Linux cryptographic layer development
From: <dan.j.williams@intel.com>
To: Alexey Kardashevskiy <aik@amd.com>, <linux-kernel@vger.kernel.org>
Cc: <linux-crypto@vger.kernel.org>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Joerg Roedel <joro@8bytes.org>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	Will Deacon <will@kernel.org>,
	Robin Murphy <robin.murphy@arm.com>,
	"Borislav Petkov (AMD)" <bp@alien8.de>,
	Kim Phillips <kim.phillips@amd.com>,
	Jerry Snitselaar <jsnitsel@redhat.com>,
	Vasant Hegde <vasant.hegde@amd.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Gao Shiyuan <gaoshiyuan@baidu.com>,
	Sean Christopherson <seanjc@google.com>,
	"Nikunj A Dadhania" <nikunj@amd.com>,
	Michael Roth <michael.roth@amd.com>,
	Amit Shah <amit.shah@amd.com>, Peter Gonda <pgonda@google.com>,
	<iommu@lists.linux.dev>, Alexey Kardashevskiy <aik@amd.com>
Subject: Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Date: Tue, 25 Nov 2025 12:38:56 -0800
Message-ID: <692613e0e0680_1981100d3@dwillia2-mobl4.notmuch>
In-Reply-To: <20251121080629.444992-1-aik@amd.com>

Alexey Kardashevskiy wrote:
> Here are some patches to begin enabling SEV-TIO on AMD.
> 
> SEV-TIO allows guests to establish trust in a device that supports TEE
> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
> then interact with the device via private memory.
> 
> In order to streamline the upstreaming process, a common TSM infrastructure
> is being developed in collaboration with Intel+ARM+RiscV. There is
> Documentation/driver-api/pci/tsm.rst with proposed phases:
> 1. IDE: encrypt PCI, host only
> 2. TDISP: lock + accept flow, host and guest, interface report
> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
> 4. Device attestation: certificates, measurements
> 
> This is phase1 == IDE only.
> 
> SEV TIO spec:
> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
> 
> Acronyms:
> TEE - Trusted Execution Environments, a concept of managing trust
> between the host and devices
> TSM - TEE Security Manager (TSM), an entity which ensures security on
> the host
> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
> on AMD.
> SEV TIO - the TIO protocol implemented by the PSP and used by the host
> GHCB - guest/host communication block - a protocol for guest-to-host
> communication via a shared page
> TDISP - TEE Device Interface Security Protocol (PCIe).
> 
> 
> Flow:
> - Boot host OS, load CCP which registers itself as a TSM
> - PCI TSM creates sysfs nodes under the "tsm" subdirectory for all
>   TDISP-capable devices
> - Enable IDE via "echo tsm0 >
>     /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
> - observe "secure" in stream states in "lspci" for the rootport and endpoint
> 
> 
> This is pushed out to
> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
> 
> The full "WIP" trees and configs are here:
> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
> 
> 
> The previous conversation is here:
> https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
> https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com
> 
> This is based on sha1
> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
> 
> Please comment. Thanks.

This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
ack I can queue this for v6.19, but let me know if the timing is too
tight and this needs to circle around for v6.20.

Note that if this is deferred then the PCI/TSM core, that has been
soaking in linux-next [1], will also be deferred as at least one
consumer needs to go in with the core infrastructure. It is already the
case that TEE I/O for CCA and TDX have dependencies that will not
resolve in time for v6.19 merge.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm.git/log/?h=next
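
The "Flow" in the quoted cover letter ends with a manual check of one device. As an added example (not part of this thread or of the patch series), the sketch below inventories every device that exposes a "tsm" subdirectory and reports whether it is connected. It assumes that reading tsm/connect returns the connected TSM's name, or an empty string when not connected; the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: audit PCI/TSM connection state from sysfs.
# Assumption: <device>/tsm/connect reads back the connected TSM name,
# or an empty string when no session is established.

# tsm_inventory [SYSFS_ROOT]
# One line per device with a tsm/ directory:
#   "<BDF> connected <tsm>", "<BDF> disconnected" or "<BDF> unreadable"
tsm_inventory() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -d "$dev/tsm" ] || continue        # not TDISP-capable
        bdf=${dev##*/}
        if [ ! -r "$dev/tsm/connect" ]; then
            echo "$bdf unreadable"
            continue
        fi
        tsm=$(tr -d '[:space:]' < "$dev/tsm/connect")
        if [ -n "$tsm" ]; then
            echo "$bdf connected $tsm"
        else
            echo "$bdf disconnected"
        fi
    done
}

# tsm_all_connected [SYSFS_ROOT]
# Prints the BDF of each capable device that is not connected and
# returns non-zero if there is at least one.
tsm_all_connected() {
    tsm_inventory "$1" |
        awk '$2 != "connected" { print $1; bad = 1 } END { exit bad + 0 }'
}

# make_sample_sysfs: builds a constructed sysfs-like tree (sample data,
# not real hardware) and prints its path.
make_sample_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/bus/pci/devices/0000:00:1f.0"          # no tsm/ directory
    mkdir -p "$d/bus/pci/devices/0000:e1:00.0/tsm"      # connected
    mkdir -p "$d/bus/pci/devices/0000:e2:00.0/tsm"      # capable, idle
    printf 'tsm0\n' > "$d/bus/pci/devices/0000:e1:00.0/tsm/connect"
    : > "$d/bus/pci/devices/0000:e2:00.0/tsm/connect"
    echo "$d"
}
```

Run `tsm_all_connected` with no argument to check the live /sys tree; a non-zero status lists the TDISP-capable devices that still have no TSM connection.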

Thread overview: 17+ messages
2025-11-21  8:06 [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on Alexey Kardashevskiy
2025-11-21  8:06 ` [PATCH kernel v2 1/5] ccp: Make snp_reclaim_pages and __sev_do_cmd_locked public Alexey Kardashevskiy
2025-11-21  8:06 ` [PATCH kernel v2 2/5] psp-sev: Assign numbers to all status codes and add new Alexey Kardashevskiy
2025-11-21  8:06 ` [PATCH kernel v2 3/5] iommu/amd: Report SEV-TIO support Alexey Kardashevskiy
2025-11-21  8:06 ` [PATCH kernel v2 4/5] crypto: ccp: Enable SEV-TIO feature in the PSP when supported Alexey Kardashevskiy
2025-12-01 14:31   ` Tom Lendacky
2025-11-21  8:06 ` [PATCH kernel v2 5/5] crypto/ccp: Implement SEV-TIO PCIe IDE (phase1) Alexey Kardashevskiy
2025-12-01  4:56   ` Aithal, Srikanth
2025-12-01 15:23   ` Tom Lendacky
2025-12-02  2:04     ` Alexey Kardashevskiy
2025-12-02 14:24       ` Tom Lendacky
2025-11-22  3:35 ` [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on Alexey Kardashevskiy
2025-11-25 14:17   ` Joerg Roedel
2025-11-25 20:38 ` dan.j.williams [this message]
2025-11-26  8:38   ` Joerg Roedel
2025-12-01 15:27   ` Tom Lendacky
2025-12-01 20:40     ` dan.j.williams
