Date: Wed, 27 Apr 2022 17:50:37 -0700
From: Dave Hansen
Subject: Re: [PATCH v3 00/21] TDX host kernel support
To: Kai Huang, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, pbonzini@redhat.com, len.brown@intel.com,
    tony.luck@intel.com, rafael.j.wysocki@intel.com,
    reinette.chatre@intel.com, dan.j.williams@intel.com,
    peterz@infradead.org, ak@linux.intel.com,
    kirill.shutemov@linux.intel.com,
    sathyanarayanan.kuppuswamy@linux.intel.com, isaku.yamahata@intel.com

On 4/27/22 17:37, Kai Huang wrote:
> On Wed, 2022-04-27 at 14:59 -0700, Dave Hansen wrote:
>> In 5 years, if someone takes this code and runs it on Intel hardware
>> with memory hotplug, CPU hotplug, NVDIMMs *AND* TDX support, what happens?
>
> I thought we could document this in the documentation saying that this code can
> only work on TDX machines that don't have above capabilities (SPR for now). We
> can change the code and the documentation when we add the support of those
> features in the future, and update the documentation.
>
> If 5 years later someone takes this code, he/she should take a look at the
> documentation and figure out that he/she should choose a newer kernel if the
> machine supports those features.
>
> I'll think about design solutions if above doesn't look good for you.

No, it doesn't look good to me.

You can't just say:

    /*
     * This code will eat puppies if used on systems with hotplug.
     */

and merrily await the puppy bloodbath.

If it's not compatible, then you have to *MAKE* it not compatible in a
safe, controlled way.

>> You can't just ignore the problems because they're not present on one
>> version of the hardware.

Please, please read this again ^^

>> What about all the concerns about TDX module configuration changing?
>
> Leaving the TDX module in fully initialized state or shutdown state (in case of
> error during its initialization) to the new kernel is fine. If the new kernel
> doesn't use TDX at all, then the TDX module won't access memory using its
> global TDX KeyID. If the new kernel wants to use TDX, it will fail on the very
> first SEAMCALL when it tries to initialize the TDX module, and won't use
> SEAMCALL to call the TDX module again. If the new kernel doesn't follow this,
> then it is a bug in the new kernel, or the new kernel is malicious, in which
> case it can potentially corrupt the data. But I don't think we need to consider
> this as if the new kernel is malicious, then it can corrupt data anyway.
>
> Does this make sense?

No, I'm pretty lost. But, I'll look at the next version of this with
fresh eyes and hopefully you'll have had time to streamline the text by
then.