TDX supports shutting down the TDX module at any time during its lifetime. After the module is shut down, no further TDX module SEAMCALL leaf functions can be made to the module on any logical cpu. Shut down the TDX module in case of any error during the initialization process. It's pointless to leave the TDX module in some middle state. Shutting down the TDX module requires calling TDH.SYS.LP.SHUTDOWN on all BIOS-enabled CPUs, and the SEMACALL can run concurrently on different CPUs. Implement a mechanism to run SEAMCALL concurrently on all online CPUs and use it to shut down the module. Later logical-cpu scope module initialization will use it too. Also add a wrapper of __seamcall() which additionally prints out the error information if SEAMCALL fails. It will be useful during the TDX module initialization as it provides more error information to the user. SEAMCALL instruction causes #UD if CPU is not in VMX operation (VMXON has been done). So far only KVM supports VMXON. It guarantees all online CPUs are in VMX operation when there's any VM still exists. As so far KVM is also the only user of TDX, choose to just let the caller to guarantee all CPUs are in VMX operation during tdx_init(). Adding the support of VMXON/VMXOFF to the core kernel isn't trivial. In the long term, more kernel components will likely need to use TDX so a reference-based approach to do VMXON/VMXOFF will likely be needed. Signed-off-by: Kai Huang <kai.huang@xxxxxxxxx> --- - v3 -> v5 (no feedback on v4): - Added a wrapper of __seamcall() to print error code if SEAMCALL fails. - Made the seamcall_on_each_cpu() void. - Removed 'seamcall_ret' and 'tdx_module_out' from 'struct seamcall_ctx', as they must be local variable. - Added the comments to tdx_init() and one paragraph to changelog to explain the caller should handle VMXON. - Called out after shut down, no "TDX module" SEAMCALL can be made. --- arch/x86/virt/vmx/tdx/tdx.c | 65 ++++++++++++++++++++++++++++++++++++- arch/x86/virt/vmx/tdx/tdx.h | 5 +++ 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c index 1f9d8108eeea..31ce4522100a 100644 --- a/arch/x86/virt/vmx/tdx/tdx.c +++ b/arch/x86/virt/vmx/tdx/tdx.c @@ -13,6 +13,8 @@ #include <linux/mutex.h> #include <linux/cpu.h> #include <linux/cpumask.h> +#include <linux/smp.h> +#include <linux/atomic.h> #include <asm/cpufeatures.h> #include <asm/cpufeature.h> #include <asm/msr-index.h> @@ -123,6 +125,61 @@ static int __init tdx_early_detect(void) } early_initcall(tdx_early_detect); +/* + * Data structure to make SEAMCALL on multiple CPUs concurrently. + * @err is set to -EFAULT when SEAMCALL fails on any cpu. + */ +struct seamcall_ctx { + u64 fn; + u64 rcx; + u64 rdx; + u64 r8; + u64 r9; + atomic_t err; +}; + +/* + * Wrapper of __seamcall(). It additionally prints out the error + * informationi if __seamcall() fails normally. It is useful during + * the module initialization by providing more information to the user. + */ +static u64 seamcall(u64 fn, u64 rcx, u64 rdx, u64 r8, u64 r9, + struct tdx_module_output *out) +{ + u64 ret; + + ret = __seamcall(fn, rcx, rdx, r8, r9, out); + if (ret == TDX_SEAMCALL_VMFAILINVALID || !ret) + return ret; + + pr_err("SEAMCALL failed: leaf: 0x%llx, error: 0x%llx\n", fn, ret); + if (out) + pr_err("SEAMCALL additional output: rcx 0x%llx, rdx 0x%llx, r8 0x%llx, r9 0x%llx, r10 0x%llx, r11 0x%llx.\n", + out->rcx, out->rdx, out->r8, out->r9, out->r10, out->r11); + + return ret; +} + +static void seamcall_smp_call_function(void *data) +{ + struct seamcall_ctx *sc = data; + struct tdx_module_output out; + u64 ret; + + ret = seamcall(sc->fn, sc->rcx, sc->rdx, sc->r8, sc->r9, &out); + if (ret) + atomic_set(&sc->err, -EFAULT); +} + +/* + * Call the SEAMCALL on all online CPUs concurrently. Caller to check + * @sc->err to determine whether any SEAMCALL failed on any cpu. + */ +static void seamcall_on_each_cpu(struct seamcall_ctx *sc) +{ + on_each_cpu(seamcall_smp_call_function, sc, true); +} + /* * Detect and initialize the TDX module. * @@ -138,7 +195,10 @@ static int init_tdx_module(void) static void shutdown_tdx_module(void) { - /* TODO: Shut down the TDX module */ + struct seamcall_ctx sc = { .fn = TDH_SYS_LP_SHUTDOWN }; + + seamcall_on_each_cpu(&sc); + tdx_module_status = TDX_MODULE_SHUTDOWN; } @@ -221,6 +281,9 @@ bool platform_tdx_enabled(void) * CPU hotplug is temporarily disabled internally to prevent any cpu * from going offline. * + * Caller also needs to guarantee all CPUs are in VMX operation during + * this function, otherwise Oops may be triggered. + * * This function can be called in parallel by multiple callers. * * Return: diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h index f1a2dfb978b1..95d4eb884134 100644 --- a/arch/x86/virt/vmx/tdx/tdx.h +++ b/arch/x86/virt/vmx/tdx/tdx.h @@ -46,6 +46,11 @@ #define TDX_KEYID_NUM(_keyid_part) ((u32)((_keyid_part) >> 32)) +/* + * TDX module SEAMCALL leaf functions + */ +#define TDH_SYS_LP_SHUTDOWN 44 + /* * Do not put any hardware-defined TDX structure representations below this * comment! -- 2.36.1