On Thu, 2025-10-30 at 13:09 -0700, Sean Christopherson wrote:
> WARN and terminate the VM if TDH_MR_EXTEND fails, as extending the
> measurement should fail if and only if there is a KVM bug, or if the S-EPT
> mapping is invalid. Now that KVM makes all state transitions mutually
> exclusive via tdx_vm_state_guard, it should be impossible for S-EPT
> mappings to be removed between kvm_tdp_mmu_map_private_pfn() and
> tdh_mr_extend().
>
> Holding slots_lock prevents zaps due to memslot updates,
> filemap_invalidate_lock() prevents zaps due to guest_memfd PUNCH_HOLE,
> vcpu->mutex locks prevent updates from other vCPUs, kvm->lock prevents
> VM-scoped ioctls from creating havoc (e.g. by creating new vCPUs), and all
> usage of kvm_zap_gfn_range() is mutually exclusive with S-EPT entries that
> can be used for the initial image.
>
> For kvm_zap_gfn_range(), the call from sev.c is obviously mutually
> exclusive, TDX disallows KVM_X86_QUIRK_IGNORE_GUEST_PAT so the same goes
> for kvm_noncoherent_dma_assignment_start_or_stop(), and
> __kvm_set_or_clear_apicv_inhibit() is blocked by virtue of holding all
> VM and vCPU mutexes (and the APIC page has its own non-guest_memfd memslot
> and so can't be used for the initial image, which means that too is
> mutually exclusive irrespective of locking).
>
> Opportunistically return early if the region doesn't need to be measured
> in order to reduce line lengths and avoid wraps. Similarly, immediately
> and explicitly return if TDH_MR_EXTEND fails to make it clear that KVM
> needs to bail entirely if extending the measurement fails.
>
> Signed-off-by: Sean Christopherson <[email protected]>

Reviewed-by: Kai Huang <[email protected]>
