From: <dan.j.williams@intel.com>
To: Chao Gao <chao.gao@intel.com>, "Huang, Kai" <kai.huang@intel.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"tony.lindgren@linux.intel.com" <tony.lindgren@linux.intel.com>,
"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>,
"seanjc@google.com" <seanjc@google.com>,
"kas@kernel.org" <kas@kernel.org>,
"Chatre, Reinette" <reinette.chatre@intel.com>,
"Verma, Vishal L" <vishal.l.verma@intel.com>,
"nik.borisov@suse.com" <nik.borisov@suse.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"Weiny, Ira" <ira.weiny@intel.com>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"Annapurve, Vishal" <vannapurve@google.com>,
"sagis@google.com" <sagis@google.com>,
"Duan, Zhenzhong" <zhenzhong.duan@intel.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"paulmck@kernel.org" <paulmck@kernel.org>,
"tglx@kernel.org" <tglx@kernel.org>,
"yilun.xu@linux.intel.com" <yilun.xu@linux.intel.com>,
"Williams, Dan J" <dan.j.williams@intel.com>,
"bp@alien8.de" <bp@alien8.de>
Subject: Re: [PATCH v4 21/24] x86/virt/tdx: Avoid updates during update-sensitive operations
Date: Wed, 25 Feb 2026 22:34:37 -0800 [thread overview]
Message-ID: <699fe97dc212f_2f4a100b@dwillia2-mobl4.notmuch> (raw)
In-Reply-To: <aZ+31DJr0cI7v8C9@intel.com>
Chao Gao wrote:
> >> int tdx_module_shutdown(void)
> >> {
> >> struct tdx_module_args args = {};
> >> - int ret, cpu;
> >> + u64 ret;
> >> + int cpu;
> >>
> >> /*
> >> * Shut down the TDX Module and prepare handoff data for the next
> >> @@ -1189,9 +1192,21 @@ int tdx_module_shutdown(void)
> >> * modules as new modules likely have higher handoff version.
> >> */
> >> args.rcx = tdx_sysinfo.handoff.module_hv;
> >> - ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
> >> - if (ret)
> >> - return ret;
> >> +
> >> + if (tdx_supports_update_compatibility(&tdx_sysinfo))
> >> + args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;
> >> +
> >> + ret = seamcall(TDH_SYS_SHUTDOWN, &args);
> >> +
> >> + /*
> >> + * Return -EBUSY to signal that there is one or more ongoing flows
> >> + * which may not be compatible with an updated TDX module, so that
> >> + * userspace can retry on this error.
> >> + */
> >> + if ((ret & TDX_SEAMCALL_STATUS_MASK) == TDX_UPDATE_COMPAT_SENSITIVE)
> >> + return -EBUSY;
> >> + else if (ret)
> >> + return -EIO;
> >>
> >
> >The changelog says "doing nothing" isn't an option, and we need to depend on
> >TDH.SYS.SHUTDOWN to catch such incompatibilities.
Doing nothing in the kernel is fine. This is a tooling problem.
> >To me this means we cannot support module update if TDH.SYS.SHUTDOWN doesn't
> >support this "AVOID_COMPAT_SENSITIVE" feature, because w/o it we cannot tell
> >whether the update is happening during any sensitive operation.
> >
>
> Good point.
>
> I'm fine with disabling updates in this case. The only concern is that it would
> block even perfectly compatible updates, but this only impacts a few older
> modules, so it shouldn't be a big problem. And the value of supporting old
> modules will also diminish over time.
>
> But IMO, the kernel's incompatibility check is intentionally best effort, not a
> guarantee. For example, the kernel doesn't verify if the module update is
> compatible with the CPU or P-SEAMLDR. So non-compatible updates may slip through
> anyway, and the expectation for users is "run non-compatible updates at their
> own risk". Given this, allowing updates when one incompatibility check is
> not supported (i.e., AVOID_COMPAT_SENSITIVE) is also acceptable. At minimum,
> users can choose not to perform updates if the module lacks
> AVOID_COMPAT_SENSITIVE support.
>
> I'm fine with either approach, but slightly prefer disabling updates in
> this case. Let's see if anyone has strong opinions on this.
