[PATCH v5 7/8] x86/virt/tdx: Require the module to assert it has the NO_RBP_MOD mitigation

From: Kai Huang
Date: Mon Oct 14 2024 - 07:34:55 EST

Next message: Kai Huang: "[PATCH v5 8/8] x86/virt/tdx: Reduce TDMR's reserved areas by using CMRs to find memory holes"
Previous message: Kai Huang: "[PATCH v5 6/8] x86/virt/tdx: Print TDX module version"
In reply to: Kai Huang: "[PATCH v5 6/8] x86/virt/tdx: Print TDX module version"
Next in thread: Kai Huang: "[PATCH v5 8/8] x86/virt/tdx: Reduce TDMR's reserved areas by using CMRs to find memory holes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Old TDX modules can clobber RBP in the TDH.VP.ENTER SEAMCALL. However
RBP is used as frame pointer in the x86_64 calling convention, and
clobbering RBP could result in bad things like being unable to unwind
the stack if any non-maskable exceptions (NMI, #MC etc) happens in that
gap.

A new "NO_RBP_MOD" feature was introduced to more recent TDX modules to
not clobber RBP. This feature is reported in the TDX_FEATURES0 global
metadata field via bit 18.

Don't initialize the TDX module if this feature is not supported [1].

Link: https://lore.kernel.org/all/fc0e8ab7-86d4-4428-be31-82e1ece6dd21@xxxxxxxxx/ [1]
Signed-off-by: Kai Huang <kai.huang@xxxxxxxxx>
Reviewed-by: Nikolay Borisov <nik.borisov@xxxxxxxx>
Reviewed-by: Adrian Hunter <adrian.hunter@xxxxxxxxx>
Reviewed-by: Dan Williams <dan.j.williams@xxxxxxxxx>
---

v4 -> v5:
- Rebase due to patch 3 change.

v3 -> v4:
- Move reading TDX_FEATURES0 code to this patch.
- Change patch title and use permalink - Dan.

Hi Dan, Ardian, Nikolay,

The code to read TDX_FEATURES0 was not included in this patch when you
gave your tag. I didn't remove them. Please let me know if you want
me to remove your tag. Thanks!

v2 -> v3:
- check_module_compatibility() -> check_features().
- Improve error message.

https://lore.kernel.org/kvm/cover.1721186590.git.kai.huang@xxxxxxxxx/T/#md9e2eeef927838cbf20d7b361cdbea518b8aec50

---
arch/x86/virt/vmx/tdx/tdx.c | 36 ++++++++++++++++++++++++++++++++++++
arch/x86/virt/vmx/tdx/tdx.h | 16 ++++++++++++++++
2 files changed, 52 insertions(+)

diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 130ddac47f64..c877d02ca057 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -292,6 +292,21 @@ static int __read_sys_metadata_field(u64 field_id, void *val, int size)
__read_sys_metadata_field(_field_id, _val, sizeof(*(_val))); \
})

+static int get_tdx_sys_info_features(struct tdx_sys_info_features *sysinfo_features)
+{
+ int ret = 0;
+
+#define READ_SYS_INFO(_field_id, _member) \
+ ret = ret ?: read_sys_metadata_field(MD_FIELD_ID_##_field_id, \
+ &sysinfo_features->_member)
+
+ READ_SYS_INFO(TDX_FEATURES0, tdx_features0);
+
+#undef READ_SYS_INFO
+
+ return ret;
+}
+
static int get_tdx_sys_info_version(struct tdx_sys_info_version *sysinfo_version)
{
int ret = 0;
@@ -335,6 +350,10 @@ static int get_tdx_sys_info(struct tdx_sys_info *sysinfo)
{
int ret;

+ ret = get_tdx_sys_info_features(&sysinfo->features);
+ if (ret)
+ return ret;
+
ret = get_tdx_sys_info_version(&sysinfo->version);
if (ret)
return ret;
@@ -364,6 +383,18 @@ static void print_basic_sys_info(struct tdx_sys_info *sysinfo)
print_sys_info_version(&sysinfo->version);
}

+static int check_features(struct tdx_sys_info *sysinfo)
+{
+ u64 tdx_features0 = sysinfo->features.tdx_features0;
+
+ if (!(tdx_features0 & TDX_FEATURES0_NO_RBP_MOD)) {
+ pr_err("frame pointer (RBP) clobber bug present, upgrade TDX module\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
/* Calculate the actual TDMR size */
static int tdmr_size_single(u16 max_reserved_per_tdmr)
{
@@ -1145,6 +1176,11 @@ static int init_tdx_module(void)

print_basic_sys_info(&sysinfo);

+ /* Check whether the kernel can support this module */
+ ret = check_features(&sysinfo);
+ if (ret)
+ return ret;
+
/*
* To keep things simple, assume that all TDX-protected memory
* will come from the page allocator. Make sure all pages in the
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index 0203528da024..18c54e1e3a4a 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -31,6 +31,7 @@
*
* See the "global_metadata.json" in the "TDX 1.5 ABI definitions".
*/
+#define MD_FIELD_ID_TDX_FEATURES0 0x0A00000300000008ULL
#define MD_FIELD_ID_BUILD_DATE 0x8800000200000001ULL
#define MD_FIELD_ID_BUILD_NUM 0x8800000100000002ULL
#define MD_FIELD_ID_MINOR_VERSION 0x0800000100000003ULL
@@ -105,6 +106,20 @@ struct tdmr_info {
* those used by the kernel are.
*/

+/*
+ * Class "TDX Module Info".
+ *
+ * This class also contains other fields like SYS_ATTRIBUTES and the
+ * NUM_TDX_FEATURES. For now only TDX_FEATURES0 is needed, but still
+ * keep the structure to follow the spec (and for future extension).
+ */
+struct tdx_sys_info_features {
+ u64 tdx_features0;
+};
+
+/* Bit definitions of TDX_FEATURES0 metadata field */
+#define TDX_FEATURES0_NO_RBP_MOD _BITULL(18)
+
/* Class "TDX Module Version" */
struct tdx_sys_info_version {
u16 major;
@@ -123,6 +138,7 @@ struct tdx_sys_info_tdmr {
};

struct tdx_sys_info {
+ struct tdx_sys_info_features features;
struct tdx_sys_info_version version;
struct tdx_sys_info_tdmr tdmr;
};
--
2.46.2

Next message: Kai Huang: "[PATCH v5 8/8] x86/virt/tdx: Reduce TDMR's reserved areas by using CMRs to find memory holes"
Previous message: Kai Huang: "[PATCH v5 6/8] x86/virt/tdx: Print TDX module version"
In reply to: Kai Huang: "[PATCH v5 6/8] x86/virt/tdx: Print TDX module version"
Next in thread: Kai Huang: "[PATCH v5 8/8] x86/virt/tdx: Reduce TDMR's reserved areas by using CMRs to find memory holes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]