Tags: jialeif/tdx-dcui
x86/tdx: Add vsock to TDX device filter's allow list

Vsock driver has been audited, add it to the allow list in the TDX device filter.

Signed-off-by: Alexander Shishkin <[email protected]>
Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>

x86/tdx: Port attestation changes from v5.17-rcx tree

Attestation driver has been modified in latest upstream version to adapt to GetQuote ABI changes in Guest-Host Communication Interface (GHCI) Specification, sec 3.3, titled "VP.VMCALL<GetQuote>". It also includes some changes related to upstream review.

Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>

KVM: x86: tdp_mmu: zap private GPA on mmu notifier

As page migration is supported for private GPA, on mmu notifier, the GPA can also be zapped. (present -> private_zapped or cleanly zapped). Remove/add drop_private argument from kvm_tdp_mmu_unmap_gfn_range() and make it always drop private GPA.

- Drop private page
  The flags of spte_private_zapped and spte_private_prohibit are also lost.
  When tearing down VM and memory slot operation(creation/move/deletion).
- Keep private page
  The flags of spte_private_zapped and spte_private_prohibit are also kept. The private page needs to be kept with spte_private_zapped flag. On next EPT-violation, the page will be migrated or unzapped.
  When mmu notifier for page migration/thp and large page recovery by kernel thread.

Signed-off-by: Isaku Yamahata <[email protected]>

[REVERTME] platform/x86: Fix deadlock issue in TDX_CMD_EXTEND_RTMR IOCTL

Currently for invalid rtmr values (0 or 1), we return -EINVAL directly without unlocking the &attestation_lock. This will lead to deadlock and prevent any further attestation IOCTLs from working. So instead of returning directly, use a break statement to exit the switch case with proper unlock logic.

Fixes: 41fe88a ("[REVERTME] platform/x86: Add RTMR update interface")
Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>

x86/apic: Do apic driver probe for "nosmp" use case

For the "nosmp" use case, APIC initialization code uses "APIC_SYMMETRIC_IO_NO_ROUTING" as a default interrupt mode. As per current design, APIC drivers are not probed (via default_setup_apic_routing()) for the above mentioned interrupt mode. Due to missing probe, later when local APIC is initialized (for x2APIC case), it leads to the null pointer exception due to missing allocation of "cluster_hotplug_mask" (aka 'cmsk'). This is observed in TDX platform where x2APIC is enabled and "nosmp" command line option is allowed.

To fix this issue, probe APIC drivers via default_setup_apic_routing() for the APIC_SYMMETRIC_IO_NO_ROUTING interrupt mode. This will make the code similar to APIC_SYMMETRIC_IO and APIC_VIRTUAL_WIRE interrupt modes. Since APIC_SYMMETRIC_IO_NO_ROUTING interrupt mode is in-between configuration between APIC_SYMMETRIC_IO and APIC_VIRTUAL_WIRE, making the code similar to them will not have any impact (other than just loading the apic drivers).

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 1 SMP NOPTI
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G Y 5.14.0-rc4-tdx-guest-v5.14-2-tdx-attest-y-vsockets+ #32
RIP: 0010:init_x2apic_ldr+0xaf/0xc0
Code: fb 76 65 8b 15 9a 88 fb 76 89 d2 f0 48 0f ab 50 08 5b 5d 41 5c 41 5d c3 48 8b 05 74 0d fe 02 48 c7 05 69 0d fe 02 00 00 00 00 <89> 18 eb c9 48 89 e8 eb c7 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RSP: 0000:ffffffff8ae03e48 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: fffffffffffffffe RSI: 0000000000000000 RDI: 0000000000000200
RBP: ffffffff8b7704a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000007 R12: 0000000000000001
R13: 0000000000017120 R14: ffffffff8ae13108 R15: ffffffff8aab7a20
FS: 0000000000000000(0000) GS:ffff976a37c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000017ae0c001 CR4: 00000000000606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
Call Trace:
 setup_local_APIC+0x9b/0x350
 ? printk+0x58/0x6f
 apic_intr_mode_init+0xe5/0x109
 x86_late_time_init+0x20/0x30
 start_kernel+0x5fb/0x6b9
 secondary_startup_64_no_verify+0xbf/0xcb
Modules linked in:
CR2: 0000000000000000
--[ end trace e82759a76de428f6 ]--
RIP: 0010:init_x2apic_ldr+0xaf/0xc0

Suggested-by: Kirill A. Shutemov <[email protected]>
Suggested-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>

x86/tdx: Initialize subvendor/subdevice in "authorize_allow_devs" parser

Currently when parsing PCI bus data in the "authorize_allow_devs" command line option, we only parse and initialize "vendor" and "device" data. But this logic is incorrect. For a PCI driver to probe the given device, "subdevice" and "subvendor" details also need to be initialized properly. So add relevant support.

Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>

x86/virt/tdx: Export information about the TDX module via sysfs

TDX requires a firmware, the TDX module, to be loaded and initialized. The TDX module comes with its attributes: vendor id, build date, build number, minor version, major version, etc. Export that information via sysfs for administrators or VM management software like libvirt.

Co-developed-by: Xiaoyao Li <[email protected]>
Signed-off-by: Xiaoyao Li <[email protected]>
Signed-off-by: Isaku Yamahata <[email protected]>