileged
"root-mode" context to manage private memory and private device
mechanisms). It is a software construct that depends on the CPU vmxon
state to enable invocation of TDX-module ABIs. Unlike other
Trusted Execution Environment (TEE) platform implementations that employ
a firmware module running on a PCI device with an MMIO mailbox for
communication, TDX has no hardware device to point to as the "TSM".

The "/sys/devices/virtual" hierarchy is intended for "software
constructs which need sysfs interface", which aligns with what TDX
needs.

The new tdx_subsys will export global attributes populated by the
TDX-module "sysinfo". A tdx_tsm device is published on this bus to
enable a typical driver model for the low level "TEE Security Manager"
(TSM) flows that talk TDISP to capable PCIe devices.

For now, this is only the base tdx_subsys and tdx_tsm device
registration with attribute definition and TSM driver to follow later.

Co-developed-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/tdx.c | 75 +++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index b586329dd87d..9719df2f2634 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -28,6 +28,8 @@
 #include <linux/log2.h>
 #include <linux/acpi.h>
 #include <linux/suspend.h>
+#include <linux/device.h>
+#include <linux/cleanup.h>
 #include <linux/idr.h>
 #include <asm/page.h>
 #include <asm/special_insns.h>
@@ -1080,6 +1082,77 @@ static int init_tdmrs(struct tdmr_info_list *tdmr_li=
st)
 	return 0;
 }
=20
+static const struct bus_type tdx_subsys =3D {
+	.name =3D "tdx",
+};
+
+struct tdx_tsm {
+	struct device dev;
+};
+
+static struct tdx_tsm *alloc_tdx_tsm(void)
+{
+	struct tdx_tsm *tsm =3D kzalloc(sizeof(*tsm), GFP_KERNEL);
+	struct device *dev;
+
+	if (!tsm)
+		return ERR_PTR(-ENOMEM);
+
+	dev =3D &tsm->dev;
+	dev->bus =3D &tdx_subsys;
+	device_initialize(dev);
+
+	return tsm;
+}
+
+DEFINE_FREE(tdx_tsm_put, struct tdx_tsm *,
+	    if (!IS_ERR_OR_NULL(_T)) put_device(&_T->dev))
+static struct tdx_tsm *init_tdx_tsm(void)
+{
+	struct device *dev;
+	int ret;
+
+	struct tdx_tsm *tsm __free(tdx_tsm_put) =3D alloc_tdx_tsm();
+	if (IS_ERR(tsm))
+		return tsm;
+
+	dev =3D &tsm->dev;
+	ret =3D dev_set_name(dev, "tdx_tsm");
+	if (ret)
+		return ERR_PTR(ret);
+
+	ret =3D device_add(dev);
+	if (ret)
+		return ERR_PTR(ret);
+
+	return no_free_ptr(tsm);
+}
+
+static void tdx_subsys_init(void)
+{
+	struct tdx_tsm *tdx_tsm;
+	int err;
+
+	/* Establish subsystem for global TDX module attributes */
+	err =3D subsys_virtual_register(&tdx_subsys, NULL);
+	if (err) {
+		pr_err("failed to register tdx_subsys %d\n", err);
+		return;
+	}
+
+	/* Register 'tdx_tsm' for driving optional TDX Connect functionality */
+	tdx_tsm =3D init_tdx_tsm();
+	if (IS_ERR(tdx_tsm)) {
+		pr_err("failed to initialize TSM device (%pe)\n", tdx_tsm);
+		goto err_bus;
+	}
+
+	return;
+
+err_bus:
+	bus_unregister(&tdx_subsys);
+}
+
 static int init_tdx_module(void)
 {
 	int ret;
@@ -1136,6 +1209,8 @@ static int init_tdx_module(void)
=20
 	pr_info("%lu KB allocated for PAMT\n", tdmrs_count_pamt_kb(&tdx_tdmr_list=
));
=20
+	tdx_subsys_init();
+
 out_put_tdxmem:
 	/*
 	 * @tdx_memlist is written here and read at memory hotplug time.
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A87022A811;
	Fri, 23 May 2025 09:53:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994012; cv=none;
 b=kZQIw+4RQDgq9fZSXFC/LjuJs8edPeo0ZZz+sQ3HoBQT5lb1wrytGefkNR2mHLHiD9J/zAkDj3FZP0EDwY9k9baXD9YI0KL3LySRcrgEGBOgUStN41c7L6r4JjlUdz3M/h5c1xk2eBX8A4q84t50Kb0PsIlmXI17jHdnmULUGP4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994012; c=relaxed/simple;
	bh=OibNJt1km/E8jMW2mZIujvgR8XYQKYqW9ezu6qz/Fms=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=XmlbxDM6h58L0g4o3CY2eCD2l3aOEnM/QMyzSBXrvhJS6l4KgI8S7mwt+RLyssk2dKqCZEW5zeGjJ0UpwR8eCTyQaotbxttw4Kb0wQdN6F3F/Y8isPj3Aq7bKxcRAncERpw0bhyleEyYtzX+5YTojTqNKg9yPhhq6k8pg7E7jaU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=F+Wj8gfM; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="F+Wj8gfM"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994011; x=1779530011;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=OibNJt1km/E8jMW2mZIujvgR8XYQKYqW9ezu6qz/Fms=;
  b=F+Wj8gfMfxF3dRVADwtOHinMpTMUen9X3NFWE0GjmDF8447xpv/j9BC2
   WKxUGOJbd+QN1Zi/fu5hqs5syymJELTcio3i0Dd66xOj5drsI5oW3yRBT
   yPgkM6USrkN/M6S6TD+GAojKXtBtzJzACKpa6QUoZyT/jkY9hBfbC+PSr
   LSePfFzAeOewiCfO7wTMoyVOFjj3opx+WkXGybOwWSO1Sq1ULx74Ry4Np
   flNLQCztYp7Rq1kqwy8SCjH61dnnA7/0APRgqbx6dq4x7MKkTnw3AsBWJ
   f08iGE4vwDdzXkqrJuJkId6+mMYohILMwyWDSGz7iEpnWtXvhwjuuy1nH
   w==;
X-CSE-ConnectionGUID: ZilhcLM+T4yNIANJXbXbJw==
X-CSE-MsgGUID: sC7fCO0gRR2YdLEGta2/3w==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444124"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444124"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:31 -0700
X-CSE-ConnectionGUID: LVwKt817Sh+O4MHA8NEgIA==
X-CSE-MsgGUID: VkEOvRNdTJiz7rIPsRTvJg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315052"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:30 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 05/20] x86/virt/tdx: Export tdx module attributes via
 sysfs
Date: Fri, 23 May 2025 02:52:28 -0700
Message-ID: <20250523095322.88774-6-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

TD-Preserving updates depend on a userspace tool to select the appropriate
module to load. To facilitate this decision-making process, expose the
necessary information to userspace.

Expose the current module versions so that userspace can verify
compatibility with new modules. version information is also valuable for
debugging, as knowing the exact module version can help reproduce
TDX-related issues.

Attach the TDX module attributes to the virtual TDX_TSM device, which
represents the TDX module and its features, such as TDX Connect.

Note changes to tdx_global_metadata.{hc} are auto-generated by following
the instructions detailed in [1], after modifying "version" to "versions"
in the TDX_STRUCT of tdx.py to accurately reflect that it is a collection
of versions.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Link: https://lore.kernel.org/kvm/20250226181453.2311849-12-pbonzini@redhat=
.com/ [1]
Tested-by: Sagi Shahar <sagis@google.com>
---
 Documentation/ABI/testing/sysfs-devices-tdx |  8 ++++++++
 MAINTAINERS                                 |  1 +
 arch/x86/include/asm/tdx_global_metadata.h  |  7 +++++++
 arch/x86/virt/vmx/tdx/tdx.c                 | 19 +++++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx_global_metadata.c | 16 ++++++++++++++++
 5 files changed, 51 insertions(+)
 create mode 100644 Documentation/ABI/testing/sysfs-devices-tdx

diff --git a/Documentation/ABI/testing/sysfs-devices-tdx b/Documentation/AB=
I/testing/sysfs-devices-tdx
new file mode 100644
index 000000000000..ccbe6431241e
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-devices-tdx
@@ -0,0 +1,8 @@
+What:		/sys/devices/virtual/tdx/tdx_tsm/version
+Date:		March 2025
+KernelVersion:	v6.15
+Contact:	linux-coco@lists.linux.dev
+Description:	(RO) Report the version of the loaded TDX module. The TDX mod=
ule
+		version is formatted as x.y.z, where "x" is the major version,
+		"y" is the minor version and "z" is the update version. Versions
+		are used for bug reporting, TD-Preserving updates and etc.
diff --git a/MAINTAINERS b/MAINTAINERS
index c59316109e3f..0d58256c765b 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -26227,6 +26227,7 @@ L:	x86@kernel.org
 L:	linux-coco@lists.linux.dev
 S:	Supported
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git x86/tdx
+F:	Documentation/ABI/testing/sysfs-devices-tdx
 F:	arch/x86/boot/compressed/tdx*
 F:	arch/x86/coco/tdx/
 F:	arch/x86/include/asm/shared/tdx.h
diff --git a/arch/x86/include/asm/tdx_global_metadata.h b/arch/x86/include/=
asm/tdx_global_metadata.h
index 060a2ad744bf..ce0370f4a5b9 100644
--- a/arch/x86/include/asm/tdx_global_metadata.h
+++ b/arch/x86/include/asm/tdx_global_metadata.h
@@ -5,6 +5,12 @@
=20
 #include <linux/types.h>
=20
+struct tdx_sys_info_versions {
+	u16 minor_version;
+	u16 major_version;
+	u16 update_version;
+};
+
 struct tdx_sys_info_features {
 	u64 tdx_features0;
 };
@@ -35,6 +41,7 @@ struct tdx_sys_info_td_conf {
 };
=20
 struct tdx_sys_info {
+	struct tdx_sys_info_versions versions;
 	struct tdx_sys_info_features features;
 	struct tdx_sys_info_tdmr tdmr;
 	struct tdx_sys_info_td_ctrl td_ctrl;
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 9719df2f2634..5f1f463ddfe1 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1090,6 +1090,24 @@ struct tdx_tsm {
 	struct device dev;
 };
=20
+static ssize_t version_show(struct device *dev, struct device_attribute *a=
ttr,
+			    char *buf)
+{
+	const struct tdx_sys_info_versions *v =3D &tdx_sysinfo.versions;
+
+	return sysfs_emit(buf, "%u.%u.%u\n", v->major_version,
+					     v->minor_version,
+					     v->update_version);
+}
+
+static DEVICE_ATTR_RO(version);
+
+static struct attribute *tdx_module_attrs[] =3D {
+	&dev_attr_version.attr,
+	NULL,
+};
+ATTRIBUTE_GROUPS(tdx_module);
+
 static struct tdx_tsm *alloc_tdx_tsm(void)
 {
 	struct tdx_tsm *tsm =3D kzalloc(sizeof(*tsm), GFP_KERNEL);
@@ -1117,6 +1135,7 @@ static struct tdx_tsm *init_tdx_tsm(void)
 		return tsm;
=20
 	dev =3D &tsm->dev;
+	dev->groups =3D tdx_module_groups;
 	ret =3D dev_set_name(dev, "tdx_tsm");
 	if (ret)
 		return ERR_PTR(ret);
diff --git a/arch/x86/virt/vmx/tdx/tdx_global_metadata.c b/arch/x86/virt/vm=
x/tdx/tdx_global_metadata.c
index 13ad2663488b..088e5bff4025 100644
--- a/arch/x86/virt/vmx/tdx/tdx_global_metadata.c
+++ b/arch/x86/virt/vmx/tdx/tdx_global_metadata.c
@@ -7,6 +7,21 @@
  * Include this file to other C file instead.
  */
=20
+static int get_tdx_sys_info_versions(struct tdx_sys_info_versions *sysinfo=
_versions)
+{
+	int ret =3D 0;
+	u64 val;
+
+	if (!ret && !(ret =3D read_sys_metadata_field(0x0800000100000003, &val)))
+		sysinfo_versions->minor_version =3D val;
+	if (!ret && !(ret =3D read_sys_metadata_field(0x0800000100000004, &val)))
+		sysinfo_versions->major_version =3D val;
+	if (!ret && !(ret =3D read_sys_metadata_field(0x0800000100000005, &val)))
+		sysinfo_versions->update_version =3D val;
+
+	return ret;
+}
+
 static int get_tdx_sys_info_features(struct tdx_sys_info_features *sysinfo=
_features)
 {
 	int ret =3D 0;
@@ -89,6 +104,7 @@ static int get_tdx_sys_info(struct tdx_sys_info *sysinfo)
 {
 	int ret =3D 0;
=20
+	ret =3D ret ?: get_tdx_sys_info_versions(&sysinfo->versions);
 	ret =3D ret ?: get_tdx_sys_info_features(&sysinfo->features);
 	ret =3D ret ?: get_tdx_sys_info_tdmr(&sysinfo->tdmr);
 	ret =3D ret ?: get_tdx_sys_info_td_ctrl(&sysinfo->td_ctrl);
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9418D226D08;
	Fri, 23 May 2025 09:53:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994029; cv=none;
 b=iNasifbLtHfArCXxmk/0Tud30RrAAe8b6sHdt6xkw7B8QJaS9zuMBYHQ/zQ/p2Z+8A0BqgkUUwqlQmpADlYXCZ7PYzPHGvMlqHVTDkXAHtnRUf4hY6SwXahZT0tN2+jAvarZu3U/3kHFWPSdwAGrqmbjSHBWa/0hJtKhoShfWHw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994029; c=relaxed/simple;
	bh=1m8EIlm1cRb4xIyW10yQKIUYeauJTU6kBjI91qIj5dw=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=XGau7tPibgPPcuQUvame5SNismk+lqwbQNdBNdKsvwU9oFZPvjpXKn/TJTzmdhCNOwRBpEu6t0uYyDlAczSbpeZwS/sHt9YV2wM6CxYOKQ20cnhpTug1vKeC2a71B7v9Va71epzOyjipnTnFnBOfYt1aVggepqybzyMC5rjwUnA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=lU5B3ALj; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="lU5B3ALj"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994027; x=1779530027;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=1m8EIlm1cRb4xIyW10yQKIUYeauJTU6kBjI91qIj5dw=;
  b=lU5B3ALjAQzndRLofJjb2S5wgsJ9LzExfKR5JHcD7dXD+sVVk4tt6dHJ
   EhKYJyv6e+13VBZaYBolled4FkmMbd6Cc6UocjFNVCmyp6GJT1pTSOy2u
   q0gBnGu8TBz9pLRVmcxq7MNUKDfl5K07UvYPDWjn4uxh0dfJSw1O4f/cO
   X0BVYUG1UsFho+rW/u4VwuYWYWKM5IplUYUsvSrQGv2vjFDhRX+lWWt+C
   2i/0wnk9CIk0f5Ob/BRD29GhZfzNukQGkZ1oSOzOCdIt2YB7WfTw2gTK0
   OIwelavs9MLUHKVtwp6SkV/4xWyjsEEcYsVJPfRM6d6mhrkybfoUd9Qyy
   w==;
X-CSE-ConnectionGUID: NOuA4EceS/KyAZBfoGL7Jg==
X-CSE-MsgGUID: NTprloCFRaKgYVEHQlJYRw==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444141"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444141"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:47 -0700
X-CSE-ConnectionGUID: VqDtvH2ERuu8+4xtxItzog==
X-CSE-MsgGUID: s7KpNDfuQXeJ235mYDcYCQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315057"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:46 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 06/20] x86/virt/seamldr: Add a helper to read P-SEAMLDR
 information
Date: Fri, 23 May 2025 02:52:29 -0700
Message-ID: <20250523095322.88774-7-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a helper function to retrieve P-SEAMLDR information, including its
version and features, using the dedicated P_SEAMLDR_INFO API. This is in
preparation for exposing this information to userspace. Userspace will
utilize the version number to verify the compatibility of TDX modules
with the P-SEAMLDR

