On Wed, 2022-11-30 at 11:35 +0800, Binbin Wu wrote: > On 11/21/2022 8:26 AM, Kai Huang wrote: > > After the array of TDMRs and the global KeyID are configured to the TDX > > module, use TDH.SYS.KEY.CONFIG to configure the key of the global KeyID > > on all packages. > > > > TDH.SYS.KEY.CONFIG must be done on one (any) cpu for each package. And > > it cannot run concurrently on different CPUs. Implement a helper to > > run SEAMCALL on one cpu for each package one by one, and use it to > > configure the global KeyID on all packages. > > > > Intel hardware doesn't guarantee cache coherency across different > > KeyIDs. The kernel needs to flush PAMT's dirty cachelines (associated > > with KeyID 0) before the TDX module uses the global KeyID to access the > > PAMT. Following the TDX module specification, flush cache before > > configuring the global KeyID on all packages. > > > > Given the PAMT size can be large (~1/256th of system RAM), just use > > WBINVD on all CPUs to flush. > > > > Note if any TDH.SYS.KEY.CONFIG fails, the TDX module may already have > > used the global KeyID to write any PAMT. Therefore, need to use WBINVD > > to flush cache before freeing the PAMTs back to the kernel. Note using > > MOVDIR64B (which changes the page's associated KeyID from the old TDX > > private KeyID back to KeyID 0, which is used by the kernel) > > It seems not accurate to say MOVDIR64B changes the page's associated KeyID. > It just uses the current KeyID for memory operations. The "write" to the memory changes the page's associated KeyID to the KeyID that does the "write". A more accurate expression perhaps should be MOVDIR64B + MFENSE, but I think it doesn't matter in changelog. > > > > to clear > > PMATs isn't needed, as the KeyID 0 doesn't support integrity check. > > For integrity check, is KeyID 0 special or it just has the same behavior > as non-zero shared KeyID (if any)? KeyID 0 is TME KeyID. It is special. Hardware treats the KeyID 0 differently. > > By saying "KeyID 0 doesn't support integrity check", is it because of > the implementation of this patch set or hardware behavior? It's hardware behaviour. > > According to Architecure Specification 1.0 of TDX Module (344425-004US), > shared KeyID could also enable integrity check. > KeyID 0 is different from non-0 MKTME shared KeyID. For example, you cannot do PCONFIG on KeyID 0.
