Re: [PATCH v7 17/20] x86/virt/tdx: Configure global KeyID on all packages
From: Huang, Kai
Date: Wed Nov 30 2022 - 03:35:48 EST
On Wed, 2022-11-30 at 11:35 +0800, Binbin Wu wrote:
> On 11/21/2022 8:26 AM, Kai Huang wrote:
> > After the array of TDMRs and the global KeyID are configured to the TDX
> > module, use TDH.SYS.KEY.CONFIG to configure the key of the global KeyID
> > on all packages.
> >
> > TDH.SYS.KEY.CONFIG must be done on one (any) cpu for each package. And
> > it cannot run concurrently on different CPUs. Implement a helper to
> > run SEAMCALL on one cpu for each package one by one, and use it to
> > configure the global KeyID on all packages.
> >
> > Intel hardware doesn't guarantee cache coherency across different
> > KeyIDs. The kernel needs to flush PAMT's dirty cachelines (associated
> > with KeyID 0) before the TDX module uses the global KeyID to access the
> > PAMT. Following the TDX module specification, flush cache before
> > configuring the global KeyID on all packages.
> >
> > Given the PAMT size can be large (~1/256th of system RAM), just use
> > WBINVD on all CPUs to flush.
> >
> > Note if any TDH.SYS.KEY.CONFIG fails, the TDX module may already have
> > used the global KeyID to write any PAMT. Therefore, need to use WBINVD
> > to flush cache before freeing the PAMTs back to the kernel. Note using
> > MOVDIR64B (which changes the page's associated KeyID from the old TDX
> > private KeyID back to KeyID 0, which is used by the kernel)
>
> It seems not accurate to say MOVDIR64B changes the page's associated KeyID.
> It just uses the current KeyID for memory operations.
The "write" to the memory changes the page's associated KeyID to the KeyID that
does the "write". A more accurate expression perhaps should be MOVDIR64B +
MFENSE, but I think it doesn't matter in changelog.
>
>
> > to clear
> > PMATs isn't needed, as the KeyID 0 doesn't support integrity check.
>
> For integrity check, is KeyID 0 special or it just has the same behavior
> as non-zero shared KeyID (if any)?
KeyID 0 is TME KeyID. It is special. Hardware treats the KeyID 0 differently.
>
> By saying "KeyID 0 doesn't support integrity check", is it because of
> the implementation of this patch set or hardware behavior?
It's hardware behaviour.
>
> According to Architecure Specification 1.0 of TDX Module (344425-004US),
> shared KeyID could also enable integrity check.
>
KeyID 0 is different from non-0 MKTME shared KeyID. For example, you cannot do
PCONFIG on KeyID 0.