From 2c9a11e43e82cd6321003f8d0de0d590632340cd Mon Sep 17 00:00:00 2001 From: Hsy-Intel Date: Tue, 25 Nov 2025 19:34:21 +0800 Subject: [PATCH] Reduce #VE, disable SEPT #VE and enable notification for zero step attack detection in TDX environment --- Cargo.lock | 4 ++-- kernel/Cargo.toml | 2 +- kernel/comps/virtio/Cargo.toml | 2 +- ostd/Cargo.toml | 2 +- ostd/libs/linux-bzimage/setup/Cargo.toml | 2 +- ostd/src/arch/x86/mod.rs | 13 +++++++++++-- 6 files changed, 17 insertions(+), 8 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ba2e3c930..0890f5520 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1941,9 +1941,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tdx-guest" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3792a8dc443107e37c3804c655a4807605c8b275e986b0f08add336f01e49685" +checksum = "15fda2de9c0a2fdcc22e802af4f7f1e8f609a206f34d30986e3cd974b04911f0" dependencies = [ "bitflags 1.3.2", "iced-x86", diff --git a/kernel/Cargo.toml b/kernel/Cargo.toml index e5eb4671b..8cbbc5725 100644 --- a/kernel/Cargo.toml +++ b/kernel/Cargo.toml @@ -66,7 +66,7 @@ takeable = "0.2.2" cfg-if = "1.0" [target.x86_64-unknown-none.dependencies] -tdx-guest = { version = "0.2.1", optional = true } +tdx-guest = { version = "0.2.2", optional = true } [target.riscv64imac-unknown-none-elf.dependencies] riscv = { version = "0.15.0", features = ["s-mode"] } diff --git a/kernel/comps/virtio/Cargo.toml b/kernel/comps/virtio/Cargo.toml index 04559688e..a22210fa5 100644 --- a/kernel/comps/virtio/Cargo.toml +++ b/kernel/comps/virtio/Cargo.toml @@ -27,7 +27,7 @@ log = "0.4" int-to-c-enum = { path = "../../libs/int-to-c-enum" } [target.x86_64-unknown-none.dependencies] -tdx-guest = { version = "0.2.1", optional = true } +tdx-guest = { version = "0.2.2", optional = true } [features] all = ["cvm_guest"] diff --git a/ostd/Cargo.toml b/ostd/Cargo.toml index f58354416..344af4deb 100644 --- a/ostd/Cargo.toml +++ b/ostd/Cargo.toml @@ -57,7 +57,7 @@ iced-x86 = { version = "1.21.0", default-features = false, features = [ "decoder", "gas", ], optional = true } -tdx-guest = { version = "0.2.1", optional = true } +tdx-guest = { version = "0.2.2", optional = true } unwinding = { version = "=0.2.5", default-features = false, features = ["fde-gnu-eh-frame-hdr", "hide-trace", "panic", "personality", "unwinder"] } [target.riscv64imac-unknown-none-elf.dependencies] diff --git a/ostd/libs/linux-bzimage/setup/Cargo.toml b/ostd/libs/linux-bzimage/setup/Cargo.toml index a518acba3..73d1aead5 100644 --- a/ostd/libs/linux-bzimage/setup/Cargo.toml +++ b/ostd/libs/linux-bzimage/setup/Cargo.toml @@ -24,7 +24,7 @@ xmas-elf = "0.10.0" log = "0.4.20" uefi = { version = "0.32.0", features = ["global_allocator", "panic_handler", "logger", "qemu"]} uefi-raw = "0.8.0" -tdx-guest = { version = "0.2.1", optional = true } +tdx-guest = { version = "0.2.2", optional = true } [features] default = ["cvm_guest"] diff --git a/ostd/src/arch/x86/mod.rs b/ostd/src/arch/x86/mod.rs index 5638a219e..93d5ab698 100644 --- a/ostd/src/arch/x86/mod.rs +++ b/ostd/src/arch/x86/mod.rs @@ -21,15 +21,24 @@ pub(crate) mod tdx_guest; #[cfg(feature = "cvm_guest")] pub(crate) fn init_cvm_guest() { - match ::tdx_guest::init_tdx() { + use ::tdx_guest::{ + disable_sept_ve, init_tdx, metadata, reduce_unnecessary_ve, + tdcall::{write_td_metadata, InitError}, + }; + match init_tdx() { Ok(td_info) => { + reduce_unnecessary_ve().unwrap(); + disable_sept_ve(td_info.attributes).unwrap(); + // Enable notification for zero step attack detection. + write_td_metadata(metadata::NOTIFY_ENABLES, 1, 1).unwrap(); + crate::early_println!( "[kernel] Intel TDX initialized\n[kernel] td gpaw: {}, td attributes: {:?}", td_info.gpaw, td_info.attributes ); } - Err(::tdx_guest::tdcall::InitError::TdxGetVpInfoError(td_call_error)) => { + Err(InitError::TdxGetVpInfoError(td_call_error)) => { panic!( "[kernel] Intel TDX not initialized, Failed to get TD info: {:?}", td_call_error