[v7,51/52] i386/tdx: Validate phys_bits against host value

Message ID	20250124132048.3229049-52-xiaoyao.li@intel.com (mailing list archive)
State	New
Headers	show Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 273853596F for <kvm@vger.kernel.org>; Fri, 24 Jan 2025 13:40:13 +0000 (UTC) From: Xiaoyao Li <xiaoyao.li@intel.com> To: Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?Phil?= =?utf-8?q?ippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>, Igor Mammedov <imammedo@redhat.com> Cc: Zhao Liu <zhao1.liu@intel.com>, "Michael S. Tsirkin" <mst@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, Marcelo Tosatti <mtosatti@redhat.com>, Huacai Chen <chenhuacai@kernel.org>, Rick Edgecombe <rick.p.edgecombe@intel.com>, Francesco Lavra <francescolavra.fl@gmail.com>, xiaoyao.li@intel.com, qemu-devel@nongnu.org, kvm@vger.kernel.org Subject: [PATCH v7 51/52] i386/tdx: Validate phys_bits against host value Date: Fri, 24 Jan 2025 08:20:47 -0500 Message-Id: <20250124132048.3229049-52-xiaoyao.li@intel.com> In-Reply-To: <20250124132048.3229049-1-xiaoyao.li@intel.com> References: <20250124132048.3229049-1-xiaoyao.li@intel.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	QEMU TDX support \| expand [v7,00/52] QEMU TDX support [v7,01/52] * HACK * linux-headers: Update headers to pull in TDX API changes [v7,02/52] i386: Introduce tdx-guest object [v7,03/52] i386/tdx: Implement tdx_kvm_type() for TDX [v7,04/52] i386/tdx: Implement tdx_kvm_init() to initialize TDX VM context [v7,05/52] i386/tdx: Get tdx_capabilities via KVM_TDX_CAPABILITIES [v7,06/52] i386/tdx: Introduce is_tdx_vm() helper and cache tdx_guest object [v7,07/52] kvm: Introduce kvm_arch_pre_create_vcpu() [v7,08/52] i386/tdx: Initialize TDX before creating TD vcpus [v7,09/52] i386/tdx: Add property sept-ve-disable for tdx-guest object [v7,10/52] i386/tdx: Make sept_ve_disable set by default [v7,11/52] i386/tdx: Wire CPU features up with attributes of TD guest [v7,12/52] i386/tdx: Validate TD attributes [v7,13/52] i386/tdx: Set APIC bus rate to match with what TDX module enforces [v7,14/52] i386/tdx: Implement user specified tsc frequency [v7,15/52] i386/tdx: load TDVF for TD guest [v7,16/52] i386/tdvf: Introduce function to parse TDVF metadata [v7,17/52] i386/tdx: Parse TDVF metadata for TDX VM [v7,18/52] i386/tdx: Don't initialize pc.rom for TDX VMs [v7,19/52] i386/tdx: Track mem_ptr for each firmware entry of TDVF [v7,20/52] i386/tdx: Track RAM entries for TDX VM [v7,21/52] headers: Add definitions from UEFI spec for volumes, resources, etc... [v7,22/52] i386/tdx: Setup the TD HOB list [v7,23/52] i386/tdx: Add TDVF memory via KVM_TDX_INIT_MEM_REGION [v7,24/52] i386/tdx: Call KVM_TDX_INIT_VCPU to initialize TDX vcpu [v7,25/52] i386/tdx: Finalize TDX VM [v7,26/52] i386/tdx: Enable user exit on KVM_HC_MAP_GPA_RANGE [v7,27/52] i386/tdx: Handle KVM_SYSTEM_EVENT_TDX_FATAL [v7,28/52] i386/tdx: Wire TDX_REPORT_FATAL_ERROR with GuestPanic facility [v7,29/52] i386/cpu: introduce x86_confidential_guest_cpu_instance_init() [v7,30/52] i386/tdx: implement tdx_cpu_instance_init() [v7,31/52] i386/cpu: Introduce enable_cpuid_0x1f to force exposing CPUID 0x1f [v7,32/52] i386/tdx: Force exposing CPUID 0x1f [v7,33/52] i386/tdx: Set kvm_readonly_mem_enabled to false for TDX VM [v7,34/52] i386/tdx: Disable SMM for TDX VMs [v7,35/52] i386/tdx: Disable PIC for TDX VMs [v7,36/52] i386/tdx: Don't synchronize guest tsc for TDs [v7,37/52] i386/tdx: Only configure MSR_IA32_UCODE_REV in kvm_init_msrs() for TDs [v7,38/52] i386/apic: Skip kvm_apic_put() for TDX [v7,39/52] cpu: Don't set vcpu_dirty when guest_state_protected [v7,40/52] i386/cgs: Rename mask_cpuid_features() to adjust_cpuid_features() [v7,41/52] i386/tdx: Implement adjust_cpuid_features() for TDX [v7,42/52] i386/tdx: Apply TDX fixed0 and fixed1 information to supported CPUIDs [v7,43/52] i386/tdx: Mask off CPUID bits by unsupported TD Attributes [v7,44/52] i386/cpu: Move CPUID_XSTATE_XSS_MASK to header file and introduce CPUID_XSTATE_MASK [v7,45/52] i386/tdx: Mask off CPUID bits by unsupported XFAM [v7,46/52] i386/tdx: Mark the configurable bit not reported by KVM as unsupported [v7,47/52] i386/cgs: Introduce x86_confidential_guest_check_features() [v7,48/52] i386/tdx: Fetch and validate CPUID of TD guest [v7,49/52] i386/tdx: Don't treat SYSCALL as unavailable [v7,50/52] i386/tdx: Make invtsc default on [v7,51/52] i386/tdx: Validate phys_bits against host value [v7,52/52] docs: Add TDX documentation

