Re: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online

Next message: Joonwon Kang: "[PATCH v3 1/2] mailbox: Use per-thread completion to fix wrong completion order"
Previous message: Arnd Bergmann: "Re: [PATCH] power: sequencing: pcie-m2: add SERIAL_DEV_BUS dependency"
In reply to: Reshetova, Elena: "RE: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edgecombe, Rick P

Date: Thu Apr 02 2026 - 13:12:51 EST

On Thu, 2026-04-02 at 08:18 +0000, Reshetova, Elena wrote:
> > Oh, I was just wondering if we could just zero the page on accept
> > failure for the case of already accepted. Handle the issue
> > internally
> > and actually go back to something like patch 1. Will it work for
> > SNP?
>
> I don't know about SNP, but if you are proposing to zero the page on
> double acceptance, this is not great from security pov.

Accept does zero the memory already. So the guest side operation is
doing an operation that says "make this memory usable in an known state
of zeros". And the operation complies. What is the difference?

> It creates a
> predictable behaviour primitive for the host to zero any data inside
> the confidential guest and it can be misused (think of zeroing out a
> page containing a cryptographic key).

If the host can trigger an accept somehow in the guest (via something
like this or other issue), then the host can also remove, then AUG the
page from the S-EPT. This will result in a normal accept which also
zeros the page.

So the part about whether a triggered accept succeeds or returns an
already accepted error is already under the control of the host. I.e.,
if we don't have the zeroing behavior, the host can already cause the
page to get zeroed. So I don't think anything is regressed. Both come
down to how careful the guest is about what it accepts.