From: Chao Gao <chao.gao@intel.com>
To: "Huang, Kai" <kai.huang@intel.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"tony.lindgren@linux.intel.com" <tony.lindgren@linux.intel.com>,
"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>,
"seanjc@google.com" <seanjc@google.com>,
"kas@kernel.org" <kas@kernel.org>,
"Chatre, Reinette" <reinette.chatre@intel.com>,
"Verma, Vishal L" <vishal.l.verma@intel.com>,
"nik.borisov@suse.com" <nik.borisov@suse.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"Weiny, Ira" <ira.weiny@intel.com>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"Annapurve, Vishal" <vannapurve@google.com>,
"sagis@google.com" <sagis@google.com>,
"Duan, Zhenzhong" <zhenzhong.duan@intel.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"paulmck@kernel.org" <paulmck@kernel.org>,
"tglx@kernel.org" <tglx@kernel.org>,
"yilun.xu@linux.intel.com" <yilun.xu@linux.intel.com>,
"Williams, Dan J" <dan.j.williams@intel.com>,
"bp@alien8.de" <bp@alien8.de>
Subject: Re: [PATCH v4 21/24] x86/virt/tdx: Avoid updates during update-sensitive operations
Date: Thu, 26 Feb 2026 11:02:44 +0800 [thread overview]
Message-ID: <aZ+31DJr0cI7v8C9@intel.com> (raw)
In-Reply-To: <a0a5301140be5a3d944b1c91914b93017af026fb.camel@intel.com>
>> int tdx_module_shutdown(void)
>> {
>> struct tdx_module_args args = {};
>> - int ret, cpu;
>> + u64 ret;
>> + int cpu;
>>
>> /*
>> * Shut down the TDX Module and prepare handoff data for the next
>> @@ -1189,9 +1192,21 @@ int tdx_module_shutdown(void)
>> * modules as new modules likely have higher handoff version.
>> */
>> args.rcx = tdx_sysinfo.handoff.module_hv;
>> - ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
>> - if (ret)
>> - return ret;
>> +
>> + if (tdx_supports_update_compatibility(&tdx_sysinfo))
>> + args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;
>> +
>> + ret = seamcall(TDH_SYS_SHUTDOWN, &args);
>> +
>> + /*
>> + * Return -EBUSY to signal that there is one or more ongoing flows
>> + * which may not be compatible with an updated TDX module, so that
>> + * userspace can retry on this error.
>> + */
>> + if ((ret & TDX_SEAMCALL_STATUS_MASK) == TDX_UPDATE_COMPAT_SENSITIVE)
>> + return -EBUSY;
>> + else if (ret)
>> + return -EIO;
>>
>
>The changelog says "doing nothing" isn't an option, and we need to depend on
>TDH.SYS.SHUTDOWN to catch such incompatibilities.
>
>To me this means we cannot support module update if TDH.SYS.SHUTDOWN doesn't
>support this "AVOID_COMPAT_SENSITIVE" feature, because w/o it we cannot tell
>whether the update is happening during any sensitive operation.
>
Good point.
I'm fine with disabling updates in this case. The only concern is that it would
block even perfectly compatible updates, but this only impacts a few older
modules, so it shouldn't be a big problem. And the value of supporting old
modules will also diminish over time.
But IMO, the kernel's incompatibility check is intentionally best effort, not a
guarantee. For example, the kernel doesn't verify if the module update is
compatible with the CPU or P-SEAMLDR. So non-compatible updates may slip through
anyway, and the expectation for users is "run non-compatible updates at their
own risk". Given this, allowing updates when one incompatibility check is
not supported (i.e., AVOID_COMPAT_SENSITIVE) is also acceptable. At minimum,
users can choose not to perform updates if the module lacks
AVOID_COMPAT_SENSITIVE support.
I'm fine with either approach, but slightly prefer disabling updates in
this case. Let's see if anyone has strong opinions on this.
next prev parent reply other threads:[~2026-02-26 3:03 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-12 14:35 [PATCH v4 00/24] Runtime TDX Module update support Chao Gao
2026-02-12 14:35 ` [PATCH v4 01/24] x86/virt/tdx: Move low level SEAMCALL helpers out of <asm/tdx.h> Chao Gao
2026-03-02 12:24 ` Chao Gao
2026-03-05 9:24 ` Binbin Wu
2026-02-12 14:35 ` [PATCH v4 02/24] coco/tdx-host: Introduce a "tdx_host" device Chao Gao
2026-02-20 0:15 ` Huang, Kai
2026-02-24 1:11 ` Chao Gao
2026-03-05 9:25 ` Binbin Wu
2026-03-06 2:13 ` Chao Gao
2026-03-06 4:17 ` Dave Hansen
2026-03-06 5:12 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 03/24] coco/tdx-host: Expose TDX Module version Chao Gao
2026-02-20 0:40 ` Huang, Kai
2026-02-24 2:02 ` Chao Gao
2026-02-24 10:18 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 04/24] x86/virt/seamldr: Introduce a wrapper for P-SEAMLDR SEAMCALLs Chao Gao
2026-02-20 1:12 ` Huang, Kai
2026-02-24 2:31 ` Chao Gao
2026-02-24 10:25 ` Huang, Kai
2026-03-12 20:15 ` Dave Hansen
2026-03-05 9:51 ` Binbin Wu
2026-03-12 20:14 ` Dave Hansen
2026-03-13 8:02 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 05/24] x86/virt/seamldr: Retrieve P-SEAMLDR information Chao Gao
2026-02-20 9:36 ` Huang, Kai
2026-02-24 2:59 ` Chao Gao
2026-02-24 10:30 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 06/24] coco/tdx-host: Expose P-SEAMLDR information via sysfs Chao Gao
2026-03-06 9:29 ` Binbin Wu
2026-02-12 14:35 ` [PATCH v4 07/24] coco/tdx-host: Implement firmware upload sysfs ABI for TDX Module updates Chao Gao
2026-02-27 3:30 ` Xu Yilun
2026-02-27 4:36 ` Xu Yilun
2026-03-10 2:31 ` Yan Zhao
2026-03-12 20:20 ` Dave Hansen
2026-03-13 8:28 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 08/24] x86/virt/seamldr: Block TDX Module updates if any CPU is offline Chao Gao
2026-03-05 7:02 ` Huang, Kai
2026-03-12 20:20 ` Dave Hansen
2026-03-13 8:17 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 09/24] x86/virt/seamldr: Check update limit before TDX Module updates Chao Gao
2026-03-05 4:09 ` Xu Yilun
2026-03-05 7:04 ` Huang, Kai
2026-03-12 2:35 ` Yan Zhao
2026-03-12 14:13 ` Chao Gao
2026-03-12 19:21 ` Edgecombe, Rick P
2026-03-12 20:23 ` Dave Hansen
2026-03-13 8:32 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 10/24] x86/virt/seamldr: Allocate and populate a module update request Chao Gao
2026-02-19 22:31 ` Huang, Kai
2026-02-24 5:15 ` Chao Gao
2026-02-24 10:46 ` Huang, Kai
2026-03-05 4:12 ` Xu Yilun
2026-03-12 2:32 ` Yan Zhao
2026-03-12 14:36 ` Chao Gao
2026-03-12 16:56 ` Edgecombe, Rick P
2026-03-13 12:16 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 11/24] x86/virt/seamldr: Introduce skeleton for TDX Module updates Chao Gao
2026-02-23 9:25 ` Huang, Kai
2026-02-24 6:00 ` Chao Gao
2026-02-24 10:49 ` Huang, Kai
2026-03-12 2:00 ` Edgecombe, Rick P
2026-03-12 14:09 ` Chao Gao
2026-03-12 18:05 ` Edgecombe, Rick P
2026-03-13 13:54 ` Chao Gao
2026-03-13 17:43 ` Edgecombe, Rick P
2026-03-12 20:40 ` Dave Hansen
2026-03-13 12:15 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 12/24] x86/virt/seamldr: Abort updates if errors occurred midway Chao Gao
2026-03-04 22:38 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 13/24] x86/virt/seamldr: Shut down the current TDX module Chao Gao
2026-03-04 22:59 ` Huang, Kai
2026-03-06 8:14 ` Chao Gao
2026-03-12 2:34 ` Edgecombe, Rick P
2026-03-05 4:14 ` Xu Yilun
2026-03-12 2:17 ` Edgecombe, Rick P
2026-03-12 2:57 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 14/24] x86/virt/tdx: Reset software states during TDX Module shutdown Chao Gao
2026-03-04 23:06 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 15/24] x86/virt/seamldr: Log TDX Module update failures Chao Gao
2026-03-04 23:08 ` Huang, Kai
2026-03-05 4:18 ` Xu Yilun
2026-02-12 14:35 ` [PATCH v4 16/24] x86/virt/seamldr: Install a new TDX Module Chao Gao
2026-03-04 23:17 ` Huang, Kai
2026-03-05 4:22 ` Xu Yilun
2026-02-12 14:35 ` [PATCH v4 17/24] x86/virt/seamldr: Do TDX per-CPU initialization after updates Chao Gao
2026-03-04 23:18 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 18/24] x86/virt/tdx: Restore TDX Module state Chao Gao
2026-03-04 23:24 ` Huang, Kai
2026-02-12 14:35 ` [PATCH v4 19/24] x86/virt/tdx: Update tdx_sysinfo and check features post-update Chao Gao
2026-03-04 23:40 ` Huang, Kai
2026-03-06 8:32 ` Chao Gao
2026-03-06 9:35 ` Huang, Kai
2026-03-12 18:48 ` Edgecombe, Rick P
2026-02-12 14:35 ` [PATCH v4 20/24] x86/virt/tdx: Enable TDX Module runtime updates Chao Gao
2026-02-23 5:09 ` Huang, Kai
2026-02-24 6:02 ` Chao Gao
2026-02-12 14:35 ` [PATCH v4 21/24] x86/virt/tdx: Avoid updates during update-sensitive operations Chao Gao
2026-02-23 4:58 ` Huang, Kai
2026-02-26 3:02 ` Chao Gao [this message]
2026-02-26 6:34 ` dan.j.williams
2026-02-26 15:32 ` Chao Gao
2026-02-26 22:06 ` dan.j.williams
2026-02-12 14:35 ` [PATCH v4 22/24] coco/tdx-host: Document TDX Module update expectations Chao Gao
2026-02-12 21:59 ` dan.j.williams
2026-02-12 14:35 ` [PATCH v4 23/24] x86/virt/tdx: Document TDX Module updates Chao Gao
2026-03-04 23:49 ` Huang, Kai
2026-03-12 2:42 ` Edgecombe, Rick P
2026-02-12 14:35 ` [PATCH v4 24/24] [NOT-FOR-REVIEW] x86/virt/seamldr: Save and restore current VMCS Chao Gao
2026-03-11 12:50 ` Chao Gao
2026-03-11 22:06 ` Huang, Kai
2026-03-12 8:48 ` Chao Gao
2026-03-12 9:59 ` Huang, Kai
2026-03-12 15:26 ` Vishal Annapurve
2026-03-12 15:31 ` Dave Hansen
2026-02-12 14:46 ` [PATCH v4 00/24] Runtime TDX Module update support Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZ+31DJr0cI7v8C9@intel.com \
--to=chao.gao@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=ira.weiny@intel.com \
--cc=kai.huang@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nik.borisov@suse.com \
--cc=paulmck@kernel.org \
--cc=pbonzini@redhat.com \
--cc=reinette.chatre@intel.com \
--cc=rick.p.edgecombe@intel.com \
--cc=sagis@google.com \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=tony.lindgren@linux.intel.com \
--cc=vannapurve@google.com \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
--cc=yilun.xu@linux.intel.com \
--cc=zhenzhong.duan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox