Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp23133rwb; Wed, 10 Aug 2022 18:26:39 -0700 (PDT) X-Google-Smtp-Source: AA6agR6gm6oyzLmpUYEOJTEtzWwXgTBzR5Vex6Tps1m99y8TpbYk6vbILPrQpHj0ReIqHX54Otj4 X-Received: by 2002:a05:6402:3293:b0:43e:4a21:af84 with SMTP id f19-20020a056402329300b0043e4a21af84mr29064267eda.170.1660181199637; Wed, 10 Aug 2022 18:26:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660181199; cv=none; d=google.com; s=arc-20160816; b=BOoubKQ6do3wQgv42YHhlnHj8a0/a0RiUMkpWdZKwHp6tZpMyHNsVIji9or7fjKXFG btr8VSnXtMYOKkeF9NVoVrMYb6Hol9iEyjACA61Zg35as4lZcW7JN1y45vRBi+ktt9Zj /NXkA/nTK+nnQTplI/u+2sq62luJfDsu8O5ZkNsfxJRWCdpWRxFHwgkp1XNe5aC4JoLX NBCnIFXNcUf7xI019IV65CxTsudUG0nIiHVnUDYrr3auQf1TbJB9koVyHHtnfVl7wRbv mHxb2EDR+X8kq45P7wAGHUvpkaf3WNaM8+CzLA2FNxP0jF8rQQddfL9AUMOP+klzT/aJ IACQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:subject :from:references:cc:to:content-language:user-agent:mime-version:date :message-id:dkim-signature; bh=xfXmVztj0c1F6cRi4TXGz1NUtmbmVqYvpYZwRtvc098=; b=qdWC2X097qiHrFszDP+xETSTDtdL5on8bb1oRmPRWCtQYFOPAHdovzgKM0FY5XP0Nn y6/t3Nu7DnobBLZlpt2gaDWw6lLLw53LBEbGhIwINKIkk8yU/4cSMAlLf2c8Q7BTdLom KRpXjcLoVDZqTqFz7Ci3B46vItM7mgBccIi8i7vb+TqOBXp8qbrUGW8cDY5LkMqNGf+e /BjCwsIiIwEy7LyYT/pxrpTfZvjdahbQkddiBhvdDmeYpNBoP0McYvPqiPS2BnsbwfUv KJAYTC/6QAkuLyNpY+m3ytLrI0AP+bdEV8cwUz/zM2WQdFwKHaCn4FDirknN/M5tuA9G fa/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=jPIJ2Ppp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mh11-20020a170906eb8b00b00730bcbd396dsi43022ejb.406.2022.08.10.18.26.13; Wed, 10 Aug 2022 18:26:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=jPIJ2Ppp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232985AbiHKA7T (ORCPT + 99 others); Wed, 10 Aug 2022 20:59:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39374 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229488AbiHKA7R (ORCPT ); Wed, 10 Aug 2022 20:59:17 -0400 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 791E676952 for ; Wed, 10 Aug 2022 17:59:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1660179556; x=1691715556; h=message-id:date:mime-version:to:cc:references:from: subject:in-reply-to:content-transfer-encoding; bh=TUJhIrJ6uTfGYZ2zcKvEOT9MqdA7gEk1m688zpHRHYs=; b=jPIJ2PppY7xhufzQ8iWuwX2f9VO54Wr/BtDEd7YregiBa7xl7FWs3EwT WyWb+sk84tHNe1dqtrHhWhWQxzpsvgs5nE9rRjCqPOXb2YETTXv2hS5v7 xQdhEUK4diWuCCywyb6KZkcL4b3tH+DbMx3ZEbd2OkIVqJZRL8OUgKKvw AHfxpIyKj2Mn1wSHmvwKoypK+AeFAd4+90Lagi+ObZNALy+mceitWNc7P pY5jWOe8vKd6K3TaxQ2BTM3FE91xxKRxgPfWXLEZ6P97CspX9s3arJsj+ jEz3yPfgQtR2uVe5iLM7Jixdy9yh43X4SFJiMV4aY1o0Q+d63GH3o6Wmu w==; X-IronPort-AV: E=McAfee;i="6400,9594,10435"; a="271004705" X-IronPort-AV: E=Sophos;i="5.93,228,1654585200"; d="scan'208";a="271004705" Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Aug 2022 17:59:16 -0700 X-IronPort-AV: E=Sophos;i="5.93,228,1654585200"; d="scan'208";a="933114038" Received: from sarava2x-mobl1.gar.corp.intel.com (HELO [10.254.67.234]) ([10.254.67.234]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Aug 2022 17:59:15 -0700 Message-ID: Date: Wed, 10 Aug 2022 17:59:14 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Content-Language: en-US To: Thomas Gleixner , Dave Hansen , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "Shutemov, Kirill" , "Huang, Kai" Cc: "H. Peter Anvin" , linux-kernel@vger.kernel.org, "Gomez Iglesias, Antonio" , Pawan Gupta References: <20220809234000.783284-1-daniel.sneddon@linux.intel.com> <238ea612-5a25-9323-b31f-0a14493db2f7@linux.intel.com> <341ea6e9-d8f3-ee7a-6794-67408abbf047@linux.intel.com> <87r11nu52l.ffs@tglx> <83a0d220-1872-caba-4e7e-b6a366655cf2@linux.intel.com> <9888a920-37b8-9a1f-b887-6630492955c6@intel.com> <1d81ef6a-7505-fc13-ecbf-f3ca7a6fbfce@linux.intel.com> <87lervty0h.ffs@tglx> From: Daniel Sneddon Subject: Re: [PATCH] x86/apic: Don't disable x2APIC if locked In-Reply-To: <87lervty0h.ffs@tglx> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/10/22 17:38, Thomas Gleixner wrote: > On Wed, Aug 10 2022 at 17:01, Daniel Sneddon wrote: >> On 8/10/22 16:44, Dave Hansen wrote: >>> On 8/10/22 16:38, Daniel Sneddon wrote: >>>>> >>>>> config INTEL_TDX_GUEST >>>>> bool "Intel TDX (Trust Domain Extensions) - Guest Support" >>>>> depends on X86_64 && CPU_SUP_INTEL >>>>> depends on X86_X2APIC >>>> So I got some more input. SPR and newer will lock the APIC. >>> >>> Could you get a _little_ more clarity on this, please? Exactly how and >>> when will it be locked? What does the BIOS writer's guide say? Will >>> there be an explicit x2APIC lock option? Or, will it be implicitly >>> locked when SGX or TDX is enabled? >> >> The BIOS doesn't explicitly lock the APIC. The APIC will be locked if X2APIC >> mode is enabled when the BIOS does an MCHECK. X2APIC mode will be enabled if >> SGX or TDX are enabled. So when exactly does the BIOS do an MCHECK? That I'll >> have to get clarification on. > > Sorry, this is uncomprehensible word salad and none of this makes any > sense at all to me. > > Can you please explain this in comprehensible sentences understandable > by mere mortals? Basically if the BIOS is configured to enable SGX or TDX, it'll program the APIC to use x2APIC mode. At some point it'll have to run MCHECK (which is just an MSR write). When exactly the BIOS does this, I'm not sure. I've asked for clarification on that. At the point the BIOS does the MCHECK, if X2APIC mode is enabled, the ucode will set the LOCK bit, and any attempt after that to disable the APIC will result in the fault. Now, this assumes the BIOS will DTRT, and always enable x2APIC when SGX or TDX are enabled AND always perform the MCHECK, AND do those things in the right order. I'm not a BIOS guy so I have no idea where to even look to see if/where that is documented. I can certainly try to track that down if needed. I'm not sure if that's any clearer? I guess I could try some code: if (SGX_enabled() || TDX_enabled() set_x2apic_mode(); ..... MCHECK <-----At this point if x2APIC mode is on then the ucode set's the lock bit. ..... Hope that helps. > > Thanks, > > tglx