LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Kuppuswamy Sathyanarayanan  <sathyanarayanan.kuppuswamy@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Andy Lutomirski <luto@kernel.org>
Cc: Peter H Anvin <hpa@zytor.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Tony Luck <tony.luck@intel.com>,
	Dan Williams <dan.j.williams@intel.com>,
	Andi Kleen <ak@linux.intel.com>,
	Kirill Shutemov <kirill.shutemov@linux.intel.com>,
	Sean Christopherson <seanjc@google.com>,
	Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
	x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 4/4] x86/tdx: Add tdg_debug_enabled() interface
Date: Mon, 19 Jul 2021 21:33:38 -0700	[thread overview]
Message-ID: <20210720043338.2123695-5-sathyanarayanan.kuppuswamy@linux.intel.com> (raw)
In-Reply-To: <20210720043338.2123695-1-sathyanarayanan.kuppuswamy@linux.intel.com>

A guest TD is defined as debuggable if its ATTRIBUTES.DEBUG bit is 1.
In this mode, the host VMM can use Intel TDX functions to access
secret TD state that is not accessible for non-debuggable TDs. A
debuggable TD is, by nature, untrusted.

Since the TD’s ATTRIBUTES are included in the TDG.MR.REPORT, the TD’s
debuggability state can be known to any third party to which the TD
attests. TD Attributes are initialized during TD INIT call. You can get
more details about debug features in Intel Trust Domain Extensions
(Intel TDX) Module Architecture specification, sec 13.3.

Add a new interface to detect the TDX debug mode. This will be used by
follow-on patches. Examples of its usage are, when adding command line
debug options to disable TDX features like driver or port filter,
tdg_debug_enabled() is used to make sure it is used only in debug
mode.

https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1eas-v0.85.039.pdf

Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
---
 arch/x86/include/asm/tdx.h | 1 +
 arch/x86/kernel/tdx.c      | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index 665c8cf57d5b..1c0d4bf693a3 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -67,6 +67,7 @@ enum tdx_map_type {
 
 #ifdef CONFIG_INTEL_TDX_GUEST
 
+bool tdg_debug_enabled(void);
 void __init tdx_early_init(void);
 
 bool tdx_prot_guest_has(unsigned long flag);
diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c
index 9b0361218863..fcf2743481b7 100644
--- a/arch/x86/kernel/tdx.c
+++ b/arch/x86/kernel/tdx.c
@@ -123,6 +123,11 @@ phys_addr_t tdg_shared_mask(void)
 	return 1ULL << (td_info.gpa_width - 1);
 }
 
+bool tdg_debug_enabled(void)
+{
+	return td_info.attributes & BIT(0);
+}
+
 static void tdg_get_info(void)
 {
 	u64 ret;
-- 
2.25.1


  parent reply	other threads:[~2021-07-20  4:34 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-20  4:33 [PATCH v2 0/4] Add TDX Guest Support (Debug support) Kuppuswamy Sathyanarayanan
2021-07-20  4:33 ` [PATCH v2 1/4] x86/tdx: Add #VE tracepoint Kuppuswamy Sathyanarayanan
2021-07-20  4:33 ` [PATCH v2 2/4] x86/tdx: Add TDCALL tracepoint Kuppuswamy Sathyanarayanan
2021-07-20  4:33 ` [PATCH v2 3/4] x86/tdx: Expose TDX Guest #VE count in /proc/interrupts Kuppuswamy Sathyanarayanan
2021-07-20  4:33 ` Kuppuswamy Sathyanarayanan [this message]
2021-07-20 16:34   ` [PATCH v2 4/4] x86/tdx: Add tdg_debug_enabled() interface Dave Hansen
2021-07-20 17:37     ` Kuppuswamy, Sathyanarayanan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210720043338.2123695-5-sathyanarayanan.kuppuswamy@linux.intel.com \
    --to=sathyanarayanan.kuppuswamy@linux.intel.com \
    --cc=ak@linux.intel.com \
    --cc=bp@alien8.de \
    --cc=dan.j.williams@intel.com \
    --cc=dave.hansen@intel.com \
    --cc=hpa@zytor.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=knsathya@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=seanjc@google.com \
    --cc=tglx@linutronix.de \
    --cc=tony.luck@intel.com \
    --cc=x86@kernel.org \
    --subject='Re: [PATCH v2 4/4] x86/tdx: Add tdg_debug_enabled() interface' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).