From: Jun Miao <jun.miao@intel.com>
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: <dave.hansen@linux.intel.com>, <linux-coco@lists.linux.dev>,
"Miao, Jun" <jun.miao@intel.com>
Subject: Re: [PATCH] x86/virt/tdx: accurately distinguishes TDX module loading situations
Date: Sat, 29 Jun 2024 01:17:05 +0800 [thread overview]
Message-ID: <016dd1a5-b1ac-c413-e750-f785e47145f8@intel.com> (raw)
In-Reply-To: <2sejjb666z5rzxzinqtkvyh2q4726fgaq5cqvxi57xd6mqu2o7@ixhcmkmumxhr>
On 6/24/24 19:26, Kirill A. Shutemov wrote:
> On Sun, Jun 23, 2024 at 01:50:37AM +0800, Jun Miao wrote:
>> The first SEAMCALL is important to response the state of TDX Module/BIOS.
>>
>> In actual incorrect BIOS setup or deployment, the sysinit_ret will be
>> -EOPNOTSUPP. But the message "module not loaded" isn`t enough to describe
>> the accurate loading situation when module loaded but SEAMCALL failed
>> for some BIOS wrong setting. So add the error return operation code number.
> Do you want to actually check for EOPNOTSUPP and print a
> user-understandable message for it?
It`s like this: I am a customer service support engineer, I awlays
deploy TDX on site such as ByteDance/meituan
TDX is not simple but full stack.If boot up a TD guest, the follwing
three requirements must be met:
- The IFWI includes the correct seamldr and module in the BIOS, as
the same time have the ability to load the TDX module.
- Setting the TDX series of options, such as TME/SGX in the bios.
- At last, loading the kernel, check if it can be boot with below
demsg(when loaded successfully)
dmesg | grep - i tdx
[0.303913] virt/tdx: BIOS enabled: private KeyID range [64, 128)
[0.303916] virt/tdx: Disable Kexec. Turn off TDX in the BIOS to use KEXEC.
[0.303918] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use
ACPI S3.
[4.846924] usb usb1: Manufacturer: Linux 6.6.0-tdx.1.0.v1 xhci-hcd
[4.847748] usb usb2: Manufacturer: Linux 6.6.0-tdx.1.0.v1 xhci-hcd
[6.577811] BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.6.0-tdx.1.0.v1
[17.723174] virt/tdx: 1575964 KB? allocated for PAMT
[17.723185] virt/tdx: module initialized
But this time,? It took a lot of effort to find the SEAMLDR.bin loading
failed, since enable the bios debug need OEM cooperation
Got the bios log below as:
[TdxDxe]: [TDX_LATE-HANDLE_SEAMLDR] LoadTdxSeamldr BEGIN FATAL ERROR -
RaiseTpl withOldTpl(0x1F) > NewTpl(0x10) ASSERT
[DxeCore]e:\w\r\MdeModulePkg\Core\Dxe\Event\Tpl.c(66): ((BOOLEAN)(0==1))
[TdxDxe]: [TDX_LATE-HANDLE_SEAMLDR LoadTdxSeamldr END (Load Error)
But In the kernel, there is too little log message to find the error
like this(loading failed):
dmesg | grep - i tdx
[0.303913] virt/tdx: BIOS enabled: private KeyID range [64,
128)[0.303916] virt/tdx: Disable Kexec. Turn off TDX in the BIOS to use
KEXEC.
[0.303918] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use
ACPI S3.
I add the printk in the kernel and find the sysinit_ret = -19 = -EOPNOTSUPP
From the current logic,? no ¡°module not loaded¡± always meaning module
loaded.? But in fact, sysinit_ret is -EOPNOTSUPP(-19).
I will believe the module block at next seamcall: TDH_SYS_LP_INIT, which
is misleading.
> if (sysinit_ret == -ENODEV)
> pr_err("module not loaded\n");
... ...
> ret = seamcall_prerr(TDH_SYS_LP_INIT,&args);?? ?
However I also use the old bkc kernel, there is a useful message to find
such issues.¡± SEAMRR is not enabled by BIOS¡± to remind me where the
problem lies.
In order to more accurately find the problems, add some printing
reminders here will help the On site deployment engineer like me. ?
The story is a bit long. Thank you again for reading it over. Looking
forward to your suggestions.
---
Jun Miao
>
>> Signed-off-by: Jun Miao <jun.miao@intel.com>
>> ---
>> arch/x86/virt/vmx/tdx/tdx.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
>> index 4e2b2e2ac9f9..787dfaf44036 100644
>> --- a/arch/x86/virt/vmx/tdx/tdx.c
>> +++ b/arch/x86/virt/vmx/tdx/tdx.c
>> @@ -122,10 +122,14 @@ static int try_init_module_global(void)
>> /*
>> * The first SEAMCALL also detects the TDX module, thus
>> * it can fail due to the TDX module is not loaded.
>> - * Dump message to let the user know.
>> + * Dump more detailed message to let the user know.
>> */
>> if (sysinit_ret == -ENODEV)
>> pr_err("module not loaded\n");
>> + else if (sysinit_ret)
>> + pr_warn("module loaded error ret=%d\n",sysinit_ret);
> s/loaded/load/
>
>> + else
>> + pr_info("module loaded\n");
>>
>> sysinit_done = true;
>> out:
>> --
>> 2.32.0
>>
next prev parent reply other threads:[~2024-06-28 17:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-22 17:50 [PATCH] x86/virt/tdx: accurately distinguishes TDX module loading situations Jun Miao
2024-06-24 11:26 ` Kirill A. Shutemov
2024-06-28 17:17 ` Jun Miao [this message]
2024-07-19 1:31 ` Huang, Kai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=016dd1a5-b1ac-c413-e750-f785e47145f8@intel.com \
--to=jun.miao@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).