[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cec13fb656f05d8c9d231c225587072076448d71.camel@intel.com>
Date: Wed, 06 Apr 2022 13:55:28 +1200
From: Kai Huang <kai.huang@...el.com>
To: Isaku Yamahata <isaku.yamahata@...il.com>
Cc: isaku.yamahata@...el.com, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
Jim Mattson <jmattson@...gle.com>, erdemaktas@...gle.com,
Connor Kuehl <ckuehl@...hat.com>,
Sean Christopherson <seanjc@...gle.com>
Subject: Re: [RFC PATCH v5 023/104] x86/cpu: Add helper functions to
allocate/free MKTME keyid
On Thu, 2022-03-31 at 13:15 -0700, Isaku Yamahata wrote:
> On Thu, Mar 31, 2022 at 02:21:06PM +1300,
> Kai Huang <kai.huang@...el.com> wrote:
>
> > On Fri, 2022-03-04 at 11:48 -0800, isaku.yamahata@...el.com wrote:
> > > From: Isaku Yamahata <isaku.yamahata@...el.com>
> > >
> > > MKTME keyid is assigned to guest TD. The memory controller encrypts guest
> > > TD memory with key id. Add helper functions to allocate/free MKTME keyid
> > > so that TDX KVM assign keyid.
> >
> > Using MKTME keyid is wrong, at least not accurate I think. We should use
> > explicitly use "TDX private KeyID", which is clearly documented in the spec:
> >
> > https://software.intel.com/content/dam/develop/external/us/en/documents-tps/intel-tdx-cpu-architectural-specification.pdf
> >
> > Also, description of IA32_MKTME_KEYID_PARTITIONING MSR clearly says TDX private
> > KeyIDs span the range (NUM_MKTME_KIDS+1) through
> > (NUM_MKTME_KIDS+NUM_TDX_PRIV_KIDS). So please just use TDX private KeyID here.
> >
> >
> > >
> > > Also export MKTME global keyid that is used to encrypt TDX module and its
> > > memory.
> >
> > This needs explanation why the global keyID needs to be exported.
>
> How about the followings?
>
> TDX private host key id is assigned to guest TD. The memory controller
> encrypts guest TD memory with the assigned host key id (HIKD). Add helper
> functions to allocate/free TDX private host key id so that TDX KVM manage
> it.
HIKD -> HKID.
You may also want to use KeyID in consistent way (KeyID, keyid, key id, etc).
The spec uses KeyID.
>
> Also export the global TDX private host key id that is used to encrypt TDX
> module, its memory and some dynamic data (e.g. TDR). When VMM releasing
> encrypted page to reuse it, the page needs to be flushed with the used host
> key id. VMM needs the global TDX private host key id to flush such pages
> TDX module accesses with the global TDX private host key id.
>
>
Find to me.
Powered by blists - more mailing lists