On 8/30/2022 4:57 PM, Binbin Wu wrote:
On 2022/8/30 3:09, Isaku Yamahata wrote:
+}
+
+static int tdx_reclaim_page(unsigned long va, hpa_t pa, bool do_wb,
u16 hkid)
+{
+ struct tdx_module_output out;
+ u64 err;
+
+ err = tdh_phymem_page_reclaim(pa, &out);
+ if (WARN_ON_ONCE(err)) {
+ pr_tdx_error(TDH_PHYMEM_PAGE_RECLAIM, err, &out);
+ return -EIO;
+ }
+
+ if (do_wb) {
+ err = tdh_phymem_page_wbinvd(set_hkid_to_hpa(pa, hkid));
+ if (WARN_ON_ONCE(err)) {
+ pr_tdx_error(TDH_PHYMEM_PAGE_WBINVD, err, NULL);
+ return -EIO;
+ }
+ }
+
+ tdx_clear_page(va);
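
Review bot: in tdx_reclaim_page(), the error return after a failed tdh_phymem_page_wbinvd() leaves the function once tdh_phymem_page_reclaim() has already succeeded but before tdx_clear_page(va) has run, and it uses the same -EIO as a failed reclaim, so a caller cannot tell which of the two states the page is in. Please document on the function what a caller may do with the page after an error (for example, that it must not be handed back to the host allocator), or return distinct error codes for the two paths. A short comment above tdx_clear_page(va) saying why the clear is required after a reclaim would also help a reader of this call site.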

Is it really necessary to clear the reclaimed page using MOVDIR64B?
According to the TDX module spec, when adding a page to a TD, both for control structures and TD private memory, during the process some function of the TDX module will initialize the page using the binding hkid and direct write (MOVDIR64B).
So do we still need to clear the page using direct write to avoid an integrity error when re-assigning one page from an old keyid to a new keyid, as you mentioned in the comment?

Yes. As you described above, the TDX module does so when assigning a page to a private hkid, i.e. TDH.MEM.PAGE.{ADD, AUG}. But when re-assigning a page from an old private hkid to a new _shared_ hkid, i.e. TDH.MEM.PAGE.REMOVE or TDH.PHYMEM.PAGE.RECLAIM, the TDX module doesn't.

Is the reason you added the tdx_clear_page() here due to the description in 1.3.1 of Intel CPU Architectural Extensions Specification for TDX (343754-002US)?

No. The purpose of tdx_clear_page() is to update the HKID associated with the memory to 0. Otherwise the page cannot be used for host/KVM, because the cacheline is still associated with a TD HKID, and it will get a TD-bit mismatch when the host accesses it without MOVDIR64B to update the HKID.

The description is as follows:
"MKTME on an SOC that supports SEAM might support an integrity protected, memory encryption mode. When using keys with integrity enabled, the MKTME associates a message authentication code (MAC) with each cache line. By design, when reading a cache line using a KeyID with integrity enabled, if the MAC stored in the metadata does not match the MAC regenerated by the MKTME, then the cache line is marked poisoned to prevent the data from being consumed. Integrity protected memory must be initialized before being read, and such initialization must be performed using 64-bytes direct-store with 64-byte write atomicity using the MOVDIR64B instruction"
Actually I have a question about the description: must the initialization using MOVDIR64B be associated with the corresponding hkid?

MOVDIR64B is just an instruction to write memory. What HKID is used depends on your purpose. When the TDX module tries to initialize the private memory for TDs, the TD's HKID is embedded into the PA. When the host kernel/KVM tries to reclaim the memory from a TD, it needs to embed HKID 0 into the PA to clear the page.
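
The point made in the thread (a line stays tied to the KeyID it was last initialized with until it is rewritten in full under another KeyID) can be followed in a small user-space model. This is an added example, not code from the patch or from anyone in the thread; the struct, the function names and the KeyID bit position (46) are assumptions for illustration, and it does not execute MOVDIR64B or model real MKTME hardware.

```c
#include <stdint.h>
#include <string.h>

#define LINE_SZ     64
#define PAGE_SZ     4096
#define KEYID_SHIFT 46 /* assumption: KeyID occupies PA bits 46 and up */

/* Toy model of one page: data plus the KeyID tag of each 64-byte line. */
struct model_page {
	uint8_t  data[PAGE_SZ];
	uint16_t tag[PAGE_SZ / LINE_SZ];
};

/* Embed a KeyID into the upper bits of a physical address. */
static uint64_t pa_with_keyid(uint64_t pa, uint16_t keyid)
{
	return pa | ((uint64_t)keyid << KEYID_SHIFT);
}

/* Full-line direct store: replaces the data and re-tags the line. */
static void direct_store64(struct model_page *p, uint64_t pa, const uint8_t *src)
{
	unsigned int line = (pa & (PAGE_SZ - 1)) / LINE_SZ;

	memcpy(&p->data[line * LINE_SZ], src, LINE_SZ);
	p->tag[line] = (uint16_t)(pa >> KEYID_SHIFT);
}

/* Load one byte; returns -1 when the PA's KeyID does not match the line's tag. */
static int load_byte(const struct model_page *p, uint64_t pa, uint8_t *out)
{
	unsigned int off = pa & (PAGE_SZ - 1);

	if (p->tag[off / LINE_SZ] != (uint16_t)(pa >> KEYID_SHIFT))
		return -1;
	*out = p->data[off];
	return 0;
}

/* Rewrite every line with zeros under keyid (0 models the host KeyID). */
static void clear_page_with_keyid(struct model_page *p, uint16_t keyid)
{
	static const uint8_t zero[LINE_SZ];

	for (uint64_t off = 0; off < PAGE_SZ; off += LINE_SZ)
		direct_store64(p, pa_with_keyid(off, keyid), zero);
}
```

In the model, a page written under KeyID 5 fails every load issued with KeyID 0 until clear_page_with_keyid(&page, 0) has rewritten all 64 lines, which is the role the thread assigns to tdx_clear_page().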