[PATCH 0/2] x86/tdx: Enforce no #VE on private memory accesses

From: Kirill A. Shutemov
Date: Fri Oct 28 2022 - 10:12:37 EST


As described in 9a22bf6debbf ("x86/traps: Add #VE support for TDX
guest"), kernel relies on "no #VE on access to private memory" to keep
guest secure from attacks against syscall gap or NMI entry code.

SEPT_VE_DISABLE TD attribute controls TDX module behaviour on EPT
violation.

The attribute must be set to avoid #VE. Refuse to boot the guest if it
is not.

Kirill A. Shutemov (1):
x86/tdx: Do not allow #VE due to EPT violation on the private memory

Kuppuswamy Sathyanarayanan (1):
x86/tdx: Extract GET_INFO call from get_cc_mask()

arch/x86/coco/tdx/tdx.c | 74 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 69 insertions(+), 5 deletions(-)

--
2.38.0