lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5252a906-41e7-ec92-3b99-4a8d5cff4f0f@intel.com>
Date:   Fri, 18 Feb 2022 13:07:11 -0800
From:   Dave Hansen <dave.hansen@...el.com>
To:     "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
        luto@...nel.org, peterz@...radead.org
Cc:     sathyanarayanan.kuppuswamy@...ux.intel.com, aarcange@...hat.com,
        ak@...ux.intel.com, dan.j.williams@...el.com, david@...hat.com,
        hpa@...or.com, jgross@...e.com, jmattson@...gle.com,
        joro@...tes.org, jpoimboe@...hat.com, knsathya@...nel.org,
        pbonzini@...hat.com, sdeep@...are.com, seanjc@...gle.com,
        tony.luck@...el.com, vkuznets@...hat.com, wanpengli@...cent.com,
        x86@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCHv3 03/32] x86/tdx: Detect running as a TDX guest in early
 boot

On 2/18/22 08:16, Kirill A. Shutemov wrote:
> From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>
> 
> cc_platform_has() API is used in the kernel to enable confidential
> computing features. Since TDX guest is a confidential computing
> platform, it also needs to use this API.

I'm struggling to connect the relevance of this paragraph to the patch
below.

I went through the whole series and I don't see any modifications to
cc_platform_has() or checks for X86_FEATURE_TDX_GUEST that seem like
they influence cc_platform_has().

What the heck am I missing?

> In preparation of extending cc_platform_has() API to support TDX guest,
> use CPUID instruction to detect support for TDX guests in the early
> boot code (via tdx_early_init()). Since copy_bootdata() is the first
> user of cc_platform_has() API, detect the TDX guest status before it.

This is good.  It tells us *why* it is initialized in that location.

> Since cc_plaform_has() API will be used frequently across the boot
> code, instead of repeatedly detecting the TDX guest status using the
> CPUID instruction, detect once and cache the result.

Isn't this a remnant of an old implementation where there was a separate
'tdx_enabled' variable in addition to X86_FEATURE_TDX_GUEST?

Does this "caching" refer to X86_FEATURE_TDX_GUEST or the old thing?

> Define a synthetic feature flag (X86_FEATURE_TDX_GUEST) and set this
> bit in a valid TDX guest platform.


> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 391c4cac8958..ea4190c53db6 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -880,6 +880,18 @@ config ACRN_GUEST
>  	  IOT with small footprint and real-time features. More details can be
>  	  found in https://projectacrn.org/.
>  
> +config INTEL_TDX_GUEST
> +	bool "Intel TDX (Trust Domain Extensions) - Guest Support"
> +	depends on X86_64 && CPU_SUP_INTEL
> +	depends on X86_X2APIC
> +	help
> +	  Support running as a guest under Intel TDX.  Without this support,
> +	  the guest kernel can not boot or run under TDX.
> +	  TDX includes memory encryption and integrity capabilities
> +	  which protect the confidentiality and integrity of guest
> +	  memory contents and CPU state. TDX guests are protected from
> +	  potential attacks from the VMM.

Nit: I don't think "potential" is the right word there.  "some" might
work better.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