Linux 6.13-rc5 To See Fix For Intel TDX CoCo VMs Potentially Leaking Decrypted Memory

Written by Michael Larabel in Intel on 29 December 2024 at 06:24 AM EST.
The x86 fixes pull request was sent out this morning ahead of the Linux 6.13-rc5 kernel being released later today. Both x86 fixes this week pertain to Intel bits: a self-test issue on upcoming Intel FRED (Flexible Return and Event Delivery) systems and also an issue of Intel TDX confidential computing VM guests potentially leaking decrypted memory within the unrecoverable error handling.

The fix for the Intel Trust Domain Extensions (TDX) guest code in confidential computing (CoCo) VMs is in the unrecoverable error handling path, so that it does not return decrypted (shared) memory to the page allocator. The patch explains:
"In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

Leak the decrypted memory when set_memory_decrypted() fails, and there is no need to print an error since set_memory_decrypted() will call WARN_ONCE()."

This fix for the TDX CoCo guest code is just a one-liner: on the failure path it skips the free_pages_exact() call and simply returns instead.
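As an added illustration (not the kernel's code and not the actual TDX source), the C model below simulates a CoCo guest page pool with a host-controlled set_memory_decrypted() failure and contrasts the "before" error path (free the page) with the fixed one (return and leak it); the names alloc_shared, sim_set_memory_decrypted and next_alloc_is_shared are constructed for the demo.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of a CoCo guest's page pool (not kernel code). */
#define NPAGES 4
enum { ENCRYPTED = 0, SHARED = 1 };
static int  page_state[NPAGES];   /* per-page encryption state */
static bool page_free[NPAGES];    /* simulated page allocator */
static bool host_fails_decrypt;   /* host-controlled failure knob */

static int alloc_page(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (page_free[i]) { page_free[i] = false; return i; }
    return -ENOMEM;
}

/* Stand-in for set_memory_decrypted(): the page is already shared when the
 * host-induced failure is reported, as the commit message describes. */
static int sim_set_memory_decrypted(int p)
{
    page_state[p] = SHARED;
    return host_fails_decrypt ? -EIO : 0;
}

/* Allocate a page to share with the host. The error path is what the fix
 * changes: 'before' freed the page (free_pages_exact()), 'after' returns. */
static int alloc_shared(bool fixed)
{
    int p = alloc_page();
    if (p < 0) return p;
    if (sim_set_memory_decrypted(p)) {
        if (!fixed)
            page_free[p] = true;   /* BUG: shared page back in the pool */
        return -EIO;               /* fixed: leak p on purpose */
    }
    return p;
}

/* 1 if an unrelated allocation after the failure gets a host-visible page. */
static int next_alloc_is_shared(bool fixed)
{
    memset(page_state, ENCRYPTED, sizeof page_state);
    memset(page_free, true, sizeof page_free);
    host_fails_decrypt = true;
    (void)alloc_shared(fixed);
    host_fails_decrypt = false;
    int p = alloc_page();
    return p >= 0 && page_state[p] == SHARED;
}
```

With the buggy path the next unrelated allocation receives the shared page; with the fixed path it does not, at the cost of one leaked page.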

Intel TDX diagram from Intel


These Intel TDX and FRED fixes for this week's Linux 6.13-rc5 kernel can be found via this pull request that should be merged to mainline in the coming hours. Both fixes are also marked for back-porting to the Linux stable kernel branches so in the coming days they should also work their way to new Linux LTS/stable point releases.