Do not make Linux carry short lived one-off complexity. Make userspace
do a "if $module_version < $min_module_version_for_compat_detect" and
tell the user to update at their own risk if that minimum version is not
met. Linux should be encouraging the module to be better, not
accommodate every early generation miss like this with permanent hacks.
next prev parent reply other threads:[~2026-02-26 6:34 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-12 14:35 [PATCH v4 00/24] Runtime TDX Module update support Chao Gao
2026-02-12 14:35 ` [PATCH v4 01/24] x86/virt/tdx: Move low level SEAMCALL helpers out of <asm/tdx.h> Chao Gao
2026-03-02 12:24 ` Chao Gao
2026-03-05 9:24 ` Binbin Wu
2026-02-12 14:35 ` [PATCH v4 02/24] coco/tdx-host: Introduce a "tdx_host" device Chao Gao
2026-02-20 0:15 ` Huang, Kai
2026-02-24 1:11 ` Chao Gao
2026-03-05 9:25 ` Binbin Wu
2026-03-06 2:13 ` Chao Gao
2026-03-06 4:17 ` Dave Hansen
2026-03-06 5:12 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 03/24] coco/tdx-host: Expose TDX Module version Chao Gao
2026-02-20 0:40 ` Huang, Kai
2026-02-24 2:02 ` Chao Gao
2026-02-24 10:18 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 04/24] x86/virt/seamldr: Introduce a wrapper for P-SEAMLDR SEAMCALLs Chao Gao
2026-02-20 1:12 ` Huang, Kai
2026-02-24 2:31 ` Chao Gao
2026-02-24 10:25 ` Huang, Kai
2026-03-12 20:15 ` Dave Hansen
2026-03-05 9:51 ` Binbin Wu
2026-03-12 20:14 ` Dave Hansen
2026-03-13 8:02 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 05/24] x86/virt/seamldr: Retrieve P-SEAMLDR information Chao Gao
2026-02-20 9:36 ` Huang, Kai
2026-02-24 2:59 ` Chao Gao
2026-02-24 10:30 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 06/24] coco/tdx-host: Expose P-SEAMLDR information via sysfs Chao Gao
2026-03-06 9:29 ` Binbin Wu
2026-02-12 14:35 ` [PATCH v4 07/24] coco/tdx-host: Implement firmware upload sysfs ABI for TDX Module updates Chao Gao
2026-02-27 3:30 ` Xu Yilun
2026-02-27 4:36 ` Xu Yilun
2026-03-10 2:31 ` Yan Zhao
2026-03-12 20:20 ` Dave Hansen
2026-03-13 8:28 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 08/24] x86/virt/seamldr: Block TDX Module updates if any CPU is offline Chao Gao
2026-03-05 7:02 ` Huang, Kai
2026-03-12 20:20 ` Dave Hansen
2026-03-13 8:17 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 09/24] x86/virt/seamldr: Check update limit before TDX Module updates Chao Gao
2026-03-05 4:09 ` Xu Yilun
2026-03-05 7:04 ` Huang, Kai
2026-03-12 2:35 ` Yan Zhao
2026-03-12 14:13 ` Chao Gao
2026-03-12 19:21 ` Edgecombe, Rick P
2026-03-12 20:23 ` Dave Hansen
2026-03-13 8:32 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 10/24] x86/virt/seamldr: Allocate and populate a module update request Chao Gao
2026-02-19 22:31 ` Huang, Kai
2026-02-24 5:15 ` Chao Gao
2026-02-24 10:46 ` Huang, Kai
2026-03-05 4:12 ` Xu Yilun
2026-03-12 2:32 ` Yan Zhao
2026-03-12 14:36 ` Chao Gao
2026-03-12 16:56 ` Edgecombe, Rick P
2026-03-13 12:16 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 11/24] x86/virt/seamldr: Introduce skeleton for TDX Module updates Chao Gao
2026-02-23 9:25 ` Huang, Kai
2026-02-24 6:00 ` Chao Gao
2026-02-24 10:49 ` Huang, Kai
2026-03-12 2:00 ` Edgecombe, Rick P
2026-03-12 14:09 ` Chao Gao
2026-03-12 18:05 ` Edgecombe, Rick P
2026-03-13 13:54 ` Chao Gao
2026-03-13 17:43 ` Edgecombe, Rick P
