Message-ID: <550c89ae-de6e-45f7-89a2-ccc815f8d5a2@amd.com>
Date: Wed, 4 Feb 2026 21:50:01 -0600
From: "Pratik R. Sampat" <prsampat@....com>
To: "David Hildenbrand (arm)" <david@...nel.org>,
 Kiryl Shutsemau <kas@...nel.org>
Cc: linux-mm@...ck.org, linux-coco@...ts.linux.dev, x86@...nel.org,
 linux-kernel@...r.kernel.org, tglx@...utronix.de, mingo@...hat.com,
 bp@...en8.de, dave.hansen@...ux.intel.com, ardb@...nel.org,
 akpm@...ux-foundation.org, osalvador@...e.de, thomas.lendacky@....com,
 michael.roth@....com
Subject: Re: [PATCH v4 1/2] mm/memory_hotplug: Add support to accept memory
 during hot-add



On 2/4/26 1:59 PM, David Hildenbrand (arm) wrote:
> On 2/4/26 12:22, Kiryl Shutsemau wrote:
>> On Tue, Feb 03, 2026 at 11:49:45AM -0600, Pratik R. Sampat wrote:
>>> Confidential computing guests require memory to be accepted before use.
>>> The unaccepted memory bitmap maintained by firmware does not track
>>> most hotplugged memory ranges apart from system memory annotated to be
>>> cold plugged at boot.
>>>
>>> Explicitly validate and transition the newly added memory to a private
>>> state, making it usable by the guest.
>>>
>>> Signed-off-by: Pratik R. Sampat <prsampat@....com>
>>> ---
>>>   drivers/firmware/efi/unaccepted_memory.c | 47 ++++++++++++++++++++++++
>>>   include/linux/mm.h                       |  5 +++
>>>   mm/memory_hotplug.c                      |  2 +
>>>   3 files changed, 54 insertions(+)
>>>
>>> diff --git a/drivers/firmware/efi/unaccepted_memory.c b/drivers/firmware/efi/unaccepted_memory.c
>>> index c2c067eff634..359779133cb4 100644
>>> --- a/drivers/firmware/efi/unaccepted_memory.c
>>> +++ b/drivers/firmware/efi/unaccepted_memory.c
>>> @@ -209,6 +209,53 @@ bool range_contains_unaccepted_memory(phys_addr_t start, unsigned long size)
>>>       return ret;
>>>   }
>>>   +/*
>>> + * Unaccepted memory bitmap only covers initial boot memory and not the
>>> + * hotpluggable range that is part of SRAT parsing. However, some initial memory
>>> + * with the attribute EFI_MEMORY_HOT_PLUGGABLE can indicate boot time memory
>>> + * that can be hot-removed. Hence post acceptance, only for that range update
>>> + * the unaccepted bitmap to reflect this change.
>>> + */
>>> +void accept_hotplug_memory(phys_addr_t start, unsigned long size)
>>> +{
>>> +    struct efi_unaccepted_memory *unaccepted;
>>> +    unsigned long range_start, range_len;
>>> +    phys_addr_t end = start + size;
>>> +    u64 phys_base, unit_size;
>>> +    unsigned long flags;
>>> +
>>> +    unaccepted = efi_get_unaccepted_table();
>>> +    if (!unaccepted)
>>> +        return;
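Review bot: the early `if (!unaccepted) return;` in accept_hotplug_memory() exits before anything is accepted, and because the function returns void the hot-add path cannot tell that acceptance was skipped. Consider returning a status (or at least logging) in the no-table case, and extend the comment block above the function to state what is expected to happen when efi_get_unaccepted_table() returns NULL.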
>>
>> This can be tricky.
>>
>> If we boot a VM with <4GiB of memory and all of it is pre-accepted by
>> BIOS, the table will not be allocated.
>>
>> But it doesn't mean that hotplugged memory above should not be accepted.
>>
>> I don't think there is a way to detect such cases.
>>
>> Your check is probably the best we can do, but it means VMs are going to
>> crash if memory accept is required but no table.
>>
>> This is an ugly situation.

Agreed. Breaking hotplug for VMs under 4G is absolutely not the way to go.

Would it be worse if we call arch_accept_memory() if the table doesn't exist?
The table is primarily to operate on the bitmap's entry. We could wrap these
accept calls within an arch check for TDX and SNP guest if the unaccepted table
is NULL. Or, less preferably, convert the panic() of the existing
arch_[accept/unaccept]_memory() to a WARN() instead.

> 
> It's all starting to feel .... very hacky, sorry to say.
> 
> This should all be easier. If we expect memory hotplug (SRAT), why can't we just allocate the bitmap properly?
> 

The unaccepted bitmap allocation happens a lot earlier than SRAT parsing. So to
get the right range, either we have to duplicate some of that parsing logic
earlier, or, replace the memblock allocated bitmap later. The first one is a
bit more hacky, but the second one would require us to change the original
unaccepted struct from a flexible array to a pointer which might break kexec.

Neither of the approaches seems less intrusive than the other unfortunately.

--Pratik

