| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aXzPIO2qZwuwaeLi@google.com> Date: Fri, 30 Jan 2026 07:32:48 -0800 From: Sean Christopherson <seanjc@...gle.com> To: Yan Zhao <yan.y.zhao@...el.com> Cc: Rick P Edgecombe <rick.p.edgecombe@...el.com>, Fan Du <fan.du@...el.com>, Xiaoyao Li <xiaoyao.li@...el.com>, Kai Huang <kai.huang@...el.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, Dave Hansen <dave.hansen@...el.com>, "thomas.lendacky@....com" <thomas.lendacky@....com>, "vbabka@...e.cz" <vbabka@...e.cz>, "tabba@...gle.com" <tabba@...gle.com>, "david@...nel.org" <david@...nel.org>, "kas@...nel.org" <kas@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Ira Weiny <ira.weiny@...el.com>, "francescolavra.fl@...il.com" <francescolavra.fl@...il.com>, "pbonzini@...hat.com" <pbonzini@...hat.com>, "ackerleytng@...gle.com" <ackerleytng@...gle.com>, "nik.borisov@...e.com" <nik.borisov@...e.com>, "binbin.wu@...ux.intel.com" <binbin.wu@...ux.intel.com>, Isaku Yamahata <isaku.yamahata@...el.com>, Chao P Peng <chao.p.peng@...el.com>, "michael.roth@....com" <michael.roth@....com>, Vishal Annapurve <vannapurve@...gle.com>, "sagis@...gle.com" <sagis@...gle.com>, Chao Gao <chao.gao@...el.com>, Jun Miao <jun.miao@...el.com>, "jgross@...e.com" <jgross@...e.com>, "pgonda@...gle.com" <pgonda@...gle.com>, "x86@...nel.org" <x86@...nel.org> Subject: Re: [PATCH v3 00/24] KVM: TDX huge page support for private memory On Mon, Jan 19, 2026, Yan Zhao wrote: > On Sat, Jan 17, 2026 at 12:58:02AM +0800, Edgecombe, Rick P wrote: > > On Fri, 2026-01-16 at 08:31 -0800, Sean Christopherson wrote: > IIUC, this concern should be gone as Dave has agreed to use "pfn" as the > SEAMCALL parameter [1]? > Then should we invoke "KVM_MMU_WARN_ON(!tdx_is_convertible_pfn(pfn));" in KVM > for every pfn of a huge mapping? Or should we keep the sanity check inside the > SEAMCALL wrappers? I don't have a strong preference. But if it goes in KVM, definitely guard it with KVM_MMU_WARN_ON(). > BTW, I have another question about the SEAMCALL wrapper implementation, as Kai > also pointed out in [2]: since the SEAMCALL wrappers now serve as APIs available > to callers besides KVM, should the SEAMCALL wrappers return TDX_OPERAND_INVALID > or WARN_ON() (or WARN_ON_ONCE()) on sanity check failure? Why not both? But maybe TDX_SW_ERROR instead of TDX_OPERAND_INVALID? If an API has a defined contract and/or set of expectations, and those expectations aren't met by the caller, then a WARN is justified. But the failure still needs to be communicated to the caller. > By returning TDX_OPERAND_INVALID, the caller can check the return code, adjust > the input or trigger WARN_ON() by itself; > By triggering WARN_ON() directly in the SEAMCALL wrapper, we need to document > this requirement for the SEAMCALL wrappers and have the caller invoke the API > correctly. Document what exactly? Most of this should be common sense. E.g. we don't generally document that pointers must be non-NULL, because that goes without saying 99.9% of the time. IMO, that holds true here as well. E.g. trying to map memory into a TDX guest that isn't convertible is obviously a bug, I don't see any value in formally documenting that requirement. > So, it looks that "WARN_ON() directly in the SEAMCALL wrapper" is the preferred > approach, right? > > [1] https://lore.kernel.org/all/d119c824-4770-41d2-a926-4ab5268ea3a6@intel.com/ > [2] https://lore.kernel.org/all/baf6df2cc63d8e897455168c1bf07180fc9c1db8.camel@intel.com
Powered by blists - more mailing lists