Currently, there is no way to restore a TDX module from shutdown state to running state. This means if errors occur after a successful module shutdown, they are unrecoverable since the old module is gone but the new module isn't installed. All subsequent SEAMCALLs to the TDX module will fail, so TDs will be killed due to SEAMCALL failures. Log a message to clarify that SEAMCALL errors are expected in this scenario. This ensures that after update failures, the first message in dmesg explains the situation rather than showing confusing call traces from various code paths. Signed-off-by: Chao Gao Reviewed-by: Tony Lindgren Reviewed-by: Xu Yilun Acked-by: Kai Huang --- v4: - Use pr_warn_once() instead of reinventing it [Yilun] v3: - Rephrase the changelog to eliminate the confusing uses of 'i.e.' and 'e.g.' [Dave/Yilun] --- arch/x86/virt/vmx/tdx/seamldr.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamldr.c index b3f3b40627c3..a972f9ba6877 100644 --- a/arch/x86/virt/vmx/tdx/seamldr.c +++ b/arch/x86/virt/vmx/tdx/seamldr.c @@ -252,6 +252,11 @@ static void ack_state(void) set_target_state(update_data.state + 1); } +static void print_update_failure_message(void) +{ + pr_err_once("update failed, SEAMCALLs will report failure until TDs killed\n"); +} + /* * See multi_cpu_stop() from where this multi-cpu state-machine was * adopted, and the rationale for touch_nmi_watchdog(). @@ -291,10 +296,13 @@ static int do_seamldr_install_module(void *seamldr_params) break; } - if (ret) + if (ret) { WRITE_ONCE(update_data.failed, true); - else + if (curstate > MODULE_UPDATE_SHUTDOWN) + print_update_failure_message(); + } else { ack_state(); + } } else { touch_nmi_watchdog(); rcu_momentary_eqs(); -- 2.47.3