Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online

Next message: Breno Leitao: "[PATCH net-next v2 1/4] net: add getsockopt_iter callback to proto_ops"
Previous message: Michael Roth: "Re: [PATCH RFC v4 10/44] KVM: guest_memfd: Add support for KVM_SET_MEMORY_ATTRIBUTES2"
Next in thread: Edgecombe, Rick P: "Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edgecombe, Rick P

Date: Wed Apr 01 2026 - 12:03:58 EST

On Mon, 2026-03-30 at 11:10 -0400, Pratik R. Sampat wrote:
> SNP likely has an analogous issue too.
> Failing to switch states on remove will cause that RMP entry to
> remain validated. A malicious hypervisor could then remap this GPA to
> another HPA which would put this in the Guest-Invalid state. On re-
> hotplug if we ignore errors suggested by Patch 1 (in our case that'd
> be PVALIDATE_FAIL_NOUPDATE error likely), we could have two RMP
> entries for the same GPA and both being validated. This is dangerous
> because hypervisor could swap these at will.

Oh, I was just wondering if we could just zero the page on accept
failure for the case of already accepted. Handle the issue internally
and actually go back to something like patch 1. Will it work for SNP?

>
> Would it not be better to have this information in the unaccepted
> bitmap which we could explicitly query to accept/unaccept?

It makes me think about shared memory too. Should the unplug event also
signal the host to reset the memory to private? If the VMM is actually
not adjusting the guest mapping for a unplug/re-plug then the memory
would come back as shared.

But it really starts to feel like work the host should be doing.

>
> For ACPI hardware-style hotplug I was working with the UEFI side on a
> POC to reflect SRAT hotplug windows in UEFI_UNACCEPTED_MEMORY using
> EFI_MEMORY_HOT_PLUGGABLE attribute and working to modify that spec.
> I’m less sure what this description for virtio-mem would look like
> and if it'd be possible to do this early-boot.