diff mbox series

[RFC,1/5] PCI/CMA: Prepare to interoperate with TSM authentication

Message ID 170660663177.224441.2104783746551322918.stgit@dwillia2-xfh.jf.intel.com (mailing list archive)
State Superseded
Delegated to: Bjorn Helgaas
Headers show
Series Towards a shared TSM sysfs-ABI for Confidential Computing | expand

Commit Message

Dan Williams Jan. 30, 2024, 9:23 a.m. UTC
A TSM (TEE Security Manager) is a platform agent that facilitates TEE
I/O (device assignment for confidential VMs). It uses PCI CMA, IDE, and
TDISP to authenticate, encrypt/integrity-protect the link, and bind
device-virtual-functions capable of accessing private memory to
confidential VMs (TVMs).

Unlike native PCI CMA many of the details of establishing a connection
between a device (DSM) and the TSM are abstracted through platform APIs.
I.e. in the native case Linux picks the keys and validates the
certificates, in the TSM case Linux just sees a "success" from invoking
a "connect" API with the TSM.

SPDM only allows for one session-owner per transport (DOE), so the
expectation is that authentication will only ever be in the "native"
established case, or the "tsm" established case.

Convert the "authenticated" attribute to reflect {"none", "native"}
rather than {"0", "1"} in preparation for a follow-on {"none", "native",
"tsm"} possibility.

Note: Expect this patch gets folded into "PCI/CMA: Expose in sysfs
      whether devices are authenticated" and assume Linux never ships
      the binary authenticated ABI.

Cc: Wu Hao <hao.wu@intel.com>
Cc: Yilun Xu <yilun.xu@intel.com>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Samuel Ortiz <sameo@rivosinc.com>
Cc: Alexey Kardashevskiy <aik@amd.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 Documentation/ABI/testing/sysfs-bus-pci |   14 ++++++++------
 drivers/pci/cma.c                       |    7 ++++++-
 2 files changed, 14 insertions(+), 7 deletions(-)

Comments

Bjorn Helgaas Feb. 8, 2024, 10:09 p.m. UTC | #1
On Tue, Jan 30, 2024 at 01:23:51AM -0800, Dan Williams wrote:
> A TSM (TEE Security Manager) is a platform agent that facilitates TEE
> I/O (device assignment for confidential VMs). It uses PCI CMA, IDE, and
> TDISP to authenticate, encrypt/integrity-protect the link, and bind
> device-virtual-functions capable of accessing private memory to
> confidential VMs (TVMs).
> 
> Unlike native PCI CMA many of the details of establishing a connection
> between a device (DSM) and the TSM are abstracted through platform APIs.
> I.e. in the native case Linux picks the keys and validates the
> certificates, in the TSM case Linux just sees a "success" from invoking
> a "connect" API with the TSM.
> 
> SPDM only allows for one session-owner per transport (DOE), so the
> expectation is that authentication will only ever be in the "native"
> established case, or the "tsm" established case.

Holy cow, this is tasty nested acronym soup.  TEE, CMA, IDE, TDISP,
TVM, DSM, SPDM, DOE?  I know these will all become common knowledge in
a few years, but this is a big mouthful right now.  Is there any
overview or glossary in Documentation/ or similar?

Bjorn
diff mbox series

Patch

diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci
index bec7c197451e..35b0e11fd0e6 100644
--- a/Documentation/ABI/testing/sysfs-bus-pci
+++ b/Documentation/ABI/testing/sysfs-bus-pci
@@ -505,12 +505,14 @@  What:		/sys/bus/pci/devices/.../authenticated
 Date:		November 2023
 Contact:	Lukas Wunner <lukas@wunner.de>
 Description:
-		This file contains 1 if the device authenticated successfully
-		with CMA-SPDM (PCIe r6.1 sec 6.31).  It contains 0 if the
-		device failed authentication (and may thus be malicious).
-
-		Writing anything to this file causes reauthentication.
-		That may be opportune after updating the .cma keyring.
+		This file contains "native" if the device authenticated
+		successfully with CMA-SPDM (PCIe r6.1 sec 6.31). It contains
+		"none" if the device failed authentication (and may thus be
+		malicious).
+
+		Writing "native" to this file causes reauthentication with
+		kernel-selected keys and the kernel's certificate chain.  That
+		may be opportune after updating the .cma keyring.
 
 		The file is not visible if authentication is unsupported
 		by the device.
diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
index fb9bb5a637a5..be7d2bb21b4c 100644
--- a/drivers/pci/cma.c
+++ b/drivers/pci/cma.c
@@ -36,6 +36,9 @@  static ssize_t authenticated_store(struct device *dev,
 	    (pdev->cma_init_failed || pdev->doe_init_failed))
 		return -ENOTTY;
 
+	if (!sysfs_streq(buf, "native"))
+		return -EINVAL;
+
 	rc = pci_cma_reauthenticate(pdev);
 	if (rc)
 		return rc;
@@ -52,7 +55,9 @@  static ssize_t authenticated_show(struct device *dev,
 	    (pdev->cma_init_failed || pdev->doe_init_failed))
 		return -ENOTTY;
 
-	return sysfs_emit(buf, "%u\n", spdm_authenticated(pdev->spdm_state));
+	if (spdm_authenticated(pdev->spdm_state))
+		return sysfs_emit(buf, "native\n");
+	return sysfs_emit(buf, "none\n");
 }
 static DEVICE_ATTR_RW(authenticated);