From: James Bottomley <jejb@linux.ibm.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>
Cc: Claudio Siqueira de Carvalho <cclaudio@ibm.com>,
Joerg Roedel <jroedel@suse.com>,
"Lange, Jon" <jlange@microsoft.com>,
"Dong, Eddie" <eddie.dong@intel.com>,
"Johnson, Simon P" <simon.p.johnson@intel.com>,
"Reshetova, Elena" <elena.reshetova@intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>
Subject: Re: question on vTPM interface in coconut-svsm
Date: Thu, 28 Mar 2024 08:03:11 -0400 [thread overview]
Message-ID: <e2912269a273824e05714174fc04d45361ce71b5.camel@linux.ibm.com> (raw)
In-Reply-To: <MW4PR11MB58727350055C0E00D6CA0DC08C3B2@MW4PR11MB5872.namprd11.prod.outlook.com>
On Thu, 2024-03-28 at 06:29 +0000, Yao, Jiewen wrote:
[...]
> At same time, we have also prototyped vTPM support for TD-
> partitioning based on coconut-svsm [1]. For vTPM interface, we just
> reused the original TCG defined CRB interface in TCG PTP
> specification [7].
If I could ask: where's the code for this? We also did a CRB prototype
for the first papers on SVSM vTPM:
https://dl.acm.org/doi/abs/10.1145/3627106.3627112
But we found several difficulties with the CRB interface that doing a
platform one overcomes.
> We modified coconut-svsm to provide TPM CRB device model + TPM2
> library reference code. It is similar to [3]. The only difference is
> that we don't use vTPM protocol [4], but use TPM CRB interface [7].
> We mapped the TPM CRB MMIO (0xfed40000) as private MMIO which is only
> accessible between trusted L1-VMM (coconut-SVSM) and L2-Guest
> (Linux).
So how do you do this? we had the CRB ACPI tables set up by QEMU for
the above, which requires modifying QEMU to provide the TPM description
but not activate any backend interface (i.e. a new configuration flag).
The second problem is that ACPI described regions are by default, being
device buffers, shared not private (i.e. anyone can snoop the TPM
commands). You can modify the OS to override this, but then you need a
very specific recognition of the TPM as being provided by the SVSM not
QEMU otherwise you'll block any emulated or real CRB TPM device when
total memory encryption is enabled.
Finally the start mechanisms are bit or ASL method based. The bit
based one is just too much overhead if you handle the fault in the SVSM
and the start method doesn't provide enough sophistication to activate
the SVSM entry protocol. We eventually modified the CRB driver to do
the SVSM start but, again, this is hard to reconcile with a standard
CRB interface.
> The untrusted host VMM cannot access the TPM CRB MMIO.
> The TPM CRB interface is reported via TCG defined TPM2 ACPI table
> [8]. The TPM2 ACPI table exposes StartMethod as
> EFI_TPM2_ACPI_TABLE_START_METHOD_COMMAND_RESPONSE_BUFFER_INTERFACE
> (6), see [9]. And we don't need _DSM for StartMethod, see [10].
So publishing the code for this would allow us to evaluate whether it
might work for SEV-SNP as well but our experience above tells us it was
a lot of code modification in the OS and QEMU and even more (which we
didn't do) to make the CRB driver still work with non-SVSM devices,
which is why it's easier to do a small and simple platform device which
requires small OS modifications, no QEMU changes and an easy attach
when the SVSM is present.
James
next prev parent reply other threads:[~2024-03-28 12:03 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <MW4PR11MB5872CE9BEF8361203F72EDFD8C3B2@MW4PR11MB5872.namprd11.prod.outlook.com>
2024-03-28 6:29 ` question on vTPM interface in coconut-svsm Yao, Jiewen
2024-03-28 8:11 ` Reshetova, Elena
2024-03-28 9:11 ` Joerg Roedel
2024-03-28 12:03 ` James Bottomley [this message]
2024-03-28 12:22 ` Jeremi Piotrowski
2024-03-28 12:33 ` James Bottomley
2024-03-28 13:41 ` Jeremi Piotrowski
2024-03-28 13:54 ` James Bottomley
2024-03-28 14:09 ` Jeremi Piotrowski
2024-07-04 3:07 ` Coconut-SVSM - vTPM support for Intel TD Partitioning Yao, Jiewen
2024-08-01 22:38 ` Yao, Jiewen
2024-08-02 5:23 ` Dionna Amalie Glaze
2024-08-02 10:02 ` Yao, Jiewen
2024-08-02 12:27 ` James Bottomley
2024-08-02 15:40 ` James Bottomley
2024-08-03 1:54 ` Dionna Amalie Glaze
2024-08-03 2:19 ` James Bottomley
2024-08-05 9:55 ` Reshetova, Elena
2024-08-05 15:21 ` James Bottomley
2024-08-06 8:21 ` Reshetova, Elena
2024-08-06 15:51 ` Claudio Siqueira de Carvalho
2024-08-06 16:23 ` James Bottomley
2024-08-07 11:28 ` Reshetova, Elena
2024-08-07 12:21 ` James Bottomley
2024-08-07 16:04 ` Reshetova, Elena
2024-08-16 3:38 ` Yao, Jiewen
2024-08-16 16:13 ` Dionna Amalie Glaze
2024-08-19 5:54 ` Yao, Jiewen
2024-08-06 16:19 ` James Bottomley
2024-08-07 8:46 ` Reshetova, Elena
2024-08-16 3:09 ` Yao, Jiewen
2024-08-16 3:27 ` Yao, Jiewen
2024-04-08 8:50 ` question on vTPM interface in coconut-svsm Joerg Roedel
2024-04-08 15:05 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2912269a273824e05714174fc04d45361ce71b5.camel@linux.ibm.com \
--to=jejb@linux.ibm.com \
--cc=cclaudio@ibm.com \
--cc=eddie.dong@intel.com \
--cc=elena.reshetova@intel.com \
--cc=jiewen.yao@intel.com \
--cc=jlange@microsoft.com \
--cc=jroedel@suse.com \
--cc=jun.nakajima@intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=simon.p.johnson@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).