| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250311094225.35129-1-sgarzare@redhat.com>
Date: Tue, 11 Mar 2025 10:42:21 +0100
From: Stefano Garzarella <sgarzare@...hat.com>
To: Jarkko Sakkinen <jarkko@...nel.org>
Cc: Peter Huewe <peterhuewe@....de>,
Tom Lendacky <thomas.lendacky@....com>,
Jason Gunthorpe <jgg@...pe.ca>,
x86@...nel.org,
linux-kernel@...r.kernel.org,
Borislav Petkov <bp@...en8.de>,
linux-integrity@...r.kernel.org,
Dov Murik <dovmurik@...ux.ibm.com>,
Dionna Glaze <dionnaglaze@...gle.com>,
linux-coco@...ts.linux.dev,
James Bottomley <James.Bottomley@...senPartnership.com>,
Claudio Carvalho <cclaudio@...ux.ibm.com>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Joerg Roedel <jroedel@...e.de>,
Stefano Garzarella <sgarzare@...hat.com>
Subject: [PATCH v3 0/4] Enlightened vTPM support for SVSM on SEV-SNP
AMD SEV-SNP defined a new mechanism for adding privileged levels (VMPLs)
in the context of a Confidential VM. These levels can be used to run the
guest OS at a lower privilege level than a Secure VM Service Module (SVSM).
In this way SVSM can be used to emulate those devices (such as TPM) that
cannot be delegated to an untrusted host.
The guest OS can talk to SVSM using a specific calling convention and
instructions (a kind of system call/hyper call) and request services such
as TPM emulation.
The main goal of this series is to add a driver for the vTPM defined by
the AMD SVSM spec [3]. The specification defines a protocol that a
SEV-SNP guest OS (running on VMPL >= 1) can use to discover and talk to
a vTPM emulated by the SVSM in the guest context, but at a more
privileged level (VMPL0).
This series is based on the RFC sent by James last year [1].
In the meantime, the patches have been maintained and tested in the
Coconut Linux fork [2] along with the work to support the vTPM
emulation in Coconut SVSM.
The first patch adds public APIs to use AMD SVSM vTPM. They use
SVSM_VTPM_QUERY call to probe for the vTPM device and SVSM_VTPM_CMD call
to execute vTPM operations as defined in the AMD SVSM spec [3].
The second patch adds an interface with helpers for the SVSM_VTPM_CMD calls
used by the vTPM protocol defined by the AMD SVSM spec and then used by the
third patch to implement the SVSM vTPM driver. The fourth patch simply
registers the platform device.
Since all SEV-SNP dependencies are now upstream, this series can be
applied directly to the Linus' tree.
These patches were tested in an AMD SEV-SNP guest running:
- a recent version of Coconut SVSM [4] containing an ephemeral vTPM
- a PoC [5] containing a stateful vTPM used for sealing/unsealing a LUKS key
Changelog:
v2 RFC -> v3
- Removed send_recv() ops and followed the ftpm driver implementing .status,
.req_complete_mask, .req_complete_val, etc. [Jarkko]
As we agreed, I will send another series with that patch to continue the
discussion along with the changes in this driver and ftpm driver.
- Renamed fill/parse functions [Tom]
- Renamed helpers header and prefix to make clear it's related to the
SVSM vTPM protocol and not to the TCG TPM Simulator
- Slimmed down snp_svsm_vtpm_probe() [Borislav]
- Removed link to the spec because those URLs are unstable [Borislav]
- Removed features check and any print related [Tom]
- Squashed "x86/sev: add SVSM call macros for the vTPM protocol" patch
with the next one [Borislav]
v1 -> v2 RFC: https://lore.kernel.org/linux-integrity/20250228170720.144739-1-sgarzare@redhat.com/
- Added send_recv() tpm_class_ops callback
- Removed the intermediate tpm_platform.ko driver
- Renamed tpm_platform.h to tpm_tcgsim.h and included some API to fill
TPM_SEND_COMMAND requests and parse responses from a device emulated using
the TCG Simulatore reference implementation
- Added public API in x86/sev usable to discover and talk with the SVSM vTPM
- Added the tpm-svsm platform driver in driver/char/tpm/
- Fixed some SVSM TPM related issues (resp_size as u32, don't fail on
features !=0, s/VTPM/vTPM)
v0 RFC -> v1: https://lore.kernel.org/linux-integrity/20241210143423.101774-1-sgarzare@redhat.com/
- Used SVSM_VTPM_QUERY to probe the TPM as Tom Lendacky suggested
- Changed references/links to TCG TPM repo since in the last year MS
donated the reference TPM implementation to the TCG.
- Addressed Dov Murik's comments:
https://lore.kernel.org/all/f7d0bd07-ba1b-894e-5e39-15fb1817bc8b@linux.ibm.com/
- Added a new patch with SVSM call macros for the vTPM protocol, following
what we already have for SVSM_CORE and SVSM_ATTEST
- Rebased on v6.13-rc2
Thanks,
Stefano
[1] https://lore.kernel.org/all/acb06bc7f329dfee21afa1b2ff080fe29b799021.camel@linux.ibm.com/
[2] https://github.com/coconut-svsm/linux/tree/svsm
[3] "Secure VM Service Module for SEV-SNP Guests"
Publication # 58019 Revision: 1.00
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
[4] https://github.com/coconut-svsm/svsm/commit/6522c67e1e414f192a6f014b122ca8a1066e3bf5
[5] https://github.com/stefano-garzarella/snp-svsm-vtpm
Stefano Garzarella (4):
x86/sev: add SVSM vTPM probe/send_command functions
svsm: add header with SVSM_VTPM_CMD helpers
tpm: add SNP SVSM vTPM driver
x86/sev: register tpm-svsm platform device
arch/x86/include/asm/sev.h | 7 ++
include/linux/svsm_vtpm.h | 141 ++++++++++++++++++++++++++++++++++
arch/x86/coco/sev/core.c | 39 ++++++++++
drivers/char/tpm/tpm_svsm.c | 148 ++++++++++++++++++++++++++++++++++++
drivers/char/tpm/Kconfig | 10 +++
drivers/char/tpm/Makefile | 1 +
6 files changed, 346 insertions(+)
create mode 100644 include/linux/svsm_vtpm.h
create mode 100644 drivers/char/tpm/tpm_svsm.c
--
2.48.1
Powered by blists - more mailing lists