lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 5 Oct 2021 06:29:43 -0700
From:   Sathyanarayanan Kuppuswamy Natarajan 
        <sathyanarayanan.nkuppuswamy@...il.com>
To:     Randy Dunlap <rdunlap@...radead.org>
Cc:     Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, Paolo Bonzini <pbonzini@...hat.com>,
        David Hildenbrand <david@...hat.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Juergen Gross <jgross@...e.com>, Deep Shah <sdeep@...are.com>,
        VMware Inc <pv-drivers@...are.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, Peter H Anvin <hpa@...or.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Tony Luck <tony.luck@...el.com>,
        Dan Williams <dan.j.williams@...el.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Kirill Shutemov <kirill.shutemov@...ux.intel.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v8 02/11] x86/tdx: Introduce INTEL_TDX_GUEST config option

On Mon, Oct 4, 2021 at 9:53 PM Randy Dunlap <rdunlap@...radead.org> wrote:
>
> On 10/4/21 7:51 PM, Kuppuswamy Sathyanarayanan wrote:
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 2b2a9639d8ae..c42dd8a2d1f4 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -865,6 +865,20 @@ config ACRN_GUEST
> >         IOT with small footprint and real-time features. More details can be
> >         found inhttps://projectacrn.org/.
> >
> > +config INTEL_TDX_GUEST
> > +     bool "Intel Trusted Domain eXtensions Guest Support"
> > +     depends on X86_64 && CPU_SUP_INTEL && PARAVIRT
> > +     depends on SECURITY
> > +     select X86_X2APIC
>
> Apparently some Intel CPUs don't have the x2apic feature, since the
> Kconfig help text for X86_X2APIC says:
>
>           This enables x2apic support on CPUs that have this feature.
>
> so how is it safe to set/enable/select that kconfig symbol?
>
> Will the x2apic code just safely not work if the h/w feature is
> missing?

For the TDX guest, x2apic will be emulated. So it will exist in our
case. Even if x2apic or TDX guest is not supported by CPU, it will
boot just fine.

>
> > +     select SECURITY_LOCKDOWN_LSM
> > +     help
> > +       Provide support for running in a trusted domain on Intel processors
> > +       equipped with Trusted Domain eXtensions. TDX is a Intel technology
> > +       that extends VMX and Memory Encryption with a new kind of virtual
> > +       machine guest called Trust Domain (TD). A TD is designed to run in
> > +       a CPU mode that protects the confidentiality of TD memory contents
> > +       and the TD’s CPU state from other software, including VMM.
>
>
> thanks.
> --
> ~Randy



-- 
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

Powered by blists - more mailing lists