Currently, there is no way to restore a TDX Module from shutdown state to running state. This means if errors occur after a successful module shutdown, they are unrecoverable since the old module is gone but the new module isn't installed. All subsequent SEAMCALLs to the TDX Module will fail, so TDs will be killed due to SEAMCALL failures. Log a message to clarify that SEAMCALL errors are expected in this scenario. This ensures that after update failures, the first message in dmesg explains the situation rather than showing confusing call traces from various code paths. Signed-off-by: Chao Gao Reviewed-by: Tony Lindgren --- v4: - Use pr_warn_once() instead of reinventing it [Yilun] v3: - Rephrase the changelog to eliminate the confusing uses of 'i.e.' and 'e.g.' [Dave/Yilun] --- arch/x86/virt/vmx/tdx/seamldr.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamldr.c index c59cdd5b1fe4..4e0a98404c7f 100644 --- a/arch/x86/virt/vmx/tdx/seamldr.c +++ b/arch/x86/virt/vmx/tdx/seamldr.c @@ -223,6 +223,11 @@ static void ack_state(void) set_target_state(tdp_data.state + 1); } +static void print_update_failure_message(void) +{ + pr_err_once("update failed, SEAMCALLs will report failure until TDs killed\n"); +} + /* * See multi_cpu_stop() from where this multi-cpu state-machine was * adopted, and the rationale for touch_nmi_watchdog() @@ -252,10 +257,13 @@ static int do_seamldr_install_module(void *params) break; } - if (ret) + if (ret) { atomic_inc(&tdp_data.failed); - else + if (curstate > TDP_SHUTDOWN) + print_update_failure_message(); + } else { ack_state(); + } } else { touch_nmi_watchdog(); rcu_momentary_eqs(); -- 2.47.3