Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online

Next message: Maxim Storetvedt: "Re: [PATCH v6 3/3] arm64: dts: qcom: Add Samsung Galaxy Book4 Edge DTS/DTSI"
Previous message: Andy Shevchenko: "Re: [PATCH] hwmon: (ina2xx) drop unused platform data"
In reply to: Edgecombe, Rick P: "Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online"
Next in thread: Edgecombe, Rick P: "Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Bonzini

Date: Thu Mar 26 2026 - 14:34:23 EST

Il mer 25 mar 2026, 18:21 Edgecombe, Rick P
<rick.p.edgecombe@xxxxxxxxx> ha scritto:
>
> Ah, I see now! So the problem is not that the kernel is accidentally
> re-accepting the memory. It's that host userspace is not actually
> removing the memory during unplug. Hmm. Why not fix userspace then? If
> the memory is unplugged it should not be usable anymore by the guest.
> If it is still accessible then it seems kind of like a bug, no?
>
> And! This totally justifies the warning. If the error is ignored, the
> guest would think the memory is zeroed, but it could have old data in
> it. It's exactly the kind of tricks a VMM could play to attack the
> guest.
>
> Another option could be to perform a TDG.MEM.PAGE.RELEASE TDCALL from
> the guest when it unplugs the memory, to put it in an unaccepted state.
> This would be more robust to buggy VMM behavior. But working around
> buggy VM behavior would need a high bar.

Wouldn't it actually be a very low bar? Just from these two paragraphs
of yours, it's clear that the line between buggy and malicious is
fine, in fact I think userspace should not care at all about removing
the memory. Only the guest cares about acceptance state.

Doing a RELEASE TDCALL seems more robust and not hard.

Paolo