Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3070622rdg;
        Tue, 17 Oct 2023 03:53:59 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFikct4PrDR46Fgi+NZ06fsI2en8tiovM3bhpOgmdV0FSE4Ki9YDY46aoHzZnNdUhrBAtD4
X-Received: by 2002:a17:902:fb87:b0:1ca:1c55:abcf with SMTP id lg7-20020a170902fb8700b001ca1c55abcfmr1803188plb.3.1697540039589;
        Tue, 17 Oct 2023 03:53:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697540039; cv=none;
        d=google.com; s=arc-20160816;
        b=RtiUJ0cD1IyWTzwG539ETchTMJknpplXvDenK6RVIADrB2KYnsOUZFdDKwu/urzcZc
         Rk/0MD9ezIJ6+u0xxrrCzQSKWHWl7Mux3WI7/On+YdOmgXDqNgvOy/Ac6c0rPDaNwoEG
         reKf4rzUag3SLxb80HEffLS8mJVzZ3ZLYevNob5cug7PAogWBpAUEbJ1Hj3E14w/P1W3
         EUQVSrv+x6p6qQxR4O2Rdr+eQWhmg/MEjgDgStB7w5mwUfm2r1Rgw9sKTNx18e9fHiRb
         3uoHsJr9zg6SaDLKzu1zzYA+lV4F0PnRzNyQdFw2RmWdd4Od27S3pQNdjSnJh/SGyAwV
         1VkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version;
        bh=ARsrENsLOtZ7Mp5iWyNi3KTSrWAUeqkKZXr3542/oqc=;
        fh=WtXE6ISztiqCRxc4Vn//rPDIA/Gd1QTe2iETVBmqm9I=;
        b=OXVI9pheaasQ76jVcM7NQbSLe62ufHCridwihH014ctxflKfVh+27brZyVNJMcXj9o
         z3Pdu4lgIOVYj9A7pUhhp2CaF0VAE0nyhohpYm+2PnWDPvkpMwXcARpqhL86U06rBWmu
         nAmHYn9hMRWEPI0ihv14p6J3GlelupMVeG3A1X204kLlL/N1H7YUs9pk+yeaDF7oMWC8
         7nchdVtW+nJpXcKkyQEj4rUJ+eL9eJy9Be7FpKBUOHDuI0H0ZfkzBZox0+8+gWeto04g
         9Cr2jHE3EoUjuv+Ax0sITwf4TXJM8uOGjEb/XvfJv0CxJmySU0a8rIrilpoOpTFC841z
         kXSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8])
        by mx.google.com with ESMTPS id y7-20020a17090322c700b001c62502d9fasi1529318plg.343.2023.10.17.03.53.59
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 17 Oct 2023 03:53:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by fry.vger.email (Postfix) with ESMTP id B144B804ADBC;
	Tue, 17 Oct 2023 03:53:56 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234953AbjJQKxm convert rfc822-to-8bit (ORCPT
        <rfc822;0x7f454c46@gmail.com> + 99 others);
        Tue, 17 Oct 2023 06:53:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35944 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234971AbjJQKxj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Oct 2023 06:53:39 -0400
Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31FA411A;
        Tue, 17 Oct 2023 03:53:36 -0700 (PDT)
Received: by mail-ot1-f45.google.com with SMTP id 46e09a7af769-6c6591642f2so1327420a34.1;
        Tue, 17 Oct 2023 03:53:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1697540015; x=1698144815;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wX3CNYvnPcIE1Gw36elnUGyF6yogJQd6j7/KiRGcVg0=;
        b=DSNAq8bbK4FGgZ5St9n+lZXESgqaOowLerXpTZ1KufhY9kCXwh9MmJIwKzLrJzfcqA
         sGT1c3BYR0CHzMRAij2x2BaTokrPz+D9ee4mqBkkqc9AivHag9RQtKPkr0n1thsmxKyA
         XCOw8poHaVQxoeWlKX+WpFB9VNRYd1SGLvTo3A4qEwZ/PWTrdCKNVk3hbpJ2JKScLz9h
         huV28Y2uqbdFXP1fW4e7tVVPaYLlCfkfIX8L6BrsPqGMO6+h9zjIa+OoTC2o3eJ18n1B
         KPlImMIWwXVDguUmx1x/1Z9O0QJy95W8aPAxbeKNHC9XLx0uihH4Zt9ikkqO9IVnPm+J
         sWgQ==
X-Gm-Message-State: AOJu0YycHjEaATLYwLvIzYbDYC0rSSV2YgzJnlmZHfNv2fg6ITBwOfUS
        WADwRqz6uv7Im0NUUTjgGtfL5YWLPGSmr2bGWAWNMwxe
X-Received: by 2002:a4a:b304:0:b0:581:d5df:9cd2 with SMTP id
 m4-20020a4ab304000000b00581d5df9cd2mr1231598ooo.0.1697540015390; Tue, 17 Oct
 2023 03:53:35 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1697532085.git.kai.huang@intel.com> <7daec6d20bf93c2ff87268866d112ee8efd44e01.1697532085.git.kai.huang@intel.com>
In-Reply-To: <7daec6d20bf93c2ff87268866d112ee8efd44e01.1697532085.git.kai.huang@intel.com>
From:   "Rafael J. Wysocki" <rafael@kernel.org>
Date:   Tue, 17 Oct 2023 12:53:24 +0200
Message-ID: <CAJZ5v0ifJ5G7yOidiADkbwvuttVAVhVx6eSoJqBDeacZiGXZDg@mail.gmail.com>
Subject: Re: [PATCH v14 21/23] x86/virt/tdx: Handle TDX interaction with ACPI
 S3 and deeper states
To:     Kai Huang <kai.huang@intel.com>
Cc:     linux-kernel@vger.kernel.org, kvm@vger.kernel.org, x86@kernel.org,
        dave.hansen@intel.com, kirill.shutemov@linux.intel.com,
        peterz@infradead.org, tony.luck@intel.com, tglx@linutronix.de,
        bp@alien8.de, mingo@redhat.com, hpa@zytor.com, seanjc@google.com,
        pbonzini@redhat.com, rafael@kernel.org, david@redhat.com,
        dan.j.williams@intel.com, len.brown@intel.com, ak@linux.intel.com,
        isaku.yamahata@intel.com, ying.huang@intel.com, chao.gao@intel.com,
        sathyanarayanan.kuppuswamy@linux.intel.com, nik.borisov@suse.com,
        bagasdotme@gmail.com, sagis@google.com, imammedo@redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8BIT
X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 17 Oct 2023 03:53:56 -0700 (PDT)