Message ID

20250124132048.3229049-52-xiaoyao.li@intel.com (mailing list archive)

State

New

Headers

From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
 =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?Phil?=
	=?utf-8?q?ippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Igor Mammedov <imammedo@redhat.com>
Cc: Zhao Liu <zhao1.liu@intel.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Eric Blake <eblake@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Huacai Chen <chenhuacai@kernel.org>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>,
	Francesco Lavra <francescolavra.fl@gmail.com>,
	xiaoyao.li@intel.com,
	qemu-devel@nongnu.org,
	kvm@vger.kernel.org
Subject: [PATCH v7 51/52] i386/tdx: Validate phys_bits against host value
Date: Fri, 24 Jan 2025 08:20:47 -0500
Message-Id: <20250124132048.3229049-52-xiaoyao.li@intel.com>
In-Reply-To: <20250124132048.3229049-1-xiaoyao.li@intel.com>
References: <20250124132048.3229049-1-xiaoyao.li@intel.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

QEMU TDX support | expand

Commit Message

Xiaoyao Li Jan. 24, 2025, 1:20 p.m. UTC

For TDX guest, the phys_bits is not configurable and can only be
host/native value.

Validate phys_bits inside tdx_check_features().

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
 target/i386/host-cpu.c | 2 +-
 target/i386/host-cpu.h | 1 +
 target/i386/kvm/tdx.c  | 8 ++++++++
 3 files changed, 10 insertions(+), 1 deletion(-)

Comments

Paolo Bonzini Jan. 31, 2025, 6:27 p.m. UTC | #1

On Fri, Jan 24, 2025 at 2:40 PM Xiaoyao Li <xiaoyao.li@intel.com> wrote:
>
> For TDX guest, the phys_bits is not configurable and can only be
> host/native value.
>
> Validate phys_bits inside tdx_check_features().

Hi Xiaoyao,

to avoid

qemu-kvm: TDX requires guest CPU physical bits (48) to match host CPU
physical bits (52)

I need options like

-cpu host,phys-bits=52,guest-phys-bits=52,host-phys-bits-limit=52,-kvm-asyncpf-int

to start a TDX guest, is that intentional?

