Message ID | 170660663177.224441.2104783746551322918.stgit@dwillia2-xfh.jf.intel.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Bjorn Helgaas |
Series | Towards a shared TSM sysfs-ABI for Confidential Computing |
On Tue, Jan 30, 2024 at 01:23:51AM -0800, Dan Williams wrote:
> A TSM (TEE Security Manager) is a platform agent that facilitates TEE
> I/O (device assignment for confidential VMs). It uses PCI CMA, IDE, and
> TDISP to authenticate, encrypt/integrity-protect the link, and bind
> device-virtual-functions capable of accessing private memory to
> confidential VMs (TVMs).
>
> Unlike native PCI CMA many of the details of establishing a connection
> between a device (DSM) and the TSM are abstracted through platform APIs.
> I.e. in the native case Linux picks the keys and validates the
> certificates, in the TSM case Linux just sees a "success" from invoking
> a "connect" API with the TSM.
>
> SPDM only allows for one session-owner per transport (DOE), so the
> expectation is that authentication will only ever be in the "native"
> established case, or the "tsm" established case.

Holy cow, this is tasty nested acronym soup. TEE, CMA, IDE, TDISP, TVM, DSM, SPDM, DOE? I know these will all become common knowledge in a few years, but this is a big mouthful right now. Is there any overview or glossary in Documentation/ or similar?

Bjorn
diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci index bec7c197451e..35b0e11fd0e6 100644 --- a/Documentation/ABI/testing/sysfs-bus-pci +++ b/Documentation/ABI/testing/sysfs-bus-pci @@ -505,12 +505,14 @@ What: /sys/bus/pci/devices/.../authenticated Date: November 2023 Contact: Lukas Wunner <lukas@wunner.de> Description: - This file contains 1 if the device authenticated successfully - with CMA-SPDM (PCIe r6.1 sec 6.31). It contains 0 if the - device failed authentication (and may thus be malicious). - - Writing anything to this file causes reauthentication. - That may be opportune after updating the .cma keyring. + This file contains "native" if the device authenticated + successfully with CMA-SPDM (PCIe r6.1 sec 6.31). It contains + "none" if the device failed authentication (and may thus be + malicious). + + Writing "native" to this file causes reauthentication with + kernel-selected keys and the kernel's certificate chain. That + may be opportune after updating the .cma keyring. The file is not visible if authentication is unsupported by the device. diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c index fb9bb5a637a5..be7d2bb21b4c 100644 --- a/drivers/pci/cma.c +++ b/drivers/pci/cma.c @@ -36,6 +36,9 @@ static ssize_t authenticated_store(struct device *dev, (pdev->cma_init_failed || pdev->doe_init_failed)) return -ENOTTY; + if (!sysfs_streq(buf, "native")) + return -EINVAL; + rc = pci_cma_reauthenticate(pdev); if (rc) return rc; @@ -52,7 +55,9 @@ static ssize_t authenticated_show(struct device *dev, (pdev->cma_init_failed || pdev->doe_init_failed)) return -ENOTTY; - return sysfs_emit(buf, "%u\n", spdm_authenticated(pdev->spdm_state)); + if (spdm_authenticated(pdev->spdm_state)) + return sysfs_emit(buf, "native\n"); + return sysfs_emit(buf, "none\n"); } static DEVICE_ATTR_RW(authenticated);
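Review bot: The Description text in the sysfs-bus-pci hunk does not say what happens on any write other than "native". With the `sysfs_streq(buf, "native")` check added in authenticated_store(), every other value (including "none" and the previously accepted "1") now returns -EINVAL. Suggest adding a sentence stating that any other value is rejected with EINVAL, so the documented write side of the ABI matches the code.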
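Review bot: In the authenticated_store() hunk the accepted value is an open-coded literal, `if (!sysfs_streq(buf, "native"))`, while authenticated_show() emits its own "native\n" and "none\n" literals. Since the commit message already announces a follow-on "tsm" value, consider a single shared string table, matched here with sysfs_match_string() and indexed from show(), so the two sides cannot drift apart when the third state is added.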
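Review bot: In the authenticated_show() hunk, every case where spdm_authenticated() returns false is reported as "none", while the updated Description defines "none" as "failed authentication (and may thus be malicious)". The new name reads as "no authentication established" rather than "attempted and failed". Please either state in the Description that "none" always implies a failed attempt, or reword it so userspace knows which of the two it is looking at.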
A TSM (TEE Security Manager) is a platform agent that facilitates TEE
I/O (device assignment for confidential VMs). It uses PCI CMA, IDE, and
TDISP to authenticate, encrypt/integrity-protect the link, and bind
device-virtual-functions capable of accessing private memory to
confidential VMs (TVMs).

Unlike native PCI CMA many of the details of establishing a connection
between a device (DSM) and the TSM are abstracted through platform APIs.
I.e. in the native case Linux picks the keys and validates the
certificates, in the TSM case Linux just sees a "success" from invoking
a "connect" API with the TSM.

SPDM only allows for one session-owner per transport (DOE), so the
expectation is that authentication will only ever be in the "native"
established case, or the "tsm" established case.

Convert the "authenticated" attribute to reflect {"none", "native"}
rather than {"0", "1"} in preparation for a follow-on {"none", "native",
"tsm"} possibility.

Note: Expect this patch gets folded into "PCI/CMA: Expose in sysfs
whether devices are authenticated" and assume Linux never ships the
binary authenticated ABI.

Cc: Wu Hao <hao.wu@intel.com>
Cc: Yilun Xu <yilun.xu@intel.com>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Samuel Ortiz <sameo@rivosinc.com>
Cc: Alexey Kardashevskiy <aik@amd.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 Documentation/ABI/testing/sysfs-bus-pci | 14 ++++++++------
 drivers/pci/cma.c                       |  7 ++++++-
 2 files changed, 14 insertions(+), 7 deletions(-)
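For userspace that consumes the string-valued attribute this patch proposes, the following added example (not part of the patch or of the kernel tree) classifies each PCI device by its `authenticated` file. The function names and the state words `unsupported`, `init-failed` and `unknown:` are assumptions of the example; "none", "native", the hidden file and the -ENOTTY return come from the patch.

```shell
#!/bin/sh
# Added example: audit the "authenticated" sysfs attribute as proposed here.

# classify_auth DEVDIR -> prints one state word for a PCI device directory
classify_auth() {
    f="$1/authenticated"
    # File not visible: authentication is unsupported by the device.
    [ -e "$f" ] || { echo unsupported; return 0; }
    # Read error: authenticated_show() can return -ENOTTY (the visible
    # condition involves cma_init_failed / doe_init_failed).
    state=$(cat "$f" 2>/dev/null) || { echo init-failed; return 0; }
    case "$state" in
        native) echo native ;;            # authenticated with CMA-SPDM
        none)   echo none ;;              # failed authentication
        *)      echo "unknown:$state" ;;  # e.g. a later "tsm", or old 0/1
    esac
}

# cma_audit [ROOT] -> one "device state" line per device directory;
# returns 1 if any device reports "none", 0 otherwise.
cma_audit() {
    root="${1:-/sys/bus/pci/devices}"
    rc=0
    for dev in "$root"/*; do
        [ -d "$dev" ] || continue
        s=$(classify_auth "$dev")
        printf '%s %s\n' "${dev##*/}" "$s"
        if [ "$s" = none ]; then rc=1; fi
    done
    return $rc
}
```

Treating unrecognised strings as `unknown:` rather than as authenticated keeps a policy script from silently accepting a state it was not written for once "tsm" appears.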