[RFC,v2,0/6] Towards a shared TSM sysfs-ABI for Confidential Computing

Message ID 171291190324.3532867.13480405752065082171.stgit@dwillia2-xfh.jf.intel.com

Dan Williams April 12, 2024, 8:51 a.m. UTC
Here is a revised attempt at creating a shared sysfs-ABI for the concept
of a TSM (TEE Security Manager) as described by PCIe TDISP (PCIe 6.2
Section 11 TEE Device Interface Security Protocol). It remains an RFC
until at least one vendor (Intel, AMD, Rivos...) completes integration
with their low level TSM driver. I am actively working on that with Hao
Wu and Yilun Xu, but if another vendor adopts this before us, great.

Changes since v1: [1]
* Major simplifications:
  * Drop the 'struct pci_tsm_req' concept (Yilun), but keep a common
    @exec entry point from the PCI core to the low level driver.
  * Drop Link IDE and related sysfs attributes (Alexey). This
    sophistication may come back later, but no need to tackle that
    complexity now.
  * Move policy choice of requiring native CMA before TSM connection
    to userspace policy. This removes the need to build on top of the
    moving CMA baseline, and these series can now be considered on
    independent timelines.
* Create a guest/ vs host/ split in drivers/virt/coco/ (Sathya)
* Require a parent device for the common TSM class device (Jonathan)
* Create a 'tdx' virtual bus and 'tdx_tsm' device to parent the TSM
  class device
* Create a 'tdx_tsm' for the low-level TDX calls
* Rebase on v6.9-rc1 that includes a DEFINE_SYSFS_GROUP_VISIBLE()
* Cleanup usage of __free() to match the proposed style guide [2]
  (Jonathan)
* Cleanup, clarifications, and fixes (Kevin)
* Improve the cover letter prose below (Bjorn, Kevin)

[1]: http://lore.kernel.org/r/170660662589.224441.11503798303914595072.stgit@dwillia2-xfh.jf.intel.com
[2]: http://lore.kernel.org/r/171140738438.1574931.15717256954707430472.stgit@dwillia2-xfh.jf.intel.com

Confidential Computing (CC) introduces the concept of hardware protected
(integrity and confidentiality) guest private memory. The next phase of
that journey is private memory access for guest assigned devices. To
date, assigned devices for CC guests are constrained to accessing shared
memory, unprotected clear-text memory. That mode incurs a bounce buffer
performance penalty as every DMA (direct-memory-access) performed by the
device must be later copied from shared-to-private memory for
device-write and private-to-shared copies for device-reads.

The PCIe TEE Device Interface Security Protocol (TDISP) arranges for
devices to be permitted to DMA to private memory directly, but it
requires significant infrastructure to authenticate, validate, and
provision a virtual-device interface to be used in a CC guest.

TDISP specifies a TEE Security Manager (TSM) as a platform agent that
can manage the IOMMU, PCI host, and endpoint Device Security Manager
capabilities to convert a guest-assigned device (physical function or
sriov-virtual function) into private mode operation.

What follows is common shared infrastructure for the PCI core to
interface with the platform TSM, and TDX as an example low level
consumer of these core capabilities.

Enable the PCI core to export a "connect" verb via sysfs for a given
device which, when the low level platform implementation is added,
arranges for the device to be authenticated and its link protected by
encryption and integrity checks.

---

Dan Williams (6):
      configfs-tsm: Namespace TSM report symbols
      coco/guest: Move shared guest CC infrastructure to drivers/virt/coco/guest/
      x86/tdx: Introduce a "tdx" subsystem and "tsm" device
      coco/tsm: Introduce a class device for TEE Security Managers
      PCI/TSM: Authenticate devices via platform TSM
      tdx_tsm: TEE Security Manager driver for TDX


 Documentation/ABI/testing/sysfs-bus-pci |   46 +++++
 MAINTAINERS                             |    7 +
 arch/x86/include/asm/shared/tdx.h       |    3 
 arch/x86/virt/vmx/tdx/tdx.c             |   70 ++++++++
 drivers/pci/Kconfig                     |   13 +
 drivers/pci/Makefile                    |    2 
 drivers/pci/pci-sysfs.c                 |    4 
 drivers/pci/pci.h                       |   10 +
 drivers/pci/probe.c                     |    1 
 drivers/pci/remove.c                    |    1 
 drivers/pci/tsm.c                       |  270 +++++++++++++++++++++++++++++++
 drivers/virt/coco/Kconfig               |    8 -
 drivers/virt/coco/Makefile              |    3 
 drivers/virt/coco/guest/Kconfig         |    7 +
 drivers/virt/coco/guest/Makefile        |    2 
 drivers/virt/coco/guest/tsm_report.c    |   32 ++--
 drivers/virt/coco/host/Kconfig          |   12 +
 drivers/virt/coco/host/Makefile         |    8 +
 drivers/virt/coco/host/tdx_tsm.c        |   68 ++++++++
 drivers/virt/coco/host/tsm-core.c       |  131 +++++++++++++++
 drivers/virt/coco/sev-guest/sev-guest.c |    8 -
 drivers/virt/coco/tdx-guest/tdx-guest.c |    8 -
 include/linux/pci-tsm.h                 |   80 +++++++++
 include/linux/pci.h                     |   11 +
 include/linux/tsm.h                     |   31 ++--
 include/uapi/linux/pci_regs.h           |    4 
 26 files changed, 795 insertions(+), 45 deletions(-)
 create mode 100644 drivers/pci/tsm.c
 create mode 100644 drivers/virt/coco/guest/Kconfig
 create mode 100644 drivers/virt/coco/guest/Makefile
 rename drivers/virt/coco/{tsm.c => guest/tsm_report.c} (92%)
 create mode 100644 drivers/virt/coco/host/Kconfig
 create mode 100644 drivers/virt/coco/host/Makefile
 create mode 100644 drivers/virt/coco/host/tdx_tsm.c
 create mode 100644 drivers/virt/coco/host/tsm-core.c
 create mode 100644 include/linux/pci-tsm.h

base-commit: 4cece764965020c22cff7665b18a012006359095