lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e177a82687eb546d6020821a5ccdf916f046b3de.camel@intel.com>
Date:   Fri, 28 Oct 2022 01:24:46 +0000
From:   "Huang, Kai" <kai.huang@...el.com>
To:     "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ak@...ux.intel.com" <ak@...ux.intel.com>
CC:     "Hansen, Dave" <dave.hansen@...el.com>,
        "Luck, Tony" <tony.luck@...el.com>,
        "bagasdotme@...il.com" <bagasdotme@...il.com>,
        "Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
        "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
        "Christopherson,, Sean" <seanjc@...gle.com>,
        "Chatre, Reinette" <reinette.chatre@...el.com>,
        "pbonzini@...hat.com" <pbonzini@...hat.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "Yamahata, Isaku" <isaku.yamahata@...el.com>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "Shahar, Sagi" <sagis@...gle.com>,
        "imammedo@...hat.com" <imammedo@...hat.com>,
        "Gao, Chao" <chao.gao@...el.com>,
        "Brown, Len" <len.brown@...el.com>,
        "sathyanarayanan.kuppuswamy@...ux.intel.com" 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        "Williams, Dan J" <dan.j.williams@...el.com>
Subject: Re: [PATCH v6 16/21] x86/virt/tdx: Reserve TDX module global KeyID

On Thu, 2022-10-27 at 05:40 -0700, Andi Kleen wrote:
> On 10/26/2022 4:16 PM, Kai Huang wrote:
> > TDX module initialization requires to use one TDX private KeyID as the
> > global KeyID to protect the TDX module metadata.  The global KeyID is
> > configured to the TDX module along with TDMRs.
> > 
> > Just reserve the first TDX private KeyID as the global KeyID.  Keep the
> > global KeyID as a static variable as KVM will need to use it too.
> > 
> > Reviewed-by: Isaku Yamahata <isaku.yamahata@...el.com>
> > Signed-off-by: Kai Huang <kai.huang@...el.com>
> > ---
> >   arch/x86/virt/vmx/tdx/tdx.c | 9 +++++++++
> >   1 file changed, 9 insertions(+)
> > 
> > diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> > index 5d74ada072ca..0820ba781f97 100644
> > --- a/arch/x86/virt/vmx/tdx/tdx.c
> > +++ b/arch/x86/virt/vmx/tdx/tdx.c
> > @@ -62,6 +62,9 @@ static struct tdsysinfo_struct tdx_sysinfo;
> >   static struct cmr_info tdx_cmr_array[MAX_CMRS] __aligned(CMR_INFO_ARRAY_ALIGNMENT);
> >   static int tdx_cmr_num;
> >   
> > +/* TDX module global KeyID.  Used in TDH.SYS.CONFIG ABI. */
> > +static u32 tdx_global_keyid;
> 
> 
> Comment how this is serialized (or doesn't need it)
> 
> 

TDH.SYS.CONFIG, which takes 'tdx_global_keyid' as input, only needs to be called
once on any cpu, so no serialization is needed.

TDH.SYS.KEY.CONFIG, which doesn't take 'tdx_global_keyid' as input but
internally programs it, does require some serialization as this SEAMCALL must be
called on one cpu for each package, and it cannot run concurrently on different
cpus.  How about adding the comment in the patch which does TDH.SYS.KEY.CONFIG?

How about below (taken from patch 18 "x86/virt/tdx: Configure global KeyID on
all packages", but added "in serialized way as it cannot run concurrently on
different cpus" at the end of the first sentence in the comment)?

static int config_global_keyid(void)
{
	struct seamcall_ctx sc = { .fn = TDH_SYS_KEY_CONFIG };

	/*
	 * Configure the key of the global KeyID on all packages by
	 * calling TDH.SYS.KEY.CONFIG on all packages in serialized
	 * way as it cannot run concurrently on different cpus.
	 *
	 * ......
	 */
	return seamcall_on_each_package_serialized(&sc);
}





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