Message ID | 20250129095902.16391-4-adrian.hunter@intel.com (mailing list archive)
---|---
State | New, archived
Series | KVM: TDX: TD vcpu enter/exit
On 1/29/2025 5:58 PM, Adrian Hunter wrote:
> TDX VMs have protected state. Accordingly, set arch.has_protected_state to
> true.
>
> This will cause the following IOCTL functions to return an error:
>
> kvm_arch_vcpu_ioctl() case KVM_GET_SREGS2
> kvm_arch_vcpu_ioctl() case KVM_SET_SREGS2
> kvm_arch_vcpu_ioctl_get_regs()
> kvm_arch_vcpu_ioctl_set_regs()
> kvm_arch_vcpu_ioctl_get_sregs()
> kvm_arch_vcpu_ioctl_set_sregs()
> kvm_vcpu_ioctl_x86_get_debugregs()
> kvm_vcpu_ioctl_x86_set_debugregs
> kvm_vcpu_ioctl_x86_get_xcrs()
> kvm_vcpu_ioctl_x86_set_xcrs()
>
> In addition, the following will error for confidential FPU state:
>
> kvm_vcpu_ioctl_x86_get_xsave ()
> kvm_vcpu_ioctl_x86_get_xsave2()
> kvm_vcpu_ioctl_x86_set_xsave()
> kvm_arch_vcpu_ioctl_get_fpu()
> kvm_arch_vcpu_ioctl_set_fpu()
>
> And finally, in accordance with commit 66155de93bcf ("KVM: x86: Disallow
> read-only memslots for SEV-ES and SEV-SNP (and TDX)"), read-only
> memslots will be disallowed.
>
> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
> ---
> TD vcpu enter/exit v2:
> - New patch
> ---
> arch/x86/kvm/vmx/tdx.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index ea9498028212..a7ebdafdfd82 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -553,6 +553,7 @@ int tdx_vm_init(struct kvm *kvm)
>  {
>  	struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
>
> +	kvm->arch.has_protected_state = true;

This can be squashed into the one that implements the tdx_vm_init();

>  	kvm->arch.has_private_mem = true;
>
>  	/*
On 20/02/25 14:35, Xiaoyao Li wrote:
> On 1/29/2025 5:58 PM, Adrian Hunter wrote:
>> TDX VMs have protected state. Accordingly, set arch.has_protected_state to
>> true.
>>
>> This will cause the following IOCTL functions to return an error:
>>
>> kvm_arch_vcpu_ioctl() case KVM_GET_SREGS2
>> kvm_arch_vcpu_ioctl() case KVM_SET_SREGS2
>> kvm_arch_vcpu_ioctl_get_regs()
>> kvm_arch_vcpu_ioctl_set_regs()
>> kvm_arch_vcpu_ioctl_get_sregs()
>> kvm_arch_vcpu_ioctl_set_sregs()
>> kvm_vcpu_ioctl_x86_get_debugregs()
>> kvm_vcpu_ioctl_x86_set_debugregs
>> kvm_vcpu_ioctl_x86_get_xcrs()
>> kvm_vcpu_ioctl_x86_set_xcrs()
>>
>> In addition, the following will error for confidential FPU state:
>>
>> kvm_vcpu_ioctl_x86_get_xsave ()
>> kvm_vcpu_ioctl_x86_get_xsave2()
>> kvm_vcpu_ioctl_x86_set_xsave()
>> kvm_arch_vcpu_ioctl_get_fpu()
>> kvm_arch_vcpu_ioctl_set_fpu()
>>
>> And finally, in accordance with commit 66155de93bcf ("KVM: x86: Disallow
>> read-only memslots for SEV-ES and SEV-SNP (and TDX)"), read-only
>> memslots will be disallowed.
>>
>> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
>> ---
>> TD vcpu enter/exit v2:
>> - New patch
>> ---
>> arch/x86/kvm/vmx/tdx.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
>> index ea9498028212..a7ebdafdfd82 100644
>> --- a/arch/x86/kvm/vmx/tdx.c
>> +++ b/arch/x86/kvm/vmx/tdx.c
>> @@ -553,6 +553,7 @@ int tdx_vm_init(struct kvm *kvm)
>>  {
>>  	struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
>> +	kvm->arch.has_protected_state = true;
>
> This can be squashed into the one that implements the tdx_vm_init();

This has been done in kvm-coco-queue. We have rebased on kvm-coco-queue so we are in sync on this.
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index ea9498028212..a7ebdafdfd82 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -553,6 +553,7 @@ int tdx_vm_init(struct kvm *kvm) { struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm); + kvm->arch.has_protected_state = true; kvm->arch.has_private_mem = true; /*
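Review bot: The added line `kvm->arch.has_protected_state = true;` in tdx_vm_init() carries no comment, yet the commit message ties a long list of behaviours to it (rejection of the GET/SET_REGS, SREGS, SREGS2, DEBUGREGS, XCRS, XSAVE and FPU vcpu ioctls, plus the read-only memslot restriction from commit 66155de93bcf); a one-line comment above the assignment, next to the existing `has_private_mem = true;`, would tell a later reader of tdx.c why those ioctls fail for a TD rather than leaving them to trace it through kvm_arch_vcpu_ioctl(). As already raised in the thread, a single-line enablement like this has no standalone value and reads better squashed into the patch that introduces tdx_vm_init(), which is what kvm-coco-queue did.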
TDX VMs have protected state. Accordingly, set arch.has_protected_state to
true.

This will cause the following IOCTL functions to return an error:

kvm_arch_vcpu_ioctl() case KVM_GET_SREGS2
kvm_arch_vcpu_ioctl() case KVM_SET_SREGS2
kvm_arch_vcpu_ioctl_get_regs()
kvm_arch_vcpu_ioctl_set_regs()
kvm_arch_vcpu_ioctl_get_sregs()
kvm_arch_vcpu_ioctl_set_sregs()
kvm_vcpu_ioctl_x86_get_debugregs()
kvm_vcpu_ioctl_x86_set_debugregs
kvm_vcpu_ioctl_x86_get_xcrs()
kvm_vcpu_ioctl_x86_set_xcrs()

In addition, the following will error for confidential FPU state:

kvm_vcpu_ioctl_x86_get_xsave ()
kvm_vcpu_ioctl_x86_get_xsave2()
kvm_vcpu_ioctl_x86_set_xsave()
kvm_arch_vcpu_ioctl_get_fpu()
kvm_arch_vcpu_ioctl_set_fpu()

And finally, in accordance with commit 66155de93bcf ("KVM: x86: Disallow
read-only memslots for SEV-ES and SEV-SNP (and TDX)"), read-only
memslots will be disallowed.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---
TD vcpu enter/exit v2:
- New patch
---
arch/x86/kvm/vmx/tdx.c | 1 +
1 file changed, 1 insertion(+)