From: Andi Kleen <ak@linux.intel.com>
To: Kai Huang <kai.huang@intel.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: linux-mm@kvack.org, seanjc@google.com, pbonzini@redhat.com,
dave.hansen@intel.com, dan.j.williams@intel.com,
rafael.j.wysocki@intel.com, kirill.shutemov@linux.intel.com,
reinette.chatre@intel.com, len.brown@intel.com,
tony.luck@intel.com, peterz@infradead.org,
isaku.yamahata@intel.com, chao.gao@intel.com,
sathyanarayanan.kuppuswamy@linux.intel.com, bagasdotme@gmail.com,
sagis@google.com, imammedo@redhat.com
Subject: Re: [PATCH v6 21/21] Documentation/x86: Add documentation for TDX host support
Date: Thu, 27 Oct 2022 05:38:09 -0700 [thread overview]
Message-ID: <b210d6f3-868c-9711-7703-1363dcd9269f@linux.intel.com> (raw)
In-Reply-To: <a3783eb87c0b3e652938dfd8714ed2fe93989c76.1666824663.git.kai.huang@intel.com>
On 10/26/2022 4:16 PM, Kai Huang wrote:
> Add documentation for TDX host kernel support. There is already one
> file Documentation/x86/tdx.rst containing documentation for TDX guest
> internals. Also reuse it for TDX host kernel support.
>
> Introduce a new level menu "TDX Guest Support" and move existing
> materials under it, and add a new menu for TDX host kernel support.
>
> Signed-off-by: Kai Huang <kai.huang@intel.com>
> ---
> Documentation/x86/tdx.rst | 209 ++++++++++++++++++++++++++++++++++++--
> 1 file changed, 198 insertions(+), 11 deletions(-)
>
> diff --git a/Documentation/x86/tdx.rst b/Documentation/x86/tdx.rst
> index b8fa4329e1a5..59481dbe64b2 100644
> --- a/Documentation/x86/tdx.rst
> +++ b/Documentation/x86/tdx.rst
> @@ -10,6 +10,193 @@ encrypting the guest memory. In TDX, a special module running in a special
> mode sits between the host and the guest and manages the guest/host
> separation.
>
> +TDX Host Kernel Support
> +=======================
> +
> +TDX introduces a new CPU mode called Secure Arbitration Mode (SEAM) and
> +a new isolated range pointed by the SEAM Ranger Register (SEAMRR). A
> +CPU-attested software module called 'the TDX module' runs inside the new
> +isolated range to provide the functionalities to manage and run protected
> +VMs.
> +
> +TDX also leverages Intel Multi-Key Total Memory Encryption (MKTME) to
> +provide crypto-protection to the VMs. TDX reserves part of MKTME KeyIDs
> +as TDX private KeyIDs, which are only accessible within the SEAM mode.
> +BIOS is responsible for partitioning legacy MKTME KeyIDs and TDX KeyIDs.
> +
> +Before the TDX module can be used to create and run protected VMs, it
> +must be loaded into the isolated range and properly initialized. The TDX
> +architecture doesn't require the BIOS to load the TDX module, but the
> +kernel assumes it is loaded by the BIOS.
> +
> +TDX boot-time detection
> +-----------------------
> +
> +The kernel detects TDX by detecting TDX private KeyIDs during kernel
> +boot. Below dmesg shows when TDX is enabled by BIOS::
> +
> + [..] tdx: TDX enabled by BIOS. TDX private KeyID range: [16, 64).
> +
> +TDX module detection and initialization
> +---------------------------------------
> +
> +There is no CPUID or MSR to detect the TDX module. The kernel detects it
> +by initializing it.
> +
> +The kernel talks to the TDX module via the new SEAMCALL instruction. The
> +TDX module implements SEAMCALL leaf functions to allow the kernel to
> +initialize it.
> +
> +Initializing the TDX module consumes roughly ~1/256th system RAM size to
> +use it as 'metadata' for the TDX memory. It also takes additional CPU
> +time to initialize those metadata along with the TDX module itself. Both
> +are not trivial. The kernel initializes the TDX module at runtime on
> +demand. The caller to call tdx_enable() to initialize the TDX module::
> +
> + ret = tdx_enable();
> + if (ret)
> + goto no_tdx;
> + // TDX is ready to use
> +
> +Initializing the TDX module requires all logical CPUs being online.
