From: Chao Gao <chao.gao@intel.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Kiryl Shutsemau <kas@kernel.org>, <kvm@vger.kernel.org>,
<linux-coco@lists.linux.dev>, <linux-kernel@vger.kernel.org>,
<x86@kernel.org>, <vishal.l.verma@intel.com>,
<kai.huang@intel.com>, <dan.j.williams@intel.com>,
<yilun.xu@linux.intel.com>, <vannapurve@google.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
"Thomas Gleixner" <tglx@linutronix.de>
Subject: Re: [PATCH v2 0/3] Expose TDX Module version
Date: Tue, 6 Jan 2026 18:23:27 +0800 [thread overview]
Message-ID: <aVzinyLe5rxkJXUu@intel.com> (raw)
In-Reply-To: <d45cc504-509c-48a7-88e2-374e00068e79@intel.com>
>Generally, I find myself really wanting to know how this fits into the
>larger picture. Using this "faux" device really seems novel and
>TDX-specific. Should it be?
>
>What are other CPU vendors doing for this? SEV? CCA? S390? How are their
>firmware versions exposed? What about other things in the Intel world
>like CPU microcode or the billion other chunks of firmware? How about
>hypervisors? Do they expose their versions to guests with an explicit
>ABI? Are those exposed to userspace?
First I don't think we should expose TDX module version or hypervisor
version to guests. See my reply to Kirill.
Let me connect all the dots to explain why we use a "faux" device and expose
version information as device attributes.
Why add a device
================
SEV [1] employs a PCI device while CCA [2] adds a platform device. So, we add a
"virtual" device to represent TDX firmware. As illustrated in [3], the device
actually serves multiple purposes:
"""
Create a virtual device not only to align with other implementations but
also to make it easier to
- expose metadata (e.g., TDX module version, seamldr version etc) to
the userspace as device attributes
- implement firmware uploader APIs which are tied to a device. This is
needed to support TDX module runtime updates
- enable TDX Connect which will share a common infrastructure with other
platform implementations. In the TDX Connect context, every
architecture has a TSM, represented by a PCIe or virtual device. The
new "tdx_host" device will serve the TSM role.
"""
[1]: drivers/crypto/ccp/sev-dev.c
[2]: https://lore.kernel.org/all/20251208221319.1524888-5-vvidwans@nvidia.com/
[3]: https://lore.kernel.org/all/20251117022311.2443900-2-yilun.xu@linux.intel.com/
faux vs "virtual" device
========================
We previously implemented a virtual TDX device under /sys/devices/virtual/ but
it required creating a stub bus. As suggested by Dan, we switched to a faux
device to avoid this requirement.
The previous virtual device implementation was at:
https://lore.kernel.org/kvm/20250523095322.88774-5-chao.gao@intel.com/
As you can see from #LoC, the current tdx-host faux implementation is much
simpler:
before:
arch/x86/virt/vmx/tdx/tdx.c | 75 +++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
vs.
now:
drivers/virt/coco/Kconfig | 2 ++
drivers/virt/coco/tdx-host/Kconfig | 10 +++++++
drivers/virt/coco/Makefile | 1 +
drivers/virt/coco/tdx-host/Makefile | 1 +
drivers/virt/coco/tdx-host/tdx-host.c | 41 +++++++++++++++++++++++++++
5 files changed, 55 insertions(+)
Why expose version to userspace
===============================
SEV doesn't expose its API version (which I assume is the counterpart of TDX
module version, since it doesn't have a firmware version concept) to userspace
but only prints it in dmesg.
TDX Module version is exposed to userspace because:
1. For debugging purposes, the version will be available to userspace even if
dmesg logs are cleared. Like microcode version, it's printed in dmesg and
also readable from CPU virtual device attributes.
2. A userspace tool needs to read the current module version to select
compatible module versions for updates. This is a unique requirement of TDX.
Why expose version as device attribute
======================================
Once we have a virtual device to represent TDX firmware, using device
attributes is the natural choice. microcode version is exposed in a similar
way.
>
>For instance, I hear a lot of talk about updating the TDX module. But is
>this interface consistent with doing updates? Long term, I was hoping
>that TDX firmware could get treated like any other blob of modern
>firmware and have fwupd manage it, so I asked:
TDX module updates implement the firmware_upload API [*], just like NVMe firmware
updates and FPGA firmware updates. This results in them exposing similar uABIs
to userspace. If NVMe firmware or FPGA firmware can be supported by fwupd, it
shouldn't be difficult to have fwupd manage TDX modules as well.
[*]: https://docs.kernel.org/driver-api/firmware/fw_upload.html
>
> https://chatgpt.com/share/695be06c-3d40-8012-97c9-2089fc33cbb3
>
>My read on your approach here is that our new LLM overlords might
>consider it the "last resort".
The "last resort" in the above link refers to ACPI tables or WMI methods. But
IIUC, my approach here is the most common approach for non-UEFI firmware -
"sysfs devices", i.e.,
: Kernel dev takeaway
: - Make it a proper kernel device
: - Expose a stable firmware version attribute
: - Expose a way to trigger update (even if it’s just “write blob, reboot”)
Is there anything I misunderstood?
next prev parent reply other threads:[~2026-01-06 10:23 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-05 7:43 [PATCH v2 0/3] Expose TDX Module version Chao Gao
2026-01-05 7:43 ` [PATCH v2 1/3] x86/virt/tdx: Retrieve " Chao Gao
2026-01-05 7:43 ` [PATCH v2 2/3] coco/tdx-host: Expose " Chao Gao
2026-01-05 7:43 ` [PATCH v2 3/3] x86/virt/tdx: Print TDX Module version during init Chao Gao
2026-01-05 10:38 ` [PATCH v2 0/3] Expose TDX Module version Kiryl Shutsemau
2026-01-05 16:04 ` Dave Hansen
2026-01-05 17:04 ` Kiryl Shutsemau
2026-01-05 17:19 ` Dave Hansen
2026-01-05 18:03 ` Kiryl Shutsemau
2026-01-07 21:34 ` dan.j.williams
2026-01-07 22:26 ` Dave Hansen
2026-01-06 10:23 ` Chao Gao [this message]
2026-01-06 16:37 ` Dave Hansen
2026-01-06 6:47 ` Chao Gao
2026-01-06 9:17 ` Nikolay Borisov
2026-01-06 11:19 ` Kiryl Shutsemau
2026-01-06 13:31 ` Chao Gao
2026-01-07 0:36 ` dan.j.williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aVzinyLe5rxkJXUu@intel.com \
--to=chao.gao@intel.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kai.huang@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=vannapurve@google.com \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
--cc=yilun.xu@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox