Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>

From: Binbin Wu
Date: Wed Apr 02 2025 - 09:16:57 EST

Next message: Abraham Samuel Adekunle: "[PATCH] staging: rtl8723bs: modify struct field to use standard bool type"
Previous message: Tommaso Merciai: "[PATCH 3/4] arm64: dts: renesas: r9a09g047: Add Mali-G52 GPU node"
In reply to: Binbin Wu: "Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>"
Next in thread: Huang, Kai: "Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/2/2025 8:53 PM, Binbin Wu wrote:
[...]

diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index b952bc673271..535200446c21 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -1463,6 +1463,39 @@ static int tdx_get_td_vm_call_info(struct kvm_vcpu *vcpu)
      return 1;
}
+static int tdx_complete_get_quote(struct kvm_vcpu *vcpu)
+{
+    tdvmcall_set_return_code(vcpu, vcpu->run->tdx_get_quote.ret);
+    return 1;
+}
+
+static int tdx_get_quote(struct kvm_vcpu *vcpu)
+{
+    struct vcpu_tdx *tdx = to_tdx(vcpu);
+
+    u64 gpa = tdx->vp_enter_args.r12;
+    u64 size = tdx->vp_enter_args.r13;
+
+    /* The buffer must be shared memory. */
+    if (vt_is_tdx_private_gpa(vcpu->kvm, gpa) || size == 0) {
+        tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
+        return 1;
+    }

It is a little bit confusing about the shared buffer check here. There are two
perspectives here:

1) the buffer has already been converted to shared, i.e., the attributes are
stored in the Xarray.
2) the GPA passed in the GetQuote must have the shared bit set.

The key is we need 1) here. From the spec, we need the 2) as well because it
*seems* that the spec requires GetQuote to provide the GPA with shared bit set,
as it says "Shared GPA as input".

The above check only does 2). I think we need to check 1) as well, because once
you forward this GetQuote to userspace, userspace is able to access it freely.

Right.

Another discussion is whether KVM should skip the sanity checks for GetQuote
and let the userspace take the job.
Considering checking the buffer is shared memory or not, KVM seems to be a
better place.

A second thought. If the userspace could do the shared memory check, the
whole sanity checks can be done in userspace to keep KVM as small as possible.

As a result, the comment

   /* The buffer must be shared memory. */

should also be updated to something like:

   /*
    * The buffer must be shared. GetQuote requires the GPA to have
    * shared bit set.
    */

Next message: Abraham Samuel Adekunle: "[PATCH] staging: rtl8723bs: modify struct field to use standard bool type"
Previous message: Tommaso Merciai: "[PATCH 3/4] arm64: dts: renesas: r9a09g047: Add Mali-G52 GPU node"
In reply to: Binbin Wu: "Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>"
Next in thread: Huang, Kai: "Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]