Thread: 52 messages, 14 authors, 2021-08-02

Re: Runtime Memory Validation in Intel-TDX and AMD-SNP

From: Andi Kleen <hidden>
Date: 2021-07-20 22:01:34
Also in: linux-coco

On Tue, Jul 20, 2021 at 12:54:16PM -0700, Erdem Aktas wrote:
> Now let's say the kernel wants to access a page for the first time, or
> after a kexec it wants to make sure all the pages are private. It
> needs to call tdx_hcall_gpa_intent or tdg_accept_page individually.
> If the page is already accepted, tdg_accept_page does not return any
> error in the current implementation in v3. Depending on how this page
> is being used, its content is now "not zeroed" as opposed to what it
> is being expected. Converting this to an attack is not trivial but
> possible.

You mean when the TDVF is changed? In this case the unaccepted memory
will be a different memory type, so not lazy accept enabled kernels wouldn't
use it.

> I did not see any #VE implementation to handle SEPT violations when a
> page is in PENDING state. I am assuming that this needs to be
> supported at some point (If not then we need to discuss the use cases
> for such support).

We actually plan to disable those #VEs, to avoid any problems with
the system call gap. Instead the plan is that the kernel will know
in advance what memory has been accepted or not, and accept it before
touching.

-Andi
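
An added illustration, not code from this thread or from the kernel: a small C model of the accept-before-touch policy discussed above, in which the guest keeps its own record of accepted pages and treats a silent "already accepted" result as an error because the contents are not guaranteed to be zero. All names (`sim_accept_page`, `touch_page`, the state arrays) and the shrunken page size are hypothetical; the real TDX module interface is not modelled.

```c
#include <stdint.h>
#include <string.h>

#define NPAGES  8
#define PAGE_SZ 64   /* shrunken page size, for the model only */

enum { ACC_OK = 0, ACC_ALREADY = 1 };  /* simulated accept results */
enum { TOUCH_OK = 0, TOUCH_STATE_MISMATCH = -1, TOUCH_RANGE = -2 };

static uint8_t mem[NPAGES][PAGE_SZ];    /* simulated guest private memory */
static uint8_t mod_accepted[NPAGES];    /* state held by the simulated module */
static uint8_t guest_accepted[NPAGES];  /* guest's own record of accepted pages */

/* Simulated accept: zeroes a pending page; an accepted page keeps its bytes. */
static int sim_accept_page(unsigned pfn)
{
    if (mod_accepted[pfn])
        return ACC_ALREADY;
    memset(mem[pfn], 0, PAGE_SZ);
    mod_accepted[pfn] = 1;
    return ACC_OK;
}

/* Accept-before-touch: consult the guest's record first, never rely on a fault. */
static int touch_page(unsigned pfn)
{
    if (pfn >= NPAGES)
        return TOUCH_RANGE;
    if (guest_accepted[pfn])
        return TOUCH_OK;                 /* known accepted: no accept call */
    if (sim_accept_page(pfn) == ACC_ALREADY)
        return TOUCH_STATE_MISMATCH;     /* not guaranteed zero: refuse to use */
    guest_accepted[pfn] = 1;
    return TOUCH_OK;
}

/* Constructed scenario: page 3 is accepted and holds stale bytes, but the
 * guest's record is empty (for example, a new kernel after kexec). */
static int demo_stale_page(void)
{
    memset(mod_accepted, 0, sizeof mod_accepted);
    memset(guest_accepted, 0, sizeof guest_accepted);
    sim_accept_page(3);
    memset(mem[3], 0xAA, PAGE_SZ);       /* earlier use left data behind */
    return touch_page(3);
}

int main(void) { return demo_stale_page() == TOUCH_STATE_MISMATCH ? 0 : 1; }
```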