[0/2] x86/tdx: Enforce no #VE on private memory accesses

Message ID 20221028141220.29217-1-kirill.shutemov@linux.intel.com
Series: x86/tdx: Enforce no #VE on private memory accesses

Message

Kirill A. Shutemov Oct. 28, 2022, 2:12 p.m. UTC
As described in 9a22bf6debbf ("x86/traps: Add #VE support for TDX
guest"), the kernel relies on "no #VE on access to private memory" to keep
the guest secure from attacks against the syscall gap or NMI entry code.

The SEPT_VE_DISABLE TD attribute controls TDX module behaviour on EPT
violation.

The attribute must be set to avoid #VE. Refuse to boot the guest if it
is not.

Kirill A. Shutemov (1):
  x86/tdx: Do not allow #VE due to EPT violation on the private memory

Kuppuswamy Sathyanarayanan (1):
  x86/tdx: Extract GET_INFO call from get_cc_mask()

 arch/x86/coco/tdx/tdx.c | 74 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 69 insertions(+), 5 deletions(-)
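As an added illustration (not the series' own code), the following user-space model shows the two pieces of TDG.VP.INFO handling the cover letter describes: deriving the shared-bit mask from the GPA width, and refusing a TD whose attributes lack SEPT_VE_DISABLE. The register layout (GPA width in RCX bits 5:0, attributes in RDX, SEPT_VE_DISABLE as attribute bit 28) is assumed from the TDX module specification; the `struct tdinfo` values are constructed here, not read from hardware.

```c
/* Added example modelling the checks; register layout and bit 28 are assumptions
 * from the TDX module spec, the tdinfo values below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT_ULL(n)            (1ULL << (n))
#define GPA_WIDTH_MASK        0x3fULL      /* RCX bits 5:0 */
#define ATTR_SEPT_VE_DISABLE  BIT_ULL(28)  /* TD attribute in RDX (assumed position) */

/* Output registers of the TDG.VP.INFO TDCALL, as the guest would see them. */
struct tdinfo {
	uint64_t rcx;   /* GPA width in bits 5:0 */
	uint64_t rdx;   /* TD attributes */
};

/* Shared-bit mask: the top bit of the guest physical address space. */
static uint64_t tdx_cc_mask(const struct tdinfo *info)
{
	unsigned int gpa_width = info->rcx & GPA_WIDTH_MASK;
	return BIT_ULL(gpa_width - 1);
}

/* True when the TDX module will never inject #VE on private-memory EPT violations. */
static bool tdx_sept_ve_disabled(const struct tdinfo *info)
{
	return (info->rdx & ATTR_SEPT_VE_DISABLE) != 0;
}

/* 0 if the TD configuration is acceptable; -1 mirrors the "refuse to boot" path. */
static int tdx_check_td_config(const struct tdinfo *info, uint64_t *cc_mask)
{
	if (!tdx_sept_ve_disabled(info)) {
		fprintf(stderr, "TD misconfiguration: SEPT_VE_DISABLE attribute must be set\n");
		return -1;
	}
	*cc_mask = tdx_cc_mask(info);
	return 0;
}

int main(void)
{
	/* Constructed samples: 52-bit GPA width, with and without SEPT_VE_DISABLE. */
	struct tdinfo good = { .rcx = 52, .rdx = ATTR_SEPT_VE_DISABLE };
	struct tdinfo bad  = { .rcx = 52, .rdx = 0 };
	uint64_t mask = 0;

	if (tdx_check_td_config(&good, &mask) == 0)
		printf("good TD: cc_mask = 0x%llx\n", (unsigned long long)mask);
	if (tdx_check_td_config(&bad, &mask) != 0)
		printf("bad TD: refusing to boot\n");
	return 0;
}
```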