tdcall_report/TdxReport assumes that all memory is identity mapped. TDG.MR.REPORT takes a guest physical address, but tdcall_report simply converts a pointer to a u64 without translating the virtual address to a physical address.
td_call should be marked as unsafe as it can be used to violate Rust's aliasing rules.
tdvmcall_mmio_read does nothing to enforce that the value read contains a valid bit-pattern for T. It should either be marked as unsafe with a SAFETY comment stating that it may only be used for types for which all bit-patterns are safe or it should check the bit-pattern e.g. using zerocopy or bytemuck. It also doesn't check that the size of the T doesn't exceed 8 bytes.
tdvmcall_get_quote also assumes an identity mapping. Furthermore having buffer be a &mut [u8] doesn't work because mutable references may never be created to hypervisor-shared memory as the hypervisor is free to alias and modify that memory in violation of Rust's rules.
tdcall_accept_page, td_accept_pages, and td_accept_memory should be marked as unsafe as they could be used to violate Rust's memory aliasing rules.
tdcall_vp_write should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by writing the address of a shared reference into VMX_VIRTUAL_APIC_PAGE_ADDRESS_FULL_ENCODE.
tdcall_vp_enter should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by using the address of a shared reference as the gpa parameter.
tdcall_mem_page_attr_wr should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by providing write access to the address of a shared reference to an untrusted L2 guest.
Other functions that may or may not need to be marked as unsafe: tdcall_servtd_wr, tdcall_vm_write.
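As an added illustration of the tdvmcall_mmio_read point (example code, not the crate's own): a safe wrapper that only accepts types for which every bit-pattern is valid and rejects sizes above the 8-byte TDVMCALL limit. The `AnyBitPattern` trait is a local stand-in for zerocopy::FromBytes / bytemuck::AnyBitPattern, and `raw_tdvmcall_mmio_read` is a constructed simulation of the hypervisor call so the example runs offline.

```rust
use core::mem::size_of;

/// Marker for types where every bit-pattern is a valid value.
/// Implementing it is `unsafe`: the implementer vouches for that property.
/// (Local stand-in for zerocopy::FromBytes / bytemuck::AnyBitPattern.)
pub unsafe trait AnyBitPattern: Copy {}
unsafe impl AnyBitPattern for u8 {}
unsafe impl AnyBitPattern for u16 {}
unsafe impl AnyBitPattern for u32 {}
unsafe impl AnyBitPattern for u64 {}
// Valid bit-pattern wise, but too large for a single MMIO read.
unsafe impl AnyBitPattern for [u8; 16] {}

#[derive(Debug, PartialEq)]
pub enum MmioError {
    /// size_of::<T>() exceeds the 8 bytes a TDVMCALL MMIO read returns.
    TooLarge(usize),
}

/// Constructed simulation of the raw TDVMCALL: the hypervisor hands back
/// up to 8 bytes in a register. Values are derived from the GPA so that
/// the example is deterministic; real hardware returns device state.
pub fn raw_tdvmcall_mmio_read(gpa: u64, size: usize) -> u64 {
    let v = gpa.wrapping_mul(0x9E37_79B9_7F4A_7C15);
    if size >= 8 { v } else { v & ((1u64 << (size * 8)) - 1) }
}

/// Hardened read: `T: AnyBitPattern` makes the transmute sound, and the
/// size check keeps the copy out of `bytes` within the 8-byte register.
pub fn tdvmcall_mmio_read<T: AnyBitPattern>(gpa: u64) -> Result<T, MmioError> {
    let size = size_of::<T>();
    if size > 8 {
        return Err(MmioError::TooLarge(size));
    }
    let bytes = raw_tdvmcall_mmio_read(gpa, size).to_le_bytes();
    // SAFETY: every bit-pattern is a valid T (trait contract), size <= 8 so
    // the read stays inside `bytes`, and read_unaligned needs no alignment.
    let value = unsafe { core::ptr::read_unaligned(bytes.as_ptr() as *const T) };
    Ok(value)
}

fn main() {
    let reg: u32 = tdvmcall_mmio_read(0x1000).unwrap();
    println!("u32 at 0x1000 = {reg:#x}");
    println!("{:?}", tdvmcall_mmio_read::<[u8; 16]>(0x1000));
}
```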