Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp4563542rwd; Sun, 4 Jun 2023 07:57:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6dqaihvmIYK2rFmrrcslLfRCSDa/PMKQNUz4FiCkn6AEKo0vuvGlmiCwuJOPYY+eK1psF+ X-Received: by 2002:a05:6e02:810:b0:33b:3d21:7db3 with SMTP id u16-20020a056e02081000b0033b3d217db3mr15221813ilm.27.1685890668466; Sun, 04 Jun 2023 07:57:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685890668; cv=none; d=google.com; s=arc-20160816; b=WZ1n0ORI0i3zQyObArCv4NUNOkXtE3cOd/KjfzmbsiM1BcwfqXk+SiduCEZkEX485z iECRsFPY/KfvQofuHCg2kaAdQ7fKUGmpiTXBHpaKLej4nZfcgX7jPSgYywiGRPQ6kFHk kIRj3X1OkJswrD9Itg7z2IznJeiXh8IsVUhhZPFYdbsVZL7K37eBSEKjEMc7jaN4ibo1 pxGsiG+dp9IfttWFkMPD0TDF7xH1l73+vMZ6D59iHciYQXKphAQVgVIDJ0/ZZNbZXDt3 954l7g/5jU4QwcPh3qp6hGrp9LcguKAfs/ZO1bPKw6OsgpEXLyIE4nZLjzYV+K4SOxzt CMvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=zrH4UbXtiCrEZlZO35UwPaWlgtRLNZT9eEqb0M1nRcY=; b=wKSAfWDZX0qLEcPXJDBTgnTAgnlRFtOeTSpGZtYTeicRsOQZH+WrZt1XX2h+sBJl1/ GRjJNgcZ2I+uebAhJXwf5kxzt5Rv92xgsRP7VOGHz/28GURkAn2nzFswuo02auRYxLQ4 9PG+qQ2BSK9vpoQj5wCMzWLoyI57vcMt7TblzB5RV+ha9UTfoN/2e0M+66wu23rZeokS DmTBQCb7dfWy7E4VDrpIJoYmiSt4oO0dtqwnzsduqKH3b8o97YK5hKLnCZ8Ms9TQoPKk 7FJbvZU3nupE8OjMvFnhAgRFJNoH3uhsJv3d9DiXRHu5Jl0CRWyEO3pCMwN4nRmZxh4p Aacg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="XE/Ab69+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i4-20020a636d04000000b0053f3d04e66csi4350761pgc.699.2023.06.04.07.57.36; Sun, 04 Jun 2023 07:57:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="XE/Ab69+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232316AbjFDObG (ORCPT + 99 others); Sun, 4 Jun 2023 10:31:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51652 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231768AbjFDOam (ORCPT ); Sun, 4 Jun 2023 10:30:42 -0400 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6606B1B6; Sun, 4 Jun 2023 07:30:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1685889035; x=1717425035; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=NE9SvDWlxjKkJmtHRhd4yPtLD1ElHWnYUmIkHeViI64=; b=XE/Ab69+AA9PGSKzLOUBUSOjBPeaW1NA4RIq2zE404WXojVmIMYAh81D 8Cpyb1CjJ+oQyAw4zAhB1ht0ypz+RglvAgTlQEmqwYTw1wjNE/jF0zopi rcHT21yceW3ikIFxtOfceYQ/Ohgf0i2ZGFbGgBUcmgzVZOodTUPRaoWlD xtACumEczz1xicYNJKUvHb21rBqmV0NmFGGYXHAxTcJgVEuQSU1bQjOom 9d82TNjsJq4PQ3KyhGvcPa1ICLEji4i5r9UoyoopTGxk9vO/Sx/KNTwD0 ZxUazmWa5obYJ474n1Vm5Qfc7vrW2Vm+mEJs9frRTI1skoOYaVUYZPEyW A==; X-IronPort-AV: E=McAfee;i="6600,9927,10731"; a="353683673" X-IronPort-AV: E=Sophos;i="6.00,217,1681196400"; d="scan'208";a="353683673" Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2023 07:29:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10731"; a="1038501199" X-IronPort-AV: E=Sophos;i="6.00,217,1681196400"; d="scan'208";a="1038501199" Received: from tdhastx-mobl2.amr.corp.intel.com (HELO khuang2-desk.gar.corp.intel.com) ([10.212.50.31]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2023 07:29:14 -0700 From: Kai Huang To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: linux-mm@kvack.org, dave.hansen@intel.com, kirill.shutemov@linux.intel.com, tony.luck@intel.com, peterz@infradead.org, tglx@linutronix.de, seanjc@google.com, pbonzini@redhat.com, david@redhat.com, dan.j.williams@intel.com, rafael.j.wysocki@intel.com, ying.huang@intel.com, reinette.chatre@intel.com, len.brown@intel.com, ak@linux.intel.com, isaku.yamahata@intel.com, chao.gao@intel.com, sathyanarayanan.kuppuswamy@linux.intel.com, bagasdotme@gmail.com, sagis@google.com, imammedo@redhat.com, kai.huang@intel.com Subject: [PATCH v11 17/20] x86/kexec: Flush cache of TDX private memory Date: Mon, 5 Jun 2023 02:27:30 +1200 Message-Id: <17bcbe3e154415ee7a4c77489809a3db0c5ddf3f.1685887183.git.kai.huang@intel.