From: Dan Williams <dan.j.williams@intel.com>
To: Alexey Kardashevskiy <aik@amd.com>,
Dan Williams <dan.j.williams@intel.com>,
<linux-coco@lists.linux.dev>, <linux-pci@vger.kernel.org>
Cc: <gregkh@linuxfoundation.org>, <lukas@wunner.de>,
<aneesh.kumar@kernel.org>, <suzuki.poulose@arm.com>,
<sameo@rivosinc.com>, <jgg@nvidia.com>, <zhiw@nvidia.com>,
Xu Yilun <yilun.xu@linux.intel.com>
Subject: Re: [PATCH v3 13/13] PCI/TSM: Add Guest TSM Support
Date: Tue, 20 May 2025 14:11:25 -0700 [thread overview]
Message-ID: <682ceffd717b4_1626e1006f@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <363a3220-e43c-4965-b138-b85f09a5907b@amd.com>
Alexey Kardashevskiy wrote:
>
>
> On 16/5/25 15:47, Dan Williams wrote:
> > From: Xu Yilun <yilun.xu@linux.intel.com>
> >
> > Enable PCI TSM/TSM core to support assigned device authentication in
> > CoCo VM. The main changes are:
> >
> > - Add an ->accept() operation which also flags whether the TSM driver is
> > host or guest context.
> > - Re-purpose the 'connect' sysfs attribute in guest to lock down the
> > private configuration for the device.
> > - Add the 'accept' sysfs attribute for guest to accept the private
> > device into its TEE.
> > - Skip DOE setup/transfer for guest TSM managed devices.
> >
> > All private capable assigned PCI devices (TDI) start as shared. CoCo VM
> > should authenticate some of these devices and accept them in its TEE for
> > private memory access. TSM supports this authentication in 3 steps:
> > Connect, Attest and Accept.
> >
> > On Connect, CoCo VM requires hypervisor to finish all private
> > configurations to the device and put the device in TDISP CONFIG_LOCKED
> > state. Please note this verb has different meaning from host context. On
> > host, Connect means establish secure physical link (e.g. PCI IDE).
> >
> > On Attest, CoCo VM retrieves evidence from device and decide if the
> > device is good for accept. The CoCo VM kernel provides evidence,
> > userspace decides if the evidence is good based on its own strategy.
> >
> > On Accept, userspace has acknowledged the evidence and requires CoCo VM
> > kernel to enable private MMIO & DMA access. Usually it ends up by put
> > the device in TDISP RUN state.
> >
> > Currently only implement Connect & Accept to enable a minimum flow for
> > device shared <-> private conversion. There is no evidence retrieval
> > interfaces, only to assume the device evidences are always good without
> > attestation.
> >
> > The shared -> private conversion:
> >
> > echo 1 > /sys/bus/pci/devices/<...>/tsm/connect
> > echo 1 > /sys/bus/pci/devices/<...>/tsm/accept
> >
> > The private -> shared conversion:
> >
> > echo 0 > /sys/bus/pci/devices/<...>/tsm/connect
> >
> > Since the device's MMIO & DMA are all blocked after Connect & before
> > Accept, device drivers are not considered workable in this intermediate
> > state. The Connect and Accept transitions only proceed while the driver is
> > detached. Note this can be relaxed later with a callback to an enlightened
> > driver to coordinate the transition, but for now, require detachment.
> >
> > Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
> > Co-developed-by: Dan Williams <dan.j.williams@intel.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> > drivers/pci/tsm.c | 160 +++++++++++++++++++++++++++++++++++-----
> > include/linux/pci-tsm.h | 15 +++-
> > 2 files changed, 152 insertions(+), 23 deletions(-)
> >
> > diff --git a/drivers/pci/tsm.c b/drivers/pci/tsm.c
> > index 219e40c5d4e7..794de2f258c3 100644
> > --- a/drivers/pci/tsm.c
> > +++ b/drivers/pci/tsm.c
> > @@ -124,6 +124,29 @@ static int pci_tsm_disconnect(struct pci_dev *pdev)
> > return 0;
> > }
> >
> > +/*
> > + * TDISP locked state temporarily makes the device inaccessible, do not
> > + * surprise live attached drivers
> > + */
> > +static int __driver_idle_connect(struct pci_dev *pdev)
>
> Do not need "__"...
