Message ID | 20240812224820.34826-8-rick.p.edgecombe@intel.com (mailing list archive) |
---|---|
State | New, archived |
Series | TDX vCPU/VM creation |
On 8/13/24 00:48, Rick Edgecombe wrote:
> From: Isaku Yamahata <isaku.yamahata@intel.com>
>
> Add helper functions to allocate/free TDX private host key id (HKID).
>
> The memory controller encrypts TDX memory with the assigned HKIDs. Each TDX
> guest must be protected by its own unique TDX HKID.
>
> The HW has a fixed set of these HKID keys. Out of those, some are set aside
> for use by other TDX components, but most are saved for guest use. The
> code that does this partitioning records the range chosen to be available
> for guest use in the tdx_guest_keyid_start and tdx_nr_guest_keyids
> variables.
>
> Use this range of HKIDs reserved for guest use with the kernel's IDA
> allocator library helper to create a mini TDX HKID allocator that can be
> called when setting up a TD. This way it can have an exclusive HKID, as is
> required. This allocator will be used in future changes.

This is basically what Dave was asking for, isn't it?

Paolo

> Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> ---
> uAPI breakout v1:
> - Update the commit message
> - Delete stale comment on global hkid
> - Deleted WARN_ON_ONCE() as it doesn't seem very useful
>
> v19:
> - Removed stale comment in tdx_guest_keyid_alloc() by Binbin
> - Update sanity check in tdx_guest_keyid_free() by Binbin
>
> v18:
> - Moved the functions to kvm tdx from arch/x86/virt/vmx/tdx/
> - Drop exporting symbols as the host tdx does.
> --- > arch/x86/kvm/vmx/tdx.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c > index dbcc1ed80efa..b1c885ce8c9c 100644 > --- a/arch/x86/kvm/vmx/tdx.c > +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -14,6 +14,21 @@ static enum cpuhp_state tdx_cpuhp_state; > > static const struct tdx_sysinfo *tdx_sysinfo; > > +/* TDX KeyID pool */ > +static DEFINE_IDA(tdx_guest_keyid_pool); > + > +static int __used tdx_guest_keyid_alloc(void) > +{ > + return ida_alloc_range(&tdx_guest_keyid_pool, tdx_guest_keyid_start, > + tdx_guest_keyid_start + tdx_nr_guest_keyids - 1, > + GFP_KERNEL); > +} > + > +static void __used tdx_guest_keyid_free(int keyid) > +{ > + ida_free(&tdx_guest_keyid_pool, keyid); > +} > + > static int tdx_online_cpu(unsigned int cpu) > { > unsigned long flags;
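Review bot: tdx_guest_keyid_alloc() computes its upper bound as tdx_guest_keyid_start + tdx_nr_guest_keyids - 1 without checking that tdx_nr_guest_keyids is non-zero. With a count of 0 the maximum becomes tdx_guest_keyid_start - 1, which is below the minimum, and the result then depends on how ida_alloc_range() treats an inverted range. Since the whole point of the pool is that a TD never receives an HKID outside the guest range, suggest an explicit early exit such as `if (!tdx_nr_guest_keyids) return -ENOSPC;`, or a comment naming the initialisation step that guarantees a non-empty range before this helper can run.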
On Tue, 2024-09-10 at 18:27 +0200, Paolo Bonzini wrote:
> On 8/13/24 00:48, Rick Edgecombe wrote:
> > From: Isaku Yamahata <isaku.yamahata@intel.com>
> >
> > Add helper functions to allocate/free TDX private host key id (HKID).
> >
> > The memory controller encrypts TDX memory with the assigned HKIDs. Each TDX
> > guest must be protected by its own unique TDX HKID.
> >
> > The HW has a fixed set of these HKID keys. Out of those, some are set aside
> > for use by other TDX components, but most are saved for guest use. The
> > code that does this partitioning records the range chosen to be available
> > for guest use in the tdx_guest_keyid_start and tdx_nr_guest_keyids
> > variables.
> >
> > Use this range of HKIDs reserved for guest use with the kernel's IDA
> > allocator library helper to create a mini TDX HKID allocator that can be
> > called when setting up a TD. This way it can have an exclusive HKID, as is
> > required. This allocator will be used in future changes.
>
> This is basically what Dave was asking for, isn't it?

This patch has the allocator in KVM code, and the keyid ranges exported from
arch/x86. Per the discussion with Dave we will export the allocator functions
and keep the keyid ranges in arch/x86 code.
On 9/10/24 18:39, Edgecombe, Rick P wrote:
>>> Use this range of HKIDs reserved for guest use with the kernel's IDA
>>> allocator library helper to create a mini TDX HKID allocator that can be
>>> called when setting up a TD. This way it can have an exclusive HKID, as is
>>> required. This allocator will be used in future changes.
>> This is basically what Dave was asking for, isn't it?
> This patch has the allocator in KVM code, and the keyid ranges exported from
> arch/x86. Per the discussion with Dave we will export the allocator functions
> and keep the keyid ranges in arch/x86 code.

Yes, I meant this is the code and it just has to be moved to arch/x86.
The only other function that is needed is a wrapper for ida_is_empty(),
which is used in tdx_offline_cpu():

    /* No TD is running. Allow any cpu to be offline. */
    if (ida_is_empty(&tdx_guest_keyid_pool))
        return 0;

Paolo
On Tue, 2024-09-10 at 18:42 +0200, Paolo Bonzini wrote:
> Yes, I meant this is the code and it just has to be moved to arch/x86.
> The only other function that is needed is a wrapper for ida_is_empty(),
> which is used in tdx_offline_cpu():
>
>     /* No TD is running. Allow any cpu to be offline. */
>     if (ida_is_empty(&tdx_guest_keyid_pool))
>         return 0;

Oh, good point.
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index dbcc1ed80efa..b1c885ce8c9c 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -14,6 +14,21 @@ static enum cpuhp_state tdx_cpuhp_state; static const struct tdx_sysinfo *tdx_sysinfo; +/* TDX KeyID pool */ +static DEFINE_IDA(tdx_guest_keyid_pool); + +static int __used tdx_guest_keyid_alloc(void) +{ + return ida_alloc_range(&tdx_guest_keyid_pool, tdx_guest_keyid_start, + tdx_guest_keyid_start + tdx_nr_guest_keyids - 1, + GFP_KERNEL); +} + +static void __used tdx_guest_keyid_free(int keyid) +{ + ida_free(&tdx_guest_keyid_pool, keyid); +} + static int tdx_online_cpu(unsigned int cpu) { unsigned long flags;
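Review bot: tdx_guest_keyid_free() passes whatever int it receives straight to ida_free(), and neither helper carries a comment stating its contract. Because each guest must have an exclusive HKID, a stale or out-of-range keyid reaching the free path is the case worth guarding: a check that keyid lies within tdx_guest_keyid_start and tdx_guest_keyid_start + tdx_nr_guest_keyids - 1 would catch it before the pool is touched, and the changelog notes that the earlier WARN_ON_ONCE() was dropped without saying what replaces it. At minimum, document that tdx_guest_keyid_alloc() returns a negative errno on failure (callers must not treat the int as a key ID without checking) and that the free side accepts only a value previously returned by the allocator. The __used annotations should also go once the first callers land.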