Re: [PATCH v5 17/22] x86/virt/tdx: Avoid updates during update-sensitive operations

From: Chao Gao

Date: Fri Mar 20 2026 - 04:01:40 EST

On Thu, Mar 19, 2026 at 02:00:00PM +0000, Kiryl Shutsemau wrote:
>On Sun, Mar 15, 2026 at 06:58:37AM -0700, Chao Gao wrote:
>> diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
>> index b3a7301e77c6..4c4f7acd4044 100644
>> --- a/arch/x86/include/asm/tdx.h
>> +++ b/arch/x86/include/asm/tdx.h
>> @@ -26,11 +26,18 @@
>> #define TDX_SEAMCALL_GP (TDX_SW_ERROR | X86_TRAP_GP)
>> #define TDX_SEAMCALL_UD (TDX_SW_ERROR | X86_TRAP_UD)
>>
>> +#define TDX_SEAMCALL_STATUS_MASK 0xFFFFFFFF00000000ULL
>> +
>> /*
>> * TDX module SEAMCALL leaf function error codes
>> */
>> -#define TDX_SUCCESS 0ULL
>> -#define TDX_RND_NO_ENTROPY 0x8000020300000000ULL
>> +#define TDX_SUCCESS 0ULL
>> +#define TDX_RND_NO_ENTROPY 0x8000020300000000ULL
>> +#define TDX_UPDATE_COMPAT_SENSITIVE 0x8000051200000000ULL
>
>This competes with other patchset[1].
>
>[1] https://lore.kernel.org/all/20260307010358.819645-1-rick.p.edgecombe@xxxxxxxxx

Got it. But I suppose the conflicts can be addressed when maintainers merge
the two series.

Dave asked me to remove all (false) dependencies to make this series move
reviewable since v3. So I think we don't need to rebase onto that patchset.

>
>> @@ -1189,9 +1192,21 @@ int tdx_module_shutdown(void)
>> * modules as new modules likely have higher handoff version.
>> */
>> args.rcx = tdx_sysinfo.handoff.module_hv;
>> - ret = seamcall_prerr(TDH_SYS_SHUTDOWN, &args);
>> - if (ret)
>> - return ret;
>> +
>> + if (tdx_supports_update_compatibility(&tdx_sysinfo))
>> + args.rcx |= TDX_SYS_SHUTDOWN_AVOID_COMPAT_SENSITIVE;
>
>Hm. So what happens if the module doesn't support it? We just ignore
>problem?

Yes. The kernel ignores the problem and leaves the decision (whether to
update modules) to userspace.

>
>Maybe we should just block updates on such modules?

Kai made the same suggestion, but Dan rejected it [1][2]. Dan's position is
to avoid kernel complexity and let userspace handle the check, updating at
their own risk.

I've prepared a patch for the userspace tool [3] to check if the feature is
supported and will push it.

[1]: https://lore.kernel.org/kvm/699fe97dc212f_2f4a100b@dwillia2-mobl4.notmuch/
[2]: https://lore.kernel.org/kvm/69a0c3d24310_1cc5100d1@dwillia2-mobl4.notmuch/
[3]: https://github.com/intel/confidential-computing.tdx.tdx-module.binaries/blob/main/version_select_and_load.py