| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jun 2023 16:44:07 -0700
From: Isaku Yamahata <isaku.yamahata@...il.com>
To: Kai Huang <kai.huang@...el.com>
Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
linux-mm@...ck.org, dave.hansen@...el.com,
kirill.shutemov@...ux.intel.com, tony.luck@...el.com,
peterz@...radead.org, tglx@...utronix.de, seanjc@...gle.com,
pbonzini@...hat.com, david@...hat.com, dan.j.williams@...el.com,
rafael.j.wysocki@...el.com, ying.huang@...el.com,
reinette.chatre@...el.com, len.brown@...el.com, ak@...ux.intel.com,
isaku.yamahata@...el.com, chao.gao@...el.com,
sathyanarayanan.kuppuswamy@...ux.intel.com, bagasdotme@...il.com,
sagis@...gle.com, imammedo@...hat.com, isaku.yamahata@...il.com
Subject: Re: [PATCH v11 02/20] x86/virt/tdx: Detect TDX during kernel boot
On Mon, Jun 05, 2023 at 02:27:15AM +1200,
Kai Huang <kai.huang@...el.com> wrote:
> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> new file mode 100644
> index 000000000000..2d91e7120c90
> --- /dev/null
> +++ b/arch/x86/virt/vmx/tdx/tdx.c
> @@ -0,0 +1,92 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright(c) 2023 Intel Corporation.
> + *
> + * Intel Trusted Domain Extensions (TDX) support
> + */
> +
> +#define pr_fmt(fmt) "tdx: " fmt
> +
> +#include <linux/types.h>
> +#include <linux/cache.h>
> +#include <linux/init.h>
> +#include <linux/errno.h>
> +#include <linux/printk.h>
> +#include <asm/msr-index.h>
> +#include <asm/msr.h>
> +#include <asm/tdx.h>
> +
> +static u32 tdx_global_keyid __ro_after_init;
> +static u32 tdx_guest_keyid_start __ro_after_init;
> +static u32 tdx_nr_guest_keyids __ro_after_init;
> +
> +static int __init record_keyid_partitioning(u32 *tdx_keyid_start,
> + u32 *nr_tdx_keyids)
> +{
> + u32 _nr_mktme_keyids, _tdx_keyid_start, _nr_tdx_keyids;
> + int ret;
> +
> + /*
> + * IA32_MKTME_KEYID_PARTIONING:
> + * Bit [31:0]: Number of MKTME KeyIDs.
> + * Bit [63:32]: Number of TDX private KeyIDs.
> + */
> + ret = rdmsr_safe(MSR_IA32_MKTME_KEYID_PARTITIONING, &_nr_mktme_keyids,
> + &_nr_tdx_keyids);
> + if (ret)
> + return -ENODEV;
> +
> + if (!_nr_tdx_keyids)
> + return -ENODEV;
> +
> + /* TDX KeyIDs start after the last MKTME KeyID. */
> + _tdx_keyid_start = _nr_mktme_keyids + 1;
> +
> + *tdx_keyid_start = _tdx_keyid_start;
> + *nr_tdx_keyids = _nr_tdx_keyids;
> +
> + return 0;
> +}
> +
> +static int __init tdx_init(void)
> +{
> + u32 tdx_keyid_start, nr_tdx_keyids;
> + int err;
> +
> + err = record_keyid_partitioning(&tdx_keyid_start, &nr_tdx_keyids);
> + if (err)
> + return err;
> +
> + pr_info("BIOS enabled: private KeyID range [%u, %u)\n",
> + tdx_keyid_start, tdx_keyid_start + nr_tdx_keyids);
> +
> + /*
> + * The TDX module itself requires one 'global KeyID' to protect
> + * its metadata. If there's only one TDX KeyID, there won't be
> + * any left for TDX guests thus there's no point to enable TDX
> + * at all.
> + */
> + if (nr_tdx_keyids < 2) {
> + pr_info("initialization failed: too few private KeyIDs available.\n");
Because this case is against the admin expectation, pr_warn() or pr_err()?
Except that, looks good to me
Reviewed-by: Isaku Yamahata <isaku.yamahata@...el.com>
--
Isaku Yamahata <isaku.yamahata@...il.com>
Powered by blists - more mailing lists