From: Xu Yilun <yilun.xu@linux.intel.com>
To: linux-coco@lists.linux.dev, linux-pci@vger.kernel.org,
dan.j.williams@intel.com, x86@kernel.org
Cc: chao.gao@intel.com, dave.jiang@intel.com,
baolu.lu@linux.intel.com, yilun.xu@linux.intel.com,
yilun.xu@intel.com, zhenzhong.duan@intel.com,
kvm@vger.kernel.org, rick.p.edgecombe@intel.com,
dave.hansen@linux.intel.com, kas@kernel.org,
xiaoyao.li@intel.com, vishal.l.verma@intel.com,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 21/31] x86/virt/tdx: Add SEAMCALL wrappers for trusted IOMMU setup and clear
Date: Sat, 28 Mar 2026 00:01:22 +0800 [thread overview]
Message-ID: <20260327160132.2946114-22-yilun.xu@linux.intel.com> (raw)
In-Reply-To: <20260327160132.2946114-1-yilun.xu@linux.intel.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Add SEAMCALLs to setup/clear trusted IOMMU for TDX Connect.
Enable TEE I/O support for a target device requires to setup trusted IOMMU
for the related IOMMU device first, even only for enabling physical secure
links like SPDM/IDE.
TDH.IOMMU.SETUP takes the register base address (VTBAR) to position an
IOMMU device, and outputs an IOMMU_ID as the trusted IOMMU identifier.
TDH.IOMMU.CLEAR takes the IOMMU_ID to reverse the setup.
More information see Intel TDX Connect ABI Specification [1]
Section 3.2 TDX Connect Host-Side (SEAMCALL) Interface Functions.
[1]: https://cdrdv2.intel.com/v1/dl/getContent/858625
Co-developed-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
arch/x86/include/asm/tdx.h | 2 ++
arch/x86/virt/vmx/tdx/tdx.h | 2 ++
arch/x86/virt/vmx/tdx/tdx.c | 32 ++++++++++++++++++++++++++++++--
3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index d7605235aa9b..a59e0e43e465 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -245,6 +245,8 @@ u64 tdh_mem_page_remove(struct tdx_td *td, u64 gpa, u64 level, u64 *ext_err1, u6
u64 tdh_phymem_cache_wb(bool resume);
u64 tdh_phymem_page_wbinvd_tdr(struct tdx_td *td);
u64 tdh_phymem_page_wbinvd_hkid(u64 hkid, struct page *page);
+u64 tdh_iommu_setup(u64 vtbar, struct tdx_page_array *iommu_mt, u64 *iommu_id);
+u64 tdh_iommu_clear(u64 iommu_id, struct tdx_page_array *iommu_mt);
#else
static inline void tdx_init(void) { }
static inline int tdx_cpu_enable(void) { return -ENODEV; }
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index a26fe94c07ff..b25c418f6e61 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -62,6 +62,8 @@
#define TDH_SYS_CONFIG SEAMCALL_LEAF_VER(TDH_SYS_CONFIG_V0, 1)
#define TDH_EXT_INIT 60
#define TDH_EXT_MEM_ADD 61
+#define TDH_IOMMU_SETUP 128
+#define TDH_IOMMU_CLEAR 129
/* TDX page types */
#define PT_NDA 0x0
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 294f36048c03..790713881f1f 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -2084,8 +2084,8 @@ static inline u64 tdx_tdr_pa(struct tdx_td *td)
return page_to_phys(td->tdr_page);
}
-static u64 __maybe_unused __seamcall_ir_resched(sc_func_t sc_func, u64 fn,
- struct tdx_module_args *args)
+static u64 __seamcall_ir_resched(sc_func_t sc_func, u64 fn,
+ struct tdx_module_args *args)
{
struct tdx_module_args _args;
u64 r;
@@ -2478,3 +2478,31 @@ void tdx_cpu_flush_cache_for_kexec(void)
}
EXPORT_SYMBOL_FOR_KVM(tdx_cpu_flush_cache_for_kexec);
#endif
+
+u64 tdh_iommu_setup(u64 vtbar, struct tdx_page_array *iommu_mt, u64 *iommu_id)
+{
+ struct tdx_module_args args = {
+ .rcx = vtbar,
+ .rdx = virt_to_phys(iommu_mt->root),
+ };
+ u64 r;
+
+ tdx_clflush_page_array(iommu_mt);
+
+ r = seamcall_ret_ir_resched(TDH_IOMMU_SETUP, &args);
+
+ *iommu_id = args.rcx;
+ return r;
+}
+EXPORT_SYMBOL_FOR_MODULES(tdh_iommu_setup, "tdx-host");
+
+u64 tdh_iommu_clear(u64 iommu_id, struct tdx_page_array *iommu_mt)
+{
+ struct tdx_module_args args = {
+ .rcx = iommu_id,
+ .rdx = virt_to_phys(iommu_mt->root),
+ };
+
+ return seamcall_ret_ir_resched(TDH_IOMMU_CLEAR, &args);
+}
+EXPORT_SYMBOL_FOR_MODULES(tdh_iommu_clear, "tdx-host");
--
2.25.1
next prev parent reply other threads:[~2026-03-27 16:23 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 16:01 [PATCH v2 00/31] PCI/TSM: PCIe Link Encryption Establishment via TDX platform services Xu Yilun
2026-03-27 16:01 ` [PATCH v2 01/31] x86/tdx: Move all TDX error defines into <asm/shared/tdx_errno.h> Xu Yilun
2026-03-27 23:37 ` Edgecombe, Rick P
2026-03-28 1:16 ` Dan Williams
2026-03-27 16:01 ` [PATCH v2 02/31] x86/virt/tdx: Move bit definitions of TDX_FEATURES0 to public header Xu Yilun
2026-03-27 23:45 ` Edgecombe, Rick P
2026-03-27 16:01 ` [PATCH v2 03/31] x86/virt/tdx: Add tdx_page_array helpers for new TDX Module objects Xu Yilun
2026-03-28 1:35 ` Edgecombe, Rick P
2026-03-27 16:01 ` [PATCH v2 04/31] x86/virt/tdx: Support allocating contiguous pages for tdx_page_array Xu Yilun
2026-03-27 16:01 ` [PATCH v2 05/31] x86/virt/tdx: Extend tdx_page_array to support IOMMU_MT Xu Yilun
2026-03-27 16:01 ` [PATCH v2 06/31] x86/virt/tdx: Read global metadata for TDX Module Extensions/Connect Xu Yilun
2026-03-27 16:01 ` [PATCH v2 07/31] x86/virt/tdx: Embed version info in SEAMCALL leaf function definitions Xu Yilun
2026-03-27 16:01 ` [PATCH v2 08/31] x86/virt/tdx: Configure TDX Module with optional TDX Connect feature Xu Yilun
2026-03-27 16:01 ` [PATCH v2 09/31] x86/virt/tdx: Move tdx_clflush_page() up in the file Xu Yilun
2026-03-27 16:01 ` [PATCH v2 10/31] x86/virt/tdx: Add extra memory to TDX Module for Extensions Xu Yilun
2026-03-27 16:01 ` [PATCH v2 11/31] x86/virt/tdx: Make TDX Module initialize Extensions Xu Yilun
2026-03-27 16:01 ` [PATCH v2 12/31] x86/virt/tdx: Enable the Extensions after basic TDX Module init Xu Yilun
2026-03-27 16:01 ` [PATCH v2 13/31] x86/virt/tdx: Extend tdx_clflush_page() to handle compound pages Xu Yilun
2026-03-27 16:01 ` [PATCH v2 14/31] PCI/TSM: Report active IDE streams per host bridge Xu Yilun
2026-03-27 16:01 ` [PATCH v2 15/31] coco/tdx-host: Introduce a "tdx_host" device Xu Yilun
2026-03-27 16:01 ` [PATCH v2 16/31] coco/tdx-host: Support Link TSM for TDX host Xu Yilun
2026-03-27 16:01 ` [PATCH v2 17/31] acpi: Add KEYP support to fw_table parsing Xu Yilun
2026-03-27 16:01 ` [PATCH v2 18/31] iommu/vt-d: Cache max domain ID to avoid redundant calculation Xu Yilun
2026-03-27 16:01 ` [PATCH v2 19/31] iommu/vt-d: Reserve the MSB domain ID bit for the TDX module Xu Yilun
2026-03-28 16:57 ` kernel test robot
2026-03-28 19:58 ` kernel test robot
2026-03-27 16:01 ` [PATCH v2 20/31] x86/virt/tdx: Add a helper to loop on TDX_INTERRUPTED_RESUMABLE Xu Yilun
2026-03-27 16:01 ` Xu Yilun [this message]
2026-03-27 16:01 ` [PATCH v2 22/31] iommu/vt-d: Export a helper to do function for each dmar_drhd_unit Xu Yilun
2026-03-27 16:01 ` [PATCH v2 23/31] coco/tdx-host: Setup all trusted IOMMUs on TDX Connect init Xu Yilun
2026-03-27 16:01 ` [PATCH v2 24/31] coco/tdx-host: Add a helper to exchange SPDM messages through DOE Xu Yilun
2026-03-27 16:01 ` [PATCH v2 25/31] x86/virt/tdx: Add SEAMCALL wrappers for SPDM management Xu Yilun
2026-03-27 16:01 ` [PATCH v2 26/31] mm: Add __free() support for __free_page() Xu Yilun
2026-03-27 16:01 ` [PATCH v2 27/31] coco/tdx-host: Implement SPDM session setup Xu Yilun
2026-03-27 16:01 ` [PATCH v2 28/31] coco/tdx-host: Parse ACPI KEYP table to init IDE for PCI host bridges Xu Yilun
2026-03-27 16:01 ` [PATCH v2 29/31] x86/virt/tdx: Add SEAMCALL wrappers for IDE stream management Xu Yilun
2026-03-27 16:01 ` [PATCH v2 30/31] coco/tdx-host: Implement IDE stream setup/teardown Xu Yilun
2026-03-27 16:01 ` [PATCH v2 31/31] coco/tdx-host: Finally enable SPDM session and IDE Establishment Xu Yilun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260327160132.2946114-22-yilun.xu@linux.intel.com \
--to=yilun.xu@linux.intel.com \
--cc=baolu.lu@linux.intel.com \
--cc=chao.gao@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dave.jiang@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=zhenzhong.duan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox