lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c9c648536ed4cd242ce5d7de87cafe352503839f.camel@intel.com>
Date: Wed, 28 Jan 2026 23:01:03 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "linux-coco@...ts.linux.dev"
	<linux-coco@...ts.linux.dev>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "Gao, Chao" <chao.gao@...el.com>,
	"x86@...nel.org" <x86@...nel.org>
CC: "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
	"kas@...nel.org" <kas@...nel.org>, "mingo@...hat.com" <mingo@...hat.com>,
	"seanjc@...gle.com" <seanjc@...gle.com>, "Weiny, Ira" <ira.weiny@...el.com>,
	"Chatre, Reinette" <reinette.chatre@...el.com>, "tglx@...utronix.de"
	<tglx@...utronix.de>, "nik.borisov@...e.com" <nik.borisov@...e.com>, "Verma,
 Vishal L" <vishal.l.verma@...el.com>, "hpa@...or.com" <hpa@...or.com>,
	"sagis@...gle.com" <sagis@...gle.com>, "Annapurve, Vishal"
	<vannapurve@...gle.com>, "Duan, Zhenzhong" <zhenzhong.duan@...el.com>,
	"Edgecombe, Rick P" <rick.p.edgecombe@...el.com>, "paulmck@...nel.org"
	<paulmck@...nel.org>, "bp@...en8.de" <bp@...en8.de>,
	"yilun.xu@...ux.intel.com" <yilun.xu@...ux.intel.com>, "Williams, Dan J"
	<dan.j.williams@...el.com>
Subject: Re: [PATCH v3 24/26] x86/virt/seamldr: Extend sigstruct to 16KB

On Fri, 2026-01-23 at 06:55 -0800, Chao Gao wrote:
> Currently, each TDX Module has a 4KB sigstruct that is passed to the
> P-SEAMLDR during module updates to authenticate the TDX Module binary.
> 
> Future TDX Module versions will pack additional information into the
> sigstruct, which will exceed the current 4KB size limit.
> 
> To accommodate this, the sigstruct is being extended to support up to
> 16KB. Update seamldr_params and tdx-blob structures to handle the larger
> sigstruct size.
> 
> Signed-off-by: Chao Gao <chao.gao@...el.com>
> ---
>  arch/x86/virt/vmx/tdx/seamldr.c | 28 +++++++++++++++++++---------
>  1 file changed, 19 insertions(+), 9 deletions(-)
> 
> diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamldr.c
> index d2d85114d6c4..9e77b24f659c 100644
> --- a/arch/x86/virt/vmx/tdx/seamldr.c
> +++ b/arch/x86/virt/vmx/tdx/seamldr.c
> @@ -29,6 +29,8 @@
>  /* P-SEAMLDR can accept up to 496 4KB pages for TDX module binary */
>  #define SEAMLDR_MAX_NR_MODULE_4KB_PAGES	496
>  
> +#define SEAMLDR_MAX_NR_SIG_4KB_PAGES	4
> +
>  /* scenario field in struct seamldr_params */
>  #define SEAMLDR_SCENARIO_UPDATE		1
>  
> @@ -40,8 +42,8 @@
>  struct seamldr_params {
>  	u32	version;
>  	u32	scenario;
> -	u64	sigstruct_pa;
> -	u8	reserved[104];
> +	u64	sigstruct_pa[SEAMLDR_MAX_NR_SIG_4KB_PAGES];
> +	u8	reserved[80];
>  	u64	num_module_pages;
>  	u64	mod_pages_pa_list[SEAMLDR_MAX_NR_MODULE_4KB_PAGES];
>  } __packed;
> @@ -121,7 +123,10 @@ static struct seamldr_params *alloc_seamldr_params(const void *module, unsigned
>  	if (module_size > SEAMLDR_MAX_NR_MODULE_4KB_PAGES * SZ_4K)
>  		return ERR_PTR(-EINVAL);
>  
> -	if (!IS_ALIGNED(module_size, SZ_4K) || sig_size != SZ_4K ||
> +	if (sig_size > SEAMLDR_MAX_NR_SIG_4KB_PAGES * SZ_4K)
> +		return ERR_PTR(-EINVAL);
> +
> +	if (!IS_ALIGNED(module_size, SZ_4K) || !IS_ALIGNED(sig_size, SZ_4K) ||
>  	    !IS_ALIGNED((unsigned long)module, SZ_4K) ||
>  	    !IS_ALIGNED((unsigned long)sig, SZ_4K))
>  		return ERR_PTR(-EINVAL);
> @@ -132,12 +137,17 @@ static struct seamldr_params *alloc_seamldr_params(const void *module, unsigned
>  
>  	params->scenario = SEAMLDR_SCENARIO_UPDATE;
>  
> -	/*
> -	 * Don't assume @sig is page-aligned although it is 4KB-aligned.
> -	 * Always add the in-page offset to get the physical address.
> -	 */
> -	params->sigstruct_pa = (vmalloc_to_pfn(sig) << PAGE_SHIFT) +
> -			       ((unsigned long)sig & ~PAGE_MASK);
> +	ptr = sig;
> +	for (i = 0; i < sig_size / SZ_4K; i++) {
> +		/*
> +		 * Don't assume @sig is page-aligned although it is 4KB-aligned.
> +		 * Always add the in-page offset to get the physical address.
> +		 */
> +		params->sigstruct_pa[i] = (vmalloc_to_pfn(ptr) << PAGE_SHIFT) +
> +					  ((unsigned long)ptr & ~PAGE_MASK);
> +		ptr += SZ_4K;
> +	}
> +
>  	params->num_module_pages = module_size / SZ_4K;
>  
>  	ptr = module;

Let's move the discussion here (from patch 13 -- sorry about that):

IIRC this patch just simply re-purposes couple of reserved space in
SEAMLDR_PARAMS (which is part of P-SEAMLDR ABI) w/o enumeration, explicit
opt-in whatever.  The code change here doesn't even bump up its version.

IIUC, if this code run on an old platform where SEAMLDR.INSTALL still only
works with 4K SIGSTRUCT, the SEAMLDR.INSTALL will only see part of the
SIGSTRUCT thus will likely fail.

How can we know whether a given 'struct tdx_blob' can work on an platform or
not?  Or am I missing anything?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