A runtime TDX module update can conflict with TD lifecycle operations that are update-sensitive. Today, update-sensitive operations include: - TD build: TD measurement is accumulated across multiple TDH.MEM.PAGE.ADD, TDH.MR.EXTEND, and TDH.MR.FINALIZE calls. - TD migration: intermediate crypto state is saved/restored across interrupted/resumed TDH.EXPORT.STATE.* and TDH.IMPORT.STATE.* flows. If an update races TD build, for example, TD measurement can become incorrect and attestation can fail. The TDX architecture exposes two approaches: 1) Avoid updates during update-sensitive operations. 2) Detect incompatibility after update and recover. Post-update detection (option #2) is not a good fit: as discussed in [1], future module behavior may expand update-sensitive operations in ways that make KVM ABIs unstable and will break userspace. "Do nothing" is also not preferred: while it keeps kernel code simple, it lets the issue leak into the broader stack, where both detection and recovery require significantly more effort. So, use option #1. Specifically, request "avoid update-sensitive" behavior during TDX module shutdown and map the resulting failure to -EBUSY so userspace can distinguish an update race from other failures. When the "avoid update-sensitive" feature isn't supported, proceed with updates. If a race occurs between module update and update-sensitive operations, failures happen at a later stage (e.g., incorrect TD measurements in attestation reports for TD build). Effectively, this means "let userspace update at their own risk". Userspace can check if the feature is supported or not. The alternative of blocking updates entirely is rejected [2] as it introduces permanent kernel complexity to accommodate limitations in early TDX module releases that userspace can handle. Note: this implementation is based on a reference patch by Vishal [3]. Note2: moving "NO_RBP_MOD" is just to centralize bit definitions. Signed-off-by: Chao Gao Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/linux-coco/aQIbM5m09G0FYTzE@google.com/ # [1] Link: https://lore.kernel.org/kvm/699fe97dc212f_2f4a100b@dwillia2-mobl4.notmuch/ # [2] Link: https://lore.kernel.org/linux-coco/CAGtprH_oR44Vx9Z0cfxvq5-QbyLmy_+Gn3tWm3wzHPmC1nC0eg@mail.gmail.com/ # [3] --- v7: - add error logging otherwise it is dropped when we switch from seamcall_prerr() to seamcall(). v6: - Revise the changelog to clarify behavior when "avoid update-sensitive" isn't supported. - Drop unnecessary wrapper for feature capability check --- arch/x86/include/asm/tdx.h | 11 +++++++++-- arch/x86/kvm/vmx/tdx_errno.h | 2 -- arch/x86/virt/vmx/tdx/tdx.c | 25 +++++++++++++++++++++---- arch/x86/virt/vmx/tdx/tdx.h | 3 --- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h index 79733fdb35c6..00751506dd3c 100644 --- a/arch/x86/include/asm/tdx.h +++ b/arch/x86/include/asm/tdx.h @@ -26,11 +26,18 @@ #define TDX_SEAMCALL_GP (TDX_SW_ERROR | X86_TRAP_GP) #define TDX_SEAMCALL_UD (TDX_SW_ERROR | X86_TRAP_UD) +#define TDX_SEAMCALL_STATUS_MASK 0xFFFFFFFF00000000ULL + /* * TDX module SEAMCALL leaf function error codes */ -#define TDX_SUCCESS 0ULL -#define TDX_RND_NO_ENTROPY 0x8000020300000000ULL +#define TDX_SUCCESS 0ULL +#define TDX_RND_NO_ENTROPY 0x8000020300000000ULL +#define TDX_UPDATE_COMPAT_SENSITIVE 0x8000051200000000ULL + +/* Bit definitions of TDX_FEATURES0 metadata field */ +#define TDX_FEATURES0_NO_RBP_MOD BIT_ULL(18) +#define TDX_FEATURES0_UPDATE_COMPAT BIT_ULL(47) #ifndef __ASSEMBLER__ diff --git a/arch/x86/kvm/vmx/tdx_errno.h b/arch/x86/kvm/vmx/tdx_errno.h index 6ff4672c4181..215c00d76a94 100644 --- a/arch/x86/kvm/vmx/tdx_errno.h +++ b/arch/x86/kvm/vmx/tdx_errno.h @@ -4,8 +4,6 @@ #ifndef __KVM_X86_TDX_ERRNO_H #define __KVM_X86_TDX_ERRNO_H -#define TDX_SEAMCALL_STATUS_MASK 0xFFFFFFFF00000000ULL - /* * TDX SEAMCALL Status Codes (returned in RAX) */ diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c index 08d9f4cb32f9..d144860e17c2 100644 --- a/arch/x86/virt/vmx/tdx/tdx.c +++ b/arch/x86/virt/vmx/tdx/tdx.c @@ -1176,10 +1176,13 @@ int tdx_enable(void) } EXPORT_SYMBOL_FOR_KVM(tdx_enable); +#define TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE BIT(16) + int tdx_module_shutdown(void) { struct tdx_module_args args = {}; - int ret, cpu; + u64 ret; + int cpu; /* * Shut down the TDX module and prepare handoff data for the next @@ -1189,9 +1192,23 @@ int tdx_module_shutdown(void) * modules as new modules likely have higher handoff version. */ args.rcx = tdx_sysinfo.handoff.module_hv; - ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args); - if (ret) - return ret; + + if (tdx_sysinfo.features.tdx_features0 & TDX_FEATURES0_UPDATE_COMPAT) + args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE; + + ret = seamcall(TDH_SYS_SHUTDOWN, &args); + + /* + * Return -EBUSY to signal that there is one or more ongoing flows + * which may not be compatible with an updated TDX module, so that + * userspace can retry on this error. + */ + if ((ret & TDX_SEAMCALL_STATUS_MASK) == TDX_UPDATE_COMPAT_SENSITIVE) + return -EBUSY; + if (ret) { + seamcall_err(TDH_SYS_SHUTDOWN, ret, &args); + return -EIO; + } /* * Mark the module is unavailable (in ERROR status) to prevent diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h index f8686247c660..2435f88c6994 100644 --- a/arch/x86/virt/vmx/tdx/tdx.h +++ b/arch/x86/virt/vmx/tdx/tdx.h @@ -88,9 +88,6 @@ struct tdmr_info { DECLARE_FLEX_ARRAY(struct tdmr_reserved_area, reserved_areas); } __packed __aligned(TDMR_INFO_ALIGNMENT); -/* Bit definitions of TDX_FEATURES0 metadata field */ -#define TDX_FEATURES0_NO_RBP_MOD BIT(18) - /* * Do not put any hardware-defined TDX structure representations below * this comment! -- 2.47.3