Message-ID: <20250610021422.1214715-1-binbin.wu@linux.intel.com>
Date: Tue, 10 Jun 2025 10:14:18 +0800
From: Binbin Wu <binbin.wu@...ux.intel.com>
To: pbonzini@...hat.com,
	seanjc@...gle.com,
	kvm@...r.kernel.org
Cc: rick.p.edgecombe@...el.com,
	kai.huang@...el.com,
	adrian.hunter@...el.com,
	reinette.chatre@...el.com,
	xiaoyao.li@...el.com,
	tony.lindgren@...el.com,
	isaku.yamahata@...el.com,
	yan.y.zhao@...el.com,
	mikko.ylinen@...ux.intel.com,
	linux-kernel@...r.kernel.org,
	kirill.shutemov@...el.com,
	jiewen.yao@...el.com,
	binbin.wu@...ux.intel.com
Subject: [RFC PATCH 0/4] TDX attestation support and GHCI fixup

Hi,

This patch set includes the TDX attestation support patch from [0] and some
fixups according to the proposed GHCI spec changes below. The patch set is
tagged as RFC since it's based on the proposed GHCI spec changes. However,
the proposal and the patch set are expected to be discussed/finalized. The
attestation support and the fixups are hoped to be merged during the 6.16
merge window as part of the initial TDX support.

Paolo once suggested implementing all the TDVMCALLs defined in the current
GHCI 1.5 spec [1]. However, since there is a proposal to fix the GHCI spec
issues, this patch set doesn't implement the support for Service,
SetupEventNotifyInterrupt, Instruction.WBINVD and Instruction.PCONFIG since
these TDVMCALLs have no real users for now.

Notable changes since attestation v2 [0]
========================================
- Use TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED instead of
  TDVMCALL_STATUS_INVALID_OPERAND for unsupported TDVMCALLs.
- Document the definition of "The base GHCI TDVMCALLs".
- Forward GetTdVmCallInfo to userspace with the new exit reason
  KVM_EXIT_TDX_GET_TDVMCALL_INFO when leaf (r12) input is 1 to allow
  userspace to provide the information of TDVMCALLs supported in userspace.
- Move the check of userspace's opt-in of KVM exit on KVM_HC_MAP_GPA_RANGE
  to KVM_TDX_FINALIZE_VM, since MapGPA is one of the GHCI base TDVMCALLs
  according to the proposal below.
  This requires some changes to the TDX KVM selftests cases posted [2] to
  always opt-in KVM exit on KVM_HC_MAP_GPA_RANGE before
  KVM_TDX_FINALIZE_VM.
- Since there is no opt-in from userspace for GetTdVmCallInfo and GetQuote,
  userspace is required to handle the exit reasons
  KVM_EXIT_TDX_GET_TDVMCALL_INFO and KVM_EXIT_TDX_GET_QUOTE as the initial
  support for TDX. To simplify the implementation in userspace, userspace
  could return TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED for GetQuote.

GHCI Change Proposal
====================
The current TDX Guest Host Communication Interface (GHCI) spec [3] implies
that the VMM should only return success for TDG.VP.VMCALL<GetTdVmCallInfo>
if *all* TDVMCALLs defined in the GHCI spec are supported. The spec is
ambiguous in the following respects:
- The description "all TDG.VP.VMCALLs defined in this specification" is not
  forward-compatible since more and more TDVMCALLs will be added when the
  GHCI spec evolves.
- It actually doesn't cover how to handle the case where the guest calls an
  unsupported TDVMCALL.
  Historically, KVM has returned TDVMCALL_STATUS_INVALID_OPERAND for any
  unknown TDVMCALL, as a reasonable interpretation of the ambiguous spec.
  However, TDX guests can't distinguish whether the error is due to the
  TDVMCALL not being supported or to an invalid input of the TDVMCALL.
Also, forcing VMMs to implement the TDVMCALLs without real users is an
unnecessary burden.

To address the issues, the following are the proposed GHCI spec changes:
- Define "the GHCI base TDVMCALLs", which are: <GetTdVmCallInfo>, <MapGPA>,
  <ReportFatalError>, <Instruction.CPUID>, <#VE.RequestMMIO>,
  <Instruction.HLT>, <Instruction.IO>, <Instruction.RDMSR> and
  <Instruction.WRMSR>.
- Limit the scope of the TDG.VP.VMCALL<GetTdVmCallInfo> with leaf (R12) set
  to 0 to the GHCI base VMCALLs, so that the meaning is clear and
  unambiguous.
- Extend the TDG.VP.VMCALL<GetTdVmCallInfo> with leaf (R12) set to 1 to
  allow TDX guests to query the supported TDVMCALLs beyond the GHCI base
  TDVMCALLs.
  Use R11 - R14 to return the supported TDVMCALLs, which are defined as
  * R11
    bit 0: <GetQuote>
    bit 1: <SetupEventNotifyInterrupt>
    bit 2: <Service>
    bit 3: <MigTD>
    Other bits of R11 are reserved and must be 0.
  * R12
    bit 0: <Instruction.WBINVD>
    bit 1: <Instruction.PCONFIG>
    Other bits of R12 are reserved and must be 0.
  * R13 and R14 are reserved and must be 0.
- Add TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED to the TDVMCALL status codes for
  the ones that are beyond the GHCI base TDVMCALLs to indicate the
  subfunction is not supported.
  For the backward-compatibility analysis, please refer to the change log of
  "KVM: TDX: Add new TDVMCALL status code for unsupported subfuncs".

Testing
=======
This series is based on kvm/next with the commit:
- '61374cc145f4' ("Merge tag 'kvmarm-fixes-6.16-1' of
  https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD").

A matching QEMU is here:
https://github.com/intel-staging/qemu-tdx/commits/binbinwu/GetTdVmCallInfo_fixup

It requires TDX module 1.5.06.00.0744 [4], or later.
A working edk2 commit is 95d8a1c ("UnitTestFrameworkPkg: Use TianoCore
mirror of subhook submodule").

This patch series passed the TDX kvm-unit-tests, booting a Linux TD, and
TDX enhanced KVM selftests. It also passed the TDX related test cases
defined in the LKVS test suite as described in:
https://github.com/intel/lkvs/blob/main/KVM/docs/lkvs_on_avocado.md

KVM selftests patches based on the latest TDX KVM selftests patch
series [2] were used to test the flows of GetQuote, GetTdVmCallInfo with
leaf 1, and unsupported TDVMCALL, and some modifications were made because
the opt-in of KVM exit on KVM_HC_MAP_GPA_RANGE should be done before
KVM_TDX_FINALIZE_VM.

[0] https://lore.kernel.org/kvm/20250416055433.2980510-1-binbin.wu@linux.intel.com
[1] https://lore.kernel.org/kvm/5e7e8cb7-27b2-416d-9262-e585034327be@redhat.com
[2] https://lore.kernel.org/kvm/20250414214801.2693294-1-sagis@google.com
[3] https://cdrdv2.intel.com/v1/dl/getContent/726792
[4] https://github.com/intel/tdx-module/releases/tag/TDX_1.5.06

Binbin Wu (4):
  KVM: TDX: Add new TDVMCALL status code for unsupported subfuncs
  KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>
  KVM: TDX: Exit to userspace for GetTdVmCallInfo
  KVM: TDX: Check KVM exit on KVM_HC_MAP_GPA_RANGE when TD finalize

 Documentation/virt/kvm/api.rst           | 44 ++++++++++++
 Documentation/virt/kvm/x86/intel-tdx.rst | 12 ++++
 arch/x86/include/asm/shared/tdx.h        |  1 +
 arch/x86/kvm/vmx/tdx.c                   | 85 +++++++++++++++++++-----
 include/uapi/linux/kvm.h                 | 14 ++++
 5 files changed, 141 insertions(+), 15 deletions(-)


base-commit: 61374cc145f4a56377eaf87c7409a97ec7a34041
-- 
2.46.0
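
Added example, not part of the original message or of the patch series: a strict checker for the GetTdVmCallInfo leaf 1 response laid out in the proposal above, such as a test might run against a VMM's reply. The bit positions come from the cover letter; the struct, function and macro names are hypothetical, and rejecting set reserved bits is this example's policy for a conformance check.

```c
#include <stdint.h>
#include <stdio.h>

/* Register values returned for GetTdVmCallInfo with leaf (R12) = 1. */
struct leaf1_regs { uint64_t r11, r12, r13, r14; };

/* Bit positions are from the proposal; the table layout is this example's. */
static const char *const r11_names[] = {
    "GetQuote", "SetupEventNotifyInterrupt", "Service", "MigTD",
};
static const char *const r12_names[] = {
    "Instruction.WBINVD", "Instruction.PCONFIG",
};
#define R11_DEFINED 0xFULL  /* bits 0-3 */
#define R12_DEFINED 0x3ULL  /* bits 0-1 */

/* 0 if every reserved bit is clear, -1 otherwise. */
int leaf1_validate(const struct leaf1_regs *r)
{
    if ((r->r11 & ~R11_DEFINED) || (r->r12 & ~R12_DEFINED))
        return -1;
    return (r->r13 || r->r14) ? -1 : 0;
}

/* Store advertised TDVMCALL names in out[] (room for 6); return the
 * count, or -1 if the response sets a reserved bit. */
int leaf1_decode(const struct leaf1_regs *r, const char *out[6])
{
    int n = 0;
    if (leaf1_validate(r) != 0)
        return -1;
    for (int i = 0; i < 4; i++)
        if (r->r11 & (1ULL << i))
            out[n++] = r11_names[i];
    for (int i = 0; i < 2; i++)
        if (r->r12 & (1ULL << i))
            out[n++] = r12_names[i];
    return n;
}

int main(void)
{
    /* Constructed samples: GetQuote + WBINVD; then a reserved R11 bit set. */
    struct leaf1_regs samples[] = { { 0x1, 0x1, 0, 0 }, { 0x11, 0, 0, 0 } };
    const char *names[6];
    for (int s = 0; s < 2; s++) {
        int n = leaf1_decode(&samples[s], names);
        printf("sample %d: %s\n", s, n < 0 ? "reserved bits set" : "ok");
        for (int i = 0; i < n; i++)
            printf("  %s\n", names[i]);
    }
    return 0;
}
```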

