The TDX Module update protocol facilitates compatible runtime updates.
Document the compatibility criteria and indicators of various update
failures, including violations of the compatibility criteria.

Signed-off-by: Chao Gao
Reviewed-by: Dan Williams
---
v4
 - Drop "compat_capable" kernel ABI [Dan]
 - Document Linux compatibility expectations and results of violating
   them [Dan]
---
 .../ABI/testing/sysfs-devices-faux-tdx-host | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/Documentation/ABI/testing/sysfs-devices-faux-tdx-host b/Documentation/ABI/testing/sysfs-devices-faux-tdx-host
index 88a9c0b2bdfe..fefe762998db 100644
--- a/Documentation/ABI/testing/sysfs-devices-faux-tdx-host
+++ b/Documentation/ABI/testing/sysfs-devices-faux-tdx-host
@@ -27,3 +27,56 @@ Description: (RO) Report the number of remaining updates. TDX maintains a Interface Specification, Revision 343755-003, Chapter 3.3 "SEAMLDR_INFO" and Chapter 4.2 "SEAMLDR.INSTALL" for more information. + +What: /sys/devices/faux/tdx_host/firmware/tdx_module +Contact: linux-coco@lists.linux.dev +Description: (Directory) The tdx_module directory implements the fw_upload + sysfs ABI, see Documentation/ABI/testing/sysfs-class-firmware + for the general description of the attributes @data, @cancel, + @error, @loading, @remaining_size, and @status. This ABI + facilitates "Compatible TDX Module Updates". A compatible update + is one that meets the following criteria: + + Does not interrupt or interfere with any current TDX + operation or TD VM. + + Does not invalidate any previously consumed Module metadata + values outside of the TEE_TCB_SVN_2 field (updated Security + Version Number) in TD Quotes. + + Does not require validation of new Module metadata fields. By + implication, new Module features and capabilities are only + available by installing the Module at reboot (BIOS or EFI + helper loaded). + + See tdx_host/firmware/tdx_module/error for information on + compatibility check failures and how to prevent them. + +What: /sys/devices/faux/tdx_host/firmware/tdx_module/error +Contact: linux-coco@lists.linux.dev +Description: (RO) See Documentation/ABI/testing/sysfs-class-firmware for + baseline expectations for this file. The part in the + : format can be: + + "device-busy": Compatibility checks failed or not all CPUs + are online + + "flash-wearout": The number of updates reached the limit. + + "read-write-error": Memory allocation failed. + + "hw-error": Cannot communicate with P-SEAMLDR or TDX Module. + + "firmware-invalid": The provided TDX Module update is invalid + or other unexpected errors occurred. + + "hw-error" or "firmware-invalid" may be fatal, causing all TDs + and the TDX Module to be lost and preventing further TDX + operations. 
This occurs when reading + /sys/devices/faux/tdx_host/version returns -ENXIO. For other + errors, TDs and the (previous) TDX Module stay running. + + See tdxctl [1] documentation for how to detect compatible + updates and whether the current platform components catch errors + or let them leak and cause potential TD attestation failures. + [1]: -- 2.47.3
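Review bot: In the tdx_module/error entry, "device-busy" covers both "Compatibility checks failed" and "not all CPUs are online", so a reader of the file cannot tell a condition that clears once the CPUs are brought online from a compatibility check failure; please document how userspace should tell the two apart, or state explicitly that it cannot and must consult tdxctl. In the same entry, "This occurs when reading /sys/devices/faux/tdx_host/version returns -ENXIO" reads as if the read causes the loss; wording such as "The fatal case is indicated by reads of /sys/devices/faux/tdx_host/version returning -ENXIO" would make the check to run after "hw-error" or "firmware-invalid" unambiguous. The tdx_module entry also says the error file explains how to prevent compatibility check failures, but the error entry only lists the strings and defers to tdxctl; either add the prevention guidance here or adjust the cross-reference.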