Message-ID: <71f3326d-319b-c78a-345b-499001e766ff@intel.com>
Date: Thu, 21 Jul 2022 12:23:03 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Sathyanarayanan Kuppuswamy
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
Isaku Yamahata <isaku.yamahata@...il.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Tony Luck <tony.luck@...el.com>,
Andi Kleen <ak@...ux.intel.com>,
Kai Huang <kai.huang@...el.com>,
Wander Lairson Costa <wander@...hat.com>,
marcelo.cerri@...onical.com, tim.gardner@...onical.com,
khalid.elmously@...onical.com, philip.cox@...onical.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v8 5/5] x86/tdx: Add Quote generation support

On 7/21/22 11:57, Sathyanarayanan Kuppuswamy wrote:
>> How does the VMM know how much to read/write? I have a theory: the spec
>> says that R12 is:
>>
>> "Shared 4KB GPA as input – the memory contains a
>> TDREPORT_STRUCT."
>>
>> That's *A* 4KB GPA. The maximum is one 4KB page. That's the only thing
>> that makes sense because there's no length in the ABI anywhere.
>>
>> What am I missing?
> I think you are looking into the old spec. Please check the version
> "FEBRUARY 2022"
>
> Following are the ABI details:
>
> R11 - TDG.VP.VMCALL< GetQuote > sub-function per Table 2-3
> R12 - Shared GPA as input – the memory contains a TDREPORT_STRUCT. The
> same buffer is used as output – the memory contains a TD Quote.
> R13 - Size of shared GPA. The size must be 4KB-aligned.

Yeah, silly me. I assumed the ABI was stable and wouldn't be, you know,
adding and removing parameters.

I still don't know how this all works. You just said:

> Current ABI allows attestation service and agent to decide the quote size. So
> we can't make assumptions on what that size will be.

But, the guest *HAS* to make assumptions, right? It's allocating the
buffer and handing a pointer and size over to the host. It's also guest
*userspace*. In fact, this implementation *ABSOLUTELY* makes
assumptions about the buffer size.

If host userspace some day decides it needs 5MB of space, then all the
guests will just stop working. This implementation is limited by the
max page allocator size.

This all just seems to work by chance.
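
The buffer-sizing constraint discussed in this message, as an added example that is not part of the original mail or of the patch under review: a user-space C model of how a guest would derive the R13 size for GetQuote and where a single contiguous allocation stops being possible. `plan_quote_buf`, `order_for_len` and `ASSUMED_MAX_ALLOC_ORDER` are hypothetical names, and the order-10 (4MB) allocator limit is an assumption, not a value from the thread.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_4K 4096ULL
/* Assumption: the largest page-allocator order is 10 (2^10 pages = 4MB). */
#define ASSUMED_MAX_ALLOC_ORDER 10

enum quote_buf_status { QUOTE_BUF_OK, QUOTE_BUF_EMPTY, QUOTE_BUF_TOO_BIG };

/* Smallest order with (PAGE_SIZE_4K << order) >= len; caller bounds len. */
static unsigned int order_for_len(uint64_t len)
{
    unsigned int order = 0;

    while ((PAGE_SIZE_4K << order) < len)
        order++;
    return order;
}

/* Hypothetical helper: R12 is one GPA and R13 one size, so the buffer is a
 * single contiguous range. Round the length up to 4KB for R13 and refuse
 * anything that does not fit in one page-allocator allocation. */
static enum quote_buf_status plan_quote_buf(uint64_t quote_len,
                                            uint64_t *r13_size,
                                            unsigned int *order)
{
    const uint64_t max_bytes = PAGE_SIZE_4K << ASSUMED_MAX_ALLOC_ORDER;

    if (quote_len == 0)
        return QUOTE_BUF_EMPTY;
    if (quote_len > max_bytes)
        return QUOTE_BUF_TOO_BIG;   /* the 5MB case from the mail */

    *r13_size = (quote_len + PAGE_SIZE_4K - 1) & ~(PAGE_SIZE_4K - 1);
    *order = order_for_len(quote_len);
    return QUOTE_BUF_OK;
}

int main(void)
{
    /* Constructed sample lengths: one page, unaligned, 4MB, 5MB. */
    const uint64_t lens[] = { 4096, 8000, 4ULL << 20, 5ULL << 20 };

    for (unsigned int i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        uint64_t size = 0; unsigned int order = 0;
        enum quote_buf_status s = plan_quote_buf(lens[i], &size, &order);
        printf("len=%llu status=%d r13=%llu order=%u\n",
               (unsigned long long)lens[i], (int)s,
               (unsigned long long)size, order);
    }
    return 0;
}
```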