lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9053a4ef-2de6-47b4-a2f7-62d3ded24cfa@intel.com>
Date: Thu, 20 Feb 2025 15:00:43 -0800
From: Dave Hansen <dave.hansen@...el.com>
To: Vishal Annapurve <vannapurve@...gle.com>, x86@...nel.org,
 linux-kernel@...r.kernel.org, linux-coco@...ts.linux.dev,
 virtualization@...ts.linux.dev
Cc: pbonzini@...hat.com, seanjc@...gle.com, erdemaktas@...gle.com,
 ackerleytng@...gle.com, jxgao@...gle.com, sagis@...gle.com,
 oupton@...gle.com, pgonda@...gle.com, kirill@...temov.name,
 dave.hansen@...ux.intel.com, chao.p.peng@...ux.intel.com,
 isaku.yamahata@...il.com, sathyanarayanan.kuppuswamy@...ux.intel.com,
 jgross@...e.com, ajay.kaher@...adcom.com, alexey.amakhalov@...adcom.com,
 stable@...r.kernel.org
Subject: Re: [PATCH V5 2/4] x86/tdx: Route safe halt execution via
 tdx_safe_halt()

On 2/20/25 13:16, Vishal Annapurve wrote:
> Direct HLT instruction execution causes #VEs for TDX VMs which is routed
> to hypervisor via TDCALL. safe_halt() routines execute HLT in STI-shadow
> so IRQs need to remain disabled until the TDCALL to ensure that pending
> IRQs are correctly treated as wake events.

This isn't quite true. There's only one paravirt safe_halt() and it
doesn't do HLT or STI.

I think it's more true to say that "safe" halts are entered with IRQs
disabled. They logically do the halt operation and then enable
interrupts before returning.

> So "sti;hlt" sequence needs to be replaced for TDX VMs with "TDCALL;
> *_irq_enable()" to keep interrupts disabled during TDCALL execution.
But this isn't new. TDX already tried to avoid "sti;hlt". It just
screwed up the implementation.

> Commit bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests")
> prevented the idle routines from using "sti;hlt". But it missed the
> paravirt routine which can be reached like this as an example:
>         acpi_safe_halt() =>
>         raw_safe_halt()  =>
>         arch_safe_halt() =>
>         irq.safe_halt()  =>
>         pv_native_safe_halt()

This, on the other hand, *is* important.

> Modify tdx_safe_halt() to implement the sequence "TDCALL;
> raw_local_irq_enable()" and invoke tdx_halt() from idle routine which just
> executes TDCALL without toggling interrupt state. Introduce dependency
> on CONFIG_PARAVIRT and override paravirt halt()/safe_halt() routines for
> TDX VMs.

This changelog glosses over one of the key points: Why *MUST* TDX use
paravirt? It further confuses the reasoning by alluding to the idea that
"Direct HLT instruction execution ... is routed to hypervisor via TDCALL".

It gives background and a solution, but it's not obvious what the
problem is or how the solution _fixes_ the problem.

What must TDX now depend on PARAVIRT?

Why not just route the HLT to a TDXCALL via the #VE code?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