From: Xiaoyao Li <xiaoyao.li@intel.com>
To: "Huang, Kai" <kai.huang@intel.com>,
"seanjc@google.com" <seanjc@google.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"Williams, Dan J" <dan.j.williams@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>
Subject: Re: [PATCH v2 2/2] KVM: TDX: WARN if a SEAMCALL VM-Exit makes its way out to KVM
Date: Mon, 20 Oct 2025 14:10:12 +0800 [thread overview]
Message-ID: <0a49bd9b-e4d8-42eb-854c-e8730b5a58b7@intel.com> (raw)
In-Reply-To: <38ac916f7c3ae7520708f37389f5524d9278c648.camel@intel.com>
On 10/18/2025 4:58 AM, Huang, Kai wrote:
> On Fri, 2025-10-17 at 10:25 -0700, Sean Christopherson wrote:
>> On Fri, Oct 17, 2025, Kai Huang wrote:
>>> On Thu, 2025-10-16 at 11:21 -0700, Sean Christopherson wrote:
>>>> WARN if KVM observes a SEAMCALL VM-Exit while running a TD guest, as the
>>>> TDX-Module is supposed to inject a #UD, per the "Unconditionally Blocked
>>>> Instructions" section of the TDX-Module base specification.
>>>>
>>>> Reported-by: Xiaoyao Li <xiaoyao.li@intel.com>
>>>> Signed-off-by: Sean Christopherson <seanjc@google.com>
>>>> ---
>>>> arch/x86/kvm/vmx/tdx.c | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
>>>> index 097304bf1e1d..ffcfe95f224f 100644
>>>> --- a/arch/x86/kvm/vmx/tdx.c
>>>> +++ b/arch/x86/kvm/vmx/tdx.c
>>>> @@ -2148,6 +2148,9 @@ int tdx_handle_exit(struct kvm_vcpu *vcpu, fastpath_t fastpath)
>>>> * - If it's not an MSMI, no need to do anything here.
>>>> */
>>>> return 1;
>>>> + case EXIT_REASON_SEAMCALL:
>>>> + WARN_ON_ONCE(1);
>>>> + break;
>>>>
>>>
>>> While this exit should never happen from a TDX guest, I am wondering why
>>> we need to explicitly handle the SEAMCALL? E.g., per "Unconditionally
>>> Blocked Instructions" ENCLS/ENCLV are also listed, therefore
>>> EXIT_REASON_ELCLS/ENCLV should never come from a TDX guest either.
>>
>> Good point. SEAMCALL was obviously top of mind, I didn't think about all the
>> other exits that should be impossible.
>>
>> I haven't looked closely, at all, but I wonder if we can get away with this?
>>
>> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
>> index 097304bf1e1d..4c68444bd673 100644
>> --- a/arch/x86/kvm/vmx/tdx.c
>> +++ b/arch/x86/kvm/vmx/tdx.c
>> @@ -2149,6 +2149,8 @@ int tdx_handle_exit(struct kvm_vcpu *vcpu, fastpath_t fastpath)
>> */
>> return 1;
>> default:
>> + /* All other known exits should be handled by the TDX-Module. */
>> + WARN_ON_ONCE(exit_reason.basic <= c);
>> break;
>> }
>
> Not 100% sure, but should be fine? Needs more second eyes here.
>
> E.g., when a new module feature makes another exit reason possible then
> presumably we need explicit opt-in to that feature.
>
> Don't quite follow 'exit_reason.basic <= c' part, though. Maybe we can
> just unconditional WARN_ON_ONCE()?
>
> Or we can do things similar to VMX:
>
> vcpu_unimpl(vcpu, "vmx: unexpected exit reason 0x%x\n",
> exit_reason.full);
>
> Or just get rid of this patch :-)
I agree to it.
WARN_ON_ONCE() seems not provide more information except that we can
identify quickly there is TDX module bug when it gets hit.
But it's not too hard to get these information from the
KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON with vp_enter_ret in data[0].
And if we add WARN_ON_ONCE() here, we need to evaluate if it needs to
update "EXIT_REASON_TDCALL" everytime a new EXIT reason is introduced.
e.g., currently the largest exit reason number defined in SDM is 79 (for
WRMSRLIST) and it is actually handled by TDX module and KVM cannot
receive it from a TD vcpu.
next prev parent reply other threads:[~2025-10-20 6:10 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-16 18:21 [PATCH v2 0/2] KVM: VMX: Handle SEAMCALL or TDCALL VM-Exits Sean Christopherson
2025-10-16 18:21 ` [PATCH v2 1/2] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL Sean Christopherson
2025-10-17 2:53 ` Xiaoyao Li
2025-10-17 5:27 ` Binbin Wu
2025-10-17 10:53 ` Huang, Kai
2025-10-17 13:00 ` Sean Christopherson
2025-10-17 20:34 ` Huang, Kai
2025-10-17 20:34 ` Huang, Kai
2025-10-16 18:21 ` [PATCH v2 2/2] KVM: TDX: WARN if a SEAMCALL VM-Exit makes its way out to KVM Sean Christopherson
2025-10-17 2:56 ` Xiaoyao Li
2025-10-17 5:29 ` Binbin Wu
2025-10-17 10:40 ` Huang, Kai
2025-10-17 17:25 ` Sean Christopherson
2025-10-17 20:58 ` Huang, Kai
2025-10-17 21:11 ` Huang, Kai
2025-10-20 6:10 ` Xiaoyao Li [this message]
2025-10-20 15:03 ` Sean Christopherson
2025-11-04 17:45 ` [PATCH v2 0/2] KVM: VMX: Handle SEAMCALL or TDCALL VM-Exits Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0a49bd9b-e4d8-42eb-854c-e8730b5a58b7@intel.com \
--to=xiaoyao.li@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=dan.j.williams@intel.com \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox