Set can_trust_host if TDX debug bit is set (#1635)

Release backport of PR #1501 and PR #1627.

If the debug bit is set in the VM's TDX attributes, the host can be
trusted. This change gets the TD report in the boot shim and checks the
debug bit. If it's set, parse the dynamic command line to allow
enabling, e.g., confidential debugging.

Note that microsoft/OHCL-Linux-Kernel#79 will
need to be resolved before hardware debug can be disabled in the
manifest.

Author: stunes-ms

Cargo.lock

@@ -3399,7 +3399,6 @@ dependencies = [
  "thiserror 2.0.12",
  "tracing",
  "tracing-subscriber",
- "underhill_confidentiality",
  "vbs_defs",
  "x86defs",
  "zerocopy 0.8.24",
@@ -4828,6 +4827,7 @@ dependencies = [
  "sha2",
  "sidecar_defs",
  "tdcall",
+ "tdx_guest_device",
  "underhill_confidentiality",
  "x86defs",
  "zerocopy 0.8.24",
@@ -6728,6 +6728,7 @@ version = "0.0.0"
 dependencies = [
  "hvdef",
  "memory_range",
+ "tdx_guest_device",
  "thiserror 2.0.12",
  "tracing",
  "x86defs",
@@ -6737,6 +6738,7 @@ dependencies = [
 name = "tdx_guest_device"
 version = "0.0.0"
 dependencies = [
+ "bitfield-struct 0.10.1",
  "nix 0.27.1",
  "static_assertions",
  "thiserror 2.0.12",

openhcl/openhcl_attestation_protocol/Cargo.toml

@@ -11,7 +11,7 @@ open_enum.workspace = true
 guid.workspace = true
 mesh.workspace = true
 sev_guest_device.workspace = true
-tdx_guest_device.workspace = true
+tdx_guest_device = { workspace = true, features = ["std"] }
 
 base64.workspace = true
 base64-serde.workspace = true

openhcl/openhcl_boot/Cargo.toml

@@ -30,6 +30,7 @@ zerocopy.workspace = true
 [target.'cfg(target_arch = "x86_64")'.dependencies]
 safe_intrinsics.workspace = true
 tdcall.workspace = true
+tdx_guest_device.workspace = true
 x86defs.workspace = true
 
 [build-dependencies]

openhcl/openhcl_boot/src/arch/x86_64/tdx.rs

@@ -13,6 +13,8 @@ use tdcall::Tdcall;
 use tdcall::TdcallInput;
 use tdcall::TdcallOutput;
 use tdcall::tdcall_map_gpa;
+use tdx_guest_device::protocol::TdReport;
+use x86defs::tdx::TdCallResult;
 
 /// Perform a tdcall instruction with the specified inputs.
 fn tdcall(input: TdcallInput) -> TdcallOutput {
@@ -119,3 +121,8 @@ pub fn get_tdx_tsc_reftime() -> Option<u64> {
     }
     None
 }
+
+/// Gets the TdReport.
+pub fn get_tdreport(report: &mut TdReport) -> Result<(), TdCallResult> {
+    tdcall::tdcall_mr_report(&mut TdcallInstruction, report)
+}

openhcl/openhcl_boot/src/main.rs

@@ -73,6 +73,7 @@ fn build_kernel_command_line(
     cmdline: &mut ArrayString<COMMAND_LINE_SIZE>,
     partition_info: &PartitionInfo,
     can_trust_host: bool,
+    is_confidential_debug: bool,
     sidecar: Option<&SidecarConfig<'_>>,
 ) -> Result<(), CommandLineTooLong> {
     // For reference:
@@ -254,6 +255,14 @@ fn build_kernel_command_line(
         )?;
     }
 
+    if is_confidential_debug {
+        write!(
+            cmdline,
+            "{}=1 ",
+            underhill_confidentiality::OPENHCL_CONFIDENTIAL_DEBUG_ENV_VAR_NAME
+        )?;
+    }
+
     // Only when explicitly supported by Host.
     // TODO: Move from command line to device tree when stabilized.
     if partition_info.nvme_keepalive && !partition_info.vtl2_pool_memory.is_empty() {
@@ -581,6 +590,29 @@ fn get_ref_time(isolation: IsolationType) -> Option<u64> {
     }
 }
 
+fn get_hw_debug_bit(isolation: IsolationType) -> bool {
+    match isolation {
+        #[cfg(target_arch = "x86_64")]
+        IsolationType::Tdx => {
+            use tdx_guest_device::protocol::TdReport;
+
+            use crate::arch::tdx::get_tdreport;
+
+            let mut report = off_stack!(PageAlign<TdReport>, zeroed());
+            match get_tdreport(&mut report.0) {
+                Ok(()) => report.0.td_info.td_info_base.attributes.debug(),
+                Err(_) => false,
+            }
+        }
+        #[cfg(target_arch = "x86_64")]
+        IsolationType::Snp => {
+            // Not implemented yet for SNP.
+            false
+        }
+        _ => false,
+    }
+}
+
 fn shim_main(shim_params_raw_offset: isize) -> ! {
     let p = shim_parameters(shim_params_raw_offset);
     if p.isolation_type == IsolationType::None {
@@ -615,8 +647,10 @@ fn shim_main(shim_params_raw_offset: isize) -> ! {
         log!("openhcl_boot: early debugging enabled");
     }
 