I am ok to drop. The thought was to make this nuance stand-out more, as
one more level of indirection than typically necessary, but no need to
push that preference.
> > +{
> > + guard(device)(&pdev->dev);
> > + if (pdev->dev.driver)
> > + return -EBUSY;
>
> > + return tsm_ops->connect(pdev);
> > +}
> > +
> > +/*
> > + * When the registered ops support accept it indicates that this is a
> > + * TVM-side (guest) TSM operations structure. In this mode ->connect()
> > + * arranges for the TDI to enter TDISP LOCKED state, and ->accept()
> > + * transitions the device to RUN state.
> > + */
> > +static bool tvm_mode(void)
> > +{
> > + return !!tsm_ops->accept;
>
> tsm_ops->accept != NULL
Yeah, that is a bit more idiomatic.
> > +}
> > +
> > static int pci_tsm_connect(struct pci_dev *pdev)
> > {
> > struct pci_tsm_pf0 *tsm = to_pci_tsm_pf0(pdev->tsm);
> > @@ -138,13 +161,47 @@ static int pci_tsm_connect(struct pci_dev *pdev)
> > if (tsm->state >= PCI_TSM_CONNECT)
> > return 0;
> >
> > - rc = tsm_ops->connect(pdev);
> > + if (tvm_mode())
> > + rc = __driver_idle_connect(pdev);
>
> ... or just open code it here?
I will do with dropping the "__" and keeping the helper with the
comment to keep this function less busy.
> > + else
> > + rc = tsm_ops->connect(pdev);
> > if (rc)
> > return rc;
> > tsm->state = PCI_TSM_CONNECT;
> > return 0;
> > }
> >
> > +static int pci_tsm_accept(struct pci_dev *pdev)
> > +{
> > + struct pci_tsm_pf0 *tsm = to_pci_tsm_pf0(pdev->tsm);
> > + int rc;
> > +
> > + struct mutex *lock __free(tsm_ops_unlock) = tsm_ops_lock(tsm);
>
> Add an empty line.
I think we, as a community, are still figuring out the coding-style
around scope-based cleanup declarations, but I would argue, no empty
line required after mid-function variable declarations. Now, in this
case it is arguably not "mid-function", but all the other occurrences of
tsm_ops_lock() are checking the result on the immediate next line.
> > + if (!lock)
> > + return -EINTR;
> > +
> > + if (tsm->state < PCI_TSM_CONNECT)
> > + return -ENXIO;
> > + if (tsm->state >= PCI_TSM_ACCEPT)
> > + return 0;
> > +
> > + /*
> > + * "Accept" transitions a device to the run state, it is only suitable
> > + * to make that transition from a known DMA-idle (no active mappings)
> > + * state. The "driver detached" state is a coarse way to assert that
> > + * requirement.
>
> And then the userspace will modprobe the driver, which will enable BME
> and MSE which in turn will render the ERROR state, what is the plan
> here?
Right, so the notifier proposal [1] gave me pause because of perceived
complexity and my general reluctance to rely on the magic of notifiers
when an explicit sequence is easier to read/maintain. The proposal is
that drivers switch to TDISP aware setup helpers that understand that
BME and MSE were handled at LOCK. Becauase it is not just
pci_enable_device() / pci_set_master() awareness that is needed but also
pci_disable_device() / pci_clear_master() flows that need consideration
for avoiding/handling the TDISP ERROR state.
I.e. support for TDISP-unaware drivers is not a goal.
There are still details to work out like supporting drivers that want to
stay loaded over the UNLOCKED->LOCKED->RUN transitions, and whether the
"accept" UAPI triggers entry into "RUN" or still requires a driver to
perform that.
[1]: http://lore.kernel.org/20250218111017.491719-20-aik@amd.com
[..]
> > @@ -558,11 +675,11 @@ int pci_tsm_bind(struct pci_dev *pdev, struct kvm *kvm, u64 tdi_id)
> > if (!pdev->tsm)
> > return -EINVAL;
> >
> > - struct pci_dev *pf0_dev __free(pci_dev_put) = tsm_pf0_get(pdev);
> > - if (!pf0_dev)
> > + struct pci_dev *dsm_dev __free(pci_dev_put) = dsm_dev_get(pdev);
> > + if (!dsm_dev)
> > return -EINVAL;
>
> A bunch of changes like this one belong to 12/13.
Whoops, yes, missed that before sending.
[..]
> > @@ -135,6 +141,8 @@ struct pci_tsm_guest_req_info {
> > * @bind: establish a secure binding with the TVM
> > * @unbind: teardown the secure binding
> > * @guest_req: handle the vendor specific requests from TVM when bound
> > + * @accept: TVM-only operation to confirm that system policy allows
> > + * device to access private memory and be mapped with private mmio.
> > *
> > * @probe and @remove run in pci_tsm_rwsem held for write context. All
> > * other ops run under the @pdev->tsm->lock mutex and pci_tsm_rwsem held
> > @@ -150,6 +158,7 @@ struct pci_tsm_ops {
> > void (*unbind)(struct pci_tdi *tdi);
> > int (*guest_req)(struct pci_dev *pdev,
> > struct pci_tsm_guest_req_info *info);
> > + int (*accept)(struct pci_dev *pdev);
>
>
> When I posted my v1, I got several comments to not put host and guest
> callbacks together which makes sense (as only really "connect" and
> "status" are shared, and I am not sure I like dual use of "connect")
> and so did I in v2 and yet you are pushing for one struct for all?
Frankly, I missed that feedback and was focused on how to simply extend
PCI to understand TSM semantics.
Part of the motivation is reduce the number of details that
drivers/pci/tsm.c needs to consider. I.e. there is only one ops object
to manage. Can you share the lore links for the comments that convinced
you to change course? Maybe those folks can chime in again here, but I
might have been too focused my tdi_dev object model concerns to notice
those previously.
As for repurposing "connect" that also comes back to question of whether
userspace needs to see or care about that nuance. In the end "connect"
is "prepare this device for follow-on TSM + TDISP security operations".
If the "accept" attribute is present userspace can infer that it has
more work to get the device operational in the TEE. So the interface can
indeed be more verbose... but to what end?
next prev parent reply other threads:[~2025-05-20 21:12 UTC|newest]
Thread overview: 173+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-16 5:47 [PATCH v3 00/13] PCI/TSM: Core infrastructure for PCI device security (TDISP) Dan Williams
2025-05-16 5:47 ` [PATCH v3 01/13] coco/tsm: Introduce a core device for TEE Security Managers Dan Williams
2025-06-02 13:18 ` Jason Gunthorpe
2025-06-04 0:42 ` Dan Williams
2025-06-04 1:15 ` Dan Williams
2025-06-04 12:15 ` Jason Gunthorpe
2025-06-04 12:14 ` Jason Gunthorpe
2025-06-06 3:33 ` Alexey Kardashevskiy
2025-06-06 2:09 ` Alexey Kardashevskiy
2025-05-16 5:47 ` [PATCH v3 02/13] PCI/IDE: Enumerate Selective Stream IDE capabilities Dan Williams
