If failures occur after the TDX Module has been successfully shut down, they are unrecoverable. The kernel cannot restore the previous TDX Module to a running state. All subsequent SEAMCALLs to the TDX Module will fail, so TDs cannot continue to run. Log a message to clarify that SEAMCALL errors are expected in this case. To prevent TDX Module update failures, admins are encouraged to use the user space tool [1] that will perform compatibility and integrity checks that guarantee TDX Module update success. Signed-off-by: Chao Gao Tested-by: Farrah Chen Link: https://github.com/intel/tdx-module-binaries/blob/main/version_select_and_load.py # [1] --- v3: - Rephrase the changelog to eliminate the confusing uses of 'i.e.' and 'e.g.' [Dave/Yilun] --- arch/x86/virt/vmx/tdx/seamldr.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamldr.c index 76f404d1115c..b497fa72ebb6 100644 --- a/arch/x86/virt/vmx/tdx/seamldr.c +++ b/arch/x86/virt/vmx/tdx/seamldr.c @@ -260,6 +260,14 @@ static void ack_state(void) set_target_state(tdp_data.state + 1); } +static void print_update_failure_message(void) +{ + static atomic_t printed = ATOMIC_INIT(0); + + if (atomic_inc_return(&printed) == 1) + pr_err("update failed, SEAMCALLs will report failure until TDs killed\n"); +} + /* * See multi_cpu_stop() from where this multi-cpu state-machine was * adopted, and the rationale for touch_nmi_watchdog() @@ -289,10 +297,13 @@ static int do_seamldr_install_module(void *params) break; } - if (ret) + if (ret) { atomic_inc(&tdp_data.failed); - else + if (curstate > TDP_SHUTDOWN) + print_update_failure_message(); + } else { ack_state(); + } } else { touch_nmi_watchdog(); rcu_momentary_eqs(); -- 2.47.3