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There are two problems in terms of using kexec() to boot to a new kernel when the old kernel has enabled TDX: 1) Part of the memory pages are still TDX private pages; 2) There might be dirty cachelines associated with TDX private pages. The first problem doesn't matter on the platforms w/o the "partial write machine check" erratum. KeyID 0 doesn't have integrity check. If the new kernel wants to use any non-zero KeyID, it needs to convert the memory to that KeyID and such conversion would work from any KeyID. However the old kernel needs to guarantee there's no dirty cacheline left behind before booting to the new kernel to avoid silent corruption from later cacheline writeback (Intel hardware doesn't guarantee cache coherency across different KeyIDs). There are two things that the old kernel needs to do to achieve that: 1) Stop accessing TDX private memory mappings: a. Stop making TDX module SEAMCALLs (TDX global KeyID); b. Stop TDX guests from running (per-guest TDX KeyID). 2) Flush any cachelines from previous TDX private KeyID writes. For 2), use wbinvd() to flush cache in stop_this_cpu(), following SME support. And in this way 1) happens for free as there's no TDX activity between wbinvd() and the native_halt(). Flushing cache in stop_this_cpu() only flushes cache on remote cpus. On the cpu which does kexec(), unlike SME which does the cache flush in relocate_kernel(), do the cache flush right after stopping remote cpus in machine_shutdown(). This is because on the platforms with above erratum, the kernel needs to convert all TDX private pages back to normal before a fast warm reset reboot or booting to the new kernel in kexec(). Flushing cache in relocate_kernel() only covers the kexec() but not the fast warm reset reboot. Theoretically, cache flush is only needed when the TDX module has been initialized. However initializing the TDX module is done on demand at runtime, and it takes a mutex to read the module status. Just check whether TDX is enabled by the BIOS instead to flush cache. Signed-off-by: Kai Huang Reviewed-by: Isaku Yamahata --- v10 -> v11: - Fixed a bug that cache for rebooting cpu isn't flushed for TDX private memory. - Updated changelog accordingly. v9 -> v10: - No change. v8 -> v9: - Various changelog enhancement and fix (Dave). - Improved comment (Dave). v7 -> v8: - Changelog: - Removed "leave TDX module open" part due to shut down patch has been removed. v6 -> v7: - Improved changelog to explain why don't convert TDX private pages back to normal. --- arch/x86/kernel/process.c | 7 ++++++- arch/x86/kernel/reboot.c | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index dac41a0072ea..0ce66deb9bc8 100644 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -780,8 +780,13 @@ void __noreturn stop_this_cpu(void *dummy) * * Test the CPUID bit directly because the machine might've cleared * X86_FEATURE_SME due to cmdline options. + * + * The TDX module or guests might have left dirty cachelines + * behind. Flush them to avoid corruption from later writeback. + * Note that this flushes on all systems where TDX is possible, + * but does not actually check that TDX was in use. */ - if (cpuid_eax(0x8000001f) & BIT(0)) + if (cpuid_eax(0x8000001f) & BIT(0) || platform_tdx_enabled()) native_wbinvd(); for (;;) { /* diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index 3adbe97015c1..b3d0e015dae2 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -32,6 +32,7 @@ #include #include #include +#include /* * Power off function, if any @@ -695,6 +696,20 @@ void native_machine_shutdown(void) local_irq_disable(); stop_other_cpus(); #endif + /* + * stop_other_cpus() has flushed all dirty cachelines of TDX + * private memory on remote cpus. Unlike SME, which does the + * cache flush on _this_ cpu in the relocate_kernel(), flush + * the cache for _this_ cpu here. This is because on the + * platforms with "partial write machine check" erratum the + * kernel needs to convert all TDX private pages back to normal + * before a fast warm reset reboot or booting to the new kernel + * in kexec(), and the cache flush must be done before that. + * Flushing cache in relocate_kernel() only covers the kexec() + * but not the fast warm reset reboot. + */ + if (platform_tdx_enabled()) + native_wbinvd(); lapic_shutdown(); restore_boot_irq_mode(); -- 2.40.1