From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "seanjc@google.com" <seanjc@google.com>
Cc: "Huang, Kai" <kai.huang@intel.com>,
"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>,
"Li, Xiaoyao" <xiaoyao.li@intel.com>,
"Chatre, Reinette" <reinette.chatre@intel.com>,
"Zhao, Yan Y" <yan.y.zhao@intel.com>,
"tony.lindgren@linux.intel.com" <tony.lindgren@linux.intel.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"Yamahata, Isaku" <isaku.yamahata@intel.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"Hunter, Adrian" <adrian.hunter@intel.com>
Subject: Re: (Proposal) New TDX Global Metadata To Report FIXED0 and FIXED1 CPUID Bits
Date: Thu, 19 Dec 2024 17:52:56 +0000 [thread overview]
Message-ID: <a453369c6ef3a0f93376348a0c4a0bbfe1ea08e4.camel@intel.com> (raw)
In-Reply-To: <Z2OEQdxgLX0GM70n@google.com>
On Wed, 2024-12-18 at 18:33 -0800, Sean Christopherson wrote:
> > So that is how I arrived at that we need some list of host affecting bits to
> > verify match in the TD.
>
> At the end of the day, the list is going to be human-generated. For the UX
> side
> of things, it makes sense to push that responsibility to the TDX Module,
> because
> it should be trivially easy to derive from the source code.
The other reason to push it to the TDX module is because newly invented bits on
future CPUs can only be known by TDX Modules that start to use them.
[snip]
> >
> > There already is an interface to get CPUID bits (fixed and dynamic). But it
> > only
> > works after a TD is configured. So if we want to do extra verification or
> > adjustments, we could use it before entering the TD. Basically, if we delay
> > this
> > logic we don't need to wait for the fixed bit interface.
>
> Oh, yeah, that'd work. Grab the guest CPUID and then verify that bits KVM
> needs
> to be 0 (or 1) are set according, and WARN+kill if there's a mismatch.
>
> Honestly, I'd probably prefer that over using the fixed bit interface, as my
> gut
> says it's less likely for the TDX Module to misreport what CPUID it has
> created
> for the guest, than it is for the TDX module to generate a "fixed bits" list
> that
> doesn't match the code. E.g. KVM has (had?) more than a few CPUID features
> that
> KVM emulates without actually reporting support to userspace.
Ok, so we have a plan to:
1. Verify if there are more bits that affect host state
2. Encode this list in KVM for now
3. Check the bits match via the existing CPUID bit interface before the vCPU
enters the TD
Still to decide (not today):
I guess KVM=0,TDX=1 is the one to worry about, but might as well also check for
KVM=1,TDX=0. When KVM finds a conflict it must prevent entering the TD and
return an error to userspace. We could do this enforcement either on the first
enter, or with an additional per-vcpu "verify" ioctl.
We can take a look at the list of bits to decide. The current solution of
preventing configuration of the two known troublesome bits seems ok if that's
all.
next prev parent reply other threads:[~2024-12-19 17:53 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-06 2:42 (Proposal) New TDX Global Metadata To Report FIXED0 and FIXED1 CPUID Bits Xiaoyao Li
2024-12-06 18:41 ` Edgecombe, Rick P
2024-12-10 3:22 ` Xiaoyao Li
2024-12-10 17:45 ` Edgecombe, Rick P
2024-12-17 1:53 ` Sean Christopherson
2024-12-17 4:27 ` Xiaoyao Li
2024-12-17 21:31 ` Edgecombe, Rick P
2024-12-18 0:08 ` Sean Christopherson
2024-12-19 1:56 ` Edgecombe, Rick P
2024-12-19 2:33 ` Sean Christopherson
2024-12-19 17:52 ` Edgecombe, Rick P [this message]
2024-12-20 2:40 ` Xiaoyao Li
2024-12-20 16:59 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a453369c6ef3a0f93376348a0c4a0bbfe1ea08e4.camel@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=adrian.hunter@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=isaku.yamahata@intel.com \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=reinette.chatre@intel.com \
--cc=seanjc@google.com \
--cc=tony.lindgren@linux.intel.com \
--cc=xiaoyao.li@intel.com \
--cc=yan.y.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).