From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DDF323AEF4C for ; Mon, 15 Jun 2026 19:44:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.15 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781552672; cv=none; b=E/zY7fovhKteC6kgpn8iD+bxEob63lWukJBHHMI7kIC9KsR4jCdcRZQzbsHLKfW06dRQsh8aJBS95Sr9rNtrWNuR/ZaEoMd3qmLd3fazxuRegoQD8vv4xftgakUCD5sI8fo89LovqNHzlkrkuBruAiO/sniHus9mkp6WtpRXv8k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781552672; c=relaxed/simple; bh=rO+/WsjXBOS2ZWUgt5AvQL5J/3opS8EjLjyv2S3RygA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ov/Cc0N4GZGcbW/XTPbTgZqtW542mk+kl1+76cSvxK14BxHVE72Qa4+/nKK7bCTc8Tq6c31phLqZtrWycmGqWPatN7MmsGYEKO5/xVJzrmwwqIfUKU8hNFh7ILi4JKfWGGotYIX51HcpPJ85fZRx44xJMebTb0CZJKT5QlZnODg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=pass smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=AUsUQP3h; arc=none smtp.client-ip=192.198.163.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="AUsUQP3h" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1781552671; x=1813088671; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=rO+/WsjXBOS2ZWUgt5AvQL5J/3opS8EjLjyv2S3RygA=; b=AUsUQP3hbeKV4sQHpM7IZL34JX0fTWGmy7wC1KPAI3DX7smtO+hwketb s50klDzAnRbCM5EnUBCLT0jtgtrF267UL0XYcHwLDtXn3TWK4lgcKFErq 0ib0OvQig98I4KKLOTKQZ5Tzd741iOfdGqvfZgaJ03s1cf2vOj4bKymi+ qVll3zZcRkuAbG3tBGB1F9r73TzBFtGZBkxWyqaWrYWDYa9XKu4HvFGd5 +FINy1BdGG44g8KiM+hzb4+O861ctjUCb3zUDlX10IoE4ZIMxsdCOHOii NsVZFZ6FXL3EXol/jX9UkRNzrQqnaliqUNPo8egFW4Obfbwly+Y3tn024 A==; X-CSE-ConnectionGUID: 3y8STvt5QNOTuR8E/cB6Cg== X-CSE-MsgGUID: uy2utKg1QBioOoQ92fw3XQ== X-IronPort-AV: E=McAfee;i="6800,10657,11818"; a="82411917" X-IronPort-AV: E=Sophos;i="6.24,206,1774335600"; d="scan'208";a="82411917" Received: from fmviesa002.fm.intel.com ([10.60.135.142]) by fmvoesa109.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jun 2026 12:44:30 -0700 X-CSE-ConnectionGUID: w2BY1xpyR5i5gIM0gFfwNw== X-CSE-MsgGUID: 5MAOqiymTn2ONQK6fuJjbA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.24,206,1774335600"; d="scan'208";a="271272640" Received: from smtp.ostc.intel.com ([10.54.29.231]) by fmviesa002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jun 2026 12:44:30 -0700 Received: from ray2.sr71.net (unknown [10.125.111.24]) by smtp.ostc.intel.com (Postfix) with ESMTP id 0883C5EA7; Mon, 15 Jun 2026 12:44:30 -0700 (PDT) From: Dave Hansen To: torvalds@linux-foundation.org Cc: x86@kernel.org, linux-kernel@vger.kernel.org, Dave Hansen Subject: [GIT PULL] x86/tdx for 7.2-rc1 Date: Mon, 15 Jun 2026 12:44:31 -0700 Message-ID: <20260615194431.530118-1-dave.hansen@linux.intel.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Hi Linus, Please pull some x86/tdx changes for 7.2-rc1. There are a few cleanups, and some changes that should allow TDX and kexec to coexist nicely. The biggest change, however, is support for updating the TDX module after boot, just like CPU microcode. TDX users really want this because it lets them do security updates without tearing things down and rebooting. The commits here are younger than normal: ~2 weeks old. I botched some of the Link: tags when applying and did not fix it up until 2 weeks ago. All the content except the Documentation patch on the end is much more mature than 2 weeks. -- The following changes since commit 254f49634ee16a731174d2ae34bc50bd5f45e731: Linux 7.1-rc1 (2026-04-26 14:19:00 -0700) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git tags/x86_tdx_for_7.2-rc1 for you to fetch changes up to 2b9ad7a6154e0938b9458691536296dd0224942d: x86/virt/tdx: Document