From: Dan Williams <dan.j.williams@intel.com>
To: "Giani, Dhaval" <Dhaval.Giani@amd.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"Kardashevskiy, Alexey" <Alexey.Kardashevskiy@amd.com>,
"Kaplan, David" <David.Kaplan@amd.com>,
"steffen.eiden@ibm.com" <steffen.eiden@ibm.com>,
"yilun.xu@intel.com" <yilun.xu@intel.com>,
Suzuki K P <suzuki.kp@gmail.com>,
"Powell, Jeremy" <Jeremy.Powell@amd.com>,
"dan.j.williams@intel.com" <dan.j.williams@intel.com>,
"atishp04@gmail.com" <atishp04@gmail.com>
Cc: "linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>, <lukas@wunner.de>
Subject: RE: KVM Forum BoF on I/O + secure virtualization
Date: Mon, 5 Jun 2023 19:43:23 -0700 [thread overview]
Message-ID: <647e9d4be14dd_142af8294b2@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <MW4PR12MB7213E05A15C3F45CA6F9E93B8D4EA@MW4PR12MB7213.namprd12.prod.outlook.com>
[ add Lukas ]
Giani, Dhaval wrote:
> [AMD Official Use Only - General]
>
> Hi all,
>
> We have proposed a trusted I/O BoF session at KVM forum this year. I wanted
> to kick off the discussion to maximize the 25 mins we have.
>
> By trusted I/O, I mean using TDISP to have “trusted” communications with a
> device using something like AMD SEV-TIO [1] or Intel’s TDX connect [2].
>
> Some topics we would like to discuss are
> o What is the device model like?
> o Do we enlighten the PCI subsystem?
> o Do we enlighten device drivers?
One observation in relation to these first questions is something that
has been brewing since SPDM and IDE were discussed at Plumbers 2022.
https://lpc.events/event/16/contributions/1304/
Namely, that there is value in the base specs on the way to the full
vendor TSM implementations. I.e. that if the Linux kernel can aspire to
the role of a TSM it becomes easier to incrementally add proxying to a
platform TSM later. In the meantime, platforms and endpoints that
support CMA / SPDM and PCIe/CXL IDE but not full "trusted I/O" still
gain incremental benefit.
The first proof point for that idea is teaching the PCI core to perform
CMA / SPDM session establishment and provide that result to drivers.
That is what Lukas has been working on after picking up Jonathan's
initial SPDM RFC. I expect the discussion on those forthcoming patches
starts to answer device-model questions around attestation.
> o What does the guest need to know from the device?
> o How does the attestation workflow work?
> o Generic vs vendor specific TSMs
>
> Some of these topics may be better suited for LPC,
Maybe, but there's so much to discuss that the more opportunities to
collaborate on the details the better.
> however we want to get the discussion going from the KVM perspective
> and continue wider discussions at LPC.
While I worry that my points above are more suited to something like a
PCI Micro-conference than a KVM BoF, I think the nature of "trusted I/O"
requires those tribes to talk more to each other.
next prev parent reply other threads:[~2023-06-06 2:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <c2db1a80-722b-c807-76b5-b8672cb0db09@redhat.com>
2023-06-02 18:04 ` KVM Forum BoF on I/O + secure virtualization Giani, Dhaval
2023-06-06 2:43 ` Dan Williams [this message]
2023-06-07 23:18 ` Alexey Kardashevskiy
2023-06-08 9:12 ` Lukas Wunner
2023-06-08 14:32 ` Kaplan, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=647e9d4be14dd_142af8294b2@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=Alexey.Kardashevskiy@amd.com \
--cc=David.Kaplan@amd.com \
--cc=Dhaval.Giani@amd.com \
--cc=Jeremy.Powell@amd.com \
--cc=atishp04@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=lukas@wunner.de \
--cc=pbonzini@redhat.com \
--cc=steffen.eiden@ibm.com \
--cc=suzuki.kp@gmail.com \
--cc=yilun.xu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox