Re: [RFC PATCH 3/5] x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum
From: Huang, Kai
Date: Thu Mar 13 2025 - 19:58:13 EST
On Thu, 2025-03-13 at 22:47 +0000, Edgecombe, Rick P wrote:
> On Thu, 2025-03-13 at 22:32 +0000, Huang, Kai wrote:
> > > >
> > > > We can add a kernel parameter 'tdx_host={on|off}' and skip all TDX code (thus no
> > > > erratum detection) when it is off. I suppose it will be useful in general
> > > > anyway even w/o the context of kexec.
> > >
> > > What exactly are you thinking? Add a tdx_host parameter, but what is the default
> > > behavior? When tdx_host=on with the errata, kexec must still be disabled, right?
> > > Better to return an error, than proceed and crash.
> >
> > The default behaviour is tdx_host=off in order to not disrupt kexec/kdump
> > behaviour on the TDX platforms with erratum. The distros will be able to ship
> > kernels with both CONFIG_KEXEC_CORE and CONFIG_INTEL_TDX_HOST on, and no visible
> > impact to the user who doesn't care about TDX.
> >
> > If the user is interested in TDX, tdx_host=on must be set in the kernel command
> > line, but in this case user is expected to know kexec/kdump can only work
> > normally if the TDX platform doesn't have the erratum -- kexec/kdump are
> > disabled if the platform has the erratum.
>
> So this will switch all of TDX to be default off then, unless the kernel gets a
> parameter set.
>

Currently in KVM TDX is also default off.

> In which case we could also just unlock the Kconfig with just one
> small change. TDX and kexec would still be mutually exclusive, but just at runtime.

Yeah I am thinking this too, given the "keyID 0 integrity" thing is still ongoing.

> We should try to flag Paolo and see what he thinks.

I would appreciate it if you could help do that.

>
> Or is the proposal to only be default tdx_host=off on the errata platforms? And
> tdx_host=on otherwise?

The tricky thing is, naturally, we want to skip all the code in tdx_init() if
tdx_host=off, because there's no reason to do that detection/initialization if
we are not going to use TDX, e.g., we don't need to do this one:

	register_memory_notifier(&tdx_memory_nb);

... that means the code for detecting the erratum will be skipped too.

If we only make tdx_host=off the default for erratum platforms, then we
need to do cleanup (e.g., to unregister the above memory notifier).
This isn't nice and seems hacky.

I don't see a problem with making tdx_host=off the default; anyway, as mentioned
above, TDX is off by default in KVM.