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index a252f1ae3483..c2771323729c 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -11,7 +11,26 @@
 #include "tdx.h"
 #include "../vmx.h"
=20
-static __maybe_unused int seamldr_call(u64 fn, struct tdx_module_args *arg=
s)
+ /* P-SEAMLDR SEAMCALL leaf function */
+#define P_SEAMLDR_INFO			0x8000000000000000
+
+struct seamldr_info {
+	u32	version;
+	u32	attributes;
+	u32	vendor_id;
+	u32	build_date;
+	u16	build_num;
+	u16	minor_version;
+	u16	major_version;
+	u16	update_version;
+	u8	reserved0[4];
+	u32	num_remaining_updates;
+	u8	reserved1[224];
+} __packed;
+
+static struct seamldr_info seamldr_info __aligned(256);
+
+static inline int seamldr_call(u64 fn, struct tdx_module_args *args)
 {
 	u64 vmcs;
 	int ret;
@@ -42,3 +61,10 @@ static __maybe_unused int seamldr_call(u64 fn, struct td=
x_module_args *args)
=20
 	return ret;
 }
+
+static __maybe_unused int get_seamldr_info(void)
+{
+	struct tdx_module_args args =3D { .rcx =3D __pa(&seamldr_info) };
+
+	return seamldr_call(P_SEAMLDR_INFO, &args);
+}
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 039AA226D09;
	Fri, 23 May 2025 09:53:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994030; cv=none;
 b=SZZpPqq3UNRnxbNvYmlI5P4lfZFOLvr/+0v0n45yXLqIdupolLeZPoNi526TWnuEBvUOm3pMMjlLgJawc97z7ltTj8e5drsSWuzwoaFNPrDF5Y+VczlrfODGqRnJSPAtikyLuqviBNUAjATQB0jU5T73mCi/O9364lmoI8jkxcE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994030; c=relaxed/simple;
	bh=NvUaccfrS6dx/m6gucgj+rwlO2P8Wn4egKozBJswo34=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=Bkf4/GU7KKnqssdyncQHwui+4TfzMkEDhRntIdw5IOwGXglPa6FsBLeaHKMEbf+vAJ8NAmI19yPRjH08hWdFAj6yzpqEmIJVo7xmu4nOM8AHsxP8vjcDR9IejCjpQyh0Ukm8KslBd6ClMCfuCe2RcnOL7Gh76YE18txmfFcYOEE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=UZ2SjnOc; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="UZ2SjnOc"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994029; x=1779530029;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=NvUaccfrS6dx/m6gucgj+rwlO2P8Wn4egKozBJswo34=;
  b=UZ2SjnOcNJlf2iArFQr/NT7/tMCqsCCLWIL3PA4psfp3daiWv3uW33S6
   TIPZFB1q5Jf45WDi0M1WSkIxKMZ0fzyxjnXsf5nVA5IasrEMWCX8Fr/EX
   i6q235Fql2QBKwXtwpjbUaeRpln87lS2I8tThRl6jcXcFXmTWAUb/23QO
   0q5eQP2Jt1NlDL/d6vTzFNgrhFHbaGhpMbF7obQVnvTNm4dMex2MvaMVI
   QwQvbZCu9y6jnA6Y//DN/TjJjYqL+xZgPqxEmP+QbZLMzUSguPxlzh6Sv
   VVLu/n4XrmgNf+m3AEFKYbQ3ZDmKpoNQ2bw619h3O/kSqzgmN8oD3vCPg
   g==;
X-CSE-ConnectionGUID: NkAwxUP8TS+vqJNiIi63cQ==
X-CSE-MsgGUID: CZInTG8nSwucUXgeyhTpFg==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444149"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444149"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:48 -0700
X-CSE-ConnectionGUID: bDhdZuShQu2zr4sJq9ODrw==
X-CSE-MsgGUID: dUuUCjkTQhK1afh/t5erkA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315060"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:47 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 07/20] x86/virt/tdx: Expose SEAMLDR information via sysfs
Date: Fri, 23 May 2025 02:52:30 -0700
Message-ID: <20250523095322.88774-8-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

TD-Preserving updates depend on a userspace tool to select the appropriate
module to load. To facilitate this decision-making process, expose the
necessary information to userspace.

SEAMLDR version information can be used for compatibility check and
num_remaining_updates indicates how many updates can still be performed.

SEAMLDR serves as the foundation of TDX, as it is responsible for loading
the TDX module and, in other words, enabling the entire TDX system.
Therefore, attach its attributes to the root device of the new TDX virtual
subsystem.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 Documentation/ABI/testing/sysfs-devices-tdx | 24 ++++++++++++++
 arch/x86/virt/vmx/tdx/seamldr.c             | 35 ++++++++++++++++++++-
 arch/x86/virt/vmx/tdx/seamldr.h             | 14 +++++++++
 arch/x86/virt/vmx/tdx/tdx.c                 | 14 ++++++++-
 4 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 arch/x86/virt/vmx/tdx/seamldr.h

diff --git a/Documentation/ABI/testing/sysfs-devices-tdx b/Documentation/AB=
I/testing/sysfs-devices-tdx
index ccbe6431241e..112f0738253b 100644
--- a/Documentation/ABI/testing/sysfs-devices-tdx
+++ b/Documentation/ABI/testing/sysfs-devices-tdx
@@ -6,3 +6,27 @@ Description:	(RO) Report the version of the loaded TDX mod=
ule. The TDX module
 		version is formatted as x.y.z, where "x" is the major version,
 		"y" is the minor version and "z" is the update version. Versions
 		are used for bug reporting, TD-Preserving updates and etc.
+
+What:		/sys/devices/virtual/tdx/seamldr/version
+Date:		March 2025
+KernelVersion:	v6.15
+Contact:	linux-coco@lists.linux.dev
+Description:	(RO) Reports the version of the loaded SEAM loader. The SEAM
+		loader version is formatted as x.y.z, where "x" is the major
+		version, "y" is the minor version and "z" is the update version.
+		Versions are used for bug reporting and compatibility check.
+
+What:		/sys/devices/virtual/tdx/seamldr/num_remaining_updates
+Date:		March 2025
+KernelVersion:	v6.15
+Contact:	linux-coco@lists.linux.dev
+Description:	(RO) Reports the number of remaining updates that can be
+		performed via TD-Preserving updates. It is always zero if
+		SEAMLDR doesn't TD-Preserving updates. Otherwise, it is an
+		arch-specific value after bootup. This value decreases by one
+		after each successful TD-Preserving update. Once it reaches
+		zero, further TD-Preserving updates will fail until next reboot.
+
+		See Intel=C2=AE Trust Domain Extensions - SEAM Loader (SEAMLDR)
+		Interface Specification Chapter 3.3 "SEAMLDR_INFO" and Chapter
+		4.2 "SEAMLDR.INSTALL" for more information.
diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index c2771323729c..b628555daf55 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -7,9 +7,13 @@
 #define pr_fmt(fmt)	"seamldr: " fmt
=20
 #include <linux/cleanup.h>
+#include <linux/device.h>
+#include <linux/kobject.h>
+#include <linux/sysfs.h>
=20
 #include "tdx.h"
 #include "../vmx.h"
+#include "seamldr.h"
=20
  /* P-SEAMLDR SEAMCALL leaf function */
 #define P_SEAMLDR_INFO			0x8000000000000000
@@ -62,7 +66,36 @@ static inline int seamldr_call(u64 fn, struct tdx_module=
_args *args)
 	return ret;
 }
=20
-static __maybe_unused int get_seamldr_info(void)
+static ssize_t version_show(struct device *dev, struct device_attribute *a=
ttr,
+			    char *buf)
+{
+	return sysfs_emit(buf, "%u.%u.%u\n", seamldr_info.major_version,
+					     seamldr_info.minor_version,
+					     seamldr_info.update_version);
+}
+
+static ssize_t num_remaining_updates_show(struct device *dev,
+					  struct device_attribute *attr,
+					  char *buf)
+{
+	return sysfs_emit(buf, "%u\n", seamldr_info.num_remaining_updates);
+}
+
+static DEVICE_ATTR_RO(version);
+static DEVICE_ATTR_RO(num_remaining_updates);
+
+static struct attribute *seamldr_attrs[] =3D {
+	&dev_attr_version.attr,
+	&dev_attr_num_remaining_updates.attr,
+	NULL,
+};
+
+struct attribute_group seamldr_group =3D {
+	.name =3D "seamldr",
+	.attrs =3D seamldr_attrs,
+};
+
+int get_seamldr_info(void)
 {
 	struct tdx_module_args args =3D { .rcx =3D __pa(&seamldr_info) };
=20
diff --git a/arch/x86/virt/vmx/tdx/seamldr.h b/arch/x86/virt/vmx/tdx/seamld=
r.h
new file mode 100644
index 000000000000..15597cb5036d
--- /dev/null
+++ b/arch/x86/virt/vmx/tdx/seamldr.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _X86_VIRT_VMX_TDX_SEAMLDR_H
+#define _X86_VIRT_VMX_TDX_SEAMLDR_H
+
+#ifdef CONFIG_INTEL_TDX_MODULE_UPDATE
+extern struct attribute_group seamldr_group;
+#define SEAMLDR_GROUP (&seamldr_group)
+int get_seamldr_info(void);
+#else
+#define SEAMLDR_GROUP NULL
+static inline int get_seamldr_info(void) { return 0; }
+#endif
+
+#endif
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 5f1f463ddfe1..aa6a23d46494 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -41,6 +41,7 @@
 #include <asm/processor.h>
 #include <asm/mce.h>
 #include "tdx.h"
+#include "seamldr.h"
=20
 static u32 tdx_global_keyid __ro_after_init;
 static u32 tdx_guest_keyid_start __ro_after_init;
@@ -1147,13 +1148,24 @@ static struct tdx_tsm *init_tdx_tsm(void)
 	return no_free_ptr(tsm);
 }
=20
+static const struct attribute_group *tdx_subsys_groups[] =3D {
+	SEAMLDR_GROUP,
+	NULL,
+};
+
 static void tdx_subsys_init(void)
 {
 	struct tdx_tsm *tdx_tsm;
 	int err;
=20
+	err =3D get_seamldr_info();
+	if (err) {
+		pr_err("failed to get seamldr info %d\n", err);
+		return;
+	}
+
 	/* Establish subsystem for global TDX module attributes */
-	err =3D subsys_virtual_register(&tdx_subsys, NULL);
+	err =3D subsys_virtual_register(&tdx_subsys, tdx_subsys_groups);
 	if (err) {
 		pr_err("failed to register tdx_subsys %d\n", err);
 		return;
--=20
2.47.1

From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AAA2227581;
	Fri, 23 May 2025 09:53:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994031; cv=none;
 b=qEV5rpOCALLR8eX0gbrYuHKh/mQM40DLumZZuEiczxPt6RDbvqF9jFd0fmxyjBPd8aDLDMDXi03JYbiK3aRamH6EWURDw/W2LRB7TnXLQf7M3jR7U1C0bymse6q9GwXtFhP1YEoKPKmrFPajuRNevLIV7tgl1F7AI8dqQ5krifA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994031; c=relaxed/simple;
	bh=pqs2fT0FExKmtK8ExkzV11HkOUb8WOY0k/NicrtCV3A=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=KdhFCfUfYK0aLFJ5sO2IzxOs4E3f8bQYEurLkj1Q/Ky0s6WOU3JyA3NMMq1KJvWowKGvIAUkt0h8tAW1PK3fykB/imdtD57+2ZSojjGIg4lEkaRKYN+oUn1R1lbl7zcBP0Z9zvyGmDZ7Q2uhi3GYxcDmUIsu0SusNqe4hjQOf5I=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=f0gmSpKF; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="f0gmSpKF"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994029; x=1779530029;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=pqs2fT0FExKmtK8ExkzV11HkOUb8WOY0k/NicrtCV3A=;
  b=f0gmSpKFYboUMvCa5JJ9O70T3nIiKqowpA80LTtLJ96tmINWLogkuthU
   szDcaaAJBXfvsKsMY1N2bslidCLUL+8Mi67ylAuY8Q5/ZC4u72/Ja/Hcv
   0HdJofwFHjxzZwNqXpkKyUT/mXjfmcUwCzcRiutY4Fzaig+XZNRaxRfgQ
   mTyPCG/atsMyu/HDu1b17mcE/qwlobFwLSw7pPJyOx2F5jDRVsl15awGY
   3OJDGs1RD79Chu+w3J2UcjlVPYtWXe/ilz3rnM0L2l8JCOOoLfKVTUZ9h
   bRyBS8R6ilj3sp9CjWqATUj3KQ5ijhAMNb3LUDJ6cNBdOD8XiYgiK8gon
   Q==;
X-CSE-ConnectionGUID: mFrt7oR4RyWC8/WLXUh+ZQ==
X-CSE-MsgGUID: N7Get2sIQxGpo+d11VwsgQ==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444160"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444160"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:49 -0700
X-CSE-ConnectionGUID: 3n44T+BMTJGu4lMSXb3TpA==
X-CSE-MsgGUID: g1cW/pqGRRepyiH7XwWPRQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315063"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:48 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 08/20] x86/virt/seamldr: Implement FW_UPLOAD sysfs ABI for
 TD-Preserving Updates
Date: Fri, 23 May 2025 02:52:31 -0700
Message-ID: <20250523095322.88774-9-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Implement a fw_upload interface to coordinate TD-Preserving updates. The
explicit file selection capabilities of fw_upload is preferred over the
implicit file selection of request_firmware() for the following reasons:

a. Intel distributes all versions of the TDX module, allowing admins to
load any version rather than always defaulting to the latest. This
flexibility is necessary because future extensions may require reverting to
a previous version to clear fatal errors.

b. Some module version series are platform-specific. For example, the 1.5.x
series is for certain platform generations, while the 2.0.x series is
intended for others.

c. The update policy for TD-Preserving is non-linear at times. The latest
TDX module may not be TD-Preserving capable. For example, TDX module
1.5.x may be updated to 1.5.y but not to 1.5.y+1. This policy is documented
separately in a file released along with each TDX module release.

So, the default policy of "request_firmware()" of "always load latest", is
not suitable for TDX. Userspace needs to deploy a more sophisticated policy
check (i.e. latest may not be TD-Preserving capable), and there is
potential operator choice to consider.

Just have userspace pick rather than add kernel mechanism to change the
default policy of request_firmware().

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/Kconfig                |  2 +
 arch/x86/virt/vmx/tdx/seamldr.c | 77 +++++++++++++++++++++++++++++++++
 arch/x86/virt/vmx/tdx/seamldr.h |  2 +
 arch/x86/virt/vmx/tdx/tdx.c     |  4 ++
 4 files changed, 85 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 8b1e0986b7f8..31385104a6ee 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1935,6 +1935,8 @@ config INTEL_TDX_HOST
 config INTEL_TDX_MODULE_UPDATE
 	bool "Intel TDX module runtime update"
 	depends on INTEL_TDX_HOST
+	select FW_LOADER
+	select FW_UPLOAD
 	help
 	  This enables the kernel to support TDX module runtime update. This allo=
ws
 	  the admin to upgrade the TDX module to a newer one without the need to
diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index b628555daf55..da862e71ebce 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -8,6 +8,8 @@
=20
 #include <linux/cleanup.h>
 #include <linux/device.h>
+#include <linux/firmware.h>
+#include <linux/gfp.h>
 #include <linux/kobject.h>
 #include <linux/sysfs.h>
=20
@@ -32,6 +34,15 @@ struct seamldr_info {
 	u8	reserved1[224];
 } __packed;
=20
+
+#define TDX_FW_STATE_BITS	32
+#define TDX_FW_CANCEL		0
+struct tdx_status {
+	DECLARE_BITMAP(fw_state, TDX_FW_STATE_BITS);
+};
+
+struct fw_upload *tdx_fwl;
+static struct tdx_status tdx_status;
 static struct seamldr_info seamldr_info __aligned(256);
=20
 static inline int seamldr_call(u64 fn, struct tdx_module_args *args)
@@ -101,3 +112,69 @@ int get_seamldr_info(void)
=20
 	return seamldr_call(P_SEAMLDR_INFO, &args);
 }
+
+static int seamldr_install_module(const u8 *data, u32 size)
+{
+	return -EOPNOTSUPP;
+}
+
+static enum fw_upload_err tdx_fw_prepare(struct fw_upload *fwl,
+					 const u8 *data, u32 size)
+{
+	struct tdx_status *status =3D fwl->dd_handle;
+
+	if (test_and_clear_bit(TDX_FW_CANCEL, status->fw_state))
+		return FW_UPLOAD_ERR_CANCELED;
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err tdx_fw_write(struct fw_upload *fwl, const u8 *da=
ta,
+				       u32 offset, u32 size, u32 *written)
+{
+	struct tdx_status *status =3D fwl->dd_handle;
+
+	if (test_and_clear_bit(TDX_FW_CANCEL, status->fw_state))
+		return FW_UPLOAD_ERR_CANCELED;
+
+	/*
+	 * No partial write will be returned to callers so @offset should
+	 * always be zero.
+	 */
+	WARN_ON_ONCE(offset);
+	if (seamldr_install_module(data, size))
+		return FW_UPLOAD_ERR_FW_INVALID;
+
+	*written =3D size;
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err tdx_fw_poll_complete(struct fw_upload *fwl)
+{
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static void tdx_fw_cancel(struct fw_upload *fwl)
+{
+	struct tdx_status *status =3D fwl->dd_handle;
+
+	set_bit(TDX_FW_CANCEL, status->fw_state);
+}
+
+static const struct fw_upload_ops tdx_fw_ops =3D {
+	.prepare =3D tdx_fw_prepare,
+	.write =3D tdx_fw_write,
+	.poll_complete =3D tdx_fw_poll_complete,
+	.cancel =3D tdx_fw_cancel,
+};
+
+void seamldr_init(struct device *dev)
+{
+	int ret;
+
+	tdx_fwl =3D firmware_upload_register(THIS_MODULE, dev, "seamldr_upload",
+					   &tdx_fw_ops, &tdx_status);
+	ret =3D PTR_ERR_OR_ZERO(tdx_fwl);
+	if (ret)
+		pr_err("failed to register module uploader %d\n", ret);
+}
diff --git a/arch/x86/virt/vmx/tdx/seamldr.h b/arch/x86/virt/vmx/tdx/seamld=
r.h
index 15597cb5036d..00fa3a4e9155 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.h
+++ b/arch/x86/virt/vmx/tdx/seamldr.h
@@ -6,9 +6,11 @@
 extern struct attribute_group seamldr_group;
 #define SEAMLDR_GROUP (&seamldr_group)
 int get_seamldr_info(void);
+void seamldr_init(struct device *dev);
 #else
 #define SEAMLDR_GROUP NULL
 static inline int get_seamldr_info(void) { return 0; }
+static inline void seamldr_init(struct device *dev) { }
 #endif
=20
 #endif
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index aa6a23d46494..22ffc15b4299 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1178,6 +1178,10 @@ static void tdx_subsys_init(void)
 		goto err_bus;
 	}
=20
+	struct device *dev_root __free(put_device) =3D bus_get_dev_root(&tdx_subs=
ys);
+	if (dev_root)
+		seamldr_init(dev_root);
+
 	return;
=20
 err_bus:
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3AD24227E90;
	Fri, 23 May 2025 09:53:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994032; cv=none;
 b=Q1aYO0VxmmXqOIAs+JNmUTEkkO9IrESq2VS5Y1ZBQT/yLCZjvvd9JNElB67TK0aXDCwk7VStqcK2zFzjP/SPtPID4WOMH1H4eXomloyV6TpS6dzDWe5vP8b7NZZmNGIz+AdIoGdO1c1HtWlF8O18kSJwLpHnSa5sHe12gWRZawI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994032; c=relaxed/simple;
	bh=Spqzi2KhiF3DQTRtzBKxSzFtvQ3Feg6dLSx3tvfEMAI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=pbtvTnhZfVIklVJuw5dJLnC8n+e3rY/W5plqZyYGPSrk40Los5UxUbY1Rjl/XHnBZWcAu9nyCyRL7POqyQZJjeA4OXZ3h9O0DE7F10CzbJhr3LKwf953C2WGr9jLab5XcYxRXQ3LnT9JILqWwS0PzVwuVVUdgusZJ2PJYuQC3Dc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=iZouhb1p; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="iZouhb1p"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994030; x=1779530030;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=Spqzi2KhiF3DQTRtzBKxSzFtvQ3Feg6dLSx3tvfEMAI=;
  b=iZouhb1p3fvWViX0hx0mO/cGr9txaSqFXoFuLSeH7OUz6K1GwaQMvrqX
   Z/t8rqzKo1SzRspBHxp9VqEZLkAwxfiitUNC91tgCaLLSCSddJVdEdkur
   Pa1Ne7DgAoxKoiflfKe7QF1r33SBO82XTpiFxDOY+VurLkg2XWs2EGX1h
   qqiSrQ2ctssk1o8I0NQGWFEGADP0yH+EX5MWaI1plP/x26iesTPinEv3e
   6RzbQ0YQmp+cVjx1g7gK6yPvq7L+v6pvumCh2tlg9DOAzgyfz5o+l4/L0
   /WlZMDiW51ecl4it3dxjMETTVhyr4blQfnJSEknZDrczgTcndshx1M5F7
   g==;
X-CSE-ConnectionGUID: m7RbaU72SmCtLcYHWqjUDg==
X-CSE-MsgGUID: MXvupeUZTziGG6vWWgzdww==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444170"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444170"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:50 -0700
X-CSE-ConnectionGUID: FkLnFggBRtKp8ClMlrJKdg==
X-CSE-MsgGUID: fEsTitUIQwuXbeMR3EFv5A==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315066"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:49 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 09/20] x86/virt/seamldr: Allocate and populate a module
 update request
Date: Fri, 23 May 2025 02:52:32 -0700
Message-ID: <20250523095322.88774-10-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Allocate and populate a module update request, i.e., struct seamldr_params,
as defined in "SEAM Loader (SEAMLDR) Interface Specification" [1],
Revision 343755-004, Section 3.2.

struct seamldr_params includes a module binary, a sigstruct file, and an
update scenario. Parse the bitstream format, as defined by Intel, to
extract the binary and the sigstruct.

