[11/13] x86/virt/tdx: Add SEAMCALL wrappers for TD measurement of initial contents

Commit Message

Paolo Bonzini Jan. 1, 2025, 7:49 a.m. UTC

From: Isaku Yamahata <isaku.yamahata@intel.com>

The TDX module measures the TD during the build process and saves the
measurement in TDCS.MRTD to facilitate TD attestation of the initial
contents of the TD. Wrap the SEAMCALL TDH.MR.EXTEND with tdh_mr_extend()
and TDH.MR.FINALIZE with tdh_mr_finalize() to enable the host kernel to
assist the TDX module in performing the measurement.

The measurement in TDCS.MRTD is a SHA-384 digest of the build process.
SEAMCALLs TDH.MNG.INIT and TDH.MEM.PAGE.ADD initialize and contribute to
the MRTD digest calculation.

The caller of tdh_mr_extend() should break the TD private page into chunks
of size TDX_EXTENDMR_CHUNKSIZE and invoke tdh_mr_extend() to add the page
content into the digest calculation. Failures are possible with
TDH.MR.EXTEND (e.g., due to SEPT walking). The caller of tdh_mr_extend()
can check the function return value and retrieve extended error information
from the function output parameters.

Calling tdh_mr_finalize() completes the measurement. The TDX module then
turns the TD into the runnable state. Further TDH.MEM.PAGE.ADD and
TDH.MR.EXTEND calls will fail.

TDH.MR.FINALIZE may fail due to errors such as the TD having no vCPUs or
contentions. Check function return value when calling tdh_mr_finalize() to
determine the exact reason for failure. Take proper locks on the caller's
side to avoid contention failures, or handle the BUSY error in specific
ways (e.g., retry). Return the SEAMCALL error code directly to the caller.
Do not attempt to handle it in the core kernel.

[Kai: Switched from generic seamcall export]
[Yan: Re-wrote the changelog]
Co-developed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
Signed-off-by: Kai Huang <kai.huang@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
Message-ID: <20241112073709.22171-1-yan.y.zhao@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/include/asm/tdx.h  |  2 ++
 arch/x86/virt/vmx/tdx/tdx.c | 27 +++++++++++++++++++++++++++
 arch/x86/virt/vmx/tdx/tdx.h |  2 ++
 3 files changed, 31 insertions(+)

Comments

Edgecombe, Rick P Jan. 3, 2025, 6:02 p.m. UTC | #1

On Wed, 2025-01-01 at 02:49 -0500, Paolo Bonzini wrote:
> From: Isaku Yamahata <isaku.yamahata@intel.com>
> 
> The TDX module measures the TD during the build process and saves the
> measurement in TDCS.MRTD to facilitate TD attestation of the initial
> contents of the TD. Wrap the SEAMCALL TDH.MR.EXTEND with tdh_mr_extend()
> and TDH.MR.FINALIZE with tdh_mr_finalize() to enable the host kernel to
> assist the TDX module in performing the measurement.
> 
> The measurement in TDCS.MRTD is a SHA-384 digest of the build process.
> SEAMCALLs TDH.MNG.INIT and TDH.MEM.PAGE.ADD initialize and contribute to
> the MRTD digest calculation.
> 
> The caller of tdh_mr_extend() should break the TD private page into chunks
> of size TDX_EXTENDMR_CHUNKSIZE and invoke tdh_mr_extend() to add the page
> content into the digest calculation. Failures are possible with
> TDH.MR.EXTEND (e.g., due to SEPT walking). The caller of tdh_mr_extend()
> can check the function return value and retrieve extended error information
> from the function output parameters.
> 
> Calling tdh_mr_finalize() completes the measurement. The TDX module then
> turns the TD into the runnable state. Further TDH.MEM.PAGE.ADD and
> TDH.MR.EXTEND calls will fail.
> 
> TDH.MR.FINALIZE may fail due to errors such as the TD having no vCPUs or
> contentions. Check function return value when calling tdh_mr_finalize() to
> determine the exact reason for failure. Take proper locks on the caller's
> side to avoid contention failures, or handle the BUSY error in specific
> ways (e.g., retry). Return the SEAMCALL error code directly to the caller.
> Do not attempt to handle it in the core kernel.
> 
> [Kai: Switched from generic seamcall export]
> [Yan: Re-wrote the changelog]
> Co-developed-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
> Signed-off-by: Kai Huang <kai.huang@intel.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
> Message-ID: <20241112073709.22171-1-yan.y.zhao@intel.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  arch/x86/include/asm/tdx.h  |  2 ++
>  arch/x86/virt/vmx/tdx/tdx.c | 27 +++++++++++++++++++++++++++
>  arch/x86/virt/vmx/tdx/tdx.h |  2 ++
>  3 files changed, 31 insertions(+)
> 
> diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
> index 74938f725481..6981a3d75eb2 100644
> --- a/arch/x86/include/asm/tdx.h
> +++ b/arch/x86/include/asm/tdx.h
> @@ -147,6 +147,8 @@ u64 tdh_mng_key_config(struct tdx_td *td);
>  u64 tdh_mng_create(struct tdx_td *td, u64 hkid);
>  u64 tdh_vp_create(struct tdx_td *td, struct tdx_vp *vp);
>  u64 tdh_mng_rd(struct tdx_td *td, u64 field, u64 *data);
> +u64 tdh_mr_extend(struct tdx_td *td, u64 gpa, u64 *rcx, u64 *rdx);
> +u64 tdh_mr_finalize(struct tdx_td *td);
>  u64 tdh_vp_flush(struct tdx_vp *vp);
>  u64 tdh_mng_vpflushdone(struct tdx_td *td);
>  u64 tdh_mng_key_freeid(struct tdx_td *td);
> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> index cde55e9b3280..84fe5bc79434 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.c
> +++ b/arch/x86/virt/vmx/tdx/tdx.c
> @@ -1629,6 +1629,33 @@ u64 tdh_mng_rd(struct tdx_td *td, u64 field, u64 *data)
>  }
>  EXPORT_SYMBOL_GPL(tdh_mng_rd);
>  
> +u64 tdh_mr_extend(struct tdx_td *td, u64 gpa, u64 *rcx, u64 *rdx)

gpa should be type gpa_t to avoid bare u64 types.

> +{
> +	struct tdx_module_args args = {
> +		.rcx = gpa,
> +		.rdx = tdx_tdr_pa(td),
> +	};
> +	u64 ret;
> +
> +	ret = seamcall_ret(TDH_MR_EXTEND, &args);
> +
> +	*rcx = args.rcx;
> +	*rdx = args.rdx;

Could be extended_err1/2.

> +
> +	return ret;
> +}
> +EXPORT_SYMBOL_GPL(tdh_mr_extend);
> +
> +u64 tdh_mr_finalize(struct tdx_td *td)
> +{
> +	struct tdx_module_args args = {
> +		.rcx = tdx_tdr_pa(td),
> +	};
> +
> +	return seamcall(TDH_MR_FINALIZE, &args);
> +}
> +EXPORT_SYMBOL_GPL(tdh_mr_finalize);
> +
>  u64 tdh_vp_flush(struct tdx_vp *vp)
>  {
>  	struct tdx_module_args args = {
> diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
> index d49cdd9b0577..a1e34773bab7 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.h
> +++ b/arch/x86/virt/vmx/tdx/tdx.h
> @@ -24,6 +24,8 @@
>  #define TDH_MNG_KEY_CONFIG		8
>  #define TDH_MNG_CREATE			9
>  #define TDH_MNG_RD			11
> +#define TDH_MR_EXTEND			16
> +#define TDH_MR_FINALIZE			17
>  #define TDH_VP_FLUSH			18
>  #define TDH_MNG_VPFLUSHDONE		19
>  #define TDH_VP_CREATE			10

Yan Zhao Jan. 7, 2025, 7:01 a.m. UTC | #2

Here's the KVM side fixup for patches 7-11. (attached in case you want
to take a look).

diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index ced4d09b2673..c3a84eb4694a 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -1606,13 +1606,11 @@ static int tdx_mem_page_aug(struct kvm *kvm, gfn_t gfn,
                            enum pg_level level, kvm_pfn_t pfn)
 {
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
-       hpa_t hpa = pfn_to_hpa(pfn);
-       gpa_t gpa = gfn_to_gpa(gfn);
+       struct page *private_page = pfn_to_page(pfn);
        u64 entry, level_state;
        u64 err;

-       err = tdh_mem_page_aug(tdr_pa, gpa, hpa, &entry, &level_state);
+       err = tdh_mem_page_aug(&kvm_tdx->td, gfn, private_page, &entry, &level_state);
        if (unlikely(err & TDX_OPERAND_BUSY)) {
                tdx_unpin(kvm, pfn);
                return -EBUSY;
@@ -1687,9 +1685,6 @@ static int tdx_sept_drop_private_spte(struct kvm *kvm, gfn_t gfn,
 {
        int tdx_level = pg_level_to_tdx_sept_level(level);
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
-       gpa_t gpa = gfn_to_gpa(gfn);
-       hpa_t hpa = pfn_to_hpa(pfn);
        u64 err, entry, level_state;