> +tdx_enable() internally temporarily disables CPU hotplug to prevent any
> +CPU from going offline, but the caller still needs to guarantee all
> +present CPUs are online before calling tdx_enable().
> +
> +Also, tdx_enable() requires all CPUs are already in VMX operation
> +(requirement of making SEAMCALL). Currently, tdx_enable() doesn't handle
> +VMXON internally, but depends on the caller to guarantee that. So far
> +KVM is the only user of TDX and KVM already handles VMXON.
> +
> +User can consult dmesg to see the presence of the TDX module, and whether
> +it has been initialized.
> +
> +If the TDX module is not loaded, dmesg shows below::
> +
> + [..] tdx: TDX module is not loaded.
> +
> +If the TDX module is initialized successfully, dmesg shows something
> +like below::
> +
> + [..] tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 0, build_date 20211209, build_num 160
> + [..] tdx: 65667 pages allocated for PAMT.
> + [..] tdx: TDX module initialized.
> +
> +If the TDX module failed to initialize, dmesg shows below::
> +
> + [..] tdx: Failed to initialize TDX module. Shut it down.
> +
> +TDX Interaction to Other Kernel Components
> +------------------------------------------
> +
> +TDX Memory Policy
> +~~~~~~~~~~~~~~~~~
> +
> +The TDX module reports a list of "Convertible Memory Region" (CMR) to
> +indicate which memory regions are TDX-capable. Those regions are
> +generated by BIOS and verified by the MCHECK so that they are truly
> +present during platform boot and can meet security guarantees.
> +
> +However those TDX convertible memory regions are not automatically usable
> +to the TDX module. The kernel needs to choose all TDX-usable memory
> +regions and pass those regions to the TDX module when initializing it.
> +After TDX module is initialized, no more TDX-usable memory can be added
> +to the TDX module.
> +
> +To keep things simple, this initial implementation chooses to use all
> +boot-time present memory managed by the page allocator as TDX memory.
> +This _requires_ all boot-time present memory is TDX convertible memory,
> +which is true in practice. If there's any boot-time memory isn't TDX
> +convertible memory (which is allowed from TDX architecture's point of
> +view), it will be caught later during TDX module initialization and the
> +initialization will fail.
> +
> +However one machine may support both TDX and non-TDX memory both at
> +machine boot time and runtime. For example, any memory hot-added at
> +runtime cannot be TDX memory. Also, for now NVDIMM and CXL memory are
> +not TDX memory, no matter whether they are present at machine boot time
> +or not.
> +
> +This raises a problem that, if any non-TDX memory is hot-added to the
> +system-wide memory allocation pool, a non-TDX page may be allocated to a
> +TDX guest, which will result in failing to create the TDX guest, or
> +killing it at runtime.
> +
> +The current implementation doesn't explicitly prevent adding any non-TDX
> +memory to system-wide memory pool, but depends on the machine owner to
> +make sure such operation won't happen. For example, the machine owner
> +should never plug any NVDIMM or CXL memory to the machine, or use kmem
> +driver to hot-add any to the core-mm.
I assume that will be fixed in some form, so doesn't need to be in the
documentation.
> +
> +To keep things simple, this series doesn't handle memory hotplug at all,
> +but depends on the machine owner to not do any memory hotplug operation.
> +For example, the machine owner should not plug any NVDIMM or CXL memory
> +into the machine, or use kmem driver to plug NVDIMM or CXL memory to the
> +core-mm.
Dito. Documentation/* shouldn't contain temporary things like a commit log.
next prev parent reply other threads:[~2022-10-27 12:38 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-26 23:15 [PATCH v6 00/21] TDX host kernel support Kai Huang
2022-10-26 23:16 ` [PATCH v6 01/21] x86/tdx: Use enum to define page level of TDX supported page sizes Kai Huang
2022-10-27 7:08 ` Xiaoyao Li
2022-10-27 8:42 ` Huang, Kai
2022-10-27 13:51 ` Kirill A. Shutemov
2022-10-28 0:47 ` Huang, Kai
2022-10-27 22:28 ` Isaku Yamahata
2022-10-27 15:27 ` Dave Hansen
2022-10-28 0:10 ` Huang, Kai
2022-10-26 23:16 ` [PATCH v6 02/21] x86/virt/tdx: Detect TDX during kernel boot Kai Huang
2022-10-26 23:16 ` [PATCH v6 03/21] x86/virt/tdx: Disable TDX if X2APIC is not enabled Kai Huang
2022-10-26 23:16 ` [PATCH v6 04/21] x86/virt/tdx: Use all boot-time system memory as TDX memory Kai Huang
2022-10-26 23:16 ` [PATCH v6 05/21] x86/virt/tdx: Add skeleton to initialize TDX on demand Kai Huang
2022-10-26 23:16 ` [PATCH v6 06/21] x86/virt/tdx: Implement functions to make SEAMCALL Kai Huang
2022-10-26 23:16 ` [PATCH v6 07/21] x86/virt/tdx: Shut down TDX module in case of error Kai Huang
2022-10-26 23:16 ` [PATCH v6 08/21] x86/virt/tdx: Do TDX module global initialization Kai Huang
2022-10-26 23:16 ` [PATCH v6 09/21] x86/virt/tdx: Do logical-cpu scope TDX module initialization Kai Huang
2022-10-26 23:16 ` [PATCH v6 10/21] x86/virt/tdx: Get information about TDX module and TDX-capable memory Kai Huang
2022-10-26 23:16 ` [PATCH v6 11/21] x86/virt/tdx: Sanity check all TDX memory ranges are convertible memory Kai Huang
2022-10-26 23:16 ` [PATCH v6 12/21] x86/virt/tdx: Add placeholder to construct TDMRs to cover all TDX memory regions Kai Huang
2022-10-27 15:31 ` Andi Kleen
2022-10-28 2:21 ` Huang, Kai
2022-11-03 8:55 ` Huang, Kai
2022-11-03 15:05 ` Dave Hansen
2022-11-03 22:07 ` Huang, Kai
2022-10-26 23:16 ` [PATCH v6 13/21] x86/virt/tdx: Create " Kai Huang
2022-10-26 23:16 ` [PATCH v6 14/21] x86/virt/tdx: Allocate and set up PAMTs for TDMRs Kai Huang
2022-10-26 23:16 ` [PATCH v6 15/21] x86/virt/tdx: Set up reserved areas for all TDMRs Kai Huang
2022-10-26 23:16 ` [PATCH v6 16/21] x86/virt/tdx: Reserve TDX module global KeyID Kai Huang
2022-10-27 12:40 ` Andi Kleen
2022-10-28 1:24 ` Huang, Kai
2022-10-26 23:16 ` [PATCH v6 17/21] x86/virt/tdx: Configure TDX module with TDMRs and " Kai Huang
2022-10-26 23:16 ` [PATCH v6 18/21] x86/virt/tdx: Configure global KeyID on all packages Kai Huang
2022-10-27 12:35 ` Andi Kleen
2022-10-28 1:07 ` Huang, Kai
2022-10-26 23:16 ` [PATCH v6 19/21] x86/virt/tdx: Initialize all TDMRs Kai Huang
2022-10-27 12:30 ` Andi Kleen
2022-10-28 1:08 ` Huang, Kai
2022-10-26 23:16 ` [PATCH v6 20/21] x86/virt/tdx: Flush cache in kexec() when TDX is enabled Kai Huang
2022-10-26 23:16 ` [PATCH v6 21/21] Documentation/x86: Add documentation for TDX host support Kai Huang
2022-10-27 12:38 ` Andi Kleen [this message]
2022-10-28 2:31 ` Huang, Kai
2022-10-28 12:52 ` Bagas Sanjaya
2022-10-28 14:16 ` Dave Hansen
2022-10-26 23:26 ` [PATCH v6 00/21] TDX host kernel support Dave Hansen
2022-10-26 23:51 ` Huang, Kai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b210d6f3-868c-9711-7703-1363dcd9269f@linux.intel.com \
--to=ak@linux.intel.com \
--cc=bagasdotme@gmail.com \
--cc=chao.gao@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@intel.com \
--cc=imammedo@redhat.com \
--cc=isaku.yamahata@intel.com \
--cc=kai.huang@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=len.brown@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rafael.j.wysocki@intel.com \
--cc=reinette.chatre@intel.com \
--cc=sagis@google.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).