Commit 3225f52c authored by Dan Williams

PCI/TSM: Establish Secure Sessions and Link Encryption



The PCIe 7.0 specification, section 11, defines the Trusted Execution
Environment (TEE) Device Interface Security Protocol (TDISP).  This
protocol definition builds upon Component Measurement and Authentication
(CMA), and link Integrity and Data Encryption (IDE). It adds support for
assigning devices (PCI physical or virtual function) to a confidential VM
such that the assigned device is enabled to access guest private memory
protected by technologies like Intel TDX, AMD SEV-SNP, RISCV COVE, or ARM
CCA.

The "TSM" (TEE Security Manager) is a concept in the TDISP specification
of an agent that mediates between a "DSM" (Device Security Manager) and
system software in both a VMM and a confidential VM. A VMM uses TSM ABIs
to set up link security and assign devices. A confidential VM uses TSM
ABIs to transition an assigned device into the TDISP "RUN" state and
validate its configuration. From a Linux perspective the TSM abstracts
many of the details of TDISP, IDE, and CMA. Some of those details leak
through at times, but for the most part TDISP is an internal
implementation detail of the TSM.

CONFIG_PCI_TSM adds an "authenticated" attribute and "tsm/" subdirectory
to pci-sysfs. Consider that the TSM driver may itself be a PCI driver.
Userspace can watch for the arrival of a "TSM" device,
/sys/class/tsm/tsm0/uevent KOBJ_CHANGE, to know when the PCI core has
initialized TSM services.

The operations that can be executed against a PCI device are split into
two mutually exclusive operation sets, "Link" and "Security" (struct
pci_tsm_{link,security}_ops). The "Link" operations manage physical link
security properties and communication with the device's Device Security
Manager firmware. These are the host side operations in TDISP. The
"Security" operations coordinate the security state of the assigned
virtual device (TDI). These are the guest side operations in TDISP.

Only "link" (Secure Session and physical Link Encryption) operations are
defined at this stage. There are placeholders for the device security
(Trusted Computing Base entry / exit) operations.

The locking allows for multiple devices to be executing commands
simultaneously, one outstanding command per-device and an rwsem
synchronizes the implementation relative to TSM registration/unregistration
events.

Thanks to Wu Hao for his work on an early draft of this support.

Cc: Lukas Wunner <lukas@wunner.de>
Cc: Samuel Ortiz <sameo@rivosinc.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Alexey Kardashevskiy <aik@amd.com>
Co-developed-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Link: https://patch.msgid.link/20251031212902.2256310-5-dan.j.williams@intel.com


Signed-off-by: Dan Williams <dan.j.williams@intel.com>
parent 215afa89
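
The sysfs rules described in the commit message and in the ABI text below can be turned into a small audit helper. This is an added example, not code from the commit: the state labels are names chosen here, the sample tree is constructed so the script runs without real hardware, and the content of `authenticated` (here `1`) is an assumption because the page does not give its format.

```shell
#!/bin/sh
# Added example: report who vouches for a PCI device, per the sysfs ABI text.
# usage: pci_tsm_state SYSFS_ROOT PCI_DEVICE   (SYSFS_ROOT is normally /sys)
pci_tsm_state() {
    root=$1
    dev=$root/bus/pci/devices/$2
    [ -d "$dev" ] || { echo "no-such-device"; return 1; }
    if [ -d "$dev/tsm" ]; then
        # Platform TSM handles CMA-SPDM and IDE; 'connect' reads back the
        # connected TSM's name, or the empty string when not connected.
        tsm=$(cat "$dev/tsm/connect")
        if [ -n "$tsm" ]; then echo "tsm-connected:$tsm"; else echo "tsm-disconnected"; fi
    elif ! ls -d "$root"/class/tsm/tsm[0-9]* >/dev/null 2>&1; then
        # No TSM class device yet, so a tsm/ directory may still appear.
        echo "undetermined"
    elif [ -e "$dev/authenticated" ]; then
        # TSM registered but no tsm/: native CMA-SPDM state only.
        echo "native-cma:$(cat "$dev/authenticated")"
    else
        echo "unsupported"
    fi
}

# Constructed sample tree (not a real sysfs) so the function runs offline.
make_sample_sysfs() {
    t=$(mktemp -d) || return 1
    d=$t/bus/pci/devices
    mkdir -p "$t/class/tsm/tsm0" "$d/0000:01:00.0/tsm" "$d/0000:02:00.0/tsm" \
             "$d/0000:03:00.0" "$d/0000:04:00.0"
    echo tsm0 > "$d/0000:01:00.0/tsm/connect"
    : > "$d/0000:02:00.0/tsm/connect"
    echo 1 > "$d/0000:03:00.0/authenticated"   # value format is an assumption
    echo "$t"
}

sample=$(make_sample_sysfs)
for bdf in 0000:01:00.0 0000:02:00.0 0000:03:00.0 0000:04:00.0; do
    printf '%s %s\n' "$bdf" "$(pci_tsm_state "$sample" "$bdf")"
done
rm -rf "$sample"
```

On a real system the first argument is `/sys`; "undetermined" is the case the ABI text warns about, where the absence of `tsm/` means nothing until the TSM class device has arrived.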
+51 −0
@@ -621,3 +621,54 @@ Description:
		number extended capability. The file is read only and due to
		the possible sensitivity of accessible serial numbers, admin
		only.

What:		/sys/bus/pci/devices/.../tsm/
Contact:	linux-coco@lists.linux.dev
Description:
		This directory only appears if a physical device function
		supports authentication (PCIe CMA-SPDM), interface security
		(PCIe TDISP), and is accepted for secure operation by the
		platform TSM driver. This attribute directory appears
		dynamically after the platform TSM driver loads. So, only after
		the /sys/class/tsm/tsm0 device arrives can tools assume that
		devices without a tsm/ attribute directory will never have one;
		before that, the security capabilities of the device relative to
		the platform TSM are unknown. See
		Documentation/ABI/testing/sysfs-class-tsm.

What:		/sys/bus/pci/devices/.../tsm/connect
Contact:	linux-coco@lists.linux.dev
Description:
		(RW) Write the name of a TSM (TEE Security Manager) device from
		/sys/class/tsm to this file to establish a connection with the
		device.  This typically includes an SPDM (DMTF Security
		Protocols and Data Models) session over PCIe DOE (Data Object
		Exchange) and may also include PCIe IDE (Integrity and Data
		Encryption) establishment. Reads from this attribute return the
		name of the connected TSM or the empty string if not
		connected. A TSM device signals its readiness to accept PCI
		connection via a KOBJ_CHANGE event.

What:		/sys/bus/pci/devices/.../tsm/disconnect
Contact:	linux-coco@lists.linux.dev
Description:
		(WO) Write the name of the TSM device that was specified
		to 'connect' to teardown the connection.

What:		/sys/bus/pci/devices/.../authenticated
Contact:	linux-pci@vger.kernel.org
Description:
		When the device's tsm/ directory is present device
		authentication (PCIe CMA-SPDM) and link encryption (PCIe IDE)
		are handled by the platform TSM (TEE Security Manager). When the
		tsm/ directory is not present this attribute reflects only the
		native CMA-SPDM authentication state with the kernel's
		certificate store.

		If the attribute is not present, it indicates that
		authentication is unsupported by the device, or the TSM has no
		available authentication methods for the device.

		When present and the tsm/ attribute directory is present, the
		authenticated attribute is an alias for the device 'connect'
		state. See the 'tsm/connect' attribute for more details.
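
Review bot: The 'authenticated' entry never says what a read returns or whether the file is writable, and its meaning switches on the presence of tsm/ (native CMA-SPDM result against the kernel's certificate store versus an alias for the TSM 'connect' state). Userspace policy that gates on this file cannot tell which of the two vouched for the device without also checking for tsm/, so the Description should state the value format, give the access mode the way 'connect' (RW) and 'disconnect' (WO) do, and tell consumers to read tsm/connect to learn which TSM is involved. The four new entries also carry no Date or KernelVersion fields.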
+1 −0
@@ -10,6 +10,7 @@ The Linux PCI driver implementer's API guide

   pci
   p2pdma
   tsm

.. only::  subproject and html

+21 −0
.. SPDX-License-Identifier: GPL-2.0
.. include:: <isonum.txt>

========================================================
PCI Trusted Execution Environment Security Manager (TSM)
========================================================

Subsystem Interfaces
====================

.. kernel-doc:: include/linux/pci-ide.h
   :internal:

.. kernel-doc:: drivers/pci/ide.c
   :export:

.. kernel-doc:: include/linux/pci-tsm.h
   :internal:

.. kernel-doc:: drivers/pci/tsm.c
   :export:
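
Review bot: The '.. include:: <isonum.txt>' line at the top of the new tsm.rst is not used by anything in the visible lines, so it can be dropped. The file also goes straight from the title to four kernel-doc directives; a short overview of the "Link" versus "Security" operation split and the connect/disconnect flow, along the lines of the commit message, would give the generated API reference some context.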
+3 −1
@@ -26118,8 +26118,10 @@ L: linux-coco@lists.linux.dev
S:	Maintained
F:	Documentation/ABI/testing/configfs-tsm-report
F:	Documentation/driver-api/coco/
F:	Documentation/driver-api/pci/tsm.rst
F:	drivers/pci/tsm.c
F:	drivers/virt/coco/guest/
F:	include/linux/tsm*.h
F:	include/linux/*tsm*.h
F:	samples/tsm-mr/
TRUSTED SERVICES TEE DRIVER
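
Review bot: The pattern 'F: include/linux/*tsm*.h' matches any header with "tsm" anywhere in its name, so unrelated future headers would be routed to this entry; listing include/linux/pci-tsm.h explicitly next to 'include/linux/tsm*.h' is narrower. The other kernel-doc sources that the new tsm.rst references (include/linux/pci-ide.h, drivers/pci/ide.c) are not added in this hunk, so it is worth confirming that another entry covers them.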
+15 −0
@@ -125,6 +125,21 @@ config PCI_ATS
config PCI_IDE
	bool

config PCI_TSM
	bool "PCI TSM: Device security protocol support"
	select PCI_IDE
	select PCI_DOE
	select TSM
	help
	  The TEE (Trusted Execution Environment) Device Interface
	  Security Protocol (TDISP) defines a "TSM" as a platform agent
	  that manages device authentication, link encryption, link
	  integrity protection, and assignment of PCI device functions
	  (virtual or physical) to confidential computing VMs that can
	  access (DMA) guest private memory.

	  Enable a platform TSM driver to use this capability.

config PCI_DOE
	bool "Enable PCI Data Object Exchange (DOE) support"
	help
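
Review bot: PCI_TSM has a prompt but no 'depends on' line, and it force-enables PCI_DOE and TSM through 'select'; PCI_DOE is itself a user-visible option (it has its own prompt in the context lines), and select does not honour the selected symbol's dependencies. Either use 'depends on' for the visible symbols or add a comment on why select is safe here. The last help sentence, "Enable a platform TSM driver to use this capability.", can be read as this option enabling the driver; it would be clearer to say that the option is only useful when a platform TSM driver is also enabled.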