Re: [ANNOUNCE] PUCK Notes - 2024.04.03 - TDX Upstreaming Strategy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 4/6/2024 12:58 AM, Sean Christopherson wrote:

  - For guest MAXPHYADDR vs. GPAW, rely on KVM_GET_SUPPORTED_CPUID to enumerate
    the usable MAXPHYADDR[2], and simply refuse to enable TDX if the TDX Module
    isn't compatible.  Specifically, if MAXPHYADDR=52, 5-level paging is enabled,
    but the TDX-Module only allows GPAW=0, i.e. only supports 4-level paging.


So userspace can get supported GPAW from usable MAXPHYADDR, i.e.,
CPUID(0X8000_0008).eaxx[23:16] of KVM_GET_SUPPORTED_CPUID:
 - if usable MAXPHYADDR == 52, supported GPAW is 0 and 1.
 - if usable MAXPHYADDR <= 48, supported GPAW is only 0.
There is another thing needs to be discussed. How does userspace configure GPAW for TD guest?
Currently, KVM uses CPUID(0x8000_0008).EAX[7:0] in struct kvm_tdx_init_vm::cpuid.entries[] of IOCTL(KVM_TDX_INIT_VM) to deduce the GPAW: 

	int maxpa = 36;
	entry = kvm_find_cpuid_entry2(cpuid->entries, cpuid->nent, 0x80000008, 0);
	if (entry)
		max_pa = entry->eax & 0xff;

	...
	if (!cpu_has_vmx_ept_5levels() && max_pa > 48)
		return -EINVAL;
	if (cpu_has_vmx_ept_5levels() && max_pa > 48) {
		td_params->eptp_controls |= VMX_EPTP_PWL_5;
		td_params->exec_controls |= TDX_EXEC_CONTROL_MAX_GPAW;
	} else {
		td_params->eptp_controls |= VMX_EPTP_PWL_4;
	}
The code implies that KVM allows the provided CPUID(0x8000_0008).EAX[7:0] to be any value (when 5level ept is supported). when it > 48, configure GPAW of TD to 1, otherwise to 0.
However, the virtual value of CPUID(0x8000_0008).EAX[7:0] inside TD is always the native value of hardware (for current TDX).
So if we want to keep this behavior, we need to document it somewhere that CPUID(0x8000_0008).EAX[7:0] in struct kvm_tdx_init_vm::cpuid.entries[] of IOCTL(KVM_TDX_INIT_VM) is only for configuring GPAW, not for userspace to configure virtual CPUID value for TD VMs.
Another option is that, KVM doesn't allow userspace to configure CPUID(0x8000_0008).EAX[7:0]. Instead, it provides a gpaw field in struct kvm_tdx_init_vm for userspace to configure directly. 

What do you prefer?


[1]https://drive.google.com/corp/drive/folders/1hm_ITeuB6DjT7dNd-6Ezybio4tRRQOlC
[2]https://lore.kernel.org/all/20240313125844.912415-1-kraxel@xxxxxxxxxx
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux