Re: [PATCH v7 12/20] x86/virt/tdx: Create TDMRs to cover all TDX memory regions

[Dave Hansen <dave.hansen@intel.com>]

On 11/20/22 16:26, Kai Huang wrote:
> The kernel configures TDX-usable memory regions by passing an array of
> "TD Memory Regions" (TDMRs) to the TDX module.  Each TDMR contains the
> information of the base/size of a memory region, the base/size of the
> associated Physical Address Metadata Table (PAMT) and a list of reserved
> areas in the region.
> 
> Create a number of TDMRs to cover all TDX memory regions.  To keep it
> simple, always try to create one TDMR for each memory region.  As the
> first step only set up the base/size for each TDMR.
> 
> Each TDMR must be 1G aligned and the size must be in 1G granularity.
> This implies that one TDMR could cover multiple memory regions.  If a
> memory region spans the 1GB boundary and the former part is already
> covered by the previous TDMR, just create a new TDMR for the remaining
> part.
> 
> TDX only supports a limited number of TDMRs.  Disable TDX if all TDMRs
> are consumed but there is more memory region to cover.

Good changelog.  This patch is doing *one* thing.

>  arch/x86/virt/vmx/tdx/tdx.c | 104 +++++++++++++++++++++++++++++++++++-
>  1 file changed, 103 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> index 26048c6b0170..57b448de59a0 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.c
> +++ b/arch/x86/virt/vmx/tdx/tdx.c
> @@ -445,6 +445,24 @@ static int build_tdx_memory(void)
>  	return ret;
>  }
>  
> +/* TDMR must be 1gb aligned */
> +#define TDMR_ALIGNMENT		BIT_ULL(30)
> +#define TDMR_PFN_ALIGNMENT	(TDMR_ALIGNMENT >> PAGE_SHIFT)
> +
> +/* Align up and down the address to TDMR boundary */
> +#define TDMR_ALIGN_DOWN(_addr)	ALIGN_DOWN((_addr), TDMR_ALIGNMENT)
> +#define TDMR_ALIGN_UP(_addr)	ALIGN((_addr), TDMR_ALIGNMENT)
> +
> +static inline u64 tdmr_start(struct tdmr_info *tdmr)
> +{
> +	return tdmr->base;
> +}

I'm always skeptical that it's a good idea to take this in code:

	tdmr->base

and make it this:

	tdmr_start(tdmr)

because the helper is *LESS* compact than the open-coded form!  I hope
I'm proven wrong.

> +static inline u64 tdmr_end(struct tdmr_info *tdmr)
> +{
> +	return tdmr->base + tdmr->size;
> +}
> +
>  /* Calculate the actual TDMR_INFO size */
>  static inline int cal_tdmr_size(void)
>  {
> @@ -492,14 +510,98 @@ static struct tdmr_info *alloc_tdmr_array(int *array_sz)
>  	return alloc_pages_exact(*array_sz, GFP_KERNEL | __GFP_ZERO);
>  }
>  
> +static struct tdmr_info *tdmr_array_entry(struct tdmr_info *tdmr_array,
> +					  int idx)
> +{
> +	return (struct tdmr_info *)((unsigned long)tdmr_array +
> +			cal_tdmr_size() * idx);
> +}

FWIW, I think it's probably a bad idea to have 'struct tdmr_info *'
types floating around since:

	tmdr_info_array[0]

works, but:

	tmdr_info_array[1]

will blow up in your face.  It would almost make sense to have

struct tdmr_info_list {
	struct tdmr_info *first_tdmr;
}

and then pass around pointers to the 'struct tdmr_info_list'.  Maybe
that's overkill, but it is kinda silly to call something an array if []
doesn't work on it.

> +/*
> + * Create TDMRs to cover all TDX memory regions.  The actual number
> + * of TDMRs is set to @tdmr_num.
> + */
> +static int create_tdmrs(struct tdmr_info *tdmr_array, int *tdmr_num)
> +{
> +	struct tdx_memblock *tmb;
> +	int tdmr_idx = 0;
> +
> +	/*
> +	 * Loop over TDX memory regions and create TDMRs to cover them.
> +	 * To keep it simple, always try to use one TDMR to cover
> +	 * one memory region.
> +	 */

This seems like it might tend to under-utilize TDMRs.  I'm sure this is
done for simplicity, but is it OK?  Why is it OK?  How are you sure this
won't bite us later?

