Message ID | 20250503191515.24041-14-ricardo.neri-calderon@linux.intel.com |
---|---|
State | New |
Series | x86/hyperv/hv_vtl: Use a wakeup mailbox to boot secondary CPUs |
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Sent: Saturday, May 3, 2025 12:15 PM > > The hypervisor is an untrusted entity for TDX guests. It cannot be used > to boot secondary CPUs. The function hv_vtl_wakeup_secondary_cpu() cannot > be used. > > Instead, the virtual firmware boots the secondary CPUs and places them in > a state to transfer control to the kernel using the wakeup mailbox. > > The kernel updates the APIC callback wakeup_secondary_cpu_64() to use > the mailbox if detected early during boot (enumerated via either an ACPI > table or a DeviceTree node). > > Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> > --- > Changes since v2: > - Unconditionally use the wakeup mailbox in a TDX confidential VM. > (Michael). > - Edited the commit message for clarity. > > Changes since v1: > - None > --- > arch/x86/hyperv/hv_vtl.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c > index cd48bedd21f0..30a5a0c156c1 100644 > --- a/arch/x86/hyperv/hv_vtl.c > +++ b/arch/x86/hyperv/hv_vtl.c > @@ -299,7 +299,15 @@ int __init hv_vtl_early_init(void) > panic("XSAVE has to be disabled as it is not supported by this module.\n" > "Please add 'noxsave' to the kernel command line.\n"); > > - apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); > + /* > + * TDX confidential VMs do not trust the hypervisor and cannot use it to > + * boot secondary CPUs. Instead, they will be booted using the wakeup > + * mailbox if detected during boot. See setup_arch(). > + * > + * There is no paravisor present if we are here. > + */ > + if (!hv_isolation_type_tdx()) > + apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); > > return 0; > } > -- > 2.43.0 Reviewed-by: Michael Kelley <mhklinux@outlook.com>
On Tue, May 20, 2025 at 01:35:02AM +0000, Michael Kelley wrote: > From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Sent: Saturday, May 3, 2025 12:15 PM > > > > The hypervisor is an untrusted entity for TDX guests. It cannot be used > > to boot secondary CPUs. The function hv_vtl_wakeup_secondary_cpu() cannot > > be used. > > > > Instead, the virtual firmware boots the secondary CPUs and places them in > > a state to transfer control to the kernel using the wakeup mailbox. > > > > The kernel updates the APIC callback wakeup_secondary_cpu_64() to use > > the mailbox if detected early during boot (enumerated via either an ACPI > > table or a DeviceTree node). > > > > Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> > > --- > > Changes since v2: > > - Unconditionally use the wakeup mailbox in a TDX confidential VM. > > (Michael). > > - Edited the commit message for clarity. > > > > Changes since v1: > > - None > > --- > > arch/x86/hyperv/hv_vtl.c | 10 +++++++++- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c > > index cd48bedd21f0..30a5a0c156c1 100644 > > --- a/arch/x86/hyperv/hv_vtl.c > > +++ b/arch/x86/hyperv/hv_vtl.c 
> > @@ -299,7 +299,15 @@ int __init hv_vtl_early_init(void) > > panic("XSAVE has to be disabled as it is not supported by this module.\n" > > "Please add 'noxsave' to the kernel command line.\n"); > > > > - apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); > > + /* > > + * TDX confidential VMs do not trust the hypervisor and cannot use it to > > + * boot secondary CPUs. Instead, they will be booted using the wakeup > > + * mailbox if detected during boot. See setup_arch(). > > + * > > + * There is no paravisor present if we are here. > > + */ > > + if (!hv_isolation_type_tdx()) > > + apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); > > > > return 0; > > } > > -- > > 2.43.0 > > Reviewed-by: Michael Kelley <mhklinux@outlook.com> Thank you very much for your review!
diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c index cd48bedd21f0..30a5a0c156c1 100644 --- a/arch/x86/hyperv/hv_vtl.c +++ b/arch/x86/hyperv/hv_vtl.c @@ -299,7 +299,15 @@ int __init hv_vtl_early_init(void) panic("XSAVE has to be disabled as it is not supported by this module.\n" "Please add 'noxsave' to the kernel command line.\n"); - apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); + /* + * TDX confidential VMs do not trust the hypervisor and cannot use it to + * boot secondary CPUs. Instead, they will be booted using the wakeup + * mailbox if detected during boot. See setup_arch(). + * + * There is no paravisor present if we are here. + */ + if (!hv_isolation_type_tdx()) + apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); return 0; }
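Review bot: In the TDX case of the new `if (!hv_isolation_type_tdx())` check in hv_vtl_early_init(), nothing covers a guest where the wakeup mailbox was not detected. The added comment says the mailbox is used only "if detected during boot", yet on a TDX VM this function now installs no callback at all and returns 0 without any diagnostic. Consider handling that case explicitly here (a warning or an error when the guest is TDX and no mailbox was enumerated), or extend the comment to say which wakeup path such a guest ends up with. The sentence "There is no paravisor present if we are here" is also stated without a check; naming the condition that guarantees it would make the assumption verifiable for the next reader.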
The hypervisor is an untrusted entity for TDX guests. It cannot be used to boot secondary CPUs. The function hv_vtl_wakeup_secondary_cpu() cannot be used.

Instead, the virtual firmware boots the secondary CPUs and places them in a state to transfer control to the kernel using the wakeup mailbox.

The kernel updates the APIC callback wakeup_secondary_cpu_64() to use the mailbox if detected early during boot (enumerated via either an ACPI table or a DeviceTree node).

Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>

---

Changes since v2:
 - Unconditionally use the wakeup mailbox in a TDX confidential VM. (Michael).
 - Edited the commit message for clarity.

Changes since v1:
 - None

---

 arch/x86/hyperv/hv_vtl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)