]> www.infradead.org Git - nvme.git/commitdiff
KVM: TDX: Add new TDVMCALL status code for unsupported subfuncs
authorBinbin Wu <binbin.wu@linux.intel.com>
Tue, 10 Jun 2025 02:14:19 +0000 (10:14 +0800)
committerPaolo Bonzini <pbonzini@redhat.com>
Fri, 20 Jun 2025 17:09:31 +0000 (13:09 -0400)
Add the new TDVMCALL status code TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED and
return it for unimplemented TDVMCALL subfunctions.

Returning TDVMCALL_STATUS_INVALID_OPERAND when a subfunction is not
implemented is vague because TDX guests can't tell the error is due to
the subfunction is not supported or an invalid input of the subfunction.
New GHCI spec adds TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED to avoid the
ambiguity. Use it instead of TDVMCALL_STATUS_INVALID_OPERAND.

Before the change, for common guest implementations, when a TDX guest
receives TDVMCALL_STATUS_INVALID_OPERAND, it has two cases:
1. Some operand is invalid. It could change the operand to another value
   retry.
2. The subfunction is not supported.

For case 1, an invalid operand usually means the guest implementation bug.
Since the TDX guest can't tell which case is, the best practice for
handling TDVMCALL_STATUS_INVALID_OPERAND is stopping calling such leaf,
treating the failure as fatal if the TDVMCALL is essential or ignoring
it if the TDVMCALL is optional.

With this change, TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED could be sent to
old TDX guest that do not know about it, but it is expected that the
guest will make the same action as TDVMCALL_STATUS_INVALID_OPERAND.
Currently, no known TDX guest checks TDVMCALL_STATUS_INVALID_OPERAND
specifically; for example Linux just checks for success.

Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
[Return it for untrapped KVM_HC_MAP_GPA_RANGE. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/include/asm/shared/tdx.h
arch/x86/kvm/vmx/tdx.c

index 2f38203425980f539224bc2730bfc5e1afe4d18e..d8525e6ef50a24234246af5717e239a06c1e5459 100644 (file)
@@ -80,6 +80,7 @@
 #define TDVMCALL_STATUS_RETRY          0x0000000000000001ULL
 #define TDVMCALL_STATUS_INVALID_OPERAND        0x8000000000000000ULL
 #define TDVMCALL_STATUS_ALIGN_ERROR    0x8000000000000002ULL
+#define TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED    0x8000000000000003ULL
 
 /*
  * Bitmasks of exposed registers (with VMM).
index b952bc6732713910cd0de6bb14144fba84f3d099..5d100c240ab3fbe7e4e981d18ae5af29a6c0eb0c 100644 (file)
@@ -1212,11 +1212,13 @@ static int tdx_map_gpa(struct kvm_vcpu *vcpu)
        /*
         * Converting TDVMCALL_MAP_GPA to KVM_HC_MAP_GPA_RANGE requires
         * userspace to enable KVM_CAP_EXIT_HYPERCALL with KVM_HC_MAP_GPA_RANGE
-        * bit set.  If not, the error code is not defined in GHCI for TDX, use
-        * TDVMCALL_STATUS_INVALID_OPERAND for this case.
+        * bit set.  This is a base call so it should always be supported, but
+        * KVM has no way to ensure that userspace implements the GHCI correctly.
+        * So if KVM_HC_MAP_GPA_RANGE does not cause a VMEXIT, return an error
+        * to the guest.
         */
        if (!user_exit_on_hypercall(vcpu->kvm, KVM_HC_MAP_GPA_RANGE)) {
-               ret = TDVMCALL_STATUS_INVALID_OPERAND;
+               ret = TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED;
                goto error;
        }
 
@@ -1476,7 +1478,7 @@ static int handle_tdvmcall(struct kvm_vcpu *vcpu)
                break;
        }
 
-       tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
+       tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_SUBFUNC_UNSUPPORTED);
        return 1;
 }