On Tue, Oct 17, 2023 at 12:17 PM Kai Huang <kai.huang@intel.com> wrote:
>
> TDX cannot survive from S3 and deeper states.  The hardware resets and
> disables TDX completely when platform goes to S3 and deeper.  Both TDX
> guests and the TDX module get destroyed permanently.
>
> The kernel uses S3 to support suspend-to-ram, and S4 or deeper states to
> support hibernation.  The kernel also maintains TDX states to track
> whether it has been initialized and its metadata resource, etc.  After
> resuming from S3 or hibernation, these TDX states won't be correct
> anymore.
>
> Theoretically, the kernel can do more complicated things like resetting
> TDX internal states and TDX module metadata before going to S3 or
> deeper, and re-initialize TDX module after resuming, etc, but there is
> no way to save/restore TDX guests for now.
>
> Until TDX supports full save and restore of TDX guests, there is no big
> value to handle TDX module in suspend and hibernation alone.  To make
> things simple, just choose to make TDX mutually exclusive with S3 and
> hibernation.
>
> Note the TDX module is initialized at runtime.  To avoid having to deal
> with the fuss of determining TDX state at runtime, just choose TDX vs S3
> and hibernation at kernel early boot.  It's a bad user experience if the
> choice of TDX and S3/hibernation is done at runtime anyway, i.e., the
> user can experience being able to do S3/hibernation but later becoming
> unable to due to TDX being enabled.
>
> Disable TDX in kernel early boot when hibernation is available, and give
> a message telling the user to disable hibernation via kernel command
> line in order to use TDX.  Currently there's no mechanism exposed by the
> hibernation code to allow other kernel code to disable hibernation once
> for all.
>
> Disable ACPI S3 by setting acpi_suspend_lowlevel function pointer to
> NULL when TDX is enabled by the BIOS.  This avoids having to modify the
> ACPI code to disable ACPI S3 in other ways.
>
> Also give a message telling the user to disable TDX in the BIOS in order
> to use ACPI S3.  A new kernel command line can be added in the future if
> there's a need to let user disable TDX host via kernel command line.
>
> Signed-off-by: Kai Huang <kai.huang@intel.com>
> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> ---
>
> v13 -> v14:
>  - New patch
>
> ---
>  arch/x86/virt/vmx/tdx/tdx.c | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
>
> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> index e82f0adeea4d..1d0f1045dd33 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.c
> +++ b/arch/x86/virt/vmx/tdx/tdx.c
> @@ -28,10 +28,12 @@
>  #include <linux/sort.h>
>  #include <linux/log2.h>
>  #include <linux/reboot.h>
> +#include <linux/suspend.h>
>  #include <asm/msr-index.h>
>  #include <asm/msr.h>
>  #include <asm/page.h>
>  #include <asm/special_insns.h>
> +#include <asm/acpi.h>
>  #include <asm/tdx.h>
>  #include "tdx.h"
>
> @@ -1427,6 +1429,22 @@ static int __init tdx_init(void)
>                 return -ENODEV;
>         }
>
> +#define HIBERNATION_MSG                \
> +       "Disable TDX due to hibernation is available. Use 'nohibernate' command line to disable hibernation."

I'm not sure if this new symbol is really necessary.

The message could be as simple as "Initialization failed: Hibernation
support is enabled" (assuming a properly defined pr_fmt()), because
that carries enough information about the reason for the failure IMO.

How to address it can be documented elsewhere.

> +       /*
> +        * Note hibernation_available() can vary when it is called at
> +        * runtime as it checks secretmem_active() and cxl_mem_active()
> +        * which can both vary at runtime.  But here at early_init() they
> +        * both cannot return true, thus when hibernation_available()
> +        * returns false here, hibernation is disabled by either
> +        * 'nohibernate' or LOCKDOWN_HIBERNATION security lockdown,
> +        * which are both permanent.
> +        */

IIUC, the role of the comment is to document the fact that it is OK to
use hiberation_available() here, because it cannot return "false"
intermittently at this point, so I would just say "At this point,
hibernation_available() indicates whether or not hibernation support
has been permanently disabled", without going into all of the details
(which are irrelevant IMO and may change in the future).

> +       if (hibernation_available()) {
> +               pr_err("initialization failed: %s\n", HIBERNATION_MSG);
> +               return -ENODEV;
> +       }
> +
>         err = register_memory_notifier(&tdx_memory_nb);
>         if (err) {
>                 pr_err("initialization failed: register_memory_notifier() failed (%d)\n",
> @@ -1442,6 +1460,11 @@ static int __init tdx_init(void)
>                 return -ENODEV;
>         }
>
> +#ifdef CONFIG_ACPI
> +       pr_info("Disable ACPI S3 suspend. Turn off TDX in the BIOS to use ACPI S3.\n");
> +       acpi_suspend_lowlevel = NULL;
> +#endif

It would be somewhat nicer to have a helper for setting this pointer.

> +
>         /*
>          * Just use the first TDX KeyID as the 'global KeyID' and
>          * leave the rest for TDX guests.
> --