* Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
[not found] <20251121080629.444992-1-aik@amd.com>
@ 2025-11-22 3:35 ` Alexey Kardashevskiy
2025-11-25 14:17 ` Joerg Roedel
From: Alexey Kardashevskiy @ 2025-11-22 3:35 UTC
To: linux-kernel
Cc: linux-crypto, Tom Lendacky, John Allen, Herbert Xu,
David S. Miller, Ashish Kalra, Joerg Roedel,
Suravee Suthikulpanit, Will Deacon, Robin Murphy,
Borislav Petkov (AMD), Kim Phillips, Jerry Snitselaar,
Vasant Hegde, Jason Gunthorpe, Gao Shiyuan, Sean Christopherson,
Nikunj A Dadhania, Michael Roth, Amit Shah, Peter Gonda, iommu,
linux-coco@lists.linux.dev, Dan Williams

I should have cc'ed linux-coco@lists.linux.dev. And vim ate "AMD" from the subject line. Should I repost now? Thanks,

On 21/11/25 19:06, Alexey Kardashevskiy wrote:
> Here are some patches to begin enabling SEV-TIO on AMD.
>
> SEV-TIO allows guests to establish trust in a device that supports TEE
> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
> then interact with the device via private memory.
>
> In order to streamline the upstreaming process, a common TSM infrastructure
> is being developed in collaboration with Intel+ARM+RiscV. There is
> Documentation/driver-api/pci/tsm.rst with proposed phases:
> 1. IDE: encrypt PCI, host only
> 2. TDISP: lock + accept flow, host and guest, interface report
> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
> 4. Device attestation: certificates, measurements
>
> This is phase1 == IDE only.
>
> SEV TIO spec:
> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
>
> Acronyms:
> TEE - Trusted Execution Environments, a concept of managing trust
> between the host and devices
> TSM - TEE Security Manager (TSM), an entity which ensures security on
> the host
> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
> on AMD.
> SEV TIO - the TIO protocol implemented by the PSP and used by the host
> GHCB - guest/host communication block - a protocol for guest-to-host
> communication via a shared page
> TDISP - TEE Device Interface Security Protocol (PCIe).
>
>
> Flow:
> - Boot host OS, load CCP which registers itself as a TSM
> - PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
> TDISP-capable devices
> - Enable IDE via "echo tsm0 >
> /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
> - observe "secure" in stream states in "lspci" for the rootport and endpoint
>
>
> This is pushed out to
> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
>
> The full "WIP" trees and configs are here:
> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
>
>
> The previous conversation is here:
> https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
> https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com
>
> This is based on sha1
> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
>
> Please comment. Thanks.
>
>
>
> Alexey Kardashevskiy (5):
> ccp: Make snp_reclaim_pages and __sev_do_cmd_locked public
> psp-sev: Assign numbers to all status codes and add new
> iommu/amd: Report SEV-TIO support
> crypto: ccp: Enable SEV-TIO feature in the PSP when supported
> crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)
>
> drivers/crypto/ccp/Kconfig | 1 +
> drivers/crypto/ccp/Makefile | 8 +
> drivers/crypto/ccp/sev-dev-tio.h | 142 ++++
> drivers/crypto/ccp/sev-dev.h | 9 +
> drivers/iommu/amd/amd_iommu_types.h | 1 +
> include/linux/amd-iommu.h | 2 +
> include/linux/psp-sev.h | 17 +-
> include/uapi/linux/psp-sev.h | 66 +-
> drivers/crypto/ccp/sev-dev-tio.c | 863 ++++++++++++++++++++
> drivers/crypto/ccp/sev-dev-tsm.c | 405 +++++++++
> drivers/crypto/ccp/sev-dev.c | 69 +-
> drivers/iommu/amd/init.c | 9 +
> 12 files changed, 1556 insertions(+), 36 deletions(-)
> create mode 100644 drivers/crypto/ccp/sev-dev-tio.h
> create mode 100644 drivers/crypto/ccp/sev-dev-tio.c
> create mode 100644 drivers/crypto/ccp/sev-dev-tsm.c
>
--
Alexey
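
The "Flow" steps in the quoted cover letter, as an added example that is not part of the patch series or of either message: a shell inventory of which PCI functions expose the `tsm` sysfs directory and whether a TSM is connected to each. It assumes that reading `tsm/connect` returns the connected TSM's name (such as `tsm0`) and is empty otherwise; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the series.
# Assumption: reading <device>/tsm/connect yields the connected TSM name
# (e.g. "tsm0") and is empty when no connection (IDE) has been established.

# tsm_inventory [DIR]: one line per device that has a tsm/connect node,
# "<BDF> connected <tsm>" or "<BDF> disconnected". DIR defaults to real sysfs.
tsm_inventory() {
    root=${1:-/sys/bus/pci/devices}
    for dev in "$root"/*; do
        # Devices without the "tsm" subdirectory are not TDISP-capable: skip.
        [ -e "$dev/tsm/connect" ] || continue
        bdf=${dev##*/}
        state=$(tr -d '[:space:]' < "$dev/tsm/connect" 2>/dev/null)
        if [ -n "$state" ]; then
            printf '%s connected %s\n' "$bdf" "$state"
        else
            printf '%s disconnected\n' "$bdf"
        fi
    done
}

# tsm_require_connected [DIR]: returns 1 and names the devices on stderr when
# any device with a tsm node has no connection, e.g. as a host policy check.
tsm_require_connected() {
    missing=$(tsm_inventory "$1" | awk '$2 == "disconnected" { print $1 }')
    [ -z "$missing" ] && return 0
    for bdf in $missing; do
        printf 'no TSM connection: %s\n' "$bdf" >&2
    done
    return 1
}

# make_sample_tree: constructed stand-in for /sys/bus/pci/devices so the
# example runs on a machine without SEV-TIO hardware. Prints the tree path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/0000:e1:00.0/tsm" "$t/0000:e2:00.0/tsm" "$t/0000:00:1f.0"
    echo tsm0 > "$t/0000:e1:00.0/tsm/connect"   # connected endpoint
    : > "$t/0000:e2:00.0/tsm/connect"           # capable, not connected
    echo "$t"
}

# Demo on the constructed tree; call tsm_inventory with no argument on a host.
demo=$(make_sample_tree) && tsm_inventory "$demo"
rm -rf "$demo"
```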