From: Dionna Amalie Glaze <dionnaglaze@google.com>
To: Samuel Ortiz <sameo@rivosinc.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Qinkun Bao <qinkun@google.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Xing, Cedric" <cedric.xing@intel.com>,
biao.lu@intel.com, linux-coco@lists.linux.dev,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2 1/4] tsm: Runtime measurement register support
Date: Mon, 29 Jan 2024 08:57:49 -0800 [thread overview]
Message-ID: <CAAH4kHaToau86TiYFmLqVKETomYSUmb=d4OjXSKi03C6HWYAQw@mail.gmail.com> (raw)
In-Reply-To: <20240128212532.2754325-2-sameo@rivosinc.com>
The rtmr backend doesn't specify the digest size it expects to user
space, so rtmr_extend could be zero-fill, or provide a truncated
update, or be strict and return an error. Should the expected digest
size for writes not also be a RO attribute?
On Sun, Jan 28, 2024 at 1:27 PM Samuel Ortiz <sameo@rivosinc.com> wrote:
>
> Some confidential computing architecture (Intel TDX, ARM-CCA, RISC-V
> CoVE) provide the TVM (confidential computing guest) with a set of
> runtime measurement registers (RTMR). TVMs can extend those registers
> with their measurements at runtime, i.e. after the TVM initial
> measurements are finalized and the TVM actually runs.
>
> RTMRs are separated from the initial measurement registers set, and TSMs
> typically includes RTMR values into a distinct section of their signed
> attestion reports.
>
> We add support for extending and reading a TSM runtime measurement
> registers by extending the TSM ops structure with resp. an rtmr_extend()
> and an rtmr_read() function pointers. TSM providers/backends will
> implement those ops if they are capable of exposing RTMRs to their
> TVMs. This capability is now described by a tsm_capabilites structure,
> passed by the TSM provider to the TSM framework at registration time.
>
> TVMs can configure, extend and read RTMRs from the configfs-tsm interface.
>
> Signed-off-by: Samuel Ortiz <sameo@rivosinc.com>
> ---
> drivers/virt/coco/tsm.c | 80 +++++++++++++++++++++++++++++++++++++++++
> include/linux/tsm.h | 39 +++++++++++++++++++-
> 2 files changed, 118 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/virt/coco/tsm.c b/drivers/virt/coco/tsm.c
> index d1c2db83a8ca..1a8c3c096120 100644
> --- a/drivers/virt/coco/tsm.c
> +++ b/drivers/virt/coco/tsm.c
> @@ -11,6 +11,7 @@
> #include <linux/module.h>
> #include <linux/cleanup.h>
> #include <linux/configfs.h>
> +#include <linux/tpm.h>
>
> static struct tsm_provider {
> const struct tsm_ops *ops;
> @@ -50,6 +51,85 @@ enum tsm_data_select {
> TSM_CERTS,
> };
>
> +/**
> + * DOC: Trusted Security Module (TSM) Runtime Measurement Register (RTMR) Interface
> + *
> + * The TSM RTMR interface is a common ABI for allowing TVMs to extend
> + * and read measurement registers at runtime, i.e. after the TVM initial
> + * measurement is finalized. TSMs that support such capability will typically
> + * include all runtime measurement registers values into their signed
> + * attestation report, providing the TVM post-boot measurements to e.g. remote
> + * attestation services.
> + *
> + * A TVM uses the TSM RTMR configfs ABI to create all runtime measurement
> + * registers (RTMR) that it needs. Each created RTMR must be configured first
> + * before being readable and extensible. TVM configures an RTMR by setting its
> + * index and optionally by mapping it to one or more TCG PCR indexes.
> + *
> + * A TSM backend statically declares the number of RTMRs it supports and which
> + * hash algorithm must be used when extending them. This declaration is done
> + * through the tsm_capabilities structure, at TSM registration time (see
> + * tsm_register()).
> + */
> +
> +/**
> + * struct tsm_rtmr_state - tracks the state of a TSM RTMR.
> + * @index: The RTMR hardware index.
> + * @alg: The hash algorithm used for this RTMR.
> + * @digest: The RTMR cached digest value.
> + * @cached_digest: Is the RTMR cached digest valid or not.
> + * @cfg: The configfs item for this RTMR.
