From: Peter Fang Enable the TDX Quoting feature via TDH.SYS.CONFIG when supported by the TDX module. The TDX Quoting extension generates TDX attestation Quotes via a SEAMCALL, without using a discrete Quoting engine. TDX Module supports add-on TDX features (e.g. TDX Quoting & TDX Module Extensions) that should be manually enabled by host. It extends TDH.SYS.CONFIG for host to choose to enable them on bootup. Call TDH.SYS.CONFIG with a new bitmap input parameter to specify which features to enable. The bitmap uses the same definitions as TDX_FEATURES0. But note not all bits in TDX_FEATURES0 are valid for configuration, e.g. TDX Module Extensions is a service that supports TDX Quoting, it is implicitly enabled when TDX Quoting is enabled. Setting TDX_FEATURES0_EXT in the bitmap has no effect. TDX Module advances the version of TDH.SYS.CONFIG for the change, so use the latest version (v1) for add-on feature enabling. But supporting existing Modules which only support v0 is still necessary until they are deprecated. In fact, it is unlikely that TDH.SYS.CONFIG ever needs to change again and the code would stay in v1. So there is little value in worrying about deprecating v0 to save a couple lines of code in 5-7 years when these original TDX platforms sunset. TDX Module updates global metadata when add-on features are enabled. Host should update the cached tdx_sysinfo to reflect these changes. Co-developed-by: Xu Yilun Signed-off-by: Xu Yilun Signed-off-by: Peter Fang --- arch/x86/virt/vmx/tdx/tdx.h | 4 +++- arch/x86/virt/vmx/tdx/tdx.c | 24 ++++++++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h index 10aff23cd01f..524a14c01aa6 100644 --- a/arch/x86/virt/vmx/tdx/tdx.h +++ b/arch/x86/virt/vmx/tdx/tdx.h @@ -58,7 +58,8 @@ #define TDH_PHYMEM_CACHE_WB 40 #define TDH_PHYMEM_PAGE_WBINVD 41 #define TDH_VP_WR 43 -#define TDH_SYS_CONFIG 45 +#define TDH_SYS_CONFIG_V0 45 +#define TDH_SYS_CONFIG SEAMCALL_LEAF_VER(TDH_SYS_CONFIG_V0, 1) #define TDH_EXT_INIT 60 #define TDH_EXT_MEM_ADD 61 #define TDH_SYS_DISABLE 69 @@ -97,6 +98,7 @@ struct tdmr_info { /* Bit definitions of TDX_FEATURES0 metadata field */ #define TDX_FEATURES0_NO_RBP_MOD BIT(18) #define TDX_FEATURES0_EXT BIT_ULL(39) +#define TDX_FEATURES0_QUOTE BIT_ULL(50) /* * Do not put any hardware-defined TDX structure representations below diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c index f7600f930c6e..86e5b7ad19b3 100644 --- a/arch/x86/virt/vmx/tdx/tdx.c +++ b/arch/x86/virt/vmx/tdx/tdx.c @@ -1049,6 +1049,7 @@ static __init int construct_tdmrs(struct list_head *tmb_list, static __init int config_tdx_module(struct tdmr_info_list *tdmr_list, u64 global_keyid) { + u64 seamcall_fn = TDH_SYS_CONFIG_V0; struct tdx_module_args args = {}; u64 *tdmr_pa_array; size_t array_sz; @@ -1074,8 +1075,22 @@ static __init int config_tdx_module(struct tdmr_info_list *tdmr_list, args.rcx = __pa(tdmr_pa_array); args.rdx = tdmr_list->nr_consumed_tdmrs; args.r8 = global_keyid; - ret = seamcall_prerr(TDH_SYS_CONFIG, &args); + if (tdx_sysinfo.features.tdx_features0 & TDX_FEATURES0_QUOTE) { + args.r9 |= TDX_FEATURES0_QUOTE; + /* These parameters require version >= 1 */ + seamcall_fn = TDH_SYS_CONFIG; + } + + ret = seamcall_prerr(seamcall_fn, &args); + if (ret) + goto free_tdmr; + + /* enabling TDX Quoting may change tdx_sysinfo, update it */ + if (tdx_sysinfo.features.tdx_features0 & TDX_FEATURES0_QUOTE) + ret = get_tdx_sys_info(&tdx_sysinfo); + +free_tdmr: /* Free the array as it is not required anymore. */ kfree(tdmr_pa_array); @@ -1384,12 +1399,17 @@ static void tdx_quote_init(void) unsigned int nr_quote_pages; u64 r; + if (!(tdx_sysinfo.features.tdx_features0 & TDX_FEATURES0_QUOTE)) + return; + do { r = seamcall(TDH_QUOTE_INIT, &args); } while (r == TDX_INTERRUPTED_RESUMABLE); - if (r) + if (r) { + pr_err("Failed to enable quoting extension: 0x%llx\n", r); return; + } /* Quoting metadata is valid only after initialization */ if (get_tdx_sys_info_quote(&tdx_sysinfo.quote)) -- 2.25.1