Reduce #VE, disable SEPT #VE and enable notification for zero step attack detection in TDX environment

2025-11-25 19:34:21 +08:00 · 2025-11-25 19:34:21 +08:00 · 2c9a11e43e
parent 2168b32d88
commit 2c9a11e43e
6 changed files with 17 additions and 8 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1941,9 +1941,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"

 [[package]]
 name = "tdx-guest"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3792a8dc443107e37c3804c655a4807605c8b275e986b0f08add336f01e49685"
+checksum = "15fda2de9c0a2fdcc22e802af4f7f1e8f609a206f34d30986e3cd974b04911f0"
 dependencies = [
 "bitflags 1.3.2",
 "iced-x86",
--- a/kernel/Cargo.toml
+++ b/kernel/Cargo.toml
@ -66,7 +66,7 @@ takeable = "0.2.2"
 cfg-if = "1.0"

 [target.x86_64-unknown-none.dependencies]
-tdx-guest = { version = "0.2.1", optional = true }
+tdx-guest = { version = "0.2.2", optional = true }

 [target.riscv64imac-unknown-none-elf.dependencies]
 riscv = { version = "0.15.0", features = ["s-mode"] }
--- a/kernel/comps/virtio/Cargo.toml
+++ b/kernel/comps/virtio/Cargo.toml
@ -27,7 +27,7 @@ log = "0.4"
 int-to-c-enum = { path = "../../libs/int-to-c-enum" }

 [target.x86_64-unknown-none.dependencies]
-tdx-guest = { version = "0.2.1", optional = true }
+tdx-guest = { version = "0.2.2", optional = true }

 [features]
 all = ["cvm_guest"]
--- a/ostd/Cargo.toml
+++ b/ostd/Cargo.toml
@ -57,7 +57,7 @@ iced-x86 = { version = "1.21.0", default-features = false, features = [
    "decoder",
    "gas",
 ], optional = true }
-tdx-guest = { version = "0.2.1", optional = true }
+tdx-guest = { version = "0.2.2", optional = true }
 unwinding = { version = "=0.2.5", default-features = false, features = ["fde-gnu-eh-frame-hdr", "hide-trace", "panic", "personality", "unwinder"] }

 [target.riscv64imac-unknown-none-elf.dependencies]
--- a/ostd/libs/linux-bzimage/setup/Cargo.toml
+++ b/ostd/libs/linux-bzimage/setup/Cargo.toml
@ -24,7 +24,7 @@ xmas-elf = "0.10.0"
 log = "0.4.20"
 uefi = { version = "0.32.0", features = ["global_allocator", "panic_handler", "logger", "qemu"]}
 uefi-raw = "0.8.0"
-tdx-guest = { version = "0.2.1", optional = true }
+tdx-guest = { version = "0.2.2", optional = true }

 [features]
 default = ["cvm_guest"]
--- a/ostd/src/arch/x86/mod.rs
+++ b/ostd/src/arch/x86/mod.rs
@ -21,15 +21,24 @@ pub(crate) mod tdx_guest;

 #[cfg(feature = "cvm_guest")]
 pub(crate) fn init_cvm_guest() {
-    match ::tdx_guest::init_tdx() {
+    use ::tdx_guest::{
+        disable_sept_ve, init_tdx, metadata, reduce_unnecessary_ve,
+        tdcall::{write_td_metadata, InitError},
+    };
+    match init_tdx() {
        Ok(td_info) => {
+            reduce_unnecessary_ve().unwrap();
+            disable_sept_ve(td_info.attributes).unwrap();
+            // Enable notification for zero step attack detection.
+            write_td_metadata(metadata::NOTIFY_ENABLES, 1, 1).unwrap();
+
            crate::early_println!(
                "[kernel] Intel TDX initialized\n[kernel] td gpaw: {}, td attributes: {:?}",
                td_info.gpaw,
                td_info.attributes
            );
        }
-        Err(::tdx_guest::tdcall::InitError::TdxGetVpInfoError(td_call_error)) => {
+        Err(InitError::TdxGetVpInfoError(td_call_error)) => {
            panic!(
                "[kernel] Intel TDX not initialized, Failed to get TD info: {:?}",
                td_call_error