Commit c4f414be authored by Linus Torvalds
Pull TSM updates from Dan Williams:
 "A couple of updates to the maximum buffer sizes supported for the
  configfs-tsm-reports interface.

  This interface is a common transport that conveys the varied
  architecture specific launch attestation reports for confidential VMs.

   - Prepare the configfs-tsm-reports interface for passing larger
     attestation evidence blobs for "Device Identifier Composition
     Engine" (DICE) and Post Quantum Crypto (PQC)

   - Update the tdx-guest driver for DICE evidence (larger certificate
     chains and the CBOR Web Token schema)"

* tag 'tsm-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm:
  configfs-tsm-report: tdx_guest: Increase Quote buffer size to 128KB
  configfs-tsm-report: Increase TSM_REPORT_OUTBLOB_MAX to 16MB
  configfs-tsm-report: Document size limits for outblob attributes
parents bb7a3fc2 43185067
+16 −0
@@ -17,6 +17,12 @@ Description:
		where the implementation is conveyed via the @provider
		attribute.

		This interface fails reads and sets errno to EFBIG when the
		report generated by @provider exceeds the configfs-tsm-report
		internal maximums. Contact the platform provider for the
		compatible security module, driver, and attestation library
		combination.

What:		/sys/kernel/config/tsm/report/$name/auxblob
Date:		October, 2023
KernelVersion:	v6.7
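Review bot: the new EFBIG paragraph never states the limit it refers to, so a reader of this ABI file cannot tell what size a report must stay under or size a userspace buffer ahead of time; since the cap is a compile-time constant (TSM_REPORT_OUTBLOB_MAX, which this series raises to 16MB per the merge message), name it in the text, e.g. "exceeds TSM_REPORT_OUTBLOB_MAX (currently 16MB)", rather than only directing the reader to the platform provider.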
@@ -31,6 +37,9 @@ Description:
		Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.
		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf

		See "EFBIG" comment in the @outblob description for potential
		error conditions.

What:		/sys/kernel/config/tsm/report/$name/manifestblob
Date:		January, 2024
KernelVersion:	v6.10
@@ -43,6 +52,9 @@ Description:
		See 'service_provider' for information on the format of the
		manifest blob.

		See "EFBIG" comment in the @outblob description for potential
		error conditions.

What:		/sys/kernel/config/tsm/report/$name/provider
Date:		September, 2023
KernelVersion:	v6.7
@@ -61,6 +73,10 @@ Description:
		Library Revision 0.8 Appendix 4,5
		https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf

		Intel TDX platforms with DICE-based attestation use CBOR Web Token
		(CWT) format for the Quote payload. This is indicated by the Quote
		size exceeding 8KB.

What:		/sys/kernel/config/tsm/report/$name/generation
Date:		September, 2023
KernelVersion:	v6.7
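Review bot: the second added sentence makes payload size the discriminator between the legacy Quote format and CWT, which is fragile: the tdx-guest comment in this same series says SGX QE Quotes are only "generally" under 8K (2K Quote data plus ~5K of certificate blob), so a legacy Quote with a longer certificate chain would cross 8KB and be handed to a CWT parser. Suggest wording this as a hint only and telling consumers to determine the format from the payload itself (CBOR framing versus the legacy Quote header) before parsing, so a verifier does not misclassify evidence on length alone.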
+3 −1
@@ -160,8 +160,10 @@ static void tdx_mr_deinit(const struct attribute_group *mr_grp)
/*
 * Intel's SGX QE implementation generally uses Quote size less
 * than 8K (2K Quote data + ~5K of certificate blob).
 * DICE-based attestation uses layered evidence that requires
 * larger Quote size (~100K).
 */
#define GET_QUOTE_BUF_SIZE		SZ_8K
#define GET_QUOTE_BUF_SIZE		SZ_128K

#define GET_QUOTE_CMD_VER		1

+1 −1
@@ -8,7 +8,7 @@
#include <linux/device.h>

#define TSM_REPORT_INBLOB_MAX 64
#define TSM_REPORT_OUTBLOB_MAX SZ_32K
#define TSM_REPORT_OUTBLOB_MAX SZ_16M

/*
 * Privilege level is a nested permission concept to allow confidential
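Review bot: raising TSM_REPORT_OUTBLOB_MAX from 32K to 16M is a 512x jump with no comment on the define carrying the DICE/PQC rationale given in the merge message; a one-line comment next to it would keep that context with the constant. The larger cap also means any provider that bounds its outblob allocation with this value may now allocate up to 16MB per report, so it is worth confirming those allocation paths use a kvzalloc-style allocator that tolerates that size rather than assuming a kmalloc-sized buffer.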