Commit 5e2cb28d authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'tsm-for-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux 

Pull unified attestation reporting from Dan Williams:
 "In an ideal world there would be a cross-vendor standard attestation
  report format for confidential guests along with a common device
  definition to act as the transport.

  In the real world the situation ended up with multiple platform
  vendors inventing their own attestation report formats with the
  SEV-SNP implementation being a first mover to define a custom
  sev-guest character device and corresponding ioctl(). Later, this
  configfs-tsm proposal intercepted an attempt to add a tdx-guest
  character device and a corresponding new ioctl(). It also anticipated
  ARM and RISC-V showing up with more chardevs and more ioctls().

  The proposal takes for granted that Linux tolerates the vendor report
  format differentiation until a standard arrives. From talking with
  folks involved, it sounds like that standardization work is unlikely
  to resolve anytime soon. It also takes the position that kernfs ABIs
  are easier to maintain than ioctl(). The result is a shared configfs
  mechanism to return per-vendor report-blobs with the option to later
  support a standard when that arrives.

  Part of the goal here also is to get the community into the
  "uncomfortable, but beneficial to the long term maintainability of the
  kernel" state of talking to each other about their differentiation and
  opportunities to collaborate. Think of this like the device-driver
  equivalent of the common memory-management infrastructure for
  confidential-computing being built up in KVM.

  As for establishing an "upstream path for cross-vendor
  confidential-computing device driver infrastructure" this is something
  I want to discuss at Plumbers. At present, the multiple vendor
  proposals for assigning devices to confidential computing VMs likely
  needs a new dedicated repository and maintainer team, but that is a
  discussion for v6.8.

  For now, Greg and Thomas have acked this approach and this is passing
  is AMD, Intel, and Google tests.

  Summary:

   - Introduce configfs-tsm as a shared ABI for confidential computing
     attestation reports

   - Convert sev-guest to additionally support configfs-tsm alongside
     its vendor specific ioctl()

   - Added signed attestation report retrieval to the tdx-guest driver
     forgoing a new vendor specific ioctl()

   - Misc cleanups and a new __free() annotation for kvfree()"

* tag 'tsm-for-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux:
  virt: tdx-guest: Add Quote generation support using TSM_REPORTS
  virt: sevguest: Add TSM_REPORTS support for SNP_GET_EXT_REPORT
  mm/slab: Add __free() support for kvfree
  virt: sevguest: Prep for kernel internal get_ext_report()
  configfs-tsm: Introduce a shared ABI for attestation reports
  virt: coco: Add a coco/Makefile and coco/Kconfig
  virt: sevguest: Fix passing a stack buffer as a scatterlist target
parents b1dfbda8 f4738f56

Documentation/ABI/testing/configfs-tsm

0 → 100644
+82 −0
Original line number Diff line number Diff line 
What:		/sys/kernel/config/tsm/report/$name/inblob

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(WO) Up to 64 bytes of user specified binary data. For replay

		protection this should include a nonce, but the kernel does not

		place any restrictions on the content.



What:		/sys/kernel/config/tsm/report/$name/outblob

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(RO) Binary attestation report generated from @inblob and other

		options The format of the report is implementation specific

		where the implementation is conveyed via the @provider

		attribute.



What:		/sys/kernel/config/tsm/report/$name/auxblob

Date:		October, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(RO) Optional supplemental data that a TSM may emit, visibility

		of this attribute depends on TSM, and may be empty if no

		auxiliary data is available.



		When @provider is "sev_guest" this file contains the

		"cert_table" from SEV-ES Guest-Hypervisor Communication Block

		Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.

		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf



What:		/sys/kernel/config/tsm/report/$name/provider

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(RO) A name for the format-specification of @outblob like

		"sev_guest" [1] or "tdx_guest" [2] in the near term, or a

		common standard format in the future.