2026-03-12 20:40 ` Dave Hansen
2026-03-13 12:15 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 12/24] x86/virt/seamldr: Abort updates if errors occurred midway Chao Gao
2026-03-04 22:38 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 13/24] x86/virt/seamldr: Shut down the current TDX module Chao Gao
2026-03-04 22:59 ` Huang, Kai
2026-03-06 8:14 ` Chao Gao
2026-03-12 2:34 ` Edgecombe, Rick P
2026-03-05 4:14 ` Xu Yilun
2026-03-12 2:17 ` Edgecombe, Rick P
2026-03-12 2:57 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 14/24] x86/virt/tdx: Reset software states during TDX Module shutdown Chao Gao
2026-03-04 23:06 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 15/24] x86/virt/seamldr: Log TDX Module update failures Chao Gao
2026-03-04 23:08 ` Huang, Kai
2026-03-05 4:18 ` Xu Yilun
2026-02-12 14:35 ` [PATCH v4 16/24] x86/virt/seamldr: Install a new TDX Module Chao Gao
2026-03-04 23:17 ` Huang, Kai
2026-03-05 4:22 ` Xu Yilun
2026-02-12 14:35 ` [PATCH v4 17/24] x86/virt/seamldr: Do TDX per-CPU initialization after updates Chao Gao
2026-03-04 23:18 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 18/24] x86/virt/tdx: Restore TDX Module state Chao Gao
2026-03-04 23:24 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 19/24] x86/virt/tdx: Update tdx_sysinfo and check features post-update Chao Gao
2026-03-04 23:40 ` Huang, Kai
2026-03-06 8:32 ` Chao Gao
2026-03-06 9:35 ` Huang, Kai
2026-03-12 18:48 ` Edgecombe, Rick P
2026-02-12 14:35 ` [PATCH v4 20/24] x86/virt/tdx: Enable TDX Module runtime updates Chao Gao
2026-02-23 5:09 ` Huang, Kai
2026-02-24 6:02 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 21/24] x86/virt/tdx: Avoid updates during update-sensitive operations Chao Gao
2026-02-23 4:58 ` Huang, Kai
2026-02-26 3:02 ` Chao Gao
2026-02-26 6:34 ` dan.j.williams [this message]
2026-02-26 15:32 ` Chao Gao
2026-02-26 22:06 ` dan.j.williams
2026-02-12 14:35 ` [PATCH v4 22/24] coco/tdx-host: Document TDX Module update expectations Chao Gao
2026-02-12 21:59 ` dan.j.williams
2026-02-12 14:35 ` [PATCH v4 23/24] x86/virt/tdx: Document TDX Module updates Chao Gao
2026-03-04 23:49 ` Huang, Kai
2026-03-12 2:42 ` Edgecombe, Rick P
2026-02-12 14:35 ` [PATCH v4 24/24] [NOT-FOR-REVIEW] x86/virt/seamldr: Save and restore current VMCS Chao Gao
2026-03-11 12:50 ` Chao Gao
2026-03-11 22:06 ` Huang, Kai
2026-03-12 8:48 ` Chao Gao
2026-03-12 9:59 ` Huang, Kai
2026-03-12 15:26 ` Vishal Annapurve
2026-03-12 15:31 ` Dave Hansen
2026-02-12 14:46 ` [PATCH v4 00/24] Runtime TDX Module update support Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=699fe97dc212f_2f4a100b@dwillia2-mobl4.notmuch \
--to=dan.j.williams@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=bp@alien8.de \
--cc=chao.gao@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=ira.weiny@intel.com \
--cc=kai.huang@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nik.borisov@suse.com \
--cc=paulmck@kernel.org \
--cc=pbonzini@redhat.com \
--cc=reinette.chatre@intel.com \
--cc=rick.p.edgecombe@intel.com \
--cc=sagis@google.com \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=tony.lindgren@linux.intel.com \
--cc=vannapurve@google.com \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
--cc=yilun.xu@linux.intel.com \
--cc=zhenzhong.duan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox