The hypervisor is an untrusted entity for TDX guests. It cannot be used to boot secondary CPUs. The function hv_vtl_wakeup_secondary_cpu() cannot be used.
Instead, the virtual firmware boots the secondary CPUs and places them in a state to transfer control to the kernel using the wakeup mailbox. The firmware enumerates the mailbox via either an ACPI table or a DeviceTree node. If the wakeup mailbox is present, the kernel updates the APIC callback wakeup_secondary_cpu_64() to use it. Reviewed-by: Dexuan Cui <[email protected]> Reviewed-by: Michael Kelley <[email protected]> Signed-off-by: Ricardo Neri <[email protected]> --- Changes in v8: - None Changes in v7: - None Changes in v6: - Added Reviewed-by tag from Dexuan. Thanks! Changes in v5: - None Changes in v4: - Added Reviewed-by tag from Michael. Thanks! Changes in v3: - Unconditionally use the wakeup mailbox in a TDX confidential VM. (Michael). - Edited the commit message for clarity. Changes in v2: - None --- arch/x86/hyperv/hv_vtl.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c index 2af825f7a447..fa4e7fda2868 100644 --- a/arch/x86/hyperv/hv_vtl.c +++ b/arch/x86/hyperv/hv_vtl.c @@ -272,7 +272,15 @@ int __init hv_vtl_early_init(void) panic("XSAVE has to be disabled as it is not supported by this module.\n" "Please add 'noxsave' to the kernel command line.\n"); - apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); + /* + * TDX confidential VMs do not trust the hypervisor and cannot use it to + * boot secondary CPUs. Instead, they will be booted using the wakeup + * mailbox if detected during boot. See setup_arch(). + * + * There is no paravisor present if we are here. + */ + if (!hv_isolation_type_tdx()) + apic_update_callback(wakeup_secondary_cpu_64, hv_vtl_wakeup_secondary_cpu); return 0; } -- 2.43.0