> +	list_for_each_entry(tmb, &tdx_memlist, list) {
> +		struct tdmr_info *tdmr;
> +		u64 start, end;
> +
> +		tdmr = tdmr_array_entry(tdmr_array, tdmr_idx);
> +		start = TDMR_ALIGN_DOWN(tmb->start_pfn << PAGE_SHIFT);
> +		end = TDMR_ALIGN_UP(tmb->end_pfn << PAGE_SHIFT);

Nit: a little vertical alignment can make this much more readable:

		start = TDMR_ALIGN_DOWN(tmb->start_pfn << PAGE_SHIFT);
		end   = TDMR_ALIGN_UP  (tmb->end_pfn   << PAGE_SHIFT);

> +
> +		/*
> +		 * If the current TDMR's size hasn't been initialized,
> +		 * it is a new TDMR to cover the new memory region.
> +		 * Otherwise, the current TDMR has already covered the
> +		 * previous memory region.  In the latter case, check
> +		 * whether the current memory region has been fully or
> +		 * partially covered by the current TDMR, since TDMR is
> +		 * 1G aligned.
> +		 */

Again, we have a comment over a if() block that describes what the
individual steps in the block do.  *Plus* each individual step is
*ALREADY* commented.  What purpose does this comment serve?

> +		if (tdmr->size) {
> +			/*
> +			 * Loop to the next memory region if the current
> +			 * block has already been fully covered by the
> +			 * current TDMR.
> +			 */
> +			if (end <= tdmr_end(tdmr))
> +				continue;
> +
> +			/*
> +			 * If part of the current memory region has
> +			 * already been covered by the current TDMR,
> +			 * skip the already covered part.
> +			 */
> +			if (start < tdmr_end(tdmr))
> +				start = tdmr_end(tdmr);
> +
> +			/*
> +			 * Create a new TDMR to cover the current memory
> +			 * region, or the remaining part of it.
> +			 */
> +			tdmr_idx++;
> +			if (tdmr_idx >= tdx_sysinfo.max_tdmrs)
> +				return -E2BIG;
> +
> +			tdmr = tdmr_array_entry(tdmr_array, tdmr_idx);
> +		}
> +
> +		tdmr->base = start;
> +		tdmr->size = end - start;
> +	}
> +
> +	/* @tdmr_idx is always the index of last valid TDMR. */
> +	*tdmr_num = tdmr_idx + 1;
> +
> +	return 0;
> +}

Seems like a positive return value could be the number of populated
TDMRs.  That would get rid of the int* argument.

>  /*
>   * Construct an array of TDMRs to cover all TDX memory ranges.
>   * The actual number of TDMRs is kept to @tdmr_num.
>   */

OK, so something else allocated the 'tdmr_array' and it's being passed
in here to fill it out.  "construct" and "create" are both near synonyms
for "allocate", which isn't even being done here.

We want something here that will make it clear that this function is
taking an already populated list of TDMRs and filling it out.
"fill_tmdrs()" seems like it might be a better choice.

This is also a place where better words can help.  If the function is
called "construct", then there's *ZERO* value in using the same word in
the comment.  Using a word that is a close synonym but that can contrast
it with something different would be really nice, say:

This is also a place where the calling convention can be used to add
clarity.  If you implicitly use a global variable, you have to explain
that.  But, if you pass *in* a variable, it's a lot more clear.

Take this, for instance:

/*
 * Take the memory referenced in @tdx_memlist and populate the
 * preallocated @tmdr_array, following all the special alignment
 * and size rules for TDMR.
 */
static int fill_out_tdmrs(struct list_head *tdx_memlist,
			  struct tdmr_info *tdmr_array)
{
...

That's 100% crystal clear about what's going on.  You know what the
inputs are and the outputs.  You also know why this is even necessary.
It's implied a bit, but it's because TDMRs have special rules about
size/alignment and tdx_memlists do not.

>  static int construct_tdmrs(struct tdmr_info *tdmr_array, int *tdmr_num)
>  {
> +	int ret;
> +
> +	ret = create_tdmrs(tdmr_array, tdmr_num);
> +	if (ret)
> +		goto err;
> +
>  	/* Return -EINVAL until constructing TDMRs is done */
> -	return -EINVAL;
> +	ret = -EINVAL;
> +err:
> +	return ret;
>  }
>  
>  /*