2025-06-17 12:16 ` Jonathan Cameron
2025-07-12 22:31 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 03/13] PCI/TSM: Authenticate devices via platform TSM Dan Williams
2025-05-21 15:32 ` Aneesh Kumar K.V
2025-06-03 19:53 ` Dan Williams
2025-06-04 8:04 ` Aneesh Kumar K.V
2025-06-17 12:51 ` Jonathan Cameron
2025-07-12 22:07 ` dan.j.williams
2025-08-26 1:31 ` Alexey Kardashevskiy
2025-08-26 23:54 ` dan.j.williams
2025-08-27 4:44 ` Alexey Kardashevskiy
2025-08-28 19:27 ` dan.j.williams
2025-08-26 3:08 ` Alexey Kardashevskiy
2025-08-26 23:58 ` dan.j.williams
2025-08-27 5:06 ` Alexey Kardashevskiy
2025-08-26 10:22 ` Alexey Kardashevskiy
2025-08-27 0:15 ` dan.j.williams
2025-08-27 5:02 ` Alexey Kardashevskiy
2025-08-28 19:32 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 04/13] PCI: Enable host-bridge emulation for PCI_DOMAINS_GENERIC platforms Dan Williams
2025-05-16 5:47 ` [PATCH v3 05/13] PCI: vmd: Switch to pci_bus_find_emul_domain_nr() Dan Williams
2025-05-16 5:47 ` [PATCH v3 06/13] samples/devsec: Introduce a PCI device-security bus + endpoint sample Dan Williams
2025-06-17 13:30 ` Jonathan Cameron
2025-07-13 1:58 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 07/13] PCI: Add PCIe Device 3 Extended Capability enumeration Dan Williams
2025-06-17 13:36 ` Jonathan Cameron
2025-05-16 5:47 ` [PATCH v3 08/13] PCI/IDE: Add IDE establishment helpers Dan Williams
2025-06-17 14:04 ` Jonathan Cameron
2025-07-14 18:25 ` dan.j.williams
2025-07-03 2:59 ` Alexey Kardashevskiy
2025-05-16 5:47 ` [PATCH v3 09/13] PCI/IDE: Report available IDE streams Dan Williams
2025-05-18 12:48 ` kernel test robot
2025-06-17 14:16 ` Jonathan Cameron
2025-07-14 20:16 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 10/13] PCI/TSM: Report active " Dan Williams
2025-06-17 14:21 ` Jonathan Cameron
2025-07-14 20:49 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 11/13] samples/devsec: Add sample IDE establishment Dan Williams
2025-06-17 14:26 ` Jonathan Cameron
2025-07-14 20:59 ` dan.j.williams
2025-05-16 5:47 ` [PATCH v3 12/13] PCI/TSM: support TDI related operations for host TSM driver Dan Williams
2025-05-16 6:52 ` Xu Yilun
2025-05-20 7:17 ` Aneesh Kumar K.V
2025-05-21 9:35 ` Xu Yilun
2025-05-26 5:05 ` Aneesh Kumar K.V
2025-05-26 7:52 ` Alexey Kardashevskiy
2025-05-26 15:44 ` Aneesh Kumar K.V
2025-05-27 1:01 ` Alexey Kardashevskiy
2025-05-27 11:48 ` Aneesh Kumar K.V
2025-05-27 13:06 ` Jason Gunthorpe
2025-05-27 14:26 ` Aneesh Kumar K.V
2025-05-27 14:45 ` Jason Gunthorpe
2025-05-28 12:17 ` Aneesh Kumar K.V
2025-05-28 16:42 ` Jason Gunthorpe
2025-05-28 16:52 ` Jason Gunthorpe
2025-05-29 9:30 ` Xu Yilun
2025-05-29 13:43 ` Aneesh Kumar K.V
2025-05-29 14:09 ` Jason Gunthorpe
2025-05-30 3:00 ` Alexey Kardashevskiy
2025-05-30 13:21 ` Jason Gunthorpe
2025-05-29 13:49 ` Xu Yilun
2025-05-29 14:05 ` Jason Gunthorpe
2025-05-29 3:03 ` Alexey Kardashevskiy
2025-05-29 13:34 ` Aneesh Kumar K.V
2025-05-29 13:37 ` [RFC PATCH 1/3] coco: tsm: Add tsm_bind/unbind helpers Aneesh Kumar K.V (Arm)
2025-05-29 13:37 ` [RFC PATCH 2/3] iommufd/viommu: Add