Date:   Fri, 28 Oct 2022 01:24:46 +0000
From:   "Huang, Kai" <kai.huang@...el.com>
To:     "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ak@...ux.intel.com" <ak@...ux.intel.com>
CC:     "Hansen, Dave" <dave.hansen@...el.com>,
        "Luck, Tony" <tony.luck@...el.com>,
        "bagasdotme@...il.com" <bagasdotme@...il.com>,
        "Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
        "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
        "Christopherson,, Sean" <seanjc@...gle.com>,
        "Chatre, Reinette" <reinette.chatre@...el.com>,
        "pbonzini@...hat.com" <pbonzini@...hat.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "Yamahata, Isaku" <isaku.yamahata@...el.com>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "Shahar, Sagi" <sagis@...gle.com>,
        "imammedo@...hat.com" <imammedo@...hat.com>,
        "Gao, Chao" <chao.gao@...el.com>,
        "Brown, Len" <len.brown@...el.com>,
        "sathyanarayanan.kuppuswamy@...ux.intel.com" 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        "Williams, Dan J" <dan.j.williams@...el.com>
Subject: Re: [PATCH v6 16/21] x86/virt/tdx: Reserve TDX module global KeyID

On Thu, 2022-10-27 at 05:40 -0700, Andi Kleen wrote:
> On 10/26/2022 4:16 PM, Kai Huang wrote:
> > TDX module initialization requires using one TDX private KeyID as the
> > global KeyID to protect the TDX module metadata.  The global KeyID is
> > configured to the TDX module along with TDMRs.
> > 
> > Just reserve the first TDX private KeyID as the global KeyID.  Keep the
> > global KeyID as a static variable as KVM will need to use it too.
> > 
> > Reviewed-by: Isaku Yamahata <isaku.yamahata@...el.com>
> > Signed-off-by: Kai Huang <kai.huang@...el.com>
> > ---
> >   arch/x86/virt/vmx/tdx/tdx.c | 9 +++++++++
> >   1 file changed, 9 insertions(+)
> > 
> > diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> > index 5d74ada072ca..0820ba781f97 100644
> > --- a/arch/x86/virt/vmx/tdx/tdx.c
> > +++ b/arch/x86/virt/vmx/tdx/tdx.c
> > @@ -62,6 +62,9 @@ static struct tdsysinfo_struct tdx_sysinfo;
> >   static struct cmr_info tdx_cmr_array[MAX_CMRS] __aligned(CMR_INFO_ARRAY_ALIGNMENT);
> >   static int tdx_cmr_num;
> >   
> > +/* TDX module global KeyID.  Used in TDH.SYS.CONFIG ABI. */
> > +static u32 tdx_global_keyid;
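
Review bot: the comment on the new `tdx_global_keyid` should say when it is written and who reads it, because the declaration is file-local `static` while the commit message says KVM will need the value too. State that it is assigned once during TDX module initialization and treated as read-only afterwards (so no locking is expected on the readers' side), and either note how KVM is meant to obtain it, e.g. through an accessor, or drop "as KVM will need to use it too" from the message until that accessor exists.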
> 
> 
> Comment how this is serialized (or doesn't need it)
> 
> 

TDH.SYS.CONFIG, which takes 'tdx_global_keyid' as input, only needs to be called
once on any cpu, so no serialization is needed.

TDH.SYS.KEY.CONFIG, which doesn't take 'tdx_global_keyid' as input but
internally programs it, does require some serialization as this SEAMCALL must be
called on one cpu for each package, and it cannot run concurrently on different
cpus.  How about adding the comment in the patch which does TDH.SYS.KEY.CONFIG?

How about below (taken from patch 18 "x86/virt/tdx: Configure global KeyID on
all packages", but added "in serialized way as it cannot run concurrently on
different cpus" at the end of the first sentence in the comment)?

static int config_global_keyid(void)
{
	struct seamcall_ctx sc = { .fn = TDH_SYS_KEY_CONFIG };

	/*
	 * Configure the key of the global KeyID on all packages by
	 * calling TDH.SYS.KEY.CONFIG on all packages in serialized
	 * way as it cannot run concurrently on different cpus.
	 *
	 * ......
	 */
	return seamcall_on_each_package_serialized(&sc);
}
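
To make the "one cpu per package, serialized" requirement concrete, here is an added user-space model; it is not code from this patch series or the kernel. The cpu/package topology, the fake SEAMCALL and the function names are constructed stand-ins, and a spinlock stands in for whatever serialization the real helper uses.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the "one CPU per package, serialized" pattern that TDH.SYS.KEY.CONFIG needs.
 * The topology, the fake SEAMCALL and the function names are constructed. */
#include <stdatomic.h>
#include <stdbool.h>

#define NR_CPUS 8
#define NR_PACKAGES 2

/* Constructed topology: cpu -> package id; cpu 2 is offline. */
static const int cpu_to_package[NR_CPUS] = { 0, 0, 0, 0, 1, 1, 1, 1 };
static const bool cpu_online[NR_CPUS] = { 1, 1, 0, 1, 1, 1, 1, 1 };

/* Bookkeeping so the caller can check the guarantees afterwards. */
static int calls_per_package[NR_PACKAGES];
static int nr_calls, in_flight, max_in_flight;

/* Stand-in for the per-package SEAMCALL: records overlap and which package ran. */
static int fake_tdh_sys_key_config(int cpu)
{
	if (++in_flight > max_in_flight)
		max_in_flight = in_flight;
	calls_per_package[cpu_to_package[cpu]]++;
	nr_calls++;
	in_flight--;
	return 0;
}

/*
 * Run fn once per package, on the first online cpu of that package, and
 * never concurrently with another caller: a spinlock around the whole walk.
 * Real code would also migrate to 'cpu' before issuing the SEAMCALL.
 */
static int seamcall_on_each_package_serialized_model(int (*fn)(int cpu))
{
	static atomic_flag busy = ATOMIC_FLAG_INIT;
	bool done[NR_PACKAGES] = { false };
	int ret = 0;

	while (atomic_flag_test_and_set(&busy))
		;	/* another caller holds the lock: wait */
	for (int cpu = 0; cpu < NR_CPUS && !ret; cpu++) {
		int pkg = cpu_to_package[cpu];

		if (!cpu_online[cpu] || done[pkg])
			continue;
		done[pkg] = true;
		ret = fn(cpu);
	}
	atomic_flag_clear(&busy);
	return ret;
}
```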