> + */
> +struct tsm_rtmr_state {
> + u32 index;
> + enum hash_algo alg;
> + u8 digest[TSM_DIGEST_MAX];
> + bool cached_digest;
> + struct config_item cfg;
> +};
> +
> +static bool is_rtmr_configured(struct tsm_rtmr_state *rtmr_state)
> +{
> + return rtmr_state->index != U32_MAX;
> +}
> +
> +/**
> + * struct tsm_rtmrs_state - tracks the state of all RTMRs for a TSM.
> + * @rtmrs: The array of all created RTMRs.
> + * @tcg_map: A mapping between TCG PCR and RTMRs, indexed by PCR indexes.
> + * Entry `i` on this map points to an RTMR that covers TCG PCR[i] for the TSM
> + * hash algorithm.
> + * @group: The configfs group for a TSM RTMRs.
> + */
> +static struct tsm_rtmrs_state {
> + struct tsm_rtmr_state **rtmrs;
> + const struct tsm_rtmr_state *tcg_map[TPM2_PLATFORM_PCR];
> + struct config_group *group;
> +} *tsm_rtmrs;
> +
> +static int tsm_rtmr_read(struct tsm_provider *tsm, u32 idx,
> + u8 *digest, size_t digest_size)
> +{
> + if (tsm->ops && tsm->ops->rtmr_read)
> + return tsm->ops->rtmr_read(idx, digest, digest_size);
> +
> + return -ENXIO;
> +}
> +
> +static int tsm_rtmr_extend(struct tsm_provider *tsm, u32 idx,
> + const u8 *digest, size_t digest_size)
> +{
> + if (tsm->ops && tsm->ops->rtmr_extend)
> + return tsm->ops->rtmr_extend(idx, digest, digest_size);
> +
> + return -ENXIO;
> +}
> +
> +static struct tsm_rtmr_state *to_tsm_rtmr_state(struct config_item *cfg)
> +{
> + return container_of(cfg, struct tsm_rtmr_state, cfg);
> +}
> +
> static struct tsm_report *to_tsm_report(struct config_item *cfg)
> {
> struct tsm_report_state *state =
> diff --git a/include/linux/tsm.h b/include/linux/tsm.h
> index de8324a2223c..a546983c24fc 100644
> --- a/include/linux/tsm.h
> +++ b/include/linux/tsm.h
> @@ -2,11 +2,13 @@
> #ifndef __TSM_H
> #define __TSM_H
>
> +#include <crypto/hash_info.h>
> #include <linux/sizes.h>
> #include <linux/types.h>
>
> #define TSM_INBLOB_MAX 64
> #define TSM_OUTBLOB_MAX SZ_32K
> +#define TSM_DIGEST_MAX SHA512_DIGEST_SIZE
>
> /*
> * Privilege level is a nested permission concept to allow confidential
> @@ -42,12 +44,44 @@ struct tsm_report {
> u8 *auxblob;
> };
>
> +#define TSM_MAX_RTMR 32
> +
> +/**
> + * struct tsm_rtmr_desc - Describes a TSM Runtime Measurement Register (RTMR).
> + * @hash_alg: The hash algorithm used to extend this runtime measurement
> + * register.
> + * @tcg_pcr_mask: A bit mask of all TCG PCRs mapped to this RTMR.
> + */
> +struct tsm_rtmr_desc {
> + enum hash_algo hash_alg;
> + unsigned long tcg_pcr_mask;
> +};
> +
> +/**
> + * struct tsm_capabilities - Describes a TSM capabilities.
> + * @num_rtmrs: The number of Runtime Measurement Registers (RTMR) available from
> + * a TSM.
> + * @rtmr_hash_alg: The hash algorithm used to extend a runtime measurement
> + * register.
> + */
> +struct tsm_capabilities {
> + size_t num_rtmrs;
> + const struct tsm_rtmr_desc *rtmrs;
> +};
> +
> /**
> * struct tsm_ops - attributes and operations for tsm instances
> * @name: tsm id reflected in /sys/kernel/config/tsm/report/$report/provider
> * @privlevel_floor: convey base privlevel for nested scenarios
> + * @capabilities: Describe the TSM capabilities, e.g. the number of available
> + * runtime measurement registers (see `struct tsm_capabilities`).
> * @report_new: Populate @report with the report blob and auxblob
> - * (optional), return 0 on successful population, or -errno otherwise
> + * (optional), return 0 on successful population, or -errno
> + * otherwise
> + * @rtmr_extend: Extend an RTMR with the provided digest.
> + * Return 0 on successful extension, or -errno otherwise.
> + * @rtmr_read: Reads the value of an RTMR.
> + * Return the number of bytes read or -errno for errors.
> *
> * Implementation specific ops, only one is expected to be registered at
> * a time i.e. only one of "sev-guest", "tdx-guest", etc.
> @@ -55,7 +89,10 @@ struct tsm_report {
> struct tsm_ops {
> const char *name;
> const unsigned int privlevel_floor;
> + const struct tsm_capabilities capabilities;
> int (*report_new)(struct tsm_report *report, void *data);
> + int (*rtmr_extend)(u32 idx, const u8 *digest, size_t digest_size);
> + ssize_t (*rtmr_read)(u32 idx, u8 *digest, size_t digest_size);
> };
>
> extern const struct config_item_type tsm_report_default_type;
> --
> 2.42.0
>
--
-Dionna Glaze, PhD (she/her)
next prev parent reply other threads:[~2024-01-29 16:58 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-28 21:25 [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI Samuel Ortiz
2024-01-28 21:25 ` [RFC PATCH v2 1/4] tsm: Runtime measurement register support Samuel Ortiz
2024-01-29 16:57 ` Dionna Amalie Glaze [this message]
2024-02-01 22:03 ` Jarkko Sakkinen
2024-01-28 21:25 ` [RFC PATCH v2 2/4] tsm: Add RTMRs to the configfs-tsm hierarchy Samuel Ortiz
2024-01-28 22:38 ` Kuppuswamy Sathyanarayanan
2024-02-01 22:05 ` Jarkko Sakkinen
2024-02-21 16:16 ` Mikko Ylinen
2024-01-28 21:25 ` [RFC PATCH v2 3/4] tsm: Map RTMRs to TCG TPM PCRs Samuel Ortiz
2024-01-28 22:44 ` Kuppuswamy Sathyanarayanan
2024-02-02 6:18 ` James Bottomley
2024-01-28 21:25 ` [RFC PATCH v2 4/4] tsm: Allow for extending and reading configured RTMRs Samuel Ortiz
2024-05-11 2:57 ` James Bottomley
2024-05-13 10:16 ` Samuel Ortiz
2024-05-13 14:03 ` James Bottomley
2024-05-14 5:08 ` Samuel Ortiz
2024-05-16 8:33 ` Xing, Cedric
2024-02-01 22:02 ` [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI Jarkko Sakkinen
2024-02-02 6:24 ` James Bottomley
2024-02-02 23:07 ` Dan Middleton
2024-02-03 6:03 ` James Bottomley
2024-02-03 7:13 ` Kuppuswamy Sathyanarayanan
2024-02-03 10:27 ` James Bottomley
2024-02-06 8:34 ` Xing, Cedric
2024-02-06 8:57 ` James Bottomley
2024-02-07 2:02 ` Dan Williams
2024-02-07 20:16 ` Xing, Cedric
2024-02-07 21:08 ` Kuppuswamy Sathyanarayanan
2024-02-07 21:46 ` James Bottomley
2024-02-09 20:58 ` Dan Williams
2024-02-13 7:36 ` Xing, Cedric
2024-02-13 16:05 ` James Bottomley
2024-02-14 8:54 ` Xing, Cedric
2024-02-15 6:14 ` Dan Williams
2024-02-16 2:05 ` Xing, Cedric
2024-03-05 1:19 ` Xing, Cedric
2024-04-17 20:23 ` Dan Middleton
2024-02-13 16:54 ` Mikko Ylinen
2024-02-15 22:44 ` Dr. Greg
2024-02-22 15:45 ` Lukas Wunner
2024-08-19 21:25 ` Qinkun Bao
2024-08-20 13:19 ` Samuel Ortiz
2024-08-20 19:44 ` Qinkun Bao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAH4kHaToau86TiYFmLqVKETomYSUmb=d4OjXSKi03C6HWYAQw@mail.gmail.com' \
--to=dionnaglaze@google.com \
--cc=biao.lu@intel.com \
--cc=cedric.xing@intel.com \
--cc=dan.j.williams@intel.com \
--cc=jiewen.yao@intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=qinkun@google.com \
--cc=sameo@rivosinc.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).