Linux Confidential Computing Development
 help / color / mirror / Atom feed
From: Dan Williams <djbw@kernel.org>
To: linux-coco@lists.linux.dev
Cc: linux-pci@vger.kernel.org, driver-core@lists.linux.dev,
	ankita@nvidia.com, Aaron Tomlin <atomlin@atomlin.com>,
	Alexey Kardashevskiy <aik@amd.com>,
	Alistair Francis <alistair.francis@wdc.com>,
	"Aneesh Kumar K.V" <aneesh.kumar@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Daniel Gomez <da.gomez@kernel.org>,
	Danilo Krummrich <dakr@kernel.org>,
	Dexuan Cui <decui@microsoft.com>,
	Donald Hunter <donald.hunter@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jakub Kicinski <kuba@kernel.org>, Jason Gunthorpe <jgg@ziepe.ca>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Lukas Wunner <lukas@wunner.de>, Petr Pavlu <petr.pavlu@suse.com>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Robin Murphy <robin.murphy@arm.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Samuel Ortiz <sameo@rivosinc.com>,
	Saravana Kannan <saravanak@google.com>,
	Will Deacon <will@kernel.org>,
	Xu Yilun <yilun.xu@linux.intel.com>
Subject: [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP)
Date: Sun,  5 Jul 2026 15:08:04 -0700	[thread overview]
Message-ID: <20260705220819.2472765-1-djbw@kernel.org> (raw)

Major changes since: "[PATCH v2 00/19] PCI/TSM: TEE I/O infrastructure" [1]
- Implement a new netlink schema for dumping large SPDM blobs (Jakub,
  Lukas)
- Introduce a device core implementation for evidence gathering given
  SPDM is applicable to devices outside of PCI (Lukas)
- Replace the "CC acceptance" mechanism with "Device Trust" (Greg,
  Jason)
- Fix TDISP report parsing to use bytes instead of pfns for the start
  value of an MMIO report (PCI spec clarification)
- Support the CCA expectation that MMIO reports are BAR aligned (Aneesh)

[1]: http://lore.kernel.org/20260303000207.1836586-1-dan.j.williams@intel.com

[ Note, this series is back to a v1 posting given the new theme of
  "Evidence and Trust". It defers some of the lower level details, like
  touching arch-level ioremap implementations to consult encrypted_iomem,
  until the higher order details are settled ].

---
Summary:
A threat model wants to arrange for devices to not be operated until
they present evidence. Add device evidence gathering, device trust
levels, and hook those up for the PCI/TSM (PCI device security protocol)
implementation.
---

Confidential Computing and other use cases specify a threat model where
devices are potentially adversarial. To date the device core trusts
devices and their drivers, and only specific buses have local
"adversary" device mitigations. The task is define a general trust
concept to up-level existing trust mitigations, and allow for
incremental tightening of mitigations across bus types and IOMMU
drivers.

Goals:
* Create a mechanism for booting with a limited set
  devices + drivers and permit selectively enabling more devices +
  drivers at runtime.
* Up-level bus specific trust mitigations like PCI
  untrusted to a core concept.
* Let buses coordinate entry into the TCB via the existing
  ->dma_configure() callback

The proposal considers existing trust mitigation in various buses.  The
PCI device "untrusted" flags is an example of limiting but not fully
blocking operation of a device. The USB interface authorized flag is an
example of not trusting a device to operate at all. The implementation
starts with these trust level DEVICE_TRUST_NONE, no operation of the
device, and DEVICE_TRUST_ADVERSARY, limited operation of the device.
For example, the PCI "untrusted" flag turns off device translation
capabilities (ATS) and strictly enforces IOMMU mappings, but otherwise
allows operation of the device.

The proposal does not currently incorporate other bus specific security
mechanisms that are independent of individual device operational trust.
For example, USB device (not interface) authorization and Thunderbolt
switch authorization are transport gates to other devices.  PCIe Link
Encryption is also a transport security mechanism that informs a trust
decision, but it is still possible to distrust a device with Link
Encryption and conversely distrust a device protected by Link
Encryption. Those security mechanisms are orthogonal to trust policy for
driver bind, address space access, and acceleration feature enabling.

