Re: [PATCH v3] x86/virt/tdx: Enforce no indirect calls of TDX assembly
From: Huang, Kai
Date: Mon Jun 09 2025 - 06:37:39 EST

On Fri, 2025-06-06 at 08:58 -0700, Dave Hansen wrote:
> It doesn't really "enforce" anything. But, oh well, I'll just fix it up
> when I apply it early next week. Here's what I'll probably apply:

Thanks!

>
> x86/virt/tdx: Avoid indirect calls to TDX assembly functions
>
> Two 'static inline' TDX helper functions (sc_retry() and
> sc_retry_prerr()) take function pointer arguments which refer to
> assembly functions. Normally, the compiler inlines the TDX helper,
> realizes that the function pointer targets are completely static -- thus
> can be resolved at compile time -- and generates direct call instructions.
>
> But, other times (like when CONFIG_CC_OPTIMIZE_FOR_SIZE=y), the compiler
> declines to inline the helpers and will instead generate indirect call
> instructions.
>
> Indirect calls to assembly functions require special annotation (for
> various Control Flow Integrity mechanisms). But TDX assembly functions
> lack the special annotations and can only be called directly.
>
> Annotate both the helpers as '__always_inline' to prod the compiler into
> maintaining the direct calls. There is no guarantee here, but Peter has
> volunteered to report the compiler bug if this assumption ever breaks[1].
>
> ...
>
> > This was found through randconfig testing, presumably setting
> > CONFIG_CC_OPTIMIZE_FOR_SIZE=1 when objtool spewed a bunch of these:
> >
> > vmlinux.o: warning: objtool: tdh_mem_range_block+0x7e: relocation to
> > !ENDBR: __seamcall_ret+0x0
> >
> > Link: https://lore.kernel.org/lkml/20250605145914.GW39944@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ [1]

And sorry that I somehow missed the Fixes tag here.

Since sc_retry() and sc_retry_prerr() were introduced in two (contiguous)
commits, perhaps we need to add two Fixes tags:

Fixes: 1e66a7e27539 ("x86/virt/tdx: Handle SEAMCALL no entropy error in common code")
Fixes: df01f5ae07dd ("x86/virt/tdx: Add SEAMCALL error printing for module initialization")

Please let me know if you need anything more from me.
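
Added example, not part of the original message and not the kernel's code: a user-space C analogue of the pattern the quoted commit message describes, where a helper takes a function-pointer argument and is marked `__always_inline` so each caller sees a constant call target. The names `retry_call`, `flaky_target`, `dead_target`, `call_flaky`, `call_dead`, the status value, the retry budget and the shape of the retry loop are assumptions made for illustration.

```c
/* Added example: user-space analogue with hypothetical names, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#ifndef __always_inline	/* kernel spelling; glibc already defines it */
#define __always_inline inline __attribute__((__always_inline__))
#endif
#define STATUS_NO_ENTROPY 0xE0ULL	/* constructed status code */
#define RETRY_LOOPS 10			/* constructed retry budget */

typedef uint64_t (*call_fn_t)(uint64_t leaf, uint64_t *out);
static unsigned int flaky_calls, dead_calls;

/* Stand-ins for the assembly entry points; noinline keeps them out of line. */
__attribute__((noinline)) uint64_t flaky_target(uint64_t leaf, uint64_t *out)
{
	if (++flaky_calls < 3)		/* fail twice, then succeed */
		return STATUS_NO_ENTROPY;
	*out = leaf + 1;
	return 0;
}

__attribute__((noinline)) uint64_t dead_target(uint64_t leaf, uint64_t *out)
{
	(void)leaf; (void)out;
	dead_calls++;
	return STATUS_NO_ENTROPY;	/* never recovers */
}

/* Plain 'static inline' may stay out of line (e.g. at -Os) and call 'func'
 * indirectly; __always_inline makes 'func' a constant inside each caller. */
static __always_inline uint64_t retry_call(call_fn_t func, uint64_t leaf, uint64_t *out)
{
	int retry = RETRY_LOOPS;
	uint64_t ret;
	do {
		ret = func(leaf, out);
	} while (ret == STATUS_NO_ENTROPY && --retry);
	return ret;
}

uint64_t call_flaky(uint64_t leaf, uint64_t *out) { return retry_call(flaky_target, leaf, out); }
uint64_t call_dead(uint64_t leaf, uint64_t *out) { return retry_call(dead_target, leaf, out); }

int main(void)
{
	uint64_t out = 0, ret = call_flaky(41, &out);
	printf("ret=%llu out=%llu calls=%u\n", (unsigned long long)ret, (unsigned long long)out, flaky_calls);
	return 0;
}
```

To compare code generation, build with `-Os` and inspect the disassembly of `call_flaky()` with and without the `__always_inline` annotation; the choice remains the compiler's.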