Re: [PATCH v3 25/26] x86/virt/tdx: Avoid updates during update-sensitive operations

Next message: Pierre Gondois: "Re: [PATCH v6 7/9] ACPI: CPPC: add APIs and sysfs interface for perf_limited"
Previous message: Lorenzo Stoakes: "Re: [PATCH mm-unstable v14 00/16] khugepaged: mTHP support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tony Lindgren

Date: Mon Jan 26 2026 - 06:26:52 EST

On Fri, Jan 23, 2026 at 06:55:33AM -0800, Chao Gao wrote:
> TDX Module updates may cause TD management operations to fail if they
> occur during phases of the TD lifecycle that are sensitive to update
> compatibility.
>
> Currently, there are two update-sensitive scenarios:
> - TD build, where TD Measurement Register (TDMR) accumulates over multiple
> TDH.MEM.PAGE.ADD, TDH.MR.EXTEND and TDH.MR.FINALIZE calls.
>
> - TD migration, where an intermediate crypto state is saved if a state
> migration function (TDH.EXPORT.STATE.* or TDH.IMPORT.STATE.*) is
> interrupted and restored when the function is resumed.
>
> For example, if an update races with TD build operations, the TD
> Measurement Register will become incorrect, causing the TD to fail
> attestation.
>
> The TDX Module offers two solutions:
>
> 1. Avoid updates during update-sensitive times
>
> The host VMM can instruct TDH.SYS.SHUTDOWN to fail if any of the TDs
> are currently in any update-sensitive cases.
>
> 2. Detect incompatibility after updates
>
> On TDH.SYS.UPDATE, the host VMM can configure the TDX Module to detect
> actual incompatibility cases. The TDX Module will then return a special
> error to signal the incompatibility, allowing the host VMM to restart
> the update-sensitive operations.
>
> Implement option #1 to fail updates if the feature is available. Also,
> distinguish this update failure from other failures by returning -EBUSY,
> which will be converted to a firmware update error code indicating that the
> firmware is busy.

Looks good to me:

Reviewed-by: Tony Lindgren <tony.lindgren@xxxxxxxxxxxxxxx>