Thanks,

Paolo

> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
>  target/i386/host-cpu.c | 2 +-
>  target/i386/host-cpu.h | 1 +
>  target/i386/kvm/tdx.c  | 8 ++++++++
>  3 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/host-cpu.c b/target/i386/host-cpu.c
> index 3e4e85e729c8..8a15af458b05 100644
> --- a/target/i386/host-cpu.c
> +++ b/target/i386/host-cpu.c
> @@ -15,7 +15,7 @@
>  #include "system/system.h"
>
>  /* Note: Only safe for use on x86(-64) hosts */
> -static uint32_t host_cpu_phys_bits(void)
> +uint32_t host_cpu_phys_bits(void)
>  {
>      uint32_t eax;
>      uint32_t host_phys_bits;
> diff --git a/target/i386/host-cpu.h b/target/i386/host-cpu.h
> index 6a9bc918baa4..b97ec01c9bec 100644
> --- a/target/i386/host-cpu.h
> +++ b/target/i386/host-cpu.h
> @@ -10,6 +10,7 @@
>  #ifndef HOST_CPU_H
>  #define HOST_CPU_H
>
> +uint32_t host_cpu_phys_bits(void);
>  void host_cpu_instance_init(X86CPU *cpu);
>  void host_cpu_max_instance_init(X86CPU *cpu);
>  bool host_cpu_realizefn(CPUState *cs, Error **errp);
> diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
> index bb75eb06dad9..c906a76c4c0e 100644
> --- a/target/i386/kvm/tdx.c
> +++ b/target/i386/kvm/tdx.c
> @@ -24,6 +24,7 @@
>
>  #include "cpu.h"
>  #include "cpu-internal.h"
> +#include "host-cpu.h"
>  #include "hw/i386/e820_memory_layout.h"
>  #include "hw/i386/x86.h"
>  #include "hw/i386/tdvf.h"
> @@ -838,6 +839,13 @@ static int tdx_check_features(X86ConfidentialGuest *cg, CPUState *cs)
>          return -1;
>      }
>
> +    if (cpu->phys_bits != host_cpu_phys_bits()) {
> +        error_report("TDX requires guest CPU physical bits (%u) "
> +                     "to match host CPU physical bits (%u)",
> +                     cpu->phys_bits, host_cpu_phys_bits());
> +        exit(1);
> +    }
> +
>      return 0;
>  }
>
> --
> 2.34.1
>

Xiaoyao Li Feb. 2, 2025, 2:39 p.m. UTC | #2

On 2/1/2025 2:27 AM, Paolo Bonzini wrote:
> On Fri, Jan 24, 2025 at 2:40 PM Xiaoyao Li <xiaoyao.li@intel.com> wrote:
>>
>> For TDX guest, the phys_bits is not configurable and can only be
>> host/native value.
>>
>> Validate phys_bits inside tdx_check_features().
> 
> Hi Xiaoyao,
> 
> to avoid
> 
> qemu-kvm: TDX requires guest CPU physical bits (48) to match host CPU
> physical bits (52)
> 
> I need options like
> 
> -cpu host,phys-bits=52,guest-phys-bits=52,host-phys-bits-limit=52,-kvm-asyncpf-int
> 
> to start a TDX guest, is that intentional?

"-cpu host" should be sufficient and should not hit the error.

why did you get "guest CPU physical bits (48)"?

> Thanks,
> 
> Paolo
> 
>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>> ---
>>   target/i386/host-cpu.c | 2 +-
>>   target/i386/host-cpu.h | 1 +
>>   target/i386/kvm/tdx.c  | 8 ++++++++
>>   3 files changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/i386/host-cpu.c b/target/i386/host-cpu.c
>> index 3e4e85e729c8..8a15af458b05 100644
>> --- a/target/i386/host-cpu.c
>> +++ b/target/i386/host-cpu.c
>> @@ -15,7 +15,7 @@
>>   #include "system/system.h"
>>
>>   /* Note: Only safe for use on x86(-64) hosts */
>> -static uint32_t host_cpu_phys_bits(void)
>> +uint32_t host_cpu_phys_bits(void)
>>   {
>>       uint32_t eax;
>>       uint32_t host_phys_bits;
>> diff --git a/target/i386/host-cpu.h b/target/i386/host-cpu.h
>> index 6a9bc918baa4..b97ec01c9bec 100644
>> --- a/target/i386/host-cpu.h
>> +++ b/target/i386/host-cpu.h
>> @@ -10,6 +10,7 @@
>>   #ifndef HOST_CPU_H
>>   #define HOST_CPU_H
>>
>> +uint32_t host_cpu_phys_bits(void);
>>   void host_cpu_instance_init(X86CPU *cpu);
>>   void host_cpu_max_instance_init(X86CPU *cpu);
>>   bool host_cpu_realizefn(CPUState *cs, Error **errp);
>> diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
>> index bb75eb06dad9..c906a76c4c0e 100644
>> --- a/target/i386/kvm/tdx.c
>> +++ b/target/i386/kvm/tdx.c
>> @@ -24,6 +24,7 @@
>>
>>   #include "cpu.h"
>>   #include "cpu-internal.h"
>> +#include "host-cpu.h"
>>   #include "hw/i386/e820_memory_layout.h"
>>   #include "hw/i386/x86.h"
>>   #include "hw/i386/tdvf.h"
>> @@ -838,6 +839,13 @@ static int tdx_check_features(X86ConfidentialGuest *cg, CPUState *cs)
>>           return -1;
>>       }
>>
>> +    if (cpu->phys_bits != host_cpu_phys_bits()) {
>> +        error_report("TDX requires guest CPU physical bits (%u) "
>> +                     "to match host CPU physical bits (%u)",
>> +                     cpu->phys_bits, host_cpu_phys_bits());
>> +        exit(1);
>> +    }
>> +
>>       return 0;
>>   }
>>
>> --
>> 2.34.1
>>
> 
>

Paolo Bonzini Feb. 3, 2025, 6:15 p.m. UTC | #3

On 2/2/25 15:39, Xiaoyao Li wrote:
> On 2/1/2025 2:27 AM, Paolo Bonzini wrote:
>> On Fri, Jan 24, 2025 at 2:40 PM Xiaoyao Li <xiaoyao.li@intel.com> wrote:
>>>
>>> For TDX guest, the phys_bits is not configurable and can only be
>>> host/native value.
>>>
>>> Validate phys_bits inside tdx_check_features().
>>
>> Hi Xiaoyao,
>>
>> to avoid
>>
>> qemu-kvm: TDX requires guest CPU physical bits (48) to match host CPU
>> physical bits (52)
>>
>> I need options like
>>
>> -cpu host,phys-bits=52,guest-phys-bits=52,host-phys-bits-limit=52,- 
>> kvm-asyncpf-int
>>
>> to start a TDX guest, is that intentional?
> 
> "-cpu host" should be sufficient and should not hit the error.
> 
> why did you get "guest CPU physical bits (48)"?

Nevermind - I got it from the RHEL machine types.  The fix (which does not have
to be included upstream, though I would not complain) is

diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index e0ab41bcb7b..7aca8219405 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -444,6 +444,7 @@ static void tdx_cpu_instance_init(X86ConfidentialGuest *cg, CPUState *cpu)
      X86CPU *x86cpu = X86_CPU(cpu);
  
      object_property_set_bool(OBJECT(cpu), "pmu", false, &error_abort);
+    object_property_set_bool(OBJECT(cpu), "host-phys-bits-limit", 0, &error_abort);
  
      /* invtsc is fixed1 for TD guest */
      object_property_set_bool(OBJECT(cpu), "invtsc", true, &error_abort);

but it also needs the patch at
https://lore.kernel.org/qemu-devel/20250203114132.259155-1-pbonzini@redhat.com/T/.

With these two changes, QEMU accepts "-cpu host" just fine.

Paolo

diff --git a/target/i386/host-cpu.c b/target/i386/host-cpu.c
index 3e4e85e729c8..8a15af458b05 100644
--- a/target/i386/host-cpu.c
+++ b/target/i386/host-cpu.c
@@ -15,7 +15,7 @@ 
 #include "system/system.h"
 
 /* Note: Only safe for use on x86(-64) hosts */
-static uint32_t host_cpu_phys_bits(void)
+uint32_t host_cpu_phys_bits(void)
 {
     uint32_t eax;
     uint32_t host_phys_bits;
diff --git a/target/i386/host-cpu.h b/target/i386/host-cpu.h
index 6a9bc918baa4..b97ec01c9bec 100644
--- a/target/i386/host-cpu.h
+++ b/target/i386/host-cpu.h
@@ -10,6 +10,7 @@ 
 #ifndef HOST_CPU_H
 #define HOST_CPU_H
 
+uint32_t host_cpu_phys_bits(void);
 void host_cpu_instance_init(X86CPU *cpu);
 void host_cpu_max_instance_init(X86CPU *cpu);
 bool host_cpu_realizefn(CPUState *cs, Error **errp);
diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index bb75eb06dad9..c906a76c4c0e 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -24,6 +24,7 @@ 
 
 #include "cpu.h"
 #include "cpu-internal.h"
+#include "host-cpu.h"
 #include "hw/i386/e820_memory_layout.h"
 #include "hw/i386/x86.h"
 #include "hw/i386/tdvf.h"
@@ -838,6 +839,13 @@  static int tdx_check_features(X86ConfidentialGuest *cg, CPUState *cs)
         return -1;
     }
 
+    if (cpu->phys_bits != host_cpu_phys_bits()) {
+        error_report("TDX requires guest CPU physical bits (%u) "
+                     "to match host CPU physical bits (%u)",
+                     cpu->phys_bits, host_cpu_phys_bits());
+        exit(1);
+    }
+
     return 0;
 }

[v7,51/52] i386/tdx: Validate phys_bits against host value

Commit Message

Comments

Patch