From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "Verma, Vishal L" <vishal.l.verma@intel.com>,
"kas@kernel.org" <kas@kernel.org>
Cc: "seanjc@google.com" <seanjc@google.com>,
"bp@alien8.de" <bp@alien8.de>, "x86@kernel.org" <x86@kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"tglx@kernel.org" <tglx@kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>
Subject: Re: [PATCH v2 3/5] x86/virt/tdx: Add SEAMCALL wrapper for TDH.SYS.DISABLE
Date: Tue, 31 Mar 2026 21:36:03 +0000 [thread overview]
Message-ID: <944b3fe5fa8955319030a7dfc0ea164bb0266e68.camel@intel.com> (raw)
In-Reply-To: <b9aa84d76c131132b5268712a44200e804c31aeb.camel@intel.com>
On Tue, 2026-03-31 at 18:22 +0000, Verma, Vishal L wrote:
> >
> > I guess the actual behaviour is dependant on the return code. It is
> > obviously going to be the case for TDX_SUCCESS. And from the discussion,
> > I guess that's true for TDX_SYS_BUSY and TDX_INTERRUPTED_RESUMABLE.
> >
> > What about other cases? The spec draft also lists TDX_SYS_NOT_READY and
> > TDX_SYS_SHUTDOWN.
>
> I think these are safe too - TDX_SYS_SHUTDOWN means the module has
> already been shutdown, which this seamcall would've done, so things
> should be in the same state either way.
>
> TDX_SYS_NOT_READY means the module hasn't been initialized yet. This
> seamcall should just exit, and the module is already blocking any
> seamcall that need the module to be initialized. The seamcalls to
> initialize the module will be allowed, as they are after a sys_disable
> call anyway.
Should the seamcall return success in the case where it would return
TDX_SYS_NOT_READY? It is in basically a reset state right? The errors we care
about are actual errors (TDX_SW_ERROR), so it makes no difference to the code in
the patch. But it might be a nicer API for the seamcall?
>
> >
> > I wounder if it can affect the kernel. Consider the case when kexec
> > (crash kernel start) happens due to crash on TDX module.
> >
> > Will we be able to shutdown TDX module cleanly and make kexec safe?
>
> Hm -are the semantics for what happens if there is a crash in the
> module defined? I think Linux should expect that sys_disable should
> either start doing its shutdown work, or exit with one of the other
> defined exit statuses. Anything else would be considered a module bug.
We often have the question come up about how much we should to guard against
bugs in the TDX module. I tend to also think we should not do defensive
programming, same as we do for the kernel. If it's easy to handle something or
emit a warning it's nice, but otherwise the solution for such cases should be to
fix the TDX module bug.
But for the kdump case, we don't actually need sys disable to succeed. The kdump
kernel will not load the TDX module. And as for the errata, this already needs a
special situation to be a problem. But even if it happens, I'd think better to
try to the kdump. Not sure what the fix would be for that scenario, even if we
allowed for a large complexity budget. So best effort seems good.
Does it seem reasonable?
next prev parent reply other threads:[~2026-03-31 21:36 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 20:59 [PATCH v2 0/5] Fuller TDX kexec support Vishal Verma
2026-03-23 20:59 ` [PATCH v2 1/5] x86/tdx: Move all TDX error defines into <asm/shared/tdx_errno.h> Vishal Verma
2026-03-24 9:49 ` Chao Gao
2026-03-31 19:30 ` Sean Christopherson
2026-03-31 21:46 ` Edgecombe, Rick P
2026-03-23 20:59 ` [PATCH v2 2/5] x86/virt/tdx: Pull kexec cache flush logic into arch/x86 Vishal Verma
2026-03-24 10:03 ` Chao Gao
2026-03-30 11:42 ` Kiryl Shutsemau
2026-03-31 19:22 ` Sean Christopherson
2026-03-31 22:21 ` Edgecombe, Rick P
2026-03-31 23:04 ` Sean Christopherson
2026-03-31 23:29 ` Edgecombe, Rick P
2026-04-01 15:03 ` Dave Hansen
2026-04-01 17:42 ` H. Peter Anvin
2026-04-01 18:12 ` Sean Christopherson
2026-04-01 18:30 ` Dave Hansen
2026-03-23 20:59 ` [PATCH v2 3/5] x86/virt/tdx: Add SEAMCALL wrapper for TDH.SYS.DISABLE Vishal Verma
2026-03-23 21:54 ` Verma, Vishal L
2026-03-23 22:40 ` Huang, Kai
2026-03-24 10:18 ` Chao Gao
2026-03-30 11:58 ` Kiryl Shutsemau
2026-03-30 19:25 ` Edgecombe, Rick P
2026-03-31 12:18 ` Kiryl Shutsemau
2026-03-31 18:22 ` Verma, Vishal L
2026-03-31 21:36 ` Edgecombe, Rick P [this message]
2026-04-01 9:26 ` Kiryl Shutsemau
2026-04-01 14:24 ` Dave Hansen
2026-03-23 20:59 ` [PATCH v2 4/5] x86/tdx: Disable the TDX module during kexec and kdump Vishal Verma
2026-03-23 22:41 ` Huang, Kai
2026-03-30 12:03 ` Kiryl Shutsemau
2026-03-23 20:59 ` [PATCH v2 5/5] x86/virt/tdx: Remove kexec docs Vishal Verma
2026-03-23 22:41 ` Huang, Kai
2026-03-30 12:04 ` Kiryl Shutsemau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=944b3fe5fa8955319030a7dfc0ea164bb0266e68.camel@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox