The TDX module requires a one-time global initialization (TDH.SYS.INIT) and per-CPU initialization (TDH.SYS.LP.INIT) before use. These initializations are guarded by software flags to prevent repetition.

After TDX module updates, the new TDX module requires the same global and per-CPU initializations, but the existing software flags prevent re-initialization. Reset all software flags guarding the initialization flows to allow the global and per-CPU initializations to be triggered again after updates.

Set tdx_module_status to ERROR to indicate the module is unavailable. This is to prevent re-initialization/tdx_sysinfo reporting on a failed update. Using ERROR instead of UNINITIALIZED as the latter implicitly depends on get_tdx_sys_info() failing early to prevent re-init after successful shutdown followed by failed update.

Signed-off-by: Chao Gao
Reviewed-by: Tony Lindgren
Reviewed-by: Kai Huang
---
v7:
 - Use ERROR instead of UNINITIALIZED for tdx_module_status. Both work, but UNINITIALIZED implicitly depends on get_tdx_sys_info() failing early to prevent re-initialization after successful shutdown followed by failed update
 - add a comment to explain why no lock is held and re-initialization isn't a problem.

v6:
 - reset tdx_lp_initialized for offlined CPUs and update the comment accordingly [Kai]

v5:
 - add a comment to clarify why state access doesn't require holding a lock. [Kai]
---
 arch/x86/virt/vmx/tdx/tdx.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index f87fad429f4e..4c9565d507fe 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -55,6 +55,8 @@ static struct tdmr_info_list tdx_tdmr_list; static enum tdx_module_status_t tdx_module_status; static DEFINE_MUTEX(tdx_module_lock); +static bool sysinit_done; +static int sysinit_ret; /* All TDX-usable memory regions. Protected by mem_hotplug_lock. */ static LIST_HEAD(tdx_memlist); @@ -70,8 +72,6 @@ static int try_init_module_global(void) { struct tdx_module_args args = {}; static DEFINE_RAW_SPINLOCK(sysinit_lock); - static bool sysinit_done; - static int sysinit_ret; lockdep_assert_irqs_disabled(); @@ -1179,6 +1179,7 @@ EXPORT_SYMBOL_FOR_KVM(tdx_enable); int tdx_module_shutdown(void) { struct tdx_module_args args = {}; + int ret, cpu; /* * Shut down the TDX module and prepare handoff data for the next @@ -1188,7 +1189,31 @@ int tdx_module_shutdown(void) * modules as new modules likely have higher handoff version. */ args.rcx = tdx_sysinfo.handoff.module_hv; - return seamcall_prerr(TDH_SYS_SHUTDOWN, &args); + ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args); + if (ret) + return ret; + + /* + * Mark the module is unavailable (in ERROR status) to prevent + * re-initialization and tdx_sysinfo reporting. Note the status + * will be restored after a successful update. + * + * No need to acquire tdx_module_lock here since this runs in + * stop_machine() where no concurrent initialization can occur. + */ + tdx_module_status = TDX_MODULE_ERROR; + sysinit_done = false; + sysinit_ret = 0; + + /* + * Since the TDX module is shut down and gone, mark all CPUs + * (including offlined ones) as uninitialized. This is called in + * stop_machine() (where CPU hotplug is disabled), preventing + * races with other tdx_lp_initialized accesses. + */ + for_each_possible_cpu(cpu) + per_cpu(tdx_lp_initialized, cpu) = false; + return 0; } static bool is_pamt_page(unsigned long phys) -- 2.47.3
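Review bot: with sysinit_done and sysinit_ret promoted to file scope in the first hunk (@@ -55), nothing at the declaration site records who owns them: inside try_init_module_global() they are still serialized by the raw spinlock sysinit_lock, while tdx_module_shutdown() now writes them without that lock and relies on running under stop_machine(). A one-line comment above `static bool sysinit_done;` naming sysinit_lock as the protector and stop_machine() as the only lock-free writer, in the style of the `/* All TDX-usable memory regions. Protected by mem_hotplug_lock. */` comment just below, would keep that contract visible to the next person touching these flags.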
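Review bot: in the tdx_module_shutdown() hunk (@@ -1188), the early `return ret;` after `seamcall_prerr(TDH_SYS_SHUTDOWN, &args)` leaves tdx_module_status, sysinit_done, sysinit_ret and every tdx_lp_initialized flag untouched when the shutdown SEAMCALL fails, so the comment block should say whether the module is still usable in that case (making "leave the state alone" the right choice) or whether callers must treat it as unavailable anyway. The lock-free writes that follow are justified only by "this runs in stop_machine()", yet the function itself carries no assertion or kernel-doc stating that requirement on its callers; documenting it on the function rather than only in the body would make the contract harder to break. Two wording points in the same comment: "Mark the module is unavailable" should read "Mark the module as unavailable", and "the status will be restored after a successful update" refers to a path outside this diff, so naming the function that restores it would help readers.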