From: Chao Gao
To: kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, x86@kernel.org
Cc: binbin.wu@linux.intel.com, dave.hansen@linux.intel.com, djbw@kernel.org, ira.weiny@intel.com, kai.huang@intel.com, kas@kernel.org, nik.borisov@suse.com, paulmck@kernel.org, pbonzini@redhat.com, reinette.chatre@intel.com, rick.p.edgecombe@intel.com, sagis@google.com, seanjc@google.com, tony.lindgren@linux.intel.com, vannapurve@google.com, vishal.l.verma@intel.com, yilun.xu@linux.intel.com, xiaoyao.li@intel.com, yan.y.zhao@intel.com, Chao Gao, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin"
Subject: [PATCH v8 17/21] x86/virt/seamldr: Abort updates on failure
Date: Mon, 27 Apr 2026 08:28:11 -0700
Message-ID: <20260427152854.101171-18-chao.gao@intel.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260427152854.101171-1-chao.gao@intel.com>
References: <20260427152854.101171-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-coco@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

TDX module update is a multi-step process, and each step can fail. The current update flow continues to later steps after an error. Continuing after failure leaves the TDX module in an unrecoverable state.

One failure case must remain recoverable: update contention with an ongoing TD build. The agreed kernel behavior for this case is to fail the update with -EBUSY so userspace can retry later.

Abort the update on any failure. For the contention case, this provides a recoverable failure mode because the failure occurs before any TDX module state is changed. Use the same rule for all errors to avoid special-casing -EBUSY.

Introduce a shared "failed" flag. When a CPU fails, set the flag and force all CPUs to exit the update loop. A failing CPU does not acknowledge the current step, so other CPUs remain at that step until they observe the "failed" flag and exit.

Use READ_ONCE()/WRITE_ONCE() for the flag because it is used for lockless communication between stop_machine workers. Also use WRITE_ONCE() for the initial clear to keep accesses to the flag uniform and explicit. Signed-off-by: Chao Gao Reviewed-by: Xu Yilun Reviewed-by: Tony Lindgren Reviewed-by: Kai Huang Reviewed-by: Kiryl Shutsemau (Meta) --- v8: - Explain why aborting updates is necessary. [Rick] - always use READ_ONCE()/WRITE_ONCE() for the "failed" flag. --- arch/x86/virt/vmx/tdx/seamldr.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamldr.c index c81b26c4bac1..9b8f571eb03f 100644 --- a/arch/x86/virt/vmx/tdx/seamldr.c +++ b/arch/x86/virt/vmx/tdx/seamldr.c @@ -220,6 +220,7 @@ enum module_update_state { static struct { enum module_update_state state; int thread_ack; + bool failed; /* * Protect update_data. Raw spinlock as it will be acquired from * interrupt-disabled contexts. @@ -284,12 +285,15 @@ static int do_seamldr_install_module(void *seamldr_params) break; } - ack_state(); + if (ret) + WRITE_ONCE(update_data.failed, true); + else + ack_state(); } else { touch_nmi_watchdog(); rcu_momentary_eqs(); } - } while (curstate != MODULE_UPDATE_DONE); + } while (curstate != MODULE_UPDATE_DONE && !READ_ONCE(update_data.failed)); return ret; } @@ -315,6 +319,7 @@ int seamldr_install_module(const u8 *data, u32 size) /* Ensure a stable set of online CPUs for the update process. */ guard(cpus_read_lock)(); + WRITE_ONCE(update_data.failed, false); set_target_state(MODULE_UPDATE_START + 1); ret = stop_machine_cpuslocked(do_seamldr_install_module, params, cpu_online_mask); if (ret) -- 2.47.1
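Review bot: the new `bool failed;` member added in the first hunk (@@ -220,6 +220,7 @@) has no comment, and it sits directly above the existing "Protect update_data" comment, which reads as if the raw spinlock covers every field of the struct. The other hunks touch the flag only through READ_ONCE()/WRITE_ONCE() with no lock held, so a one-line comment on the field saying it is set by any CPU whose step fails and polled locklessly by the others would keep a later reader from adding a plain access or assuming the lock is required.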
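Review bot: in the second hunk (@@ -284,12 +285,15 @@, do_seamldr_install_module()), the `if (ret)` branch that replaces the unconditional ack_state() has no comment saying that skipping the ack is deliberate; the reasoning (other CPUs stay at the current step until they observe the flag) lives only in the commit message. Please add a short comment above `if (ret)`. It would also help to note there that CPUs leaving the loop through `!READ_ONCE(update_data.failed)` return their own `ret`, which can be 0, so the caller's `if (ret)` check after stop_machine_cpuslocked() depends on the failing CPU's non-zero value being the one reported.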
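Review bot: in the third hunk (@@ -315,6 +319,7 @@, seamldr_install_module()), the reset before set_target_state(MODULE_UPDATE_START + 1) clears only `failed`, while an aborted run leaves thread_ack partly consumed because the failing CPU skips ack_state(). set_target_state() is not visible in this patch; please confirm that it reinitializes thread_ack, and consider moving the `failed` reset into it, or stating the dependency in a comment, so that all per-update state is reset in one place before stop_machine_cpuslocked() runs.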