Currently, only the "UPDATE" scenario is supported.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Link: https://cdrdv2.intel.com/v1/dl/getContent/733584 [1]
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 145 +++++++++++++++++++++++++++++++-
 1 file changed, 144 insertions(+), 1 deletion(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index da862e71ebce..cdf85dff6d69 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -11,6 +11,8 @@
 #include <linux/firmware.h>
 #include <linux/gfp.h>
 #include <linux/kobject.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
 #include <linux/sysfs.h>
=20
 #include "tdx.h"
@@ -41,6 +43,26 @@ struct tdx_status {
 	DECLARE_BITMAP(fw_state, TDX_FW_STATE_BITS);
 };
=20
+/* SEAMLDR can accept up to 496 4KB pages for TDX module binary */
+#define SEAMLDR_MAX_NR_MODULE_4KB_PAGES	496
+
+/* scenario field in struct seamldr_params */
+#define SEAMLDR_SCENARIO_UPDATE		1
+
+/*
+ * Passed to P-SEAMLDR to describe information about the TDX module to ins=
tall.
+ * Defined in "SEAM Loader (SEAMLDR) Interface Specification", Revision
+ * 343755-003, Section 3.2.
+ */
+struct seamldr_params {
+	u32	version;
+	u32	scenario;
+	u64	sigstruct_pa;
+	u8	reserved[104];
+	u64	num_module_pages;
+	u64	mod_pages_pa_list[SEAMLDR_MAX_NR_MODULE_4KB_PAGES];
+} __packed;
+
 struct fw_upload *tdx_fwl;
 static struct tdx_status tdx_status;
 static struct seamldr_info seamldr_info __aligned(256);
@@ -113,9 +135,130 @@ int get_seamldr_info(void)
 	return seamldr_call(P_SEAMLDR_INFO, &args);
 }
=20
+static void free_seamldr_params(struct seamldr_params *params)
+{
+	free_page((unsigned long)params);
+}
+
+/* Allocate and populate a seamldr_params */
+static struct seamldr_params *alloc_seamldr_params(const void *module, int=
 module_size,
+						   const void *sig, int sig_size)
+{
+	struct seamldr_params *params;
+	const u8 *ptr;
+	int i;
+
+	BUILD_BUG_ON(sizeof(struct seamldr_params) !=3D SZ_4K);
+	if (module_size > SEAMLDR_MAX_NR_MODULE_4KB_PAGES * SZ_4K)
+		return ERR_PTR(-EINVAL);
+
+	/* current seamldr_params accepts one 4KB-page for sigstruct */
+	if (sig_size !=3D SZ_4K)
+		return ERR_PTR(-EINVAL);
+
+	params =3D (struct seamldr_params *)get_zeroed_page(GFP_KERNEL);
+	if (!params)
+		return ERR_PTR(-ENOMEM);
+
+	params->scenario =3D SEAMLDR_SCENARIO_UPDATE;
+	params->sigstruct_pa =3D (vmalloc_to_pfn(sig) << PAGE_SHIFT) +
+			       ((unsigned long)sig & ~PAGE_MASK);
+	params->num_module_pages =3D DIV_ROUND_UP(module_size, SZ_4K);
+
+	ptr =3D module;
+	for (i =3D 0; i < params->num_module_pages; i++) {
+		params->mod_pages_pa_list[i] =3D (vmalloc_to_pfn(ptr) << PAGE_SHIFT) +
+					       ((unsigned long)ptr & ~PAGE_MASK);
+		ptr +=3D SZ_4K;
+	}
+
+	return params;
+}
+
+struct tdx_blob {
+	u16	version;
+	u16	checksum;
+	u32	offset_of_module;
+	u8	signature[8];
+	u32	len;
+	u32	resv1;
+	u64	resv2[509];
+	u8	data[];
+} __packed;
+
+/* Verify that the checksum of the entire blob is zero */
+static bool verify_checksum(const struct tdx_blob *blob)
+{
+	u32 size =3D blob->len;
+	u16 checksum =3D 0;
+	const u16 *p;
+	int i;
+
+	/* Handle the last byte if the size is odd */
+	if (size % 2) {
+		checksum +=3D *((const u8 *)blob + size - 1);
+		size--;
+	}
+
+	p =3D (const u16 *)blob;
+	for (i =3D 0; i < size; i +=3D 2) {
+		checksum +=3D *p;
+		p++;
+	}
+
+	return !checksum;
+}
+
+static struct seamldr_params *init_seamldr_params(const u8 *data, u32 size)
+{
+	const struct tdx_blob *blob =3D (const void *)data;
+	const void *sig, *module;
+	int module_size, sig_size;
+
+	/* Split the given blob into a sigstruct and a module */
+	sig =3D blob->data;
+	sig_size =3D blob->offset_of_module - sizeof(struct tdx_blob);
+	module =3D data + blob->offset_of_module;
+	module_size =3D size - blob->offset_of_module;
+
+	if (sig_size <=3D 0 || module_size <=3D 0 || blob->len !=3D size)
+		return ERR_PTR(-EINVAL);
+
+	if (memcmp(blob->signature, "TDX-BLOB", 8)) {
+		pr_err("invalid signature\n");
+		return ERR_PTR(-EINVAL);
+	}
+
+	if (!verify_checksum(blob)) {
+		pr_err("invalid checksum\n");
+		return ERR_PTR(-EINVAL);
+	}
+
+	return alloc_seamldr_params(module, module_size, sig, sig_size);
+}
+
+/*
+ * Temporary flag to guard TD-Preserving updates. This will be removed once
+ * all necessary components for its support are integrated.
+ */
+static bool td_preserving_ready;
+
+DEFINE_FREE(free_seamldr_params, struct seamldr_params *,
+	    if (!IS_ERR_OR_NULL(_T)) free_seamldr_params(_T))
+
 static int seamldr_install_module(const u8 *data, u32 size)
 {
-	return -EOPNOTSUPP;
+	if (!td_preserving_ready)
+		return -EOPNOTSUPP;
+
+	struct seamldr_params *params __free(free_seamldr_params) =3D
+						init_seamldr_params(data, size);
+	if (IS_ERR(params))
+		return PTR_ERR(params);
+
+	/* TODO: Install and initialize the new TDX module */
+
+	return 0;
 }
=20
 static enum fw_upload_err tdx_fw_prepare(struct fw_upload *fwl,
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D54A5227EA4;
	Fri, 23 May 2025 09:53:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994032; cv=none;
 b=DjbMTRkRPODO3obp3SwGU5HqXbiqqAY2SqkgiMIMTJGUkaYA1wdHHvcSiVGEmLWteRP8EJjwXSkqQ7NW+Fvs3PrEvPyRAGFioB7QQZ3l0VpYIPTrJpnzg7RBSUJDP7+gO0V7lhNE5ZSml4DDaxYVJ/CFQepsCFCy54s2NKGzG/Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994032; c=relaxed/simple;
	bh=rDHJEMn78FhgXJR8YNVixNZDLTo+19F3bcivnngaor4=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=EtBt9Q1m8F7lTRbf9DyvZsNxFWMi3kgEcENr1Yi+Fuybe46Y2dE8sgJR95izFfw6z3BXH5kAlRU4E1CMZGAkEhDQ1BvAIMS5fww12bV4X8zJrnBp0v9/I5QBu3uswyg5CY8j+hhAHpJqCQY0Dn/7K83BY+K2TwFltJOuVGYe8D8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=Gwl/jjbi; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="Gwl/jjbi"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994031; x=1779530031;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=rDHJEMn78FhgXJR8YNVixNZDLTo+19F3bcivnngaor4=;
  b=Gwl/jjbi++BZ9VeQF2cxcNMgGC0sqM0C2DRmZw6XjoRM1VU8XJPhPcNG
   Zh9KzK4VJsx1sBIE84E7Ehn8X8s91DDJ0LYX1gnUx2Jz3gbeIYlrAJs8X
   MCDqhS/m7pMKmblWaWWJf7WKd7cl6PxnsQ05UOt4bowyix5iU+OWpbH8T
   5Fgi+tRFxGnnsnCKZ7IErkzQuilZ04IyXpi+5tJ9e3bxCi5HnDElOW393
   zwsx1mnyYqZ3zbMXoarc2UyX3zBJ4n7c4zww6b5ZnIbXZIyfmHTgitrdf
   1WbgQzCWmiJppoANAI5J5GMAwBtKJisEUgOG9jQj6FdQSW3GICSo3yDFD
   Q==;
X-CSE-ConnectionGUID: KKqKNXOpQqKa9BEchkIwlA==
X-CSE-MsgGUID: W4+vr9IvQZOPmYQ4u7CJyQ==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444181"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444181"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:50 -0700
X-CSE-ConnectionGUID: Uo9z9jH9SmS3tWtEwnbnJg==
X-CSE-MsgGUID: 68SxmyUjT+SmOoR80T30Aw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315069"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:50 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 10/20] x86/virt/seamldr: Introduce skeleton for
 TD-Preserving updates
Date: Fri, 23 May 2025 02:52:33 -0700
Message-ID: <20250523095322.88774-11-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

To perform TD-Preserving updates, the kernel must stop invoking any TDX
module SEAMCALLs. Currently, these SEAMCALLs can be invoked in various
contexts and in parallel across CPUs. Additionally, considering the need to
force all vCPUs out of guest mode, no single lock primitive, except for
stop_machine(), can meet this requirement.

A failed attempt is to lock all KVM entry points and kick all vCPUs. But it
cannot be done within KVM TDX code. And it needs to introduce new
infrastructure and maintenance burden outside of tdx for questionable
benefits.

Perform TD-Preserving updates within stop_machine() as it achieves the
seamldr requirements and is an existing well understood mechanism.

TD-Preserving updates consist of several steps: shutting down the old
module, installing the new module, and initializing the new one and etc.
Some steps must be executed on a single CPU, others serially across all
CPUs, and some can be performed concurrently on all CPUs and there are
ordering requirements between steps. So, all CPUs need to perform the work
in a step-locked manner.

In preparation for adding concrete steps for TD-Preserving updates,
establish the framework by mimicking multi_cpu_stop(). Specifically, use a
global state machine to control the work done on each CPU and require all
CPUs to acknowledge completion before proceeding to the next stage.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
instead of copy-pasting multi_cpu_stop(), would it be better to
abstract a common function and adapt it for TD-Preserving updates?
---
 arch/x86/virt/vmx/tdx/seamldr.c | 63 +++++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 3 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index cdf85dff6d69..01dc2b0bc4a5 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -12,7 +12,9 @@
 #include <linux/gfp.h>
 #include <linux/kobject.h>
 #include <linux/mm.h>
+#include <linux/nmi.h>
 #include <linux/slab.h>
+#include <linux/stop_machine.h>
 #include <linux/sysfs.h>
=20
 #include "tdx.h"
@@ -237,6 +239,62 @@ static struct seamldr_params *init_seamldr_params(cons=
t u8 *data, u32 size)
 	return alloc_seamldr_params(module, module_size, sig, sig_size);
 }
=20
+enum tdp_state {
+	TDP_START,
+	TDP_DONE,
+};
+
+static struct {
+	enum tdp_state state;
+	atomic_t thread_ack;
+} tdp_data;
+
+static void set_state(enum tdp_state state)
+{
+	/* Reset ack counter. */
+	atomic_set(&tdp_data.thread_ack, num_online_cpus());
+	/* Ensure thread_ack is updated before the new state */
+	smp_wmb();
+	WRITE_ONCE(tdp_data.state, state);
+}
+
+/* Last one to ack a state moves to the next state. */
+static void ack_state(void)
+{
+	if (atomic_dec_and_test(&tdp_data.thread_ack))
+		set_state(tdp_data.state + 1);
+}
+
+/*
+ * See multi_cpu_stop() from where this multi-cpu state-machine was
+ * adopted, and the rationale for touch_nmi_watchdog()
+ */
+static int do_seamldr_install_module(void *params)
+{
+	enum tdp_state newstate, curstate =3D TDP_START;
+	int ret =3D 0;
+
+	do {
+		/* Chill out and ensure we re-read tdp_data. */
+		cpu_relax();
+		newstate =3D READ_ONCE(tdp_data.state);
+
+		if (newstate !=3D curstate) {
+			curstate =3D newstate;
+			switch (curstate) {
+			default:
+				break;
+			}
+			ack_state();
+		} else {
+			touch_nmi_watchdog();
+		}
+		rcu_momentary_eqs();
+	} while (curstate !=3D TDP_DONE);
+
+	return ret;
+}
+
 /*
  * Temporary flag to guard TD-Preserving updates. This will be removed once
  * all necessary components for its support are integrated.
@@ -256,9 +314,8 @@ static int seamldr_install_module(const u8 *data, u32 s=
ize)
 	if (IS_ERR(params))
 		return PTR_ERR(params);
=20
-	/* TODO: Install and initialize the new TDX module */
-
-	return 0;
+	set_state(TDP_START + 1);
+	return stop_machine(do_seamldr_install_module, params, cpu_online_mask);
 }
=20
 static enum fw_upload_err tdx_fw_prepare(struct fw_upload *fwl,
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C0FBC2367B8;
	Fri, 23 May 2025 09:53:51 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994033; cv=none;
 b=nHstEi5aBueMERF4WDNstl7G+ESww8AvudbVtyclH1nY7LvsVwNwL9zQA47i9MPrZDgt47R9kIfTc9N2I/YhP4xwisTzvXhKb3aW03n8wIxnLdRUfmSQJ2la9u/jfI0guAujHHg9lO0iOhXhN7c2dJZByylGNpz0lp8H3HMECXE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994033; c=relaxed/simple;
	bh=TsI9HxQ2Gz6GuimkwqYvAK3v4dW3I+m/53VcN46/PpA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=rQspgpnr53GPYH7BqTqVMO6Gryz9nRpPOUZt70ys8wm0Kis3nRB5KRKBZT2Mtgg4LOeBR+Oaap91a0J/NNWjBgQJqhftUK5sv40s4xvSJZ+ahrUfVNqpknmNpdRD33DNbjCNSaZ4PWy8MINZo/inQmFiSEw8G4e+AoG4wv6rSFw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=VltBvpx5; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="VltBvpx5"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994032; x=1779530032;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=TsI9HxQ2Gz6GuimkwqYvAK3v4dW3I+m/53VcN46/PpA=;
  b=VltBvpx5doJ7MwBZd6fpvvl/XqhwJSyR7WS3CqXzOt5bxLzaj7vsbVTe
   ZLNFKETaIaQCEtru+BygeRSFRa8MakzpGgIwRNb1/Cozpe66xZ6y2RlTP
   PuiJ7AvQCAp/m5sgtNgel+lMQQJa61kTDIIRYNZvxe5qwtOSBIGvNzU+5
   AZ9fsbRgoddtRDYHv84TODAZgTdHvtJYudxoya5rSJ4Fr7l4vQRuxT33e
   O0glqNpMUqnENhjEilV5dWE2i6oI5LHTv6U7S9q6qmg8x9HmHkw0ZIA/H
   tDuY037Ns7NKD9iIOBQ3CKtWeXdN75HZjo1AjtX1cjezs+WMfc9y5QMPO
   w==;
X-CSE-ConnectionGUID: xVHOTc67TbyeCXQdy4XG1A==
X-CSE-MsgGUID: tNp3URM4RmKKs43LSBG8NA==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444189"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444189"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:51 -0700
X-CSE-ConnectionGUID: 4G5ctHf6RjuhrRGHbSR6Nw==
X-CSE-MsgGUID: NBdC9/7BTGS+2BkR2PyaCw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315072"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:50 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 11/20] x86/virt/seamldr: Abort updates if errors occurred
 midway
Date: Fri, 23 May 2025 02:52:34 -0700
Message-ID: <20250523095322.88774-12-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The update process is divided into multiple stages, each of which may
encounter failures. However, the current state machine for updates proceeds
to the next stage regardless of errors.

Continuing updates when errors occur midway is pointless.

Implement a mechanism that transitions directly to the final stage,
effectively aborting the update and skipping all remaining stages when an
error is detected.

This is in preparation for adding the first stage that may fail.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 01dc2b0bc4a5..9d0d37a92bfd 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -247,6 +247,7 @@ enum tdp_state {
 static struct {
 	enum tdp_state state;
 	atomic_t thread_ack;
+	atomic_t failed;
 } tdp_data;
=20
 static void set_state(enum tdp_state state)
@@ -261,8 +262,16 @@ static void set_state(enum tdp_state state)
 /* Last one to ack a state moves to the next state. */
 static void ack_state(void)
 {
-	if (atomic_dec_and_test(&tdp_data.thread_ack))
-		set_state(tdp_data.state + 1);
+	if (atomic_dec_and_test(&tdp_data.thread_ack)) {
+		/*
+		 * If an error occurred, abort the update by skipping to
+		 * the final state
+		 */
+		if (atomic_read(&tdp_data.failed))
+			set_state(TDP_DONE);
+		else
+			set_state(tdp_data.state + 1);
+	}
 }
=20
 /*
@@ -285,6 +294,9 @@ static int do_seamldr_install_module(void *params)
 			default:
 				break;
 			}
+
+			if (ret)
+				atomic_inc(&tdp_data.failed);
 			ack_state();
 		} else {
 			touch_nmi_watchdog();
@@ -314,6 +326,7 @@ static int seamldr_install_module(const u8 *data, u32 s=
ize)
 	if (IS_ERR(params))
 		return PTR_ERR(params);
=20
+	atomic_set(&tdp_data.failed, 0);
 	set_state(TDP_START + 1);
 	return stop_machine(do_seamldr_install_module, params, cpu_online_mask);
 }
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9C7923C4F4;
	Fri, 23 May 2025 09:53:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994035; cv=none;
 b=VhRKdfmZyYrvOpEBuih0kY8nkrEkGieJOvu0UWgLWoXDfSI0aKDcCxMpwtjWodc772MBBavuES5NYYWm3nNnK2vw27dUQvvnpVmXMONJedhcc/QGbMApeiWwzQHrkCj9Vmd79FrnrihiFYPJ1ZqRHHN57AA8si0jHUgr12xP918=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994035; c=relaxed/simple;
	bh=Ji+zxcDg6HyiUmEYaMcKATRfTO8H0bwmGnt9rZMxtXc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=kP007gVTZK5xmbyx6hofxMs+m98HKYWV2gmHCrSCz/C0oFpAe1UcPXEEfPfbepv8WhzcWNN0vau2fokuDGUOmVX7yZ2BGCUv8DoxTjy8p4ck3g9wHYKQZrwgQz200QRZpw3CjZJpalGxNjDx58e1JbKBk6+3IyKbtQS+G8Y6JV4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=YR0Fcjkx; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="YR0Fcjkx"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994034; x=1779530034;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=Ji+zxcDg6HyiUmEYaMcKATRfTO8H0bwmGnt9rZMxtXc=;
  b=YR0FcjkxMD2eZvFFyH7AnZKrlLAhE/wR7RN8Z3ENeNCwsJFZZY00F3HC
   KztFl+HbDHE5zb/H57rJzgzIT0B/XxyXoKAyjz4by9V6+IdU92qwRxPGh
   73/Zz3RH82mcUVK1PlASR9E9HyoaHCssczzeVSDsgjAZbaDIC4AM/fq8A
   /5Q+AWPFiQqFDaLSFl18QpFgGETcQtZEMNQXyhbS8owtiCb9cSMLCmKqW
   8tYb5uE8UrIjsMYKZl3P7S/XERjGHJh3Mv+7jRsmYP9LT5SzlWzxlxNL9
   Q62UCKDs46Eiit1t5hh0BA8zHWFImxzeQDXQ3wqEGStFH4kkwLe1PzqUQ
   w==;
X-CSE-ConnectionGUID: Y9/ApZheQomJqfyJ5i18Ww==
X-CSE-MsgGUID: fNzGqi9WT6eaQyybQqiiCw==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444198"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444198"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:53 -0700
X-CSE-ConnectionGUID: 4VgRQ3HmRYqAuDsvbP3F/A==
X-CSE-MsgGUID: x0cVf/4WRmGgBXTovuESyA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315075"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:52 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 12/20] x86/virt/seamldr: Shut down the current TDX module
Date: Fri, 23 May 2025 02:52:35 -0700
Message-ID: <20250523095322.88774-13-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

TD-Preserving updates request shutting down the existing TDX module.
During this shutdown, the module generates hand-off data, which captures
the module's states essential for preserving running TDs. The new TDX
module can utilize this hand-off data to establish its states.

Invoke the TDH_SYS_SHUTDOWN API on one CPU to perform the shutdown. This
API requires a hand-off module version. Use the module's own hand-off
version, as it is the highest version the module can produce and is more
likely to be compatible with new modules.

Changes to tdx_global_metadata.{hc} are auto-generated by following the
instructions detailed in [1], after adding the following section to the
tdx.py script:

    "handoff": [
       "MODULE_HV",
    ],

Add a check to ensure that module_hv is guarded by the TDX module's
support for TD-Preserving.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Link: https://lore.kernel.org/kvm/20250226181453.2311849-12-pbonzini@redhat=
.com/ [1]
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/include/asm/tdx_global_metadata.h  |  5 +++++
 arch/x86/virt/vmx/tdx/seamldr.c             | 11 +++++++++++
 arch/x86/virt/vmx/tdx/tdx.c                 | 18 ++++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h                 |  4 ++++
 arch/x86/virt/vmx/tdx/tdx_global_metadata.c | 13 +++++++++++++
 5 files changed, 51 insertions(+)

diff --git a/arch/x86/include/asm/tdx_global_metadata.h b/arch/x86/include/=
asm/tdx_global_metadata.h
index ce0370f4a5b9..a2011a3575ff 100644
--- a/arch/x86/include/asm/tdx_global_metadata.h
+++ b/arch/x86/include/asm/tdx_global_metadata.h
@@ -40,12 +40,17 @@ struct tdx_sys_info_td_conf {
 	u64 cpuid_config_values[128][2];
 };
=20
+struct tdx_sys_info_handoff {
+	u16 module_hv;
+};
+
 struct tdx_sys_info {
 	struct tdx_sys_info_versions versions;
 	struct tdx_sys_info_features features;
 	struct tdx_sys_info_tdmr tdmr;
 	struct tdx_sys_info_td_ctrl td_ctrl;
 	struct tdx_sys_info_td_conf td_conf;
+	struct tdx_sys_info_handoff handoff;
 };
=20
 #endif
diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 9d0d37a92bfd..11c0c5a93c32 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -241,6 +241,7 @@ static struct seamldr_params *init_seamldr_params(const=
 u8 *data, u32 size)
=20
 enum tdp_state {
 	TDP_START,
+	TDP_SHUTDOWN,
 	TDP_DONE,
 };
=20
@@ -281,8 +282,12 @@ static void ack_state(void)
 static int do_seamldr_install_module(void *params)
 {
 	enum tdp_state newstate, curstate =3D TDP_START;
+	int cpu =3D smp_processor_id();
+	bool primary;
 	int ret =3D 0;
=20
+	primary =3D !!(cpumask_first(cpu_online_mask) =3D=3D cpu);
+
 	do {
 		/* Chill out and ensure we re-read tdp_data. */
 		cpu_relax();
@@ -291,6 +296,12 @@ static int do_seamldr_install_module(void *params)
 		if (newstate !=3D curstate) {
 			curstate =3D newstate;
 			switch (curstate) {
+			case TDP_SHUTDOWN:
+				if (!primary)
+					break;
+
+				ret =3D tdx_module_shutdown();
+				break;
 			default:
 				break;
 			}
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 22ffc15b4299..fa6b3f1eb197 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -295,6 +295,11 @@ static int read_sys_metadata_field(u64 field_id, u64 *=
data)
 	return 0;
 }
=20
+static bool tdx_has_td_preserving(void)
+{
+	return tdx_sysinfo.features.tdx_features0 & TDX_FEATURES0_TD_PRESERVING;
+}
+
 #include "tdx_global_metadata.c"
=20
 static int check_features(struct tdx_sys_info *sysinfo)
@@ -1341,6 +1346,19 @@ int tdx_enable(void)
 }
 EXPORT_SYMBOL_GPL(tdx_enable);
=20
+int tdx_module_shutdown(void)
+{
+	struct tdx_module_args args =3D {};
+
+	/*
+	 * Shut down TDX module and prepare handoff data for the next TDX module.
+	 * Following a successful TDH_SYS_SHUTDOWN, further TDX module APIs will
+	 * fail.
+	 */
+	args.rcx =3D tdx_sysinfo.handoff.module_hv;
+	return seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
+}
+
 static bool is_pamt_page(unsigned long phys)
 {
 	struct tdmr_info_list *tdmr_list =3D &tdx_tdmr_list;
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index 48c0a850c621..3830dee4da91 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -48,6 +48,7 @@
 #define TDH_PHYMEM_PAGE_WBINVD		41
 #define TDH_VP_WR			43
 #define TDH_SYS_CONFIG			45
+#define TDH_SYS_SHUTDOWN		52
=20
 /*
  * SEAMCALL leaf:
@@ -87,6 +88,7 @@ struct tdmr_info {
 } __packed __aligned(TDMR_INFO_ALIGNMENT);
=20
 /* Bit definitions of TDX_FEATURES0 metadata field */
+#define TDX_FEATURES0_TD_PRESERVING	BIT(1)
 #define TDX_FEATURES0_NO_RBP_MOD	BIT(18)
=20
 /*
@@ -122,4 +124,6 @@ struct tdmr_info_list {
=20
 int seamldr_prerr(u64 fn, struct tdx_module_args *args);
=20
+int tdx_module_shutdown(void);
+
 #endif
diff --git a/arch/x86/virt/vmx/tdx/tdx_global_metadata.c b/arch/x86/virt/vm=
x/tdx/tdx_global_metadata.c
index 088e5bff4025..a17cbb82e6b8 100644
--- a/arch/x86/virt/vmx/tdx/tdx_global_metadata.c
+++ b/arch/x86/virt/vmx/tdx/tdx_global_metadata.c
@@ -100,6 +100,18 @@ static int get_tdx_sys_info_td_conf(struct tdx_sys_inf=
o_td_conf *sysinfo_td_conf
 	return ret;
 }
=20
+static int get_tdx_sys_info_handoff(struct tdx_sys_info_handoff *sysinfo_h=
andoff)
+{
+	int ret =3D 0;
+	u64 val;
+
+	if (!ret && tdx_has_td_preserving() &&
+	    !(ret =3D read_sys_metadata_field(0x8900000100000000, &val)))
+		sysinfo_handoff->module_hv =3D val;
+
+	return ret;
+}
+
 static int get_tdx_sys_info(struct tdx_sys_info *sysinfo)
 {
 	int ret =3D 0;
@@ -109,6 +121,7 @@ static int get_tdx_sys_info(struct tdx_sys_info *sysinf=
o)
 	ret =3D ret ?: get_tdx_sys_info_tdmr(&sysinfo->tdmr);
 	ret =3D ret ?: get_tdx_sys_info_td_ctrl(&sysinfo->td_ctrl);
 	ret =3D ret ?: get_tdx_sys_info_td_conf(&sysinfo->td_conf);
+	ret =3D ret ?: get_tdx_sys_info_handoff(&sysinfo->handoff);
=20
 	return ret;
 }
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 557C823C8DB;
	Fri, 23 May 2025 09:53:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994036; cv=none;
 b=b+G+AJ/Qd+qa91pV9eJHUsg7Cm6A8jsnJmcbkJkOpJyw6Wa2sM4PPNhhwFxfDcv9SBZhGCjZ2CNMtYyLM2JCyWV4HmS2lLXPa4oDe7XcazUMJEbJvfhuzkNAfarRltKgzzi+xtFD0xcvPNZWl7qDx41PxUuVj8hbzkBUG97rERY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994036; c=relaxed/simple;
	bh=nviGRwH+/KUO7vULr9q0AjxG0x6jr8VzzBx1v24lAQg=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=OkuyL+FnWFPz4jQVveU6u45KLy1z7NzvgEwypsBIzzb5fa4b8H62gM2ZTpF0RiUrnYXTrghZCdOzqBQRchP1KfMGF8xSTkJLLhyhQZp/DTPeg8nmEXf7W1l4fWyNa0tTVDP2756ZY09Ks4TDYuQNGcJayBA5YFWf3JoovxGSiMI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=Oplk5MMM; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="Oplk5MMM"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994034; x=1779530034;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=nviGRwH+/KUO7vULr9q0AjxG0x6jr8VzzBx1v24lAQg=;
  b=Oplk5MMMJcFNSC1G2lvzYAeM/Est0vbFycFp84JhbbuYTrGAin6fU7e4
   nHaThirrbt4G6CaZ5rCJbvRtxyWuw0NbTdBQfe/cLlv8Kac0lsu1Vu9Or
   hOWs1H/150clC5XUzi4n4uVdzC44MyrP3WpciIBSE+HtsgpnNqxUj0l11
   FYb2DmQoll/kImE7sT+dtjmrjLB1lbYlmPZA5968CM9Y9ADDgQSzTZQEb
   E/C51qLG6UXhMfcDiC7UNfWPojMHUSnkPR5Ya9CWZGl8zPBGQQlx8RvKL
   kYT/6VU8A+KsbjYCwcHtWFX/Fi5XiGe2b4RabtwPNg/eYXZ5uO8BGvuvE
   w==;
X-CSE-ConnectionGUID: kN/XWtKDROWua0OEX/+WpA==
X-CSE-MsgGUID: AJHB0EE1QKOltr8k7PWFFg==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444207"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444207"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:54 -0700
X-CSE-ConnectionGUID: lcqwToa7S8+fQ2cBRbMlWg==
X-CSE-MsgGUID: UrMtVa8yS/OqOHu8OsbCDA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315078"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:53 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 13/20] x86/virt/tdx: Reset software states after TDX
 module shutdown
Date: Fri, 23 May 2025 02:52:36 -0700
Message-ID: <20250523095322.88774-14-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Reset all software states used to track and guard TDX global and per-CPU
initialization (i.e. TDH.SYS.INIT and TDH.SYS.LP.INIT). the kernel needs to
do them again after TD-Preserving updates.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/tdx.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index fa6b3f1eb197..4cdeec0a4128 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -56,6 +56,9 @@ static struct tdmr_info_list tdx_tdmr_list;
 static enum tdx_module_status_t tdx_module_status;
 static DEFINE_MUTEX(tdx_module_lock);
=20
+static bool sysinit_done;
+static int sysinit_ret;
+
 /* All TDX-usable memory regions.  Protected by mem_hotplug_lock. */
 static LIST_HEAD(tdx_memlist);
=20
@@ -130,8 +133,6 @@ static int try_init_module_global(void)
 {
 	struct tdx_module_args args =3D {};
 	static DEFINE_RAW_SPINLOCK(sysinit_lock);
-	static bool sysinit_done;
-	static int sysinit_ret;
=20
 	lockdep_assert_irqs_disabled();
=20
@@ -1346,9 +1347,22 @@ int tdx_enable(void)
 }
 EXPORT_SYMBOL_GPL(tdx_enable);
=20
+static void tdx_module_reset_state(void)
+{
+	int cpu;
+
+	tdx_module_status =3D TDX_MODULE_UNINITIALIZED;
+	sysinit_done =3D false;
+	sysinit_ret =3D 0;
+
+	for_each_online_cpu(cpu)
+		per_cpu(tdx_lp_initialized, cpu) =3D false;
+}
+
 int tdx_module_shutdown(void)
 {
 	struct tdx_module_args args =3D {};
+	int ret;
=20
 	/*
 	 * Shut down TDX module and prepare handoff data for the next TDX module.
@@ -1356,7 +1370,11 @@ int tdx_module_shutdown(void)
 	 * fail.
 	 */
 	args.rcx =3D tdx_sysinfo.handoff.module_hv;
-	return seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
+	ret =3D seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
+	if (!ret)
+		tdx_module_reset_state();
+
+	return ret;
 }
=20
 static bool is_pamt_page(unsigned long phys)
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id ECF8C23D2B9;
	Fri, 23 May 2025 09:53:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994036; cv=none;
 b=JM3izUmPFGnQHkLOKX0z9H2pKjA3CYXJZBj921SCiPsjXfOWmDl7KZuZ9DSDcX5ezlY9kCoKNB+tMzuUMT93+zaoBj8mcK29KMr4B503SRBM+87SL0SzZxRQEmaSMoIWwn4ocu43HHuLme7+qkz0UVDhgJPwkMQjcvFr6AKGk+8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994036; c=relaxed/simple;
	bh=nLB//jXSfhIU7YPwnLTRK4m1UCg/JGEcEi2LTwa2dRs=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=hqf9RMon8TkLlszF3UbLtCXwP/ZDeXcQCnKjq15E9MuF4PbQlN1kpZiHC5V0qq0TAl8glHsUzKlM+wal73B6+tT27o8sitL62ZtblGIesPgvQw+cJfV4svHCJaKYwzRMyLLX29vbC0Mfgi11hdBhkSIante17DZJA1vO7RDQJQY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=WDWJfPqH; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="WDWJfPqH"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994035; x=1779530035;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=nLB//jXSfhIU7YPwnLTRK4m1UCg/JGEcEi2LTwa2dRs=;
  b=WDWJfPqH2L86Jx3k32N95JVf9kA/fyZTg53H96M8K5/tkUJtMlShcyQW
   FMCWJfOR8sdsB1dc0Ln2VHCEdP3SsSEBmOfJhgCwn/n9FsRu90hLoFs7N
   E1YP74bLMs5OZcnvsubsQAbftsWFpDbP+LylhSE89Kk7Z9rpTzgxI1+Qu
   TFBHEpMnQhpZA2NpdTyaX7WmpXYxJAKu0AFyrhMwJIWe9eorzZCBvUpLl
   v87cRqV+eV1zGMpox29MeF5JMcUYkn68CC0+GZkslDlYmFKl2QZV8WuXw
   RjKyCHQN0lk7Mt6RL2phsAscQVAK3alpN/nSivR2NuquzsEb6UdEPVIlX
   Q==;
X-CSE-ConnectionGUID: 2uWP0PGaQo2rk61gD5PClw==
X-CSE-MsgGUID: zwY9c/vJTnapiBp7qmW7bg==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444216"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444216"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:54 -0700
X-CSE-ConnectionGUID: i77PidjWROaIyAU85Yh0sg==
X-CSE-MsgGUID: dMaWjCigTjOAMpad/vo+XA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315081"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:54 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 14/20] x86/virt/seamldr: Install a new TDX module
Date: Fri, 23 May 2025 02:52:37 -0700
Message-ID: <20250523095322.88774-15-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Invoke the P_SEAMLDR_INSTALL API serially on all online CPUs to install a
new TDX module. "Serially" is a requirement of P-SEAMLDR and is enforced by
a new spinlock.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 11c0c5a93c32..1ecb5d3088af 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -23,6 +23,7 @@
=20
  /* P-SEAMLDR SEAMCALL leaf function */
 #define P_SEAMLDR_INFO			0x8000000000000000
+#define P_SEAMLDR_INSTALL		0x8000000000000001
=20
 struct seamldr_info {
 	u32	version;
@@ -68,6 +69,7 @@ struct seamldr_params {
 struct fw_upload *tdx_fwl;
 static struct tdx_status tdx_status;
 static struct seamldr_info seamldr_info __aligned(256);
+static DEFINE_RAW_SPINLOCK(seamldr_lock);
=20
 static inline int seamldr_call(u64 fn, struct tdx_module_args *args)
 {
@@ -242,6 +244,7 @@ static struct seamldr_params *init_seamldr_params(const=
 u8 *data, u32 size)
 enum tdp_state {
 	TDP_START,
 	TDP_SHUTDOWN,
+	TDP_CPU_INSTALL,
 	TDP_DONE,
 };
=20
@@ -281,6 +284,7 @@ static void ack_state(void)
  */
 static int do_seamldr_install_module(void *params)
 {
+	struct tdx_module_args args =3D { .rcx =3D __pa(params) };
 	enum tdp_state newstate, curstate =3D TDP_START;
 	int cpu =3D smp_processor_id();
 	bool primary;
@@ -302,6 +306,10 @@ static int do_seamldr_install_module(void *params)
=20
 				ret =3D tdx_module_shutdown();
 				break;
+			case TDP_CPU_INSTALL:
+				scoped_guard(raw_spinlock, &seamldr_lock)
+					ret =3D seamldr_call(P_SEAMLDR_INSTALL, &args);
+				break;
 			default:
 				break;
 			}
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A98DC23E336;
	Fri, 23 May 2025 09:53:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994037; cv=none;
 b=kepybZZgh8ifUir3bqFjd5rP/Wg/BpLtm2ZAtqRgoYl1xNYiPciypt5OLJKUFUCVGoTByLHAiRNbSOIrZ0GOqmg3WDTKXVhDjStBTLNH+ddTsMZOsCGxicSp45ThZloFa0ncnfCoTlLpv8IntMcPaBkjmi1sOcsdQSNhwAUM4f0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994037; c=relaxed/simple;
	bh=PuirriKIku0f37Y1z7AzxJVhYOd56gcoD/kA14CytQQ=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=eHYalM/ptj0izUmgFh0sUTLgfITV7O5marejK+2zc6UMXlZDOuWV4HH4+dt48/BtqJnZA8sZ6MeeR/+ZVhHZRl9lQRg/xvEflscIJ/chRvRepq8JrNUAmfnFzvnjnn0kif/5a1cPbY2w0HGclPETZVj01gK8dieLleUtlG/tn9E=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=HMy6Dre8; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="HMy6Dre8"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994036; x=1779530036;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=PuirriKIku0f37Y1z7AzxJVhYOd56gcoD/kA14CytQQ=;
  b=HMy6Dre8HvH/2CXtFeG5vzm/4g90OAFUHfl2Th0QCN/HABcnqWhAKttY
   vv66CKVdNKm+H82zGraniHlv0XcJu4uHi1ipiqTDUoLfQidMXtfBTIJ9Z
   0h5mXa23xK3J4t1qwb2VMhqw+fiaOUfCPXfAElAQdPuecKG7dnWsSZxPF
   nkI23cW+7r9nirzoUK1bp9H2l6bkRlTfJPz+oeG4HJrtmvyhB1Z3Ssrpy
   QGYVxLL83/ZKcTM2JG38lnRnxDIKIXWBMRz35hcLhyDOuX8vvhh5sQ89o
   OOFiDOSIG4hTxTUUL0fpt6CxTsy1VKzLqQHYjki2dmqb3bSaT0YYHZMta
   A==;
X-CSE-ConnectionGUID: M9XXAFz1S7SgncVoc7w5FA==
X-CSE-MsgGUID: n+vjz/xLQrS5ubXNQfCK0w==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444227"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444227"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:55 -0700
X-CSE-ConnectionGUID: +//3taRjQD+Z0DCRSYG1ig==
X-CSE-MsgGUID: 5vL9xZxlQiywW2E/+v2/iA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315084"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:54 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 15/20] x86/virt/seamldr: Handle TD-Preserving update
 failures
Date: Fri, 23 May 2025 02:52:38 -0700
Message-ID: <20250523095322.88774-16-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Failure encounterred after the module shutdown are unrecoverable. All
subsequent SEAMCALLs will fail and TDs will be killed.

Report the error through sysfs attributes and log a message to clarify that
SEAMCALL errors are expected in this situation.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 15 ++++++++++++++-
 arch/x86/virt/vmx/tdx/tdx.c     | 13 +++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h     |  1 +
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 1ecb5d3088af..a18df08a5528 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -278,6 +278,14 @@ static void ack_state(void)
 	}
 }
=20
+static void print_update_failure_message(void)
+{
+	static atomic_t printed =3D ATOMIC_INIT(0);
+
+	if (atomic_inc_return(&printed) =3D=3D 1)
+		pr_err("update failed, SEAMCALLs will report failure until TDs killed\n"=
);
+}
+
 /*
  * See multi_cpu_stop() from where this multi-cpu state-machine was
  * adopted, and the rationale for touch_nmi_watchdog()
@@ -314,8 +322,13 @@ static int do_seamldr_install_module(void *params)
 				break;
 			}
=20
-			if (ret)
+			if (ret) {
 				atomic_inc(&tdp_data.failed);
+				if (curstate >=3D TDP_CPU_INSTALL) {
+					tdx_module_set_error();
+					print_update_failure_message();
+				}
+			}
 			ack_state();
 		} else {
 			touch_nmi_watchdog();
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 4cdeec0a4128..331c86eeddcf 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1102,6 +1102,13 @@ static ssize_t version_show(struct device *dev, stru=
ct device_attribute *attr,
 {
 	const struct tdx_sys_info_versions *v =3D &tdx_sysinfo.versions;
=20
+	/*
+	 * Inform userspace that the TDX module isn't in a usable state,
+	 * possibly due to a failed update.
+	 */
+	if (tdx_module_status !=3D TDX_MODULE_INITIALIZED)
+		return -ENXIO;
+
 	return sysfs_emit(buf, "%u.%u.%u\n", v->major_version,
 					     v->minor_version,
 					     v->update_version);
@@ -1377,6 +1384,12 @@ int tdx_module_shutdown(void)
 	return ret;
 }
=20
+void tdx_module_set_error(void)
+{
+	/* Called from stop_machine(). no need to hold tdx_module_lock */
+	tdx_module_status =3D TDX_MODULE_ERROR;
+}
+
 static bool is_pamt_page(unsigned long phys)
 {
 	struct tdmr_info_list *tdmr_list =3D &tdx_tdmr_list;
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index 3830dee4da91..ed3d74c991f6 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -125,5 +125,6 @@ struct tdmr_info_list {
 int seamldr_prerr(u64 fn, struct tdx_module_args *args);
=20
 int tdx_module_shutdown(void);
+void tdx_module_set_error(void);
=20
 #endif
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 348CF23F28B;
	Fri, 23 May 2025 09:53:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994039; cv=none;
 b=fHrcnE98pb+vN2WWQ04Wgk1pfwzx1gGUPCZZdnpXX6iM7pWp2HmZvbtArPlgssfWt52I/7UF8dDVY5FOBJE0V4/gS+zyQdcfsklIt/nimZOgLy+Eze277S8rYBKM+6+SMPBQExxamM8fMWfnVZloYDwOX+v0C0FiUhDzBudFihc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994039; c=relaxed/simple;
	bh=A5/numxrZ8wt+tf/LRq2aHHFDCvIzonkxuDUA8d5rwA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=Y3SuHShswLiyE3kFFVDgrJhdUs/PYU+1cG5R+JPbuCWkIiI6MtbDos3HY83vhQrqy1OdtBIOxyeUkQThBlObBlUQfV4TEH3ZaCsvf3hIGaRAgiu5UqbpmH3gOvUEYhm4piED1Tl3eSaHXEd3CFJh0L0u8DTrf1cYvsiqEuqt0Oo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=jxjOclPj; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="jxjOclPj"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994036; x=1779530036;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=A5/numxrZ8wt+tf/LRq2aHHFDCvIzonkxuDUA8d5rwA=;
  b=jxjOclPj9/N5xC4qCbKNqlCeklZjwDvz0d0iO0qLRxy19tPAaf6skVU5
   UjqFJPt4aFzatsQ2Xs+yLNryobolJvPJ9Fs//fNvJV3P9lFiXOFOO2v7y
   XxRIXlamNE9E82hssDXp14iLW+dor4XliS8WkI/6uP2wCoX2hZNaobkTB
   +FJBVODSYQvOsN21ve+Jg1j97Y5EU9m135S6l0NKNs5RuBvBhJqzKqeSq
   c8IuEmISf5eiVvJi2biUvU87/TruWAdncsuz1eXFcxkNXzfw28TnjCSrq
   TGrzbSs0lSET5Q6ZkuEmy1tlv7m7Hf4ZabsLNrmIYTHaW2zUii/7fCoSO
   A==;
X-CSE-ConnectionGUID: VWd0yO+8QgqwGxEnorYhzw==
X-CSE-MsgGUID: SzKHO1+jSFi0orNWpPrx0A==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444235"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444235"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:56 -0700
X-CSE-ConnectionGUID: qp3+oRTeQN+JVqRxKsMrMg==
X-CSE-MsgGUID: BL8ajBhdQ22Ar53QARRFkw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315088"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:55 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 16/20] x86/virt/seamldr: Do TDX cpu init after updates
Date: Fri, 23 May 2025 02:52:39 -0700
Message-ID: <20250523095322.88774-17-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For the newly loaded module, the global initialization and per-CPU
initialization are also needed. Do them on all CPU concurrently.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index a18df08a5528..c4e1b7540a43 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -245,6 +245,7 @@ enum tdp_state {
 	TDP_START,
 	TDP_SHUTDOWN,
 	TDP_CPU_INSTALL,
+	TDP_CPU_INIT,
 	TDP_DONE,
 };
=20
@@ -318,6 +319,9 @@ static int do_seamldr_install_module(void *params)
 				scoped_guard(raw_spinlock, &seamldr_lock)
 					ret =3D seamldr_call(P_SEAMLDR_INSTALL, &args);
 				break;
+			case TDP_CPU_INIT:
+				ret =3D tdx_cpu_enable();
+				break;
 			default:
 				break;
 			}
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D6BA1241665;
	Fri, 23 May 2025 09:53:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994038; cv=none;
 b=bR/jloo06sxMjUjmfuL4y015h58eXnIWkgPN5CLyCQlhoLBwWdjM096oH0tqizqz4x9IPFaL6+SpMx0dLOFo3uWDiZm7559/tZeyQgiwcjcGXiV9zu7ZHAnKaNflC224alVCSNj+Hmo8x2R5Tv7rcIdYoPEfV6V9L/t1Djp2mmY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994038; c=relaxed/simple;
	bh=MHYI6BG+L0TzNrsOZ1WeYjrr84DT6xKaIAXH83HbkR8=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=jHc3sHdEWeIQWA6h66bsSbnbrJsW0ZxkhZeBPKVUKgTQ0VI7MulnGydvS1YOZBWk9lmX9c4gPQyR/1eca5FpLh6mI5NqTrduD/umfC9pQLQw4Xh903QxLKxkmtm7AA3uv8y5B9tIF7lg2X14X2v++lFj7ZJLF4PDmv+KEQVVH7I=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=Ts7g1Rsw; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="Ts7g1Rsw"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994037; x=1779530037;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=MHYI6BG+L0TzNrsOZ1WeYjrr84DT6xKaIAXH83HbkR8=;
  b=Ts7g1RswhkzqtXJ5OCVlE6Ebf/JXq3i1PV9EmcDt3SnuVqYdIiWXr1b8
   G0QfRrCUOLAWVDjYr3Vsn5JQG+b8xbnZDUp44FIk0ohyMl3h8OLbBAkGx
   Ws+OnMJLI1wSNL+5unj2gOGttDB/1rWq65JCB4xxkFGalsCzKYrb9W5C4
   Rt5aNBGdCh0ev3kDfwSSVF8MuZaTgjGbQCqVAqa3DI1VB59/nXNQQmo+c
   tG1rAzyuMBXjJm2iUuWUC4P79+pOgTrKiGNGXr6kLIqKDXIMFiWQkzVcu
   u259YWZqNOP6d6925stPyXLo7jWiA3ggb24erU+w/cRP3CDTXSyFiNXXa
   g==;
X-CSE-ConnectionGUID: eVF2TLUvQpGNKLIs9ihCoQ==
X-CSE-MsgGUID: 3B2QM1U/TQauvINc9+7xiQ==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444243"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444243"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:56 -0700
X-CSE-ConnectionGUID: pWgkUhH1SnGujQhMaoDXKg==
X-CSE-MsgGUID: t2+7IjtaTu+hILJ8cKt8pg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315091"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:56 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 17/20] x86/virt/tdx: Establish contexts for the new module
Date: Fri, 23 May 2025 02:52:40 -0700
Message-ID: <20250523095322.88774-18-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

TD-Preserving doesn't need to re-configure the global HKID, TDMRs or PAMTs.
The new module can import the handoff data created by the old module to
establish all necessary contexts. The TDH.SYS.UPDATE API is introduced for
the import process

Once the import is done, the module update is complete, and the new module
is ready to handle requests from the VMM and guests.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c |  7 +++++++
 arch/x86/virt/vmx/tdx/tdx.c     | 16 ++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h     |  2 ++
 3 files changed, 25 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index c4e1b7540a43..168fd2afd0c9 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -246,6 +246,7 @@ enum tdp_state {
 	TDP_SHUTDOWN,
 	TDP_CPU_INSTALL,
 	TDP_CPU_INIT,
+	TDP_RUN_UPDATE,
 	TDP_DONE,
 };
=20
@@ -322,6 +323,12 @@ static int do_seamldr_install_module(void *params)
 			case TDP_CPU_INIT:
 				ret =3D tdx_cpu_enable();
 				break;
+			case TDP_RUN_UPDATE:
+				if (!primary)
+					break;
+
+				ret =3D tdx_module_run_update();
+				break;
 			default:
 				break;
 			}
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 331c86eeddcf..5f678c9da4ee 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1390,6 +1390,22 @@ void tdx_module_set_error(void)
 	tdx_module_status =3D TDX_MODULE_ERROR;
 }
=20
+int tdx_module_run_update(void)
+{
+	struct tdx_module_args args =3D {};
+	int ret;
+
+	ret =3D seamcall(TDH_SYS_UPDATE, &args);
+	if (ret) {
+		tdx_module_status =3D TDX_MODULE_ERROR;
+		pr_info("module update failed: %d\n", ret);
+		return ret;
+	}
+
+	tdx_module_status =3D TDX_MODULE_INITIALIZED;
+	return ret;
+}
+
 static bool is_pamt_page(unsigned long phys)
 {
 	struct tdmr_info_list *tdmr_list =3D &tdx_tdmr_list;
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index ed3d74c991f6..a05e3c21e7f5 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -49,6 +49,7 @@
 #define TDH_VP_WR			43
 #define TDH_SYS_CONFIG			45
 #define TDH_SYS_SHUTDOWN		52
+#define TDH_SYS_UPDATE		53
=20
 /*
  * SEAMCALL leaf:
@@ -126,5 +127,6 @@ int seamldr_prerr(u64 fn, struct tdx_module_args *args);
=20
 int tdx_module_shutdown(void);
 void tdx_module_set_error(void);
+int tdx_module_run_update(void);
=20
 #endif
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C51B7242D9B;
	Fri, 23 May 2025 09:53:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994039; cv=none;
 b=Z7dWjIUHAoZ/BsqxNlqZCKbUG6NquysbrI+IqCTXLxKCknCGjuHzvP28TiRL3zPUk9NKKWJISKUlY8mQBQ3GV4yu/L+ahlyjHrj/eUSVIF5zmofowsrEOWibFC6vlbxHhzoPLK3Qxz2ozd8qHKn0buSO0OmGnbR8dpCtYUznBS0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994039; c=relaxed/simple;
	bh=IeNltA/qaq4b+9CtIyLBU4ahh0Vwfgfh/OnoEQ8ozbE=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=ADepfRTwRfPqTxSxOFI9gH9mli/fU1OwJq8smhQvH7sBjCrE8DKgGSgwQLdjXxhZi6IYaN2LPCByXU79SwEoChN4NRg+B1SxrvCtUJwKGHZktkEf10OFKHwA8JQuabGHN/63tDb1gjntnZeCXjxlcMrw06eo/rx4G+1mlUCgbXQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=ZXhL23M4; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="ZXhL23M4"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994038; x=1779530038;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=IeNltA/qaq4b+9CtIyLBU4ahh0Vwfgfh/OnoEQ8ozbE=;
  b=ZXhL23M4jt1teQFtiLfI1eRa9TYg6I0mIqv5STczqmbFMTNn0vVIVILp
   67lHtC7kNJfGJC799rjeVrBmA45VejgPqfr/XQhrWiqfYaiK2KLE22goE
   /2qBLkfvE8MJ5jq2U6NDFQFOEcG7XhpxJxhPDOY2BFAbX2B425CL9o8SE
   gvE0YcYCA3mRN8ce1TVgj0l/pMHmfM6q4nVFFz28ZtRQYPIv+G/wsFLYN
   p/1hUuIxaPzwW+Y5iWnkz/A2RlodatD+MzxA8Zh4F2sbfMxSsomU3m5lS
   9WorycbWZwajVpwDyem0FLk/y2iVrlgXtoRHL9DMAFbfDzxDFjhvc1WbS
   w==;
X-CSE-ConnectionGUID: pI30BZlKTyG3v1ydgAfZ/Q==
X-CSE-MsgGUID: MN3Edbp/Rl2mwTLKTeDYbA==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444251"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444251"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:57 -0700
X-CSE-ConnectionGUID: qbH+nGkaRe6RYyIdM7Y3fQ==
X-CSE-MsgGUID: Mf96JNqmT+2uVx5yJeM35g==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315094"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:57 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 18/20] x86/virt/tdx: Update tdx_sysinfo and check features
 post-update
Date: Fri, 23 May 2025 02:52:41 -0700
Message-ID: <20250523095322.88774-19-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

tdx_sysinfo contains all metadata of the active TDX module, including
versions, supported features, and TDMR/TDCS/TDVPS information. These
elements may change over updates. Blindly refreshing the entire tdx_sysinfo
could disrupt running software, as it may subtly rely on the previous state
unless proven otherwise.

Adopt a conservative approach, like microcode updates, by only refreshing
version information that does not affect functionality, while ignoring
all other changes. This is acceptable as TD-Preserving-capable modules are
required to maintain backward compatibility.

Any updates to metadata beyond versions should be justified and reviewed on
a case-by-case basis.

Note that preallocating a tdx_sys_info buffer before updates is to avoid
having to handle -ENOMEM when updating tdx_sysinfo after a successful
update.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 13 ++++++++-
 arch/x86/virt/vmx/tdx/tdx.c     | 51 +++++++++++++++++++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h     |  1 +
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 168fd2afd0c9..93385db56281 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -361,9 +361,16 @@ DEFINE_FREE(free_seamldr_params, struct seamldr_params=
 *,
=20
 static int seamldr_install_module(const u8 *data, u32 size)
 {
+	struct tdx_sys_info *info __free(kfree) =3D kzalloc(sizeof(*info),
+							  GFP_KERNEL);
+	int ret;
+
 	if (!td_preserving_ready)
 		return -EOPNOTSUPP;
=20
+	if (!info)
+		return -ENOMEM;
+
 	struct seamldr_params *params __free(free_seamldr_params) =3D
 						init_seamldr_params(data, size);
 	if (IS_ERR(params))
@@ -371,7 +378,11 @@ static int seamldr_install_module(const u8 *data, u32 =
size)
=20
 	atomic_set(&tdp_data.failed, 0);
 	set_state(TDP_START + 1);
-	return stop_machine(do_seamldr_install_module, params, cpu_online_mask);
+	ret =3D stop_machine(do_seamldr_install_module, params, cpu_online_mask);
+	if (ret)
+		return ret;
+
+	return tdx_module_post_update(info);
 }
=20
 static enum fw_upload_err tdx_fw_prepare(struct fw_upload *fwl,
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 5f678c9da4ee..55bdc99818a1 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1406,6 +1406,57 @@ int tdx_module_run_update(void)
 	return ret;
 }
=20
+/*
+ * Update tdx_sysinfo and check if any TDX module features changed after
+ * updates
+ */
+static void tdx_module_sysinfo_update_and_check(struct tdx_sys_info *info)
+{
+	struct tdx_sys_info_versions *old, *new;
+
+	guard(mutex)(&tdx_module_lock);
+
+	old =3D &tdx_sysinfo.versions;
+	new =3D &info->versions;
+	pr_info("version %d.%d.%d -> %d.%d.%d\n", old->major_version,
+						  old->minor_version,
+						  old->update_version,
+						  new->major_version,
+						  new->minor_version,
+						  new->update_version);
+
+	/*
+	 * Blindly refreshing the entire tdx_sysinfo could disrupt running
+	 * software, as it may subtly rely on the previous state unless
+	 * proven otherwise.
+	 *
+	 * Only refresh version information (including handoff version)
+	 * that does not affect functionality, and ignore all other
+	 * changes.
+	 */
+	tdx_sysinfo.versions	=3D info->versions;
+	tdx_sysinfo.handoff	=3D info->handoff;
+
+	if (!memcmp(&tdx_sysinfo, info, sizeof(*info)))
+		return;
+
+	pr_info("TDX module features have changed after updates, but might not ta=
ke effect.\n");
+	pr_info("Please consider a potential BIOS update.\n");
+}
+
+int tdx_module_post_update(struct tdx_sys_info *info)
+{
+	int ret;
+
+	/* Shouldn't fail as the update has succeeded */
+	ret =3D get_tdx_sys_info(info);
+	if (WARN_ON_ONCE(ret))
+		return ret;
+
+	tdx_module_sysinfo_update_and_check(info);
+	return 0;
+}
+
 static bool is_pamt_page(unsigned long phys)
 {
 	struct tdmr_info_list *tdmr_list =3D &tdx_tdmr_list;
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index a05e3c21e7f5..57ccceba5406 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -128,5 +128,6 @@ int seamldr_prerr(u64 fn, struct tdx_module_args *args);
 int tdx_module_shutdown(void);
 void tdx_module_set_error(void);
 int tdx_module_run_update(void);
+int tdx_module_post_update(struct tdx_sys_info *info);
=20
 #endif
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BDD4224467D;
	Fri, 23 May 2025 09:53:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994040; cv=none;
 b=omFHOx6BRwDNdWh/T4KpTsJ6DI9FslLv0K4pewX5NoxdahbMHVY97JtWFYeHFTWf/m2FOy1p27P3q0K3ckBWhwbT8Jo/pD0BHutsC4reBZMn1zm7eoJG56+FRjmvE7waX8SKVIcYima+5LNdCfkwlgaQi2axUgwM6aY4zkaHcpk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994040; c=relaxed/simple;
	bh=eSNu+v2D+KaWmQHSJ63w2hZA/nb1bEbeikUu1ijOXvU=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=sxImPoKbuKl4W34A+JlJTbh/0Ns/DaOP3V77bAfzVb5P/LyeE1xmzPSLQO/bPDx+FfCarh90eIr7os+9lUXZTpzMCVqnR1S41aOGYi0fB+vPuzIvB1mXvYUogSJ2wrp3eMZ9NmI0G4upQ8USYeOMPRJLDlrpJOfnxcfnIYUdJHI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=Vv8dh5aK; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="Vv8dh5aK"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994039; x=1779530039;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=eSNu+v2D+KaWmQHSJ63w2hZA/nb1bEbeikUu1ijOXvU=;
  b=Vv8dh5aKXu5oQTJcFNZ9DItBeq+qjXdgw0vUPPTmVlQUjwb/A9LuKOTE
   3a4/RltAeGw3u4IQan0Zg01X+G+rhgnjoSvx/GqzdBoFZ+Ii+/ZQPg+IT
   W51x4x0tFVm/fTeAfL7QfhdZ/V95VaC0OlqXPmuihsFMsDP821e9P65Xy
   hzLjgEewSoH+HC9lgkQ97IESASpr07KuyFA57m2xXfo7sMtCSPozPGKsG
   0oPc5sqPkxgtAuswX+f9+oy09jjCb9X67JZ3Q7OY7MiwqieWpUln2qppK
   Y8Bgztv15PtqkxVmOmODHihcz8x2v8NbFCx3OnNFupSHnHZ1id4ABi5Uq
   g==;
X-CSE-ConnectionGUID: zz1KG4YjSca/GCiz1ZfN4g==
X-CSE-MsgGUID: 5LulC0WeRi+w5eYioRil1g==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444259"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444259"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:58 -0700
X-CSE-ConnectionGUID: hgsxCPppRP21PE4KRjgwyA==
X-CSE-MsgGUID: 0U8B0qiWQL29bXl1nG54zA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315097"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:57 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 19/20] x86/virt/seamldr: Verify availability of slots for
 TD-Preserving updates
Date: Fri, 23 May 2025 02:52:42 -0700
Message-ID: <20250523095322.88774-20-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Before initiating TD-Preserving updates, ensure that the limit on
successive TD-Preserving updates has not been exceeded. This is a cheap
check to prevent update failure.

Refresh SEAMLDR info after each update so that userspace can read the
correct value of remaining updates.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index 93385db56281..fe8f98701429 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -371,6 +371,9 @@ static int seamldr_install_module(const u8 *data, u32 s=
ize)
 	if (!info)
 		return -ENOMEM;
=20
+	if (!seamldr_info.num_remaining_updates)
+		return -ENOSPC;
+
 	struct seamldr_params *params __free(free_seamldr_params) =3D
 						init_seamldr_params(data, size);
 	if (IS_ERR(params))
@@ -382,6 +385,8 @@ static int seamldr_install_module(const u8 *data, u32 s=
ize)
 	if (ret)
 		return ret;
=20
+	WARN_ON_ONCE(get_seamldr_info());
+
 	return tdx_module_post_update(info);
 }
=20
--=20
2.47.1
From nobody Fri Dec 19 14:46:40 2025
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A593245008;
	Fri, 23 May 2025 09:53:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=192.198.163.7
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1747994041; cv=none;
 b=mKs8VmmwBKBizOsytnJDPtn/MB8Cwi3chOXh/6DUpuXfL1lOCBvp+0sb6tDBlQD4ZH5RVSOYOKEXQD8UmLH5D+wsZPtKyW75ny2yKOM31H3kkDkoovOLYQ+Ho0+2W3iTTdDG+ieS7jzIsyvKni0vsh0FakKZg+Iu9Y2ZyKsLQqU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1747994041; c=relaxed/simple;
	bh=z0i0/IXCqbcVFjIzw3ueLhZMcxcGtEoHNUIB6t7zan8=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=AqshVlYtuHtKvmVg8uWLm1c8Ls5NJA+vazIemOhzTXAPxa4sTjqxqWqYPyV+Ct+tSzGBPCrxO8UxB31YqwnhgSJKzT1q0YA5qGM3Fdn0wADFJ5U4OwcsOLHRhpDL5j/1Do2XDprYXBA6WPCDvPSDjPFBx8IXAzOlL6CYZC4p99M=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=Vjvbg+YV; arc=none smtp.client-ip=192.198.163.7
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="Vjvbg+YV"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1747994039; x=1779530039;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=z0i0/IXCqbcVFjIzw3ueLhZMcxcGtEoHNUIB6t7zan8=;
  b=Vjvbg+YVKoDKYcQbgF2ZfOLMndj9YVmtcB8XO6Mmf8czhlzN5/e3/YUG
   7EbzTMTpH+ojxov3tIK1NhOeoQtdR4ZMXeVImyQTR7Y4rbpsr8fbuoGTj
   fo0xeybSQXnXmgBsz3OZFQyiM8LEkEPmg/N92gnA05ATYgNkS6KRATRO3
   xPdHfd/vFcqIjhL9dQ9NZqPXA0sYO5xSfqGswa8n+BIPoHrIJqvQu3+rE
   X0HKFxVKiOOaj0SWEKfk9BA35WgkSnrcWMz0TKhcxR3PZfe4oGFPRTtHf
   SYk7nB1HAYGSYh1Lw04u03qXI50GL4/wqfADAG5aRx5a/W9+qIKhogjc1
   A==;
X-CSE-ConnectionGUID: xkl3ryjSQRiUX2iDeGcEOQ==
X-CSE-MsgGUID: 8WIWM7+dSLuBX8kpqQ8m1Q==
X-IronPort-AV: E=McAfee;i="6700,10204,11441"; a="75444268"
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="75444268"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
  by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:58 -0700
X-CSE-ConnectionGUID: 9TZeUvwGS6S9vS7yl4WNcg==
X-CSE-MsgGUID: obpdoiXhTq+asbZ9XygFYA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.15,308,1739865600";
   d="scan'208";a="164315100"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 May 2025 02:53:58 -0700
From: Chao Gao <chao.gao@intel.com>
To: linux-coco@lists.linux.dev,
	x86@kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	pbonzini@redhat.com,
	eddie.dong@intel.com,
	kirill.shutemov@intel.com,
	dave.hansen@intel.com,
	dan.j.williams@intel.com,
	kai.huang@intel.com,
	isaku.yamahata@intel.com,
	elena.reshetova@intel.com,
	rick.p.edgecombe@intel.com,
	Chao Gao <chao.gao@intel.com>,
	Farrah Chen <farrah.chen@intel.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: [RFC PATCH 20/20] x86/virt/seamldr: Enable TD-Preserving Updates
Date: Fri, 23 May 2025 02:52:43 -0700
Message-ID: <20250523095322.88774-21-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250523095322.88774-1-chao.gao@intel.com>
References: <20250523095322.88774-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

All necessary steps for TD-Preserving updates have been integrated.
Remove the temporary guard to enable TD-Preserving updates.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Tested-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/virt/vmx/tdx/seamldr.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index fe8f98701429..c6e40a7418d3 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -350,12 +350,6 @@ static int do_seamldr_install_module(void *params)
 	return ret;
 }
=20
-/*
- * Temporary flag to guard TD-Preserving updates. This will be removed once
- * all necessary components for its support are integrated.
- */
-static bool td_preserving_ready;
-
 DEFINE_FREE(free_seamldr_params, struct seamldr_params *,
 	    if (!IS_ERR_OR_NULL(_T)) free_seamldr_params(_T))
=20
@@ -365,9 +359,6 @@ static int seamldr_install_module(const u8 *data, u32 s=
ize)
 							  GFP_KERNEL);
 	int ret;
=20
-	if (!td_preserving_ready)
-		return -EOPNOTSUPP;
-
 	if (!info)
 		return -ENOMEM;
=20
--=20
2.47.1