From: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@linux.intel.com>
To: Dave Hansen <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org
Cc: "H . Peter Anvin" <hpa@zytor.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Tony Luck <tony.luck@intel.com>, Andi Kleen <ak@linux.intel.com>,
Kai Huang <kai.huang@intel.com>,
Wander Lairson Costa <wander@redhat.com>,
Isaku Yamahata <isaku.yamahata@gmail.com>,
marcelo.cerri@canonical.com, tim.gardner@canonical.com,
khalid.elmously@canonical.com, philip.cox@canonical.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v9 0/6] Add TDX Guest Attestation support
Date: Wed, 24 Aug 2022 11:16:07 -0700 [thread overview]
Message-ID: <1481d6c6-7d59-cd06-2c44-2ed534d3070a@linux.intel.com> (raw)
In-Reply-To: <bb006b7a-525a-3f1b-0fc4-1620bb5bd3ba@intel.com>
Hi,
On 8/24/22 10:12 AM, Dave Hansen wrote:
> On 7/27/22 20:44, Kuppuswamy Sathyanarayanan wrote:
>> An Intel SGX Quoting Enclave (QE), written specifically to support
>> quoting Intel TDX TDs, uses EVERIFYREPORT2, to help check the integrity
>> of the TDG.MR.REPORT. If it passes, the QE can use a certified quote
>> signing key to sign a quote containing the guest TD’s measurements and
>> the additional data being quoted.
>
> (maintainer hat firmly in place, not speaking as an Intel person here...)
>
> Let's say Intel tires of SGX and zaps it from server CPUs just like it
> did clients. Or, that Intel decides that TDX is really cool and wants
> it on SGX-free clients in addition to servers.
>
> Can the guest ABI which is introduced here work for a future attestation
> architecture that does not involve SGX?
Yes. ABI introduced here is agnostic to QE implementation. For getting a
signed Quote, the guest will pass TDREPORT with length as input and expect
signed Quote with length as output. This requirement is valid irrespective
of QE implementation(SGX/no-SGX).
As you can see below, in our ABI we pass TDREPORT with "tdx_quote_hdr" in a
buffer. Upon successful completion of the request, we expect Quote in the
same buffer with proper header details. Such header format is generic and
should work well in non-SGX environment you have mentioned as well.
Input buffer -> [tdx_quote_hdr][TDREPORT]
Output buffer -> [tdx_quote_hdr][Quote]
struct tdx_quote_hdr {
/* Quote version, filled by TD */
__u64 version;
/* Status code of Quote request, filled by VMM */
__u64 status;
/* Length of TDREPORT, filled by TD */
__u32 in_len;
/* Length of Quote, filled by VMM */
__u32 out_len;
/* Actual Quote data or TDREPORT on input */
__u64 data[0];
};
/* struct tdx_quote_req: Request to generate TD Quote using TDREPORT
*
* @buf : Pass user data that includes TDREPORT as input. Upon
* successful completion of IOCTL, output is copied
* back to the same buffer.
* @len : Length of the Quote buffer.
*/
struct tdx_quote_req {
__u64 buf; // buf with header and data
__u64 len;
};
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer
prev parent reply other threads:[~2022-08-24 18:16 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-28 3:44 [PATCH v9 0/6] Add TDX Guest Attestation support Kuppuswamy Sathyanarayanan
2022-07-28 3:44 ` [PATCH v9 1/6] x86/tdx: Add TDX Guest attestation interface driver Kuppuswamy Sathyanarayanan
2022-08-10 19:09 ` Borislav Petkov
2022-08-10 19:27 ` Sathyanarayanan Kuppuswamy
2022-08-18 14:18 ` Borislav Petkov
2022-08-18 14:40 ` Sathyanarayanan Kuppuswamy
2022-08-18 14:54 ` Borislav Petkov
2022-08-18 16:25 ` Dave Hansen
2022-08-19 0:22 ` Huang, Kai
2022-08-22 21:19 ` Dave Hansen
2022-08-22 21:36 ` Borislav Petkov
2022-08-22 21:44 ` Dave Hansen
2022-08-22 22:41 ` Sathyanarayanan Kuppuswamy
2022-08-24 15:56 ` Borislav Petkov
2022-08-24 16:56 ` Sathyanarayanan Kuppuswamy
2022-08-29 3:14 ` Huang, Kai
2022-08-29 8:05 ` Wang, Wei W
2022-08-30 2:25 ` Huang, Kai
2022-08-23 19:36 ` Sathyanarayanan Kuppuswamy
2022-08-24 15:55 ` Borislav Petkov
2022-07-28 3:44 ` [PATCH v9 2/6] selftests: tdx: Test GetReport TDX attestation feature Kuppuswamy Sathyanarayanan
2022-07-28 10:32 ` Kai Huang
2022-08-01 17:49 ` Sathyanarayanan Kuppuswamy
2022-08-02 0:08 ` Kai Huang
2022-07-28 3:44 ` [PATCH v9 3/6] x86/tdx: Add TDX Guest event notify interrupt support Kuppuswamy Sathyanarayanan
2022-07-28 10:18 ` Kai Huang
2022-08-01 21:39 ` Sathyanarayanan Kuppuswamy
2022-07-28 3:44 ` [PATCH v9 4/6] x86/coco: Add cc_decrypted_alloc/free() interfaces Kuppuswamy Sathyanarayanan
2022-07-28 3:44 ` [PATCH v9 5/6] x86/tdx: Add Quote generation support Kuppuswamy Sathyanarayanan
2022-07-28 3:44 ` [PATCH v9 6/6] selftests: tdx: Test GetQuote TDX attestation feature Kuppuswamy Sathyanarayanan
2022-08-24 17:12 ` [PATCH v9 0/6] Add TDX Guest Attestation support Dave Hansen
2022-08-24 18:16 ` Sathyanarayanan Kuppuswamy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1481d6c6-7d59-cd06-2c44-2ed534d3070a@linux.intel.com \
--to=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=ak@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=isaku.yamahata@gmail.com \
--cc=kai.huang@intel.com \
--cc=khalid.elmously@canonical.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.cerri@canonical.com \
--cc=mingo@redhat.com \
--cc=philip.cox@canonical.com \
--cc=tglx@linutronix.de \
--cc=tim.gardner@canonical.com \
--cc=tony.luck@intel.com \
--cc=wander@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.