From: Peter Fang <peter.fang@intel.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "kas@kernel.org" <kas@kernel.org>,
"djbw@kernel.org" <djbw@kernel.org>,
"yilun.xu@linux.intel.com" <yilun.xu@linux.intel.com>,
"x86@kernel.org" <x86@kernel.org>,
"Xu, Yilun" <yilun.xu@intel.com>,
"Duan, Zhenzhong" <zhenzhong.duan@intel.com>,
"baolu.lu@linux.intel.com" <baolu.lu@linux.intel.com>,
"Li, Xiaoyao" <xiaoyao.li@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Mehta, Sohil" <sohil.mehta@intel.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>
Subject: Re: [RFC PATCH 09/15] x86/virt/tdx: Add interface to generate a Quote
Date: Sun, 14 Jun 2026 04:29:48 -0700 [thread overview]
Message-ID: <20260614112948.GG3200182@pedri> (raw)
In-Reply-To: <a10ad58ed8092e4e7d81be1995438efd21647fde.camel@intel.com>
On Thu, May 28, 2026 at 03:30:45PM -0700, Edgecombe, Rick P wrote:
> > +
> > + /* TDH.QUOTE.GET expects the input data to fit in a page */
> > + if (in_data_len > PAGE_SIZE)
> > + return NULL;
>
> Do we really need this check? We can't trust the caller to pass the right size?
There is a similar check for this in_data_len on the KVM side in patch
12, but it is for a different reason. The check in KVM is to make sure
it maps valid guest memory pages into the kernel, while here we make
sure it complies with the SEAMCALL API. That said, the KVM check does
make the check here kinda redundant... I can remove this for simplicity.
>
> > +
> > + mutex_lock(&tdx_quote_lock);
> > +
> > + /*
> > + * Use the first page of the quote buffer for input data. The buffer
> > + * must be at least one page in size. @in_data may not be page-aligned,
> > + * but TDH.QUOTE.GET expects page-aligned addresses.
> > + */
> > + memcpy(quote_data.buf, in_data, (size_t)in_data_len);
> > +
> > + r = tdx_quote_get(td, quote_data.hpa_list[0], (u64)in_data_len,
> > + quote_data.hpa_list_pa, quote_data.buf_len, &out_len);
> > + if (r || !out_len || out_len > quote_data.buf_len)
>
>
> How do these various error conditions happen?
"r" is a SEAMCALL error just like any other SEAMCALL. If r == 0
(SUCCESS), there is no documented scenario for when "!out_len" or
"out_len > quote_data.buf_len" would occur. I would assume these would
be TDX module bugs.
The reason I check the last 2 conditions is mainly to protect the
kernel:
- "!out_len" will cause kvmemdup() to return ZERO_SIZE_PTR
- "out_len > quote_data.buf_len" will cause out-of-bounds memory
access in kvmemdup()
>
> > + goto out;
> > +
> > + /*
> > + * The quote buffer is a shared resource, so use it only for the
> > + * SEAMCALL and copy the data out as soon as possible.
> > + */
> > + quote_dup = kvmemdup(quote_data.buf, out_len, GFP_KERNEL);
>
> So at init time we allocate a vmalloc for the quote and pre-populate the
> hpa_list. Then we use it every time and copy the contents to a new vmalloc.
> Would it really be that hard to keep the hpa list allocation around, do a
> vmalloc here and update the pfn list. Then do get quote on that and pass back
> the vmalloc we just allocated? Just feels like global reuse way has extra pieces
> in it. Compared to the whole quoting operation, this vmalloc_to_pfn() loop is
> probably not very expensive.
Hm interesting idea. But a Quote buffer could be close to 4MB in the worst
case. Let's say max_quote_size is 3MB, that's 768 vmalloc_to_pfn() calls
each time... That sounds a bit excessive right?
The extra bits mainly come from using kvmemdup() I think. Having to use
kvfree() on it does feel a bit annoying but that was the tradeoff I
made...
>
next prev parent reply other threads:[~2026-06-14 11:29 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 3:41 [PATCH 00/15] Enable TDX Module Extensions and DICE-based TDX Quoting Xu Yilun
2026-05-22 3:41 ` [PATCH 01/15] x86/virt/tdx: Read global metadata for TDX Module Extensions Xu Yilun
2026-05-25 6:24 ` Xiaoyao Li
2026-05-25 6:54 ` Xiaoyao Li
2026-05-27 15:35 ` Kiryl Shutsemau
2026-05-28 4:25 ` Xu Yilun
2026-05-28 21:17 ` Edgecombe, Rick P
2026-05-29 15:34 ` Xu Yilun
2026-05-27 6:05 ` Sohil Mehta
2026-05-27 7:11 ` Xu Yilun
2026-05-27 17:17 ` Sohil Mehta
2026-05-28 3:48 ` Xu Yilun
2026-05-28 21:00 ` Edgecombe, Rick P
2026-05-29 16:59 ` Xu Yilun
2026-06-09 13:06 ` Adrian Hunter
2026-06-10 3:20 ` Xu Yilun
2026-06-12 22:20 ` Dan Williams (nvidia)
2026-05-22 3:41 ` [PATCH 02/15] x86/virt/tdx: Add extra memory to TDX Module for Extensions Xu Yilun
2026-05-25 8:56 ` Xiaoyao Li
2026-05-27 3:47 ` Xu Yilun
2026-05-27 6:38 ` Xiaoyao Li
2026-05-27 7:32 ` Xu Yilun
2026-05-27 8:18 ` Xiaoyao Li
2026-06-07 4:38 ` Kishen Maloor
2026-06-08 9:41 ` Xu Yilun
2026-06-09 13:38 ` Adrian Hunter
2026-06-10 5:13 ` Xu Yilun
2026-06-10 5:43 ` Adrian Hunter
2026-06-10 7:44 ` Xu Yilun
2026-06-12 23:49 ` Dan Williams (nvidia)
2026-05-22 3:41 ` [PATCH 03/15] x86/virt/tdx: Make TDX Module initialize Extensions Xu Yilun
2026-05-25 8:58 ` Xiaoyao Li
2026-06-05 8:46 ` Tony Lindgren
2026-06-09 15:14 ` Adrian Hunter
2026-06-10 8:09 ` Xu Yilun
2026-05-22 3:41 ` [PATCH 04/15] x86/virt/tdx: Enable the Extensions right after basic TDX Module init Xu Yilun
2026-05-25 6:00 ` Tony Lindgren
2026-05-27 4:02 ` Xu Yilun
2026-05-25 8:05 ` Xiaoyao Li
2026-05-28 21:32 ` Edgecombe, Rick P
2026-05-29 17:19 ` Xu Yilun
2026-06-07 4:38 ` Kishen Maloor
2026-06-08 10:12 ` Xu Yilun
2026-06-14 7:00 ` Peter Fang
2026-06-13 0:08 ` Dan Williams (nvidia)
2026-05-22 3:41 ` [RFC PATCH 05/15] x86/virt/tdx: Move tdx_tdr_pa() up in the file Xu Yilun
2026-05-28 21:32 ` Edgecombe, Rick P
2026-06-11 16:21 ` Adrian Hunter
2026-06-14 7:04 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 06/15] x86/virt/tdx: Initialize Quoting extension during bringup Xu Yilun
2026-05-28 21:35 ` Edgecombe, Rick P
2026-06-14 7:10 ` Peter Fang
2026-06-11 16:22 ` Adrian Hunter
2026-06-14 7:20 ` Peter Fang
2026-06-13 0:00 ` Dan Williams (nvidia)
2026-06-14 7:50 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 07/15] x86/virt/tdx: Prepare Quote buffer during extension bringup Xu Yilun
2026-05-28 22:30 ` Edgecombe, Rick P
2026-06-14 10:28 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 08/15] x86/virt/tdx: Add interface to check Quoting availability Xu Yilun
2026-05-22 3:41 ` [RFC PATCH 09/15] x86/virt/tdx: Add interface to generate a Quote Xu Yilun
2026-05-28 22:30 ` Edgecombe, Rick P
2026-06-14 11:29 ` Peter Fang [this message]
2026-06-11 17:15 ` Adrian Hunter
2026-06-14 11:36 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 10/15] x86/tdx: Move and rename Quote request structure Xu Yilun
2026-06-11 17:16 ` Adrian Hunter
2026-06-14 11:50 ` Peter Fang
2026-06-13 0:04 ` Dan Williams (nvidia)
2026-06-14 11:51 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 11/15] KVM: TDX: Factor out userspace return path from tdx_get_quote() Xu Yilun
2026-05-22 3:41 ` [RFC PATCH 12/15] KVM: TDX: Add in-kernel Quote generation Xu Yilun
2026-06-13 0:20 ` Dan Williams (nvidia)
2026-06-14 11:57 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 13/15] KVM: TDX: Support event-notify interrupts only with userspace quoting Xu Yilun
2026-06-11 19:36 ` Adrian Hunter
2026-06-14 12:57 ` Peter Fang
2026-05-22 3:41 ` [RFC PATCH 14/15] x86/virt/tdx: Embed version info in SEAMCALL leaf function definitions Xu Yilun
2026-05-25 9:00 ` Xiaoyao Li
2026-05-27 6:45 ` Xu Yilun
2026-05-27 7:44 ` Xiaoyao Li
2026-05-27 11:45 ` Xu Yilun
2026-06-12 5:47 ` Adrian Hunter
2026-06-13 15:55 ` Xu Yilun
2026-05-22 3:41 ` [RFC PATCH 15/15] x86/virt/tdx: Enable TDX Quoting extension Xu Yilun
2026-05-25 5:17 ` Tony Lindgren
2026-05-25 10:51 ` Xiaoyao Li
2026-05-26 9:00 ` Tony Lindgren
2026-05-26 15:45 ` Xu Yilun
2026-05-27 1:30 ` Xiaoyao Li
2026-06-07 4:41 ` Kishen Maloor
2026-06-08 15:10 ` Xu Yilun
2026-05-27 5:23 ` [PATCH 00/15] Enable TDX Module Extensions and DICE-based TDX Quoting Sohil Mehta
2026-05-27 10:38 ` Xu Yilun
2026-05-27 17:09 ` Sohil Mehta
2026-05-28 4:52 ` Xu Yilun
2026-05-28 19:50 ` Sohil Mehta
2026-06-01 9:36 ` Xu Yilun
2026-06-01 20:17 ` Sohil Mehta
2026-06-02 5:36 ` Xu Yilun
2026-06-07 4:36 ` Kishen Maloor
2026-06-08 6:54 ` Xu Yilun
2026-06-08 18:31 ` Adrian Hunter
2026-06-12 22:03 ` Dan Williams (nvidia)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260614112948.GG3200182@pedri \
--to=peter.fang@intel.com \
--cc=baolu.lu@linux.intel.com \
--cc=djbw@kernel.org \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=sohil.mehta@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=yilun.xu@linux.intel.com \
--cc=zhenzhong.duan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.