Re: [PATCH v3 0/5] tsm-mr: Unified Measurement Register ABI for TVMs

[Dan Williams <dan.j.williams@intel.com>]

Cedric Xing wrote:
> NOTE: This patch series introduces the Measurement Register (MR) ABI, and
> is a continuation of the RFC series on the same topic [1].
> 
> Introduce the CONFIG_TSM_MEASUREMENTS helper library (tsm-mr) as a
> cross-vendor transport schema to allow TVM (TEE VM) guest drives to export

s/drives/drivers like tdx-guest/

> CC (Confidential Compute) architecture-specific MRs (Measurement Registers)
> as sysfs attributes/files. Enable applications to read, write/extend MRs
> like regular files, supporting various usages such as configuration
> verification (e.g., verify a TVM's configuration against digests stored in
> static/immutable MRs like MRCONFIGID on TDX or HOSTDATA on SEV) and runtime
> measurements (e.g., extend the measurement of a container image to an RTMR
> before running it).

What I do not see in this cover letter or patch1 is a brief summary of
the major assumptions contributing to the design for folks that have not
been closely following the threads. To me those are:

- Measurement registers are an architecture specific building block to
  enable attestation of system state. That can either be a vTPM
  application, or raw application direct use/extension of measurement
  values.

- By the nature of needing to expose architecture specific values the
  names and numbers of these measurements registers are not amenable to
  a shared transport mechanism like configs-tsm-reports, but the common
  operations are amenable to a shared library driven by a provided 'struct
  tsm_measurements' template.

> Patches included in this series:
> 
> - Patch 1 adds the tsm-mr library to help TVM guest drivers exposing MRs as
>   sysfs attributes.
> - Patch 2 provides a sample module demonstrating the usage of the new
>   tsm-mr library.
> - The remaining patches update the TDX guest driver to expose TDX MRs with
>   the help of the tsm-mr library.
> 
> [1]: https://lore.kernel.org/linux-coco/20241210-tsm-rtmr-v3-0-5997d4dbda73@intel.com/
> 
> Signed-off-by: Cedric Xing <cedric.xing@intel.com>
> ---
> Changes in v3:
> - tsm-mr: Separate measurement support (tsm-mr) from the original tsm
>   source code. Modules depending on tsm-mr should `select TSM_MEASUREMENTS`
>   in Kconfig.

It helps to note who gave the feedback leading to changes. Besides the
small courtesy of credit it also helps to speed conflict resolution
(blame) when the parties are aware of each other. So for v4 please note
changes like this:

---
Changes in v3:
- tsm-mr: Separate measurement support (tsm-mr) from the original tsm
  source code. Modules depending on tsm-mr should `select TSM_MEASUREMENTS`
  in Kconfig. (Dan)
[..]
---

Lastly it helps to declare what you expect to happen with these patches.
At a minimum these need an x86 ack. For upstream merge these can either
go through the tip tree, or I can take them through devsec.git with
other "TSM" work. Absent someone hollering, devsec.git is my
expectation.