        /* TODO: handle large pages. */
@@ -1705,7 +1700,7 @@ static int tdx_sept_drop_private_spte(struct kvm *kvm, gfn_t gfn,
                 * condition with other vcpu sept operation.  Race only with
                 * TDH.VP.ENTER.
                 */
-               err = tdh_mem_page_remove(tdr_pa, gpa, tdx_level, &entry,
+               err = tdh_mem_page_remove(&kvm_tdx->td, gfn, tdx_level, &entry,
                                          &level_state);
        } while (unlikely(err == TDX_ERROR_SEPT_BUSY));

@@ -1734,7 +1729,7 @@ static int tdx_sept_drop_private_spte(struct kvm *kvm, gfn_t gfn,
                 * this page was removed above, other thread shouldn't be
                 * repeatedly operating on this page.  Just retry loop.
                 */
-               err = tdh_phymem_page_wbinvd_hkid(hpa, (u16)kvm_tdx->hkid);
+               err = tdh_phymem_page_wbinvd_hkid(pfn_to_page(pfn), kvm_tdx->hkid);
        } while (unlikely(err == (TDX_OPERAND_BUSY | TDX_OPERAND_ID_RCX)));

        if (KVM_BUG_ON(err, kvm)) {
@@ -1751,13 +1746,11 @@ int tdx_sept_link_private_spt(struct kvm *kvm, gfn_t gfn,
 {
        int tdx_level = pg_level_to_tdx_sept_level(level);
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
-       gpa_t gpa = gfn_to_gpa(gfn);
-       hpa_t hpa = __pa(private_spt);
+       struct page *sept_page = virt_to_page(private_spt);
        u64 err, entry, level_state;

-       err = tdh_mem_sept_add(tdr_pa, gpa, tdx_level, hpa, &entry,
-                              &level_state);
+       err = tdh_mem_sept_add(&kvm_tdx->td, gfn, tdx_level, sept_page,
+                              &entry, &level_state);
        if (unlikely(err == TDX_ERROR_SEPT_BUSY))
                return -EAGAIN;
        if (KVM_BUG_ON(err, kvm)) {
@@ -1773,14 +1766,13 @@ static int tdx_sept_zap_private_spte(struct kvm *kvm, gfn_t gfn,
 {
        int tdx_level = pg_level_to_tdx_sept_level(level);
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
-       gpa_t gpa = gfn_to_gpa(gfn) & KVM_HPAGE_MASK(level);
+       gfn_t base_gfn = gfn_round_for_level(gfn, level);
        u64 err, entry, level_state;

        /* For now large page isn't supported yet. */
        WARN_ON_ONCE(level != PG_LEVEL_4K);

-       err = tdh_mem_range_block(tdr_pa, gpa, tdx_level, &entry, &level_state);
+       err = tdh_mem_range_block(&kvm_tdx->td, base_gfn, tdx_level, &entry, &level_state);
        if (unlikely(err == TDX_ERROR_SEPT_BUSY))
                return -EAGAIN;
        if (KVM_BUG_ON(err, kvm)) {
@@ -1817,7 +1809,6 @@ static int tdx_sept_zap_private_spte(struct kvm *kvm, gfn_t gfn,
 static void tdx_track(struct kvm *kvm)
 {
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
        u64 err;

        /* If TD isn't finalized, it's before any vcpu running. */
@@ -1827,7 +1818,7 @@ static void tdx_track(struct kvm *kvm)
        lockdep_assert_held_write(&kvm->mmu_lock);

        do {
-               err = tdh_mem_track(tdr_pa);
+               err = tdh_mem_track(&kvm_tdx->td);
        } while (unlikely((err & TDX_SEAMCALL_STATUS_MASK) == TDX_OPERAND_BUSY));

        if (KVM_BUG_ON(err, kvm))
@@ -2756,7 +2747,6 @@ void tdx_flush_tlb_all(struct kvm_vcpu *vcpu)
 static int tdx_td_finalizemr(struct kvm *kvm, struct kvm_tdx_cmd *cmd)
 {
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);

        guard(mutex)(&kvm->slots_lock);

@@ -2769,7 +2759,7 @@ static int tdx_td_finalizemr(struct kvm *kvm, struct kvm_tdx_cmd *cmd)
        if (atomic64_read(&kvm_tdx->nr_premapped))
                return -EINVAL;

-       cmd->hw_error = tdh_mr_finalize(tdr_pa);
+       cmd->hw_error = tdh_mr_finalize(&kvm_tdx->td);
        if ((cmd->hw_error & TDX_SEAMCALL_STATUS_MASK) == TDX_OPERAND_BUSY)
                return -EAGAIN;
        if (KVM_BUG_ON(cmd->hw_error, kvm)) {
@@ -3029,7 +3019,6 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
 {
        u64 error_code = PFERR_GUEST_FINAL_MASK | PFERR_PRIVATE_ACCESS;
        struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
-       hpa_t tdr_pa = page_to_phys(kvm_tdx->td.tdr_page);
        struct tdx_gmem_post_populate_arg *arg = _arg;
        struct kvm_vcpu *vcpu = arg->vcpu;
        gpa_t gpa = gfn_to_gpa(gfn);
@@ -3068,9 +3057,8 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,

        ret = 0;
        do {
-               err = tdh_mem_page_add(tdr_pa, gpa, pfn_to_hpa(pfn),
-                                      pfn_to_hpa(page_to_pfn(page)),
-                                      &entry, &level_state);
+               err = tdh_mem_page_add(&kvm_tdx->td, gfn, pfn_to_page(pfn),
+                                      page, &entry, &level_state);
        } while (err == TDX_ERROR_SEPT_BUSY);
        if (err) {
                ret = -EIO;
@@ -3082,7 +3070,7 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,

        if (arg->flags & KVM_TDX_MEASURE_MEMORY_REGION) {
                for (i = 0; i < PAGE_SIZE; i += TDX_EXTENDMR_CHUNKSIZE) {
-                       err = tdh_mr_extend(tdr_pa, gpa + i, &entry,
+                       err = tdh_mr_extend(&kvm_tdx->td, gpa + i, &entry,
                                            &level_state);
                        if (err) {
                                ret = -EIO;

Patch

diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index 74938f725481..6981a3d75eb2 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -147,6 +147,8 @@  u64 tdh_mng_key_config(struct tdx_td *td);
 u64 tdh_mng_create(struct tdx_td *td, u64 hkid);
 u64 tdh_vp_create(struct tdx_td *td, struct tdx_vp *vp);
 u64 tdh_mng_rd(struct tdx_td *td, u64 field, u64 *data);
+u64 tdh_mr_extend(struct tdx_td *td, u64 gpa, u64 *rcx, u64 *rdx);
+u64 tdh_mr_finalize(struct tdx_td *td);
 u64 tdh_vp_flush(struct tdx_vp *vp);
 u64 tdh_mng_vpflushdone(struct tdx_td *td);
 u64 tdh_mng_key_freeid(struct tdx_td *td);
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index cde55e9b3280..84fe5bc79434 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -1629,6 +1629,33 @@  u64 tdh_mng_rd(struct tdx_td *td, u64 field, u64 *data)
 }
 EXPORT_SYMBOL_GPL(tdh_mng_rd);
 
+u64 tdh_mr_extend(struct tdx_td *td, u64 gpa, u64 *rcx, u64 *rdx)
+{
+	struct tdx_module_args args = {
+		.rcx = gpa,
+		.rdx = tdx_tdr_pa(td),
+	};
+	u64 ret;
+
+	ret = seamcall_ret(TDH_MR_EXTEND, &args);
+
+	*rcx = args.rcx;
+	*rdx = args.rdx;
+
+	return ret;
+}
+EXPORT_SYMBOL_GPL(tdh_mr_extend);
+
+u64 tdh_mr_finalize(struct tdx_td *td)
+{
+	struct tdx_module_args args = {
+		.rcx = tdx_tdr_pa(td),
+	};
+
+	return seamcall(TDH_MR_FINALIZE, &args);
+}
+EXPORT_SYMBOL_GPL(tdh_mr_finalize);
+
 u64 tdh_vp_flush(struct tdx_vp *vp)
 {
 	struct tdx_module_args args = {
diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
index d49cdd9b0577..a1e34773bab7 100644
--- a/arch/x86/virt/vmx/tdx/tdx.h
+++ b/arch/x86/virt/vmx/tdx/tdx.h
@@ -24,6 +24,8 @@ 
 #define TDH_MNG_KEY_CONFIG		8
 #define TDH_MNG_CREATE			9
 #define TDH_MNG_RD			11
+#define TDH_MR_EXTEND			16
+#define TDH_MR_FINALIZE			17
 #define TDH_VP_FLUSH			18
 #define TDH_MNG_VPFLUSHDONE		19
 #define TDH_VP_CREATE			10