Re: [PATCH v10 22/25] x86/virt/tdx: Reject updates during compatibility-sensitive operations

From: Dave Hansen

Date: Wed May 20 2026 - 15:35:23 EST


On 5/20/26 06:38, Chao Gao wrote:
> int tdx_module_shutdown(void)
> {
> struct tdx_sys_info_handoff handoff = {};
> struct tdx_module_args args = {};
> int ret, cpu;
> + u64 err;
>
> ret = get_tdx_sys_info_handoff(&handoff);
> WARN_ON_ONCE(ret);
> @@ -1288,9 +1291,30 @@ int tdx_module_shutdown(void)
> * module can produce and most likely supported by newer modules.
> */
> args.rcx = handoff.module_hv;
> - ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
> - if (ret)
> - return ret;
> +
> + /*
> + * This flag tells the TDX module to reject shutdown if it races
> + * with a "sensitive" ongoing operation. That eliminates exposure
> + * to a TDX erratum which can corrupt TDX guest states.
> + *
> + * This flag is not supported by all TDX modules and may cause
> + * the shutdown (and subsequent update procedure) to fail.
> + */
> + args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;
> +
> + err = seamcall(TDH_SYS_SHUTDOWN, &args);
> +
> + /*
> + * The shutdown ran into a "sensitive" ongoing operation. Signal
> + * to userspace that it can retry.
> + */
> + if ((err & TDX_SEAMCALL_STATUS_MASK) == TDX_UPDATE_COMPAT_SENSITIVE)
> + return -EBUSY;
> +
> + if (err) {
> + seamcall_err(TDH_SYS_SHUTDOWN, err, &args);
> + return -EIO;
> + }
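Review bot: the comment in this hunk says TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE is not supported by all TDX modules and may make the shutdown fail, but nothing here checks for that support before setting the flag, so on a module without it the failure lands in the generic `if (err)` path as -EIO and is indistinguishable from any other shutdown error. Either gate `args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;` on whatever the module reports for this capability, or at least note in the seamcall_err() path that an unsupported flag is an expected cause. Separately, the flag, the raw seamcall() and the two error translations would sit better in a small helper returning 0/-EBUSY/-EIO, so that tdx_module_shutdown() keeps the `ret = ...; if (ret) return ret;` shape it had with seamcall_prerr().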

This function is pretty tidy. More or less:

	ret = get_tdx_sys_info_handoff(&handoff);
	if (ret)
		return ret;

	args.foo = handoff.bar;
	ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
	if (ret)
		return ret;

	memset(&tdx_module_state, 0, sizeof(tdx_module_state));
	for_each_possible_cpu(cpu)
		per_cpu(tdx_lp_initialized, cpu) = false;

The logic's not bad, right? Get the handoff data, hand it off to
something, then go set some fields.

Then what does this patch do? It goes and globs a just huge blob of
TDH_SYS_SHUTDOWN errata handling and implementation details right smack
in the middle. Our tidy little function is no more.

I really wish this would trigger folks' gag reflexes. It's *SO* easy to
fix. It's *so* easy to keep the code tidy and hide the dead bodies so
that the logic can still be followed.

I'm probably going to drop this for now.
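What the tidy version sketched above could look like, as an added example that is not part of this thread or of the kernel: the TDH_SYS_SHUTDOWN handling from the quoted hunk moved into one helper that returns 0, -EBUSY or -EIO, so the caller keeps its `ret = ...; if (ret) return ret;` shape. seamcall() is a stub driven by a status word, shutdown_with_status() is a hypothetical test hook, and every constant value is a constructed placeholder.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
typedef uint64_t u64;

/* Constructed placeholder values; the real ones live in the kernel's TDX headers. */
#define TDX_SEAMCALL_STATUS_MASK                0xFFFFFFFF00000000ULL
#define TDX_UPDATE_COMPAT_SENSITIVE             0x8000020300000000ULL
#define TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE (1ULL << 63)
#define TDH_SYS_SHUTDOWN                        0x8000ULL

struct tdx_module_args { u64 rcx; };
struct tdx_sys_info_handoff { u64 module_hv; };
/* Stub TDX module: every SEAMCALL answers with this status word. */
static u64 fake_seamcall_status;
static u64 seamcall(u64 fn, struct tdx_module_args *args)
{
	(void)fn; (void)args;
	return fake_seamcall_status;
}
static void seamcall_err(u64 fn, u64 err, struct tdx_module_args *args)
{
	fprintf(stderr, "SEAMCALL %#llx failed: %#llx rcx=%#llx\n", (unsigned long long)fn,
		(unsigned long long)err, (unsigned long long)args->rcx);
}
/*
 * All TDH_SYS_SHUTDOWN erratum handling lives here. Returns 0, -EBUSY
 * (a sensitive operation is in flight, userspace may retry) or -EIO.
 */
static int tdx_sys_shutdown(const struct tdx_sys_info_handoff *handoff)
{
	struct tdx_module_args args = {0};
	u64 err;
	args.rcx = handoff->module_hv | TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;
	err = seamcall(TDH_SYS_SHUTDOWN, &args);
	if ((err & TDX_SEAMCALL_STATUS_MASK) == TDX_UPDATE_COMPAT_SENSITIVE)
		return -EBUSY;
	if (err) {
		seamcall_err(TDH_SYS_SHUTDOWN, err, &args);
		return -EIO;
	}
	return 0;
}

/* Hypothetical test hook: run the helper against a given module status word. */
static int shutdown_with_status(u64 status)
{
	struct tdx_sys_info_handoff handoff = { .module_hv = 0x1234 };
	fake_seamcall_status = status;
	return tdx_sys_shutdown(&handoff);
}
```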