		[1]: SEV Secure Nested Paging Firmware ABI Specification

		Revision 1.55 Table 22

		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf



		[2]: Intel® Trust Domain Extensions Data Center Attestation

		Primitives : Quote Generation Library and Quote Verification

		Library Revision 0.8 Appendix 4,5

		https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf



What:		/sys/kernel/config/tsm/report/$name/generation

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(RO) The value in this attribute increments each time @inblob or

		any option is written. Userspace can detect conflicts by

		checking generation before writing to any attribute and making

		sure the number of writes matches expectations after reading

		@outblob, or it can prevent conflicts by creating a report

		instance per requesting context.



What:		/sys/kernel/config/tsm/report/$name/privlevel

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(WO) Attribute is visible if a TSM implementation provider

		supports the concept of attestation reports for TVMs running at

		different privilege levels, like SEV-SNP "VMPL", specify the

		privilege level via this attribute.  The minimum acceptable

		value is conveyed via @privlevel_floor and the maximum

		acceptable value is TSM_PRIVLEVEL_MAX (3).



What:		/sys/kernel/config/tsm/report/$name/privlevel_floor

Date:		September, 2023

KernelVersion:	v6.7

Contact:	linux-coco@lists.linux.dev

Description:

		(RO) Indicates the minimum permissible value that can be written

		to @privlevel.

MAINTAINERS

+8 −0
Original line number Diff line number Diff line
@@ -22058,6 +22058,14 @@ W: https://github.com/srcres258/linux-doc 
T:	git git://github.com/srcres258/linux-doc.git doc-zh-tw

F:	Documentation/translations/zh_TW/









TRUSTED SECURITY MODULE (TSM) ATTESTATION REPORTS









M:	Dan Williams <dan.j.williams@intel.com>









L:	linux-coco@lists.linux.dev









S:	Maintained









F:	Documentation/ABI/testing/configfs-tsm









F:	drivers/virt/coco/tsm.c









F:	include/linux/tsm.h

















TTY LAYER AND SERIAL DRIVERS









M:	Greg Kroah-Hartman <gregkh@linuxfoundation.org>









M:	Jiri Slaby <jirislaby@kernel.org>

























arch/x86/coco/tdx/tdx.c



+21
−0






























Original line number
Diff line number
Diff line







@@ -106,6 +106,27 @@ int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport)







}









EXPORT_SYMBOL_GPL(tdx_mcall_get_report0);



















/**









 * tdx_hcall_get_quote() - Wrapper to request TD Quote using GetQuote









 *                         hypercall.









 * @buf: Address of the directly mapped shared kernel buffer which









 *       contains TDREPORT. The same buffer will be used by VMM to









 *       store the generated TD Quote output.









 * @size: size of the tdquote buffer (4KB-aligned).









 *









 * Refer to section titled "TDG.VP.VMCALL<GetQuote>" in the TDX GHCI









 * v1.0 specification for more information on GetQuote hypercall.









 * It is used in the TDX guest driver module to get the TD Quote.









 *









 * Return 0 on success or error code on failure.









 */









u64 tdx_hcall_get_quote(u8 *buf, size_t size)









{









	/* Since buf is a shared memory, set the shared (decrypted) bits */









	return _tdx_hypercall(TDVMCALL_GET_QUOTE, cc_mkdec(virt_to_phys(buf)), size, 0, 0);









}









EXPORT_SYMBOL_GPL(tdx_hcall_get_quote);



















static void __noreturn tdx_panic(const char *msg)









{









	struct tdx_module_args args = {
































arch/x86/include/asm/shared/tdx.h



+1
−0






























Original line number
Diff line number
Diff line







@@ -23,6 +23,7 @@

















/* TDX hypercall Leaf IDs */









#define TDVMCALL_MAP_GPA		0x10001









#define TDVMCALL_GET_QUOTE		0x10002









#define TDVMCALL_REPORT_FATAL_ERROR	0x10003



















#define TDVMCALL_STATUS_RETRY		1
































arch/x86/include/asm/tdx.h



+2
−0






























Original line number
Diff line number
Diff line







@@ -56,6 +56,8 @@ bool tdx_early_handle_ve(struct pt_regs *regs);

















int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport);



















u64 tdx_hcall_get_quote(u8 *buf, size_t size);



















#else



















static inline void tdx_early_init(void) { };