-    let can_trust_host =
-        p.isolation_type == IsolationType::None || static_options.confidential_debug;
+    let hw_debug_bit = get_hw_debug_bit(p.isolation_type);
+    let can_trust_host = p.isolation_type == IsolationType::None
+        || static_options.confidential_debug
+        || hw_debug_bit;
 
     let boot_reftime = get_ref_time(p.isolation_type);
 
@@ -628,6 +662,12 @@ fn shim_main(shim_params_raw_offset: isize) -> ! {
             Err(e) => panic!("unable to read device tree params {}", e),
         };
 
+    // Confidential debug will show up in boot_options only if included in the
+    // static command line, or if can_trust_host is true (so the dynamic command
+    // line has been parsed).
+    let is_confidential_debug = (can_trust_host && p.isolation_type != IsolationType::None)
+        || partition_info.boot_options.confidential_debug;
+
     // Fill out the non-devicetree derived parts of PartitionInfo.
     if !p.isolation_type.is_hardware_isolated()
         && hvcall().vtl() == Vtl::Vtl2
@@ -697,6 +737,7 @@ fn shim_main(shim_params_raw_offset: isize) -> ! {
         &mut cmdline,
         partition_info,
         can_trust_host,
+        is_confidential_debug,
         sidecar.as_ref(),
     )
     .unwrap();

openhcl/underhill_core/src/worker.rs

@@ -127,6 +127,7 @@ use tracing::Instrument;
 use tracing::instrument;
 use uevent::UeventListener;
 use underhill_attestation::AttestationType;
+use underhill_confidentiality::confidential_debug_enabled;
 use underhill_threadpool::AffinitizedThreadpool;
 use underhill_threadpool::ThreadpoolBuilder;
 use virt::Partition;
@@ -1589,6 +1590,10 @@ async fn new_underhill_vm(
         );
     }
 
+    if confidential_debug_enabled() {
+        tracing::warn!(CVM_ALLOWED, "confidential debug enabled");
+    }
+
     // Create the `AttestationVmConfig` from `dps`, which will be used in
     // - stateful mode (the attestation is not suppressed)
     // - stateless mode (isolated VM with attestation suppressed)

support/tdx_guest_device/Cargo.toml

@@ -6,7 +6,11 @@ name = "tdx_guest_device"
 edition.workspace = true
 rust-version.workspace = true
 
+[features]
+std = []
+
 [dependencies]
+bitfield-struct.workspace = true
 static_assertions.workspace = true
 zerocopy.workspace = true
 [target.'cfg(target_os = "linux")'.dependencies]

support/tdx_guest_device/src/ioctl.rs

@@ -3,6 +3,7 @@
 
 //! The module implements the Linux TDX Guest APIs based on ioctl.
 
+#![cfg(feature = "std")]
 // UNSAFETY: unsafe needed to make ioctl calls.
 #![expect(unsafe_code)]
 

support/tdx_guest_device/src/lib.rs

@@ -4,6 +4,8 @@
 //! The crate includes the abstraction layer of Linux TDX Guest APIs and
 //! definitions of data structures according to TDX specification.
 
+#![cfg_attr(not(feature = "std"), no_std)]
+
 pub mod protocol;
 
 #[cfg(target_os = "linux")]

support/tdx_guest_device/src/protocol.rs

@@ -3,6 +3,7 @@
 
 //! The module includes the definitions of data structures according to TDX specification.
 
+use bitfield_struct::bitfield;
 use zerocopy::FromBytes;
 use zerocopy::Immutable;
 use zerocopy::IntoBytes;
@@ -135,12 +136,52 @@ pub struct TdInfo {
 /// Run-time extendable measurement register.
 pub type Rtmr = [u8; 48];
 
+/// See `ATTRIBUTES` in Table 3.9, "Intel TDX Module v1.5 ABI specification", March 2024.
+#[bitfield(u64)]
+#[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
+pub struct TdAttributes {
+    #[bits(1)]
+    pub debug: bool,
+    #[bits(3)]
+    _reserved1: u8,
+    #[bits(1)]
+    pub hgs_plus_prof: bool,
+    #[bits(1)]
+    pub perf_prof: bool,
+    #[bits(1)]
+    pub pmt_prof: bool,
+    #[bits(9)]
+    _reserved2: u16,
+    #[bits(7)]
+    _reserved_p: u8,
+    #[bits(4)]
+    _reserved_n: u8,
+    #[bits(1)]
+    pub lass: bool,
+    #[bits(1)]
+    pub sept_ve_disable: bool,
+    #[bits(1)]
+    pub migratable: bool,
+    #[bits(1)]
+    pub pks: bool,
+    #[bits(1)]
+    pub kl: bool,
+    #[bits(24)]
+    _reserved3: u32,
+    #[bits(6)]
+    _reserved4: u32,
+    #[bits(1)]
+    pub tpa: bool,
+    #[bits(1)]
+    pub perfmon: bool,
+}
+
 /// See `TDINFO_BASE` in Table 3.34, "Intel TDX Module v1.5 ABI specification", March 2024.
 #[repr(C)]
 #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
 pub struct TdInfoBase {
     /// TD's attributes
-    pub attributes: [u8; 8],
+    pub attributes: TdAttributes,
     /// TD's XFAM
     pub xfam: [u8; 8],
     /// Measurement of the initial contents of the TDX in SHA384