The result is device trust is an input to the driver core and IOMMU
layers. A bus can opt to sync its local bind policy, address space
access, and acceleration features to the trust level, or treat it as an
overriding second-stage policy from the bus's first stage mechanism.

The trust levels established at enumeration and enforced at driver
attach are DEVICE_TRUST_{NONE,ADVERSARY,AUTO,TCB}:

* NONE: no usage of the device unless the trust is explicitly overridden
  by user policy specified via a driver flag, module flag, or uapi (TBD).

* ADVERSARY: needs acknowledgement from the bus and IOMMU / DMA layers
  that the device is limited to strict IOMMU translation behavior. Drivers
  can use this as a signal to limit functionality. This designation
  implies follow-on IOMMU and bus enabling work for features like
  arranging for the device to attach to a blocked IOMMU domain when
  detached from a driver.

* AUTO: typical / historical Linux driver model.

* TCB: a trust level that only exists in Confidential Computing
  environments. When acked by the IOMMU / DMA layer it enables the device
  to issue direct-DMA to private/encrypted addresses or otherwise attach to
  a secure vIOMMU within the TCB.

Overview of changes:
Patches 1-6: Update netlink to be able to support large blob
transfers that the SPDM standard requires. SPDM can be associated with
any device type, so the implementation lands in the device core with
PCI/TSM as the first consumer.

Patches 7-9: Introduce DEVICE_TRUST_NONE and DEVICE_TRUST_ADVERSARY.
Support blocking driver bind by default, and allow either build policy
or module policy to override the the trust level.

Patches 10-12,14-15: Plumb the PCI/TSM support for the PCI device
security (TDISP) protocol to transition the device through
UNLOCKED->LOCKED->RUN.

Patch 13: Support access to private memory either by the bus either
coordinating with a TSM driver, or relying on the bus provider to have
already arranged access (paravisor case).

This passes basic checkout with the sample TSM driver and a sample
netlink client for the device evidence facility. Those patches are only
on the git tree for now [2].

[2]: https://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm.git/log/?h=devsec-phase2

Dan Williams (15):
  netlink: specs: Introduce multi-message blobs for SPDM
  tools: ynl: Teach pyynl to handle blobs
  tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes
  device core: Introduce "device evidence" over netlink
  device core: Add "device evidence" 'validate' command
  PCI/TSM: Add device evidence support
  modules: Document the global async_probe parameter
  device core: Initial device trust infrastructure
  PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY
  PCI/TSM: Add device interface security LOCKED support
  PCI/TSM: Add device interface security RUN support
  PCI/TSM: Add device interface security DMA enable/disable
  PCI, device core: Add private memory access for DEVICE_TRUST_TCB
  PCI/TSM: Create MMIO descriptors via TDISP Report
  PCI/TSM: Add relative MMIO offset support?

 drivers/base/Kconfig                          |  91 +++
 drivers/pci/Kconfig                           |   2 +
 drivers/base/Makefile                         |   2 +
 drivers/pci/Makefile                          |   2 +-
 drivers/pci/tsm/Makefile                      |   8 +
 Documentation/ABI/stable/sysfs-module         |  17 +
 Documentation/ABI/testing/sysfs-bus-pci       |  47 +-
 Documentation/ABI/testing/sysfs-class-tsm     |  19 +
 Documentation/driver-api/pci/tsm.rst          |  47 ++
 Documentation/netlink/genetlink-legacy.yaml   |   6 +
 Documentation/netlink/genetlink.yaml          |   7 +
 Documentation/netlink/netlink-raw.yaml        |   7 +
 .../netlink/specs/device-evidence.yaml        | 203 ++++++
 drivers/base/base.h                           |  15 +
 drivers/base/device-evidence-netlink.h        |  25 +
 include/linux/device.h                        |   3 +
 include/linux/device/evidence.h               |  88 +++
 include/linux/device/trust.h                  |  56 ++
 include/linux/ioport.h                        |   2 +
 include/linux/module.h                        |   6 +-
 include/linux/pci-tsm.h                       | 104 +++-
 include/linux/pci.h                           |  13 +-
 include/uapi/linux/device-evidence.h          | 111 ++++
 tools/net/ynl/lib/ynl-priv.h                  |   4 +
 tools/net/ynl/lib/ynl.h                       |  14 +
 drivers/base/core.c                           |   7 +
 drivers/base/dd.c                             |   5 +
 drivers/base/device-evidence-netlink.c        |  58 ++
 drivers/base/evidence.c                       | 495 +++++++++++++++
 drivers/base/trust.c                          | 103 ++++
 drivers/iommu/amd/iommu.c                     |   2 +-
 drivers/iommu/dma-iommu.c                     |  13 +-
 drivers/iommu/intel/iommu.c                   |   2 +-
 drivers/iommu/iommu.c                         |   2 +-
 drivers/pci/ats.c                             |   2 +-
 drivers/pci/pci-driver.c                      |  25 +-
 drivers/pci/pci.c                             |   2 +-
 drivers/pci/probe.c                           |  10 +-
 drivers/pci/quirks.c                          |   4 +-
 drivers/pci/{tsm.c => tsm/core.c}             | 579 +++++++++++++++++-
 drivers/pci/tsm/evidence.c                    | 110 ++++
 drivers/virt/coco/tsm-core.c                  |  43 +-
 kernel/module/main.c                          |  13 +
 kernel/resource.c                             |   8 +
 tools/net/ynl/lib/ynl.c                       |  33 +
 MAINTAINERS                                   |   6 +-
 tools/net/ynl/pyynl/lib/nlspec.py             |  12 +
 tools/net/ynl/pyynl/lib/ynl.py                |  62 +-
 tools/net/ynl/pyynl/ynl_gen_c.py              |  80 ++-
 49 files changed, 2509 insertions(+), 66 deletions(-)
 create mode 100644 drivers/pci/tsm/Makefile
 create mode 100644 Documentation/netlink/specs/device-evidence.yaml
 create mode 100644 drivers/base/device-evidence-netlink.h
 create mode 100644 include/linux/device/evidence.h
 create mode 100644 include/linux/device/trust.h
 create mode 100644 include/uapi/linux/device-evidence.h
 create mode 100644 drivers/base/device-evidence-netlink.c
 create mode 100644 drivers/base/evidence.c
 create mode 100644 drivers/base/trust.c
 rename drivers/pci/{tsm.c => tsm/core.c} (61%)
 create mode 100644 drivers/pci/tsm/evidence.c


base-commit: dc59e4fea9d83f03bad6bddf3fa2e52491777482
-- 
2.54.0


             reply	other threads:[~2026-07-05 22:08 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 22:08 Dan Williams [this message]
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-06 13:45   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-06 13:49   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-06 12:42   ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55   ` Dan Williams (nvidia)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705220819.2472765-1-djbw@kernel.org \
    --to=djbw@kernel.org \
    --cc=aik@amd.com \
    --cc=alistair.francis@wdc.com \
    --cc=aneesh.kumar@kernel.org \
    --cc=ankita@nvidia.com \
    --cc=arnd@arndb.de \
    --cc=atomlin@atomlin.com \
    --cc=bhelgaas@google.com \
    --cc=da.gomez@kernel.org \
    --cc=dakr@kernel.org \
    --cc=decui@microsoft.com \
    --cc=donald.hunter@gmail.com \
    --cc=driver-core@lists.linux.dev \
    --cc=gregkh@linuxfoundation.org \
    --cc=jgg@ziepe.ca \
    --cc=kuba@kernel.org \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-pci@vger.kernel.org \
    --cc=lukas@wunner.de \
    --cc=mcgrof@kernel.org \
    --cc=petr.pavlu@suse.com \
    --cc=rafael@kernel.org \
    --cc=robin.murphy@arm.com \
    --cc=sameo@rivosinc.com \
    --cc=samitolvanen@google.com \
    --cc=saravanak@google.com \
    --cc=will@kernel.org \
    --cc=yilun.xu@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox