lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250717183358.1332417-1-dan.j.williams@intel.com>
Date: Thu, 17 Jul 2025 11:33:48 -0700
From: Dan Williams <dan.j.williams@...el.com>
To: <linux-coco@...ts.linux.dev>, <linux-pci@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, <bhelgaas@...gle.com>, <aik@....com>,
	<lukas@...ner.de>, Aneesh Kumar K.V <aneesh.kumar@...nel.org>,
	Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>, "Isaku
 Yamahata" <isaku.yamahata@...el.com>, John Allen <john.allen@....com>,
	Jonathan Cameron <Jonathan.Cameron@...wei.com>, Samuel Ortiz
	<sameo@...osinc.com>, Suzuki K Poulose <suzuki.poulose@....com>, Tom Lendacky
	<thomas.lendacky@....com>, Xiaoyao Li <xiaoyao.li@...el.com>, Xu Yi lun
	<yilun.xu@...ux.intel.com>, Yilun Xu <yilun.xu@...el.com>
Subject: [PATCH v4 00/10] PCI/TSM: Core infrastructure for PCI device security (TDISP)

Changes since v3 [1]:
- Move the TSM core out of the host/ subdirectory since it is shared
  with the guest (Aneesh)
- Support multiple simultaneous TSM providers (Jason, Alexey)
- Do not reuse the "connect" operation for both Link and Security state
  management (Aneesh, Alexey)
- Derive the pci_tsm instance type from details in the @pdev or @dsm
  properties (Aneesh)
- Delay TSM association until ->connect(), results in removing the need
  for the @state attribute
- Introduce reverse iterators for all PCI bus and function walking.
- Move all per-device context setup/teardown to
  pci_tsm_(constructor,destructor)
- Add pci_ide_stream_release() for scope-based cleanup of IDE setup
- Shorten the name of the "stream" sysfs link (Jonathan)
- misc fixups (Jonathan)
- Note creation of pci_host_bridge_type in changelog (Jonathan)
- Drop now unused PREP_PCI_IDE_SEL_ADDR1() and related macros (Jonathan)
- Open code PREP_PCI_IDE_SEL_RID_2 in its only caller (Jonathan)
- Clarify the specification Stream term from a Linux "stream" object
  (Jonathan)
- Convert samples/devsec/ to faux device (Jonathan)
- Drop Date: from ABI entries
- Add basic driver-api documentation to build kdoc
- Switch to ACQUIRE()
- Add an explicit 'disconnect' attribute
- Clarify the PCI_IDE_STREAM_MAX Kconfig help (Jonathan)
- Use unsigned variables from sel_ide_offset (Jonathan)

[1]: http://lore.kernel.org/20250516054732.2055093-1-dan.j.williams@intel.com

This set is available at tsm.git#staging (rebasing branch) or
tsm.git#devsec-20250717 (immutable tag). It passes a basic that
exercises load/unload of the samples/devsec/ modules and
connect/disconnect of the emulated device.

Status (complexity reductions):
-------------------------------

Between the support for multiple TSMs, the split of "Link" and
"Security" operations and inferring the type of 'struct pci_tsm' context
from its properties, the implementation shed complexity.

Now, ->probe() is only called in the sysfs::connect_store() path which
means that there is no need to track the PCI_TSM_INIT and
PCI_TSM_CONNECT states. Simply, when a Device Security Manager (DSM) is
connected, at that point all potential TDIs (assignable functions where
the DSM can manage its security state) are probed.

Now, initial determination of when the "tsm/" sysfs group appears
follows typical expectations. If at least one TSM device has been
registered prior to a DSM device being scanned, its "tsm/" attribute
group will appear. No more need for a pci_tsm_init() call via
pci_init_capabilities().

The pci_tsm_destroy() path is now simply arranging for
pci_tsm_disconnect() of all DSMs after all TDIs have gone through
->remove() callback. This is accomplished with new "reverse" iterators
for all PCI bus walks.

Next steps:
-----------
The campaign to graduate this out of tsm.git#staging and into mainline
starts in earnest when samples/devsec/ + 1 vendor implementation, or 2
vendor implementations can demonstrate the end-to-end flow (minus
attestation). That is the "consensus" event horizon where prior to that
it seems reasonable for impacted subsystem maintainers to opt-out of
reviewing all the fine details under debate. Suffice to say there are a
lot of fine details flying around.

To that end I expect it would help to have a tracking document in
tsm.git#staging that catalogs the open debates and the current leanings
of the staging tree. That is next in the hopper.

Original Cover letter:
----------------------

Trusted execution environment (TEE) Device Interface Security Protocol
(TDISP) is a chapter name in the PCI specification. It describes an
alphabet soup of mechanisms, SPDM, CMA, IDE, TSM/DSM, that system
software uses to establish trust in a device and assign it to a
confidential virtual machine (CVM). It is protocol for dynamically
extending the trusted computing boundary (TCB) of a CVM with a PCI
device interface that can issue DMA to CVM private memory.

The acronym soup problem is enhanced by every major platform vendor
having distinct TEE Security Manager (TSM) API implementations /
capabilities, and to a lesser extent, every potential endpoint Device
Security Manager (DSM) having its own idiosyncratic behaviors around
TDISP state transitions.

Despite all that opportunity for differentiation, there is a significant
portion of the implementation that is cross-vendor common. However, it
is difficult to develop, debate, test and settle all those pieces absent
a low level TSM driver implementation to pull it all together.

The proposal, of which this set is the first phase, is incrementally
develop the shared infrastructure on top of a sample TSM driver
implementation to enable clean vendor agnostic discussions about the
commons. "samples/devsec/" is meant to be: just enough emulation to
exercise all the core infrastructure, a reference implementation, and a
simple unit test. The sample also enables coordination with the native
PCI device security effort [2].

[2]: http://lore.kernel.org/cover.1719771133.git.lukas@wunner.de

Dan Williams (10):
  coco/tsm: Introduce a core device for TEE Security Managers
  PCI/IDE: Enumerate Selective Stream IDE capabilities
  PCI: Introduce pci_walk_bus_reverse(), for_each_pci_dev_reverse()
  PCI/TSM: Authenticate devices via platform TSM
  samples/devsec: Introduce a PCI device-security bus + endpoint sample
  PCI: Add PCIe Device 3 Extended Capability enumeration
  PCI/IDE: Add IDE establishment helpers
  PCI/IDE: Report available IDE streams
  PCI/TSM: Report active IDE streams
  samples/devsec: Add sample IDE establishment

 Documentation/ABI/testing/sysfs-bus-pci       |  51 ++
 Documentation/ABI/testing/sysfs-class-tsm     |  19 +
 .../ABI/testing/sysfs-devices-pci-host-bridge |  29 +
 Documentation/driver-api/pci/index.rst        |   1 +
 Documentation/driver-api/pci/tsm.rst          |  12 +
 MAINTAINERS                                   |   7 +-
 drivers/base/bus.c                            |  38 +
 drivers/pci/Kconfig                           |  28 +
 drivers/pci/Makefile                          |   2 +
 drivers/pci/bus.c                             |  37 +
 drivers/pci/ide.c                             | 578 ++++++++++++++
 drivers/pci/pci-sysfs.c                       |   4 +
 drivers/pci/pci.h                             |  17 +
 drivers/pci/probe.c                           |  25 +-
 drivers/pci/remove.c                          |   3 +
 drivers/pci/search.c                          |  63 +-
 drivers/pci/tsm.c                             | 554 ++++++++++++++
 drivers/virt/coco/Kconfig                     |   3 +
 drivers/virt/coco/Makefile                    |   2 +
 drivers/virt/coco/tsm-core.c                  | 198 +++++
 include/linux/device/bus.h                    |   3 +
 include/linux/pci-ide.h                       |  72 ++
 include/linux/pci-tsm.h                       | 158 ++++
 include/linux/pci.h                           |  36 +
 include/linux/tsm.h                           |  15 +
 include/uapi/linux/pci_regs.h                 |  89 +++
 samples/Kconfig                               |  16 +
 samples/Makefile                              |   1 +
 samples/devsec/Makefile                       |  10 +
 samples/devsec/bus.c                          | 711 ++++++++++++++++++
 samples/devsec/common.c                       |  26 +
 samples/devsec/devsec.h                       |  40 +
 samples/devsec/tsm.c                          | 241 ++++++
 33 files changed, 3078 insertions(+), 11 deletions(-)
 create mode 100644 Documentation/ABI/testing/sysfs-class-tsm
 create mode 100644 Documentation/driver-api/pci/tsm.rst
 create mode 100644 drivers/pci/ide.c
 create mode 100644 drivers/pci/tsm.c
 create mode 100644 drivers/virt/coco/tsm-core.c
 create mode 100644 include/linux/pci-ide.h
 create mode 100644 include/linux/pci-tsm.h
 create mode 100644 samples/devsec/Makefile
 create mode 100644 samples/devsec/bus.c
 create mode 100644 samples/devsec/common.c
 create mode 100644 samples/devsec/devsec.h
 create mode 100644 samples/devsec/tsm.c


base-commit: df877487cac3509cbae2625181e7ad6748afed24
-- 
2.50.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