lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Apr 2024 09:28:22 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Dan Williams <dan.j.williams@...el.com>, linux-kernel@...r.kernel.org,
 x86@...nel.org, linux-coco@...ts.linux.dev, svsm-devel@...onut-svsm.dev
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
 "H. Peter Anvin" <hpa@...or.com>, Andy Lutomirski <luto@...nel.org>,
 Peter Zijlstra <peterz@...radead.org>, Michael Roth <michael.roth@....com>,
 Ashish Kalra <ashish.kalra@....com>
Subject: Re: [PATCH v4 13/15] x86/sev: Take advantage of configfs visibility
 support in TSM

On 4/29/24 08:35, Tom Lendacky wrote:
> On 4/26/24 16:58, Dan Williams wrote:
>> Tom Lendacky wrote:
>>> The TSM attestation report support provides multiple configfs attribute
>>> types (both for standard and binary attributes) to allow for additional
>>> attributes to be displayed for SNP as compared to TDX. With the ability
>>> to hide attributes via configfs, consoldate the multiple attribute 
>>> groups
>>> into a single standard attribute group and a single binary attribute
>>> group. Modify the TDX support to hide the attributes that were 
>>> previously
>>> "hidden" as a result of registering the selective attribute groups.
>>>
>>> Co-developed-by: Dan Williams <dan.j.williams@...el.com>
>>> Signed-off-by: Dan Williams <dan.j.williams@...el.com>
>>> Signed-off-by: Tom Lendacky <thomas.lendacky@....com>
>>> ---
>>>   drivers/virt/coco/sev-guest/sev-guest.c |  3 +-
>>>   drivers/virt/coco/tdx-guest/tdx-guest.c | 29 ++++++++-
>>>   drivers/virt/coco/tsm.c                 | 82 ++++++++++++-------------
>>>   include/linux/tsm.h                     | 41 ++++++++++---
>>>   4 files changed, 102 insertions(+), 53 deletions(-)
>> [..]
>>> diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c 
>>> b/drivers/virt/coco/tdx-guest/tdx-guest.c
>>> index 1253bf76b570..964af57f345c 100644
>>> --- a/drivers/virt/coco/tdx-guest/tdx-guest.c
>>> +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
>> [..]
>>> @@ -249,6 +250,30 @@ static int tdx_report_new(struct tsm_report 
>>> *report, void *data)
>>>       return ret;
>>>   }
>>> +static bool tdx_report_attr_visible(struct config_item *item,
>>> +                    struct configfs_attribute *attr, int n)
>>> +{
>>> +    switch (n) {
>>> +    case TSM_REPORT_GENERATION:
>>> +    case TSM_REPORT_PROVIDER:
>>> +        return true;
>>> +    }
>>> +
>>> +    return false;
>>> +}
>>> +
>>> +static bool tdx_report_bin_attr_visible(struct config_item *item,
>>> +                    struct configfs_bin_attribute *attr, int n)
>>> +{
>>> +    switch (n) {
>>> +    case TSM_REPORT_INBLOB:
>>> +    case TSM_REPORT_OUTBLOB:
>>> +        return true;
>>> +    }
>>> +
>>> +    return false;
>>> +}
>>
>> Why do these callbacks need @item and @attr?
> 
> It is a generic callback from configfs, so outside of TSM, an 
> implementation may find it useful to have these. But, with the code 
> change to require the callback at the attribute level, now, these can be 
> eliminated.
> 
>>
>> [..]
>>> +static bool tsm_report_is_visible(struct config_item *item,
>>> +                  struct configfs_attribute *attr, int n)
>>
>> Per the comment on where to find the is_visible() callbacks for a given
>> item type, I expect the need to pass @item here goes away when this can
>> assume that there is only one way to have is_visible() invoked for
>> @attr, right?
> 
> Yes.

But as I look closer, there is only a single ops callback pair 
(is_visible() and is_bin_visible()), so as long there is never another 
group / subdir defined under the TSM report, this works. But if another 
group is added, then the item parameter would likely be needed or the 
ops callback would have to be updated to differentiate for the vendor 
(SNP/TDX).

Thanks,
Tom

> 
> Thanks,
> Tom
> 
>>
>> Other than that, this conversion looks good to me.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