Commit aed4dde2 authored by Isaku Yamahata's avatar Isaku Yamahata Committed by Paolo Bonzini
Browse files

x86/virt/tdx: Add tdx_guest_keyid_alloc/free() to alloc and free TDX guest KeyID 



Intel TDX protects guest VMs from malicious host and certain physical
attacks. Pre-TDX Intel hardware has support for a memory encryption
architecture called MK-TME, which repurposes several high bits of
physical address as "KeyID". The BIOS reserves a sub-range of MK-TME
KeyIDs as "TDX private KeyIDs".

Each TDX guest must be assigned with a unique TDX KeyID when it is
created. The kernel reserves the first TDX private KeyID for
crypto-protection of specific TDX module data which has a lifecycle that
exceeds the KeyID reserved for the TD's use. The rest of the KeyIDs are
left for TDX guests to use.

Create a small KeyID allocator. Export
tdx_guest_keyid_alloc()/tdx_guest_keyid_free() to allocate and free TDX
guest KeyID for KVM to use.

Don't provide the stub functions when CONFIG_INTEL_TDX_HOST=n since they
are not supposed to be called in this case.

Signed-off-by: default avatarIsaku Yamahata <isaku.yamahata@intel.com>
Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
Message-ID: <20241030190039.77971-5-rick.p.edgecombe@intel.com>
Acked-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 4caf32da

arch/x86/include/asm/tdx.h

+3 −0
Original line number Diff line number Diff line
@@ -122,6 +122,9 @@ int tdx_cpu_enable(void); 
int tdx_enable(void);

const char *tdx_dump_mce_info(struct mce *m);



int tdx_guest_keyid_alloc(void);

void tdx_guest_keyid_free(unsigned int keyid);



struct tdx_td {

	/* TD root structure: */

	struct page *tdr_page;

arch/x86/virt/vmx/tdx/tdx.c

+17 −0
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ 
#include <linux/log2.h>

#include <linux/acpi.h>

#include <linux/suspend.h>

#include <linux/idr.h>

#include <asm/page.h>

#include <asm/special_insns.h>

#include <asm/msr-index.h>
@@ -43,6 +44,8 @@ static u32 tdx_global_keyid __ro_after_init; 
static u32 tdx_guest_keyid_start __ro_after_init;

static u32 tdx_nr_guest_keyids __ro_after_init;



static DEFINE_IDA(tdx_guest_keyid_pool);



static DEFINE_PER_CPU(bool, tdx_lp_initialized);



static struct tdmr_info_list tdx_tdmr_list;
@@ -1459,6 +1462,20 @@ void __init tdx_init(void) 
	check_tdx_erratum();

}



int tdx_guest_keyid_alloc(void)

{

	return ida_alloc_range(&tdx_guest_keyid_pool, tdx_guest_keyid_start,

			       tdx_guest_keyid_start + tdx_nr_guest_keyids - 1,

			       GFP_KERNEL);

}

EXPORT_SYMBOL_GPL(tdx_guest_keyid_alloc);



void tdx_guest_keyid_free(unsigned int keyid)

{

	ida_free(&tdx_guest_keyid_pool, keyid);

}

EXPORT_SYMBOL_GPL(tdx_guest_keyid_free);



static inline u64 tdx_tdr_pa(struct tdx_td *td)

{

	return page_to_phys(td->tdr_page);