On Thu, Sep 08, 2022 at 01:36:00PM -0700, Dave Hansen wrote:
On 9/8/22 12:07, Sathyanarayanan Kuppuswamy wrote:
On 9/7/22 10:31 PM, Greg Kroah-Hartman wrote:
On Wed, Sep 07, 2022 at 05:27:20PM -0700, Kuppuswamy Sathyanarayanan wrote:
- /*
* Per TDX Module 1.0 specification, section titled
* "TDG.MR.REPORT", REPORTDATA length is fixed as
* TDX_REPORTDATA_LEN, TDREPORT length is fixed as
* TDX_REPORT_LEN, and TDREPORT subtype is fixed as
* 0. Also check for valid user pointers.
*/
- if (!req.reportdata || !req.tdreport || req.subtype ||
req.rpd_len != TDX_REPORTDATA_LEN ||
req.tdr_len != TDX_REPORT_LEN)
return -EINVAL;
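Review bot: The condition never tests req.reserved, so a request carrying arbitrary bytes in the reserved fields still passes validation; return -EINVAL unless every reserved byte is zero, and mention that in the comment next to the subtype rule. The comment's "check for valid user pointers" also describes more than !req.reportdata || !req.tdreport does, which is only a non-NULL test; "non-NULL user pointers" would match the code.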
You never verify that your reserved[7] fields are actually set to 0, which means you can never use them in the future :(
Currently, we don't use those fields in our code. Why do we have to make sure they are set to zero?
Yes.
Can't we add checks when we really use them in future?
No.
This has been a hard-learned lesson both by people writing software and designing hardware interfaces: if you _let_ folks pass garbage you have to _keep_ letting them pass garbage forever. It becomes part of the ABI.
I'm sorry you missed the memo on this one. But, this is one million percent a best practice across the industry. Please do it.
And it's documented in the Documentation/ directory as a requirement to do as well, the memo shouldn't have been missed :(
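The point argued in this thread, as an added userspace sketch that is not code from the patch or the kernel: a caller that fills every named field but never zeroes the struct is accepted by the check as posted and rejected once reserved[] is validated. The struct layout, the demo_* names and the two length values are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed userspace model: layout and both lengths are assumptions. */
#define DEMO_REPORTDATA_LEN 64
#define DEMO_REPORT_LEN     1024

struct demo_report_req {
    uint8_t  subtype;
    uint8_t  reserved[7];
    uint64_t reportdata;   /* user pointer carried as an integer */
    uint32_t rpd_len;
    uint64_t tdreport;     /* user pointer carried as an integer */
    uint32_t tdr_len;
};

/* check_reserved == 0 models the check as posted; 1 adds the requested test. */
int demo_validate_req(const struct demo_report_req *req, int check_reserved)
{
    uint8_t acc = 0;

    if (!req->reportdata || !req->tdreport || req->subtype ||
        req->rpd_len != DEMO_REPORTDATA_LEN ||
        req->tdr_len != DEMO_REPORT_LEN)
        return -EINVAL;

    /* OR all reserved bytes together; any set bit means non-zero input. */
    for (size_t i = 0; i < sizeof(req->reserved); i++)
        acc |= req->reserved[i];
    if (check_reserved && acc)
        return -EINVAL;
    return 0;
}

/* Caller that fills every named field but may skip zeroing the struct. */
int demo_submit(int leave_garbage, int check_reserved)
{
    static uint8_t in[DEMO_REPORTDATA_LEN], out[DEMO_REPORT_LEN];
    struct demo_report_req req;

    memset(&req, leave_garbage ? 0xA5 : 0, sizeof(req));
    req.subtype = 0;
    req.reportdata = (uint64_t)(uintptr_t)in;
    req.rpd_len = sizeof(in);
    req.tdreport = (uint64_t)(uintptr_t)out;
    req.tdr_len = sizeof(out);
    return demo_validate_req(&req, check_reserved);
}
```

With the lax check, the garbage-carrying caller succeeds today, so giving reserved[] a meaning later would change behaviour for a binary that already works.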