On 25.08.23 г. 15:14 ч., Kai Huang wrote:
To enable TDX the kernel needs to initialize TDX from two perspectives:
1) Do a set of SEAMCALLs to initialize the TDX module to make it ready
to create and run TDX guests; 2) Do the per-cpu initialization SEAMCALL
on one logical cpu before the kernel wants to make any other SEAMCALLs
on that cpu (including those involved during module initialization and
running TDX guests).
The TDX module can be initialized only once in its lifetime. Instead
of always initializing it at boot time, this implementation chooses an
"on demand" approach to initialize TDX until there is a real need (e.g
when requested by KVM). This approach has below pros:
1) It avoids consuming the memory that must be allocated by kernel and
given to the TDX module as metadata (~1/256th of the TDX-usable memory),
and also saves the CPU cycles of initializing the TDX module (and the
metadata) when TDX is not used at all.
2) The TDX module design allows it to be updated while the system is
running. The update procedure shares quite a few steps with this "on
demand" initialization mechanism. The hope is that much of "on demand"
mechanism can be shared with a future "update" mechanism. A boot-time
TDX module implementation would not be able to share much code with the
update mechanism.
3) Making SEAMCALL requires VMX to be enabled. Currently, only the KVM
code mucks with VMX enabling. If the TDX module were to be initialized
separately from KVM (like at boot), the boot code would need to be
taught how to muck with VMX enabling and KVM would need to be taught how
to cope with that. Making KVM itself responsible for TDX initialization
lets the rest of the kernel stay blissfully unaware of VMX.
Similar to module initialization, also make the per-cpu initialization
"on demand" as it also depends on VMX being enabled.
Add two functions, tdx_enable() and tdx_cpu_enable(), to enable the TDX
module and enable TDX on local cpu respectively. For now tdx_enable()
is a placeholder. The TODO list will be pared down as functionality is
added.
Export both tdx_cpu_enable() and tdx_enable() for KVM use.
In tdx_enable() use a state machine protected by mutex to make sure the
initialization will only be done once, as tdx_enable() can be called
multiple times (i.e. KVM module can be reloaded) and may be called
concurrently by other kernel components in the future.
The per-cpu initialization on each cpu can only be done once during the
module's life time. Use a per-cpu variable to track its status to make
sure it is only done once in tdx_cpu_enable().
Also, a SEAMCALL to do TDX module global initialization must be done
once on any logical cpu before any per-cpu initialization SEAMCALL. Do
it inside tdx_cpu_enable() too (if hasn't been done).
tdx_enable() can potentially invoke SEAMCALLs on any online cpus. The
per-cpu initialization must be done before those SEAMCALLs are invoked
on some cpu. To keep things simple, in tdx_cpu_enable(), always do the
per-cpu initialization regardless of whether the TDX module has been
initialized or not. And in tdx_enable(), don't call tdx_cpu_enable()
but assume the caller has disabled CPU hotplug, done VMXON and
tdx_cpu_enable() on all online cpus before calling tdx_enable().
Signed-off-by: Kai Huang <kai.huang@xxxxxxxxx>
---
v12 -> v13:
- Made tdx_cpu_enable() always be called with IRQ disabled via IPI
funciton call (Peter, Kirill).
v11 -> v12:
- Simplified TDX module global init and lp init status tracking (David).
- Added comment around try_init_module_global() for using
raw_spin_lock() (Dave).
- Added one sentence to changelog to explain why to expose tdx_enable()
and tdx_cpu_enable() (Dave).
- Simplifed comments around tdx_enable() and tdx_cpu_enable() to use
lockdep_assert_*() instead. (Dave)
- Removed redundent "TDX" in error message (Dave).
v10 -> v11:
- Return -NODEV instead of -EINVAL when CONFIG_INTEL_TDX_HOST is off.
- Return the actual error code for tdx_enable() instead of -EINVAL.
- Added Isaku's Reviewed-by.
v9 -> v10:
- Merged the patch to handle per-cpu initialization to this patch to
tell the story better.
- Changed how to handle the per-cpu initialization to only provide a
tdx_cpu_enable() function to let the user of TDX to do it when the
user wants to run TDX code on a certain cpu.
- Changed tdx_enable() to not call cpus_read_lock() explicitly, but
call lockdep_assert_cpus_held() to assume the caller has done that.
- Improved comments around tdx_enable() and tdx_cpu_enable().
- Improved changelog to tell the story better accordingly.
v8 -> v9:
- Removed detailed TODO list in the changelog (Dave).
- Added back steps to do module global initialization and per-cpu
initialization in the TODO list comment.
- Moved the 'enum tdx_module_status_t' from tdx.c to local tdx.h
v7 -> v8:
- Refined changelog (Dave).
- Removed "all BIOS-enabled cpus" related code (Peter/Thomas/Dave).
- Add a "TODO list" comment in init_tdx_module() to list all steps of
initializing the TDX Module to tell the story (Dave).
- Made tdx_enable() unverisally return -EINVAL, and removed nonsense
comments (Dave).
- Simplified __tdx_enable() to only handle success or failure.
- TDX_MODULE_SHUTDOWN -> TDX_MODULE_ERROR
- Removed TDX_MODULE_NONE (not loaded) as it is not necessary.
- Improved comments (Dave).
- Pointed out 'tdx_module_status' is software thing (Dave).
v6 -> v7:
- No change.
v5 -> v6:
- Added code to set status to TDX_MODULE_NONE if TDX module is not
loaded (Chao)
- Added Chao's Reviewed-by.
- Improved comments around cpus_read_lock().
- v3->v5 (no feedback on v4):
- Removed the check that SEAMRR and TDX KeyID have been detected on
all present cpus.
- Removed tdx_detect().
- Added num_online_cpus() to MADT-enabled CPUs check within the CPU
hotplug lock and return early with error message.
- Improved dmesg printing for TDX module detection and initialization.
---
arch/x86/include/asm/tdx.h | 4 +
arch/x86/virt/vmx/tdx/tdx.c | 157 ++++++++++++++++++++++++++++++++++++
arch/x86/virt/vmx/tdx/tdx.h | 30 +++++++
3 files changed, 191 insertions(+)
create mode 100644 arch/x86/virt/vmx/tdx/tdx.h
diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index 3b248c94a4a4..fce7abc99bf5 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -111,8 +111,12 @@ u64 __seamcall_saved_ret(u64 fn, struct tdx_module_args *args);
SEAMCALL_NO_ENTROPY_RETRY(__seamcall_saved_ret, (__fn), (__args))
bool platform_tdx_enabled(void);
+int tdx_cpu_enable(void);
+int tdx_enable(void);
#else
static inline bool platform_tdx_enabled(void) { return false; }
+static inline int tdx_cpu_enable(void) { return -ENODEV; }
+static inline int tdx_enable(void) { return -ENODEV; }
#endif /* CONFIG_INTEL_TDX_HOST */
#endif /* !__ASSEMBLY__ */
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index bb63cb7361c8..898523d8b8b0 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -12,9 +12,14 @@
#include <linux/init.h>
#include <linux/errno.h>
#include <linux/printk.h>
+#include <linux/cpu.h>
+#include <linux/spinlock.h>
+#include <linux/percpu-defs.h>
+#include <linux/mutex.h>
#include <asm/msr-index.h>
#include <asm/msr.h>
#include <asm/tdx.h>
+#include "tdx.h"
#define seamcall_err(__fn, __err, __args, __prerr_func) \
__prerr_func("SEAMCALL (0x%llx) failed: 0x%llx\n", \
@@ -104,6 +109,158 @@ static u32 tdx_global_keyid __ro_after_init;
static u32 tdx_guest_keyid_start __ro_after_init;
static u32 tdx_nr_guest_keyids __ro_after_init;
+static bool tdx_global_initialized;
+static DEFINE_RAW_SPINLOCK(tdx_global_init_lock);
+static DEFINE_PER_CPU(bool, tdx_lp_initialized);
+
+static enum tdx_module_status_t tdx_module_status;
+static DEFINE_MUTEX(tdx_module_lock);
+
+/*
+ * Do the module global initialization if not done yet. It can be
+ * done on any cpu. It's always called with interrupts disabled.
nit: Add lockdep_assert_irqs_off rather than the comment, the same way
it's done for the lp enable function below.
+ */
<snip>