Linux Confidential Computing Development
From: Nikolay Borisov <nik.borisov@suse.com>
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com,
	linux-coco@lists.linux.dev,
	Nikolay Borisov <nik.borisov@suse.com>
Subject: [RFC PATCH] x86/virt/tdx: Disable KEXEC in the presence of TDX
Date: Thu, 18 Jan 2024 18:01:18 +0200	[thread overview]
Message-ID: <20240118160118.1899299-1-nik.borisov@suse.com> (raw)

TDX doesn't currently support kexec so disable the latter when TDX
is detected at boot time. If kexec must absolutely be supported then
TDX can be disabled from the BIOS.

Making this decision at run time rather than as a compile time option
allows distribution kernels to have both enabled and delegate to the
user whether they want to use TDX/Kexec.

Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
---

Sending as RFC as I don't know the reason why initially it was decided to
enforce the incompatibility between kexec/tdx at build time rather than runtime.

 arch/x86/Kconfig            | 1 -
 arch/x86/virt/vmx/tdx/tdx.c | 6 ++++++
 include/linux/kexec.h       | 1 +
 kernel/kexec_core.c         | 5 +++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 92c03cb99b3e..6c2b620b40d8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1973,7 +1973,6 @@ config INTEL_TDX_HOST
 	depends on X86_X2APIC
 	select ARCH_KEEP_MEMBLOCK
 	depends on CONTIG_ALLOC
-	depends on !KEXEC_CORE
 	depends on X86_MCE
 	help
 	  Intel Trust Domain Extensions (TDX) protects guest VMs from malicious
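Review bot: dropping `depends on !KEXEC_CORE` is the only change to this Kconfig entry, so the INTEL_TDX_HOST help text still says nothing about kexec even though enabling TDX now silently disables it at boot. Please extend the help text to state that on systems where TDX is detected kexec (and the kexec load syscalls) will be refused at runtime and that TDX must be turned off in the BIOS to use kexec, so that someone enabling both options knows what to expect.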
diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
index 4d6826a76f78..270090bd7b5e 100644
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -20,6 +20,7 @@
 #include <linux/memblock.h>
 #include <linux/memory.h>
 #include <linux/minmax.h>
+#include <linux/kexec.h>
 #include <linux/sizes.h>
 #include <linux/pfn.h>
 #include <linux/align.h>
@@ -1473,6 +1474,11 @@ void __init tdx_init(void)
 		return;
 	}

+#ifdef CONFIG_KEXEC_CORE
+	kexec_disable();
+	pr_info("Disable Kexec. Turn off TDX in the BIOS to use KEXEC.\n");
+#endif
+
 #if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND)
 	pr_info("Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.\n");
 	acpi_suspend_lowlevel = NULL;
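Review bot: the `#ifdef CONFIG_KEXEC_CORE` around the `kexec_disable()` call is only needed because the header change declares the function solely under CONFIG_KEXEC_CORE; if include/linux/kexec.h instead provided a `static inline void kexec_disable(void) { }` stub in its `#else /* !CONFIG_KEXEC_CORE */` branch, this block could lose the ifdef and match the unconditional style of the ACPI S3 block that follows it. Separately, since `kexec_load_disabled` gates the kexec load syscalls that are also used to load the crash kernel, this disables kdump as well; the pr_info and the commit message should say so explicitly rather than only mentioning "Kexec".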
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 8227455192b7..c434c8569242 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -500,6 +500,7 @@ static inline int crash_hotplug_memory_support(void) { return 0; }
 static inline unsigned int crash_get_elfcorehdr_size(void) { return 0; }
 #endif

+extern void kexec_disable(void);
 #else /* !CONFIG_KEXEC_CORE */
 struct pt_regs;
 struct task_struct;
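Review bot: the new declaration is placed only inside the CONFIG_KEXEC_CORE branch, which forces every caller to wrap the call in `#ifdef CONFIG_KEXEC_CORE`. The usual kernel pattern, visible just below for the other helpers in this header, is to pair the real prototype with a no-op `static inline` in the `#else /* !CONFIG_KEXEC_CORE */` section so callers compile unconditionally; please add that stub. Also consider dropping the `extern` keyword, which is redundant on a function prototype and not used by the surrounding declarations.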
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index be5642a4ec49..8d3a2a04ff4d 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -927,6 +927,11 @@ struct kimage *kexec_image;
 struct kimage *kexec_crash_image;
 static int kexec_load_disabled;

+void kexec_disable(void)
+{
+	kexec_load_disabled = 1;
+}
+
 #ifdef CONFIG_SYSCTL
 static int kexec_limit_handler(struct ctl_table *table, int write,
 			       void *buffer, size_t *lenp, loff_t *ppos)
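Review bot: `kexec_disable()` is undocumented and gives no hint that it is a one-way switch: it sets `kexec_load_disabled` exactly as the write-once sysctl path in this file does, and nothing can clear it afterwards. A short comment above the function stating that the disable is permanent for the lifetime of the kernel, and that it is intended for early callers that have detected a platform feature incompatible with kexec, would make the contract clear. Since the only caller added by this series is the `__init` function `tdx_init()`, also consider whether it can be marked `__init`, or document why it must stay available after init.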
--
2.34.1