TDX module update (2026-06-05 14:18:37 -0700) ---------------------------------------------------------------- * Add TDX module update support * Make kexec and TDX finally place nice together * Put TDX error codes into a single header ---------------------------------------------------------------- Chao Gao (22): x86/virt/tdx: Clarify try_init_module_global() result caching x86/virt/tdx: Move TDX global initialization states to file scope x86/virt/tdx: Consolidate TDX global initialization states x86/virt/tdx: Move TDX_FEATURES0 bits to asm/tdx.h coco/tdx-host: Introduce a "tdx_host" device coco/tdx-host: Expose TDX module version x86/virt/seamldr: Introduce a wrapper for P-SEAMLDR SEAMCALLs x86/virt/seamldr: Add a helper to retrieve P-SEAMLDR information coco/tdx-host: Expose P-SEAMLDR information via sysfs coco/tdx-host: Don't expose P-SEAMLDR information on CPUs with erratum coco/tdx-host: Implement firmware upload sysfs ABI for TDX module updates x86/virt/seamldr: Allocate and populate a module update request x86/virt/seamldr: Introduce skeleton for TDX module updates x86/virt/seamldr: Abort updates after a failed step x86/virt/seamldr: Shut down the current TDX module x86/virt/tdx: Reset software states during TDX module shutdown x86/virt/seamldr: Install a new TDX module x86/virt/seamldr: Initialize the newly-installed TDX module x86/virt/tdx: Restore TDX module state x86/virt/tdx: Refresh TDX module version after update x86/virt/tdx: Enable TDX module runtime updates x86/virt/tdx: Document TDX module update Dave Hansen (2): x86/virt/seamldr: Add module update locking coco/tdx-host: Lock out module updates when reading version Kai Huang (1): x86/virt/tdx: Move low level SEAMCALL helpers out of Kiryl Shutsemau (1): x86/tdx: Move TDX architectural error codes into Rick Edgecombe (2): x86/virt/tdx: Pull kexec cache flush logic into arch/x86 x86/virt/tdx: Remove kexec docs Vishal Verma (2): x86/virt/tdx: Add SEAMCALL wrapper for TDH.SYS.DISABLE x86/tdx: Disable the TDX module during kexec and kdump .../ABI/testing/sysfs-devices-faux-tdx-host | 26 ++ Documentation/arch/x86/tdx.rst | 134 +++++++- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/seamldr.h | 38 +++ arch/x86/include/asm/shared/tdx.h | 1 + .../{kvm/vmx => include/asm/shared}/tdx_errno.h | 8 +- arch/x86/include/asm/tdx.h | 70 +--- arch/x86/include/asm/tdx_global_metadata.h | 4 + arch/x86/include/asm/vmx.h | 1 + arch/x86/kernel/crash.c | 2 + arch/x86/kernel/machine_kexec_64.c | 16 - arch/x86/kvm/vmx/tdx.c | 10 - arch/x86/kvm/vmx/tdx.h | 1 - arch/x86/virt/vmx/tdx/Makefile | 2 +- arch/x86/virt/vmx/tdx/seamcall_internal.h | 109 ++++++ arch/x86/virt/vmx/tdx/seamldr.c | 368 +++++++++++++++++++++ arch/x86/virt/vmx/tdx/tdx.c | 219 ++++++++---- arch/x86/virt/vmx/tdx/tdx.h | 9 +- arch/x86/virt/vmx/tdx/tdx_global_metadata.c | 17 +- drivers/virt/coco/Kconfig | 2 + drivers/virt/coco/Makefile | 1 + drivers/virt/coco/tdx-host/Kconfig | 6 + drivers/virt/coco/tdx-host/Makefile | 1 + drivers/virt/coco/tdx-host/tdx-host.c | 239 +++++++++++++ 24 files changed, 1118 insertions(+), 167 deletions(-) create mode 100644 Documentation/ABI/testing/sysfs-devices-faux-tdx-host create mode 100644 arch/x86/include/asm/seamldr.h rename arch/x86/{kvm/vmx => include/asm/shared}/tdx_errno.h (90%) create mode 100644 arch/x86/virt/vmx/tdx/seamcall_internal.h create mode 100644 arch/x86/virt/vmx/tdx/seamldr.c create mode 100644 drivers/virt/coco/tdx-host/Kconfig create mode 100644 drivers/virt/coco/tdx-host/Makefile create mode 100644 drivers/virt/coco/tdx-host/tdx-host.c