Message-ID: <d82dd253-aeea-49c5-a21b-44864bd78f25@intel.com>
Date: Wed, 28 Jan 2026 09:01:35 -0800
From: Dave Hansen <dave.hansen@...el.com>
To: Chao Gao <chao.gao@...el.com>, linux-coco@...ts.linux.dev,
 linux-kernel@...r.kernel.org, kvm@...r.kernel.org, x86@...nel.org
Cc: reinette.chatre@...el.com, ira.weiny@...el.com, kai.huang@...el.com,
 dan.j.williams@...el.com, yilun.xu@...ux.intel.com, sagis@...gle.com,
 vannapurve@...gle.com, paulmck@...nel.org, nik.borisov@...e.com,
 zhenzhong.duan@...el.com, seanjc@...gle.com, rick.p.edgecombe@...el.com,
 kas@...nel.org, dave.hansen@...ux.intel.com, vishal.l.verma@...el.com
Subject: Re: [PATCH v3 05/26] coco/tdx-host: Expose TDX Module version

On 1/23/26 06:55, Chao Gao wrote:
...
> This approach follows the pattern used by microcode updates and
> other CoCo implementations:
> 
> 1. AMD has a PCI device for the PSP for SEV which provides an
> existing place to hang their equivalent metadata.
> 
> 2. ARM CCA will likely have a faux device (although it isn't obvious
> if they have a need to export version information there) [1]
> 
> 3. Microcode revisions are exposed as CPU device attributes

I kinda disagree with the idea that this follows existing patterns. It
uses a *NEW* pattern.

AMD doesn't use a faux device because they *HAVE* a PCI device in their
architecture. TDX doesn't have a PCI device in its hardware architecture.

ARM CCA doesn't exist in the tree.

CPU microcode doesn't use a faux device. For good reason. The microcode
version is *actually* per-cpu. It can differ between CPU cores. The TDX
module version is not per-cpu. There's one and only one global module.
This is the reason that we need a global, unique device for TDX.

I'm not saying that being new is a bad thing. But let's not pretend this
is following any kind of existing pattern. Let's explain *why* it needs
to be different.
