Open Source and information security mailing list archives
Message-ID: <1a6b44f3fb23d0a35bb3c24d755fb2ae6f74b1bb.camel@intel.com>
Date: Thu, 13 Mar 2025 23:57:50 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: "tglx@...utronix.de" <tglx@...utronix.de>, "peterz@...radead.org"
	<peterz@...radead.org>, "mingo@...hat.com" <mingo@...hat.com>, "Hansen, Dave"
	<dave.hansen@...el.com>, "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>,
	"bp@...en8.de" <bp@...en8.de>, "kirill.shutemov@...ux.intel.com"
	<kirill.shutemov@...ux.intel.com>
CC: "pbonzini@...hat.com" <pbonzini@...hat.com>, "Yamahata, Isaku"
	<isaku.yamahata@...el.com>, "seanjc@...gle.com" <seanjc@...gle.com>,
	"x86@...nel.org" <x86@...nel.org>, "sagis@...gle.com" <sagis@...gle.com>,
	"hpa@...or.com" <hpa@...or.com>, "Chatre, Reinette"
	<reinette.chatre@...el.com>, "Williams, Dan J" <dan.j.williams@...el.com>,
	"thomas.lendacky@....com" <thomas.lendacky@....com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"ashish.kalra@....com" <ashish.kalra@....com>, "dwmw@...zon.co.uk"
	<dwmw@...zon.co.uk>, "bhe@...hat.com" <bhe@...hat.com>,
	"nik.borisov@...e.com" <nik.borisov@...e.com>
Subject: Re: [RFC PATCH 3/5] x86/kexec: Disable kexec/kdump on platforms with
 TDX partial write erratum

On Thu, 2025-03-13 at 22:47 +0000, Edgecombe, Rick P wrote:
> On Thu, 2025-03-13 at 22:32 +0000, Huang, Kai wrote:
> > > > 
> > > > We can add a kernel parameter 'tdx_host={on|off}' and skip all TDX code
> > > > (thus no erratum detection) when it is off.  I suppose it will be useful
> > > > in general anyway even w/o the context of kexec.
> > > 
> > > What exactly are you thinking? Add a tdx_host parameter, but what is the
> > > default behavior? When tdx_host=on with the errata, kexec must still be
> > > disabled, right? Better to return an error, than proceed and crash.
> > 
> > The default behaviour is tdx_host=off in order to not disrupt kexec/kdump
> > behaviour on the TDX platforms with erratum.  The distros will be able to ship
> > kernels with both CONFIG_KEXEC_CORE and CONFIG_INTEL_TDX_HOST on, and no
> > visible impact to the user who doesn't care about TDX.
> > 
> > If the user is interested in TDX, tdx_host=on must be set in the kernel
> > command line, but in this case user is expected to know kexec/kdump can only
> > work normally if the TDX platform doesn't have the erratum -- kexec/kdump are
> > disabled if the platform has the erratum.
> 
> So this will switch all of TDX to be default off then, unless the kernel gets a
> parameter set. 
> 

Currently in KVM TDX is also default off.

> In which case we could also just unlock the Kconfig with just one
> small change. TDX and kexec would still be mutually exclusive, but just at runtime.

Yeah, I am thinking this too, given the "keyID 0 integrity" thing is still
ongoing.

> We should try to flag Paolo and see what he thinks.

I would appreciate it if you could help do that.

> 
> Or is the proposal to only be default tdx_host=off on the errata platforms? And
> tdx_host=on otherwise?

The tricky thing is, naturally, we want to skip all the code in tdx_init() if
tdx_host=off, because there's no reason to do those detection/initialization if
we are not going to use TDX, e.g., we don't need to do this one:

	register_memory_notifier(&tdx_memory_nb);

.. that means the code of detecting erratum will be skipped too.

If we were to only make tdx_host=off the default for erratum platforms, then we
would need to do cleanup (e.g., to unregister the above memory notifier).

This isn't nice and seems hacky.

I don't see a problem with making tdx_host=off the default anyway; as mentioned
above, TDX is off by default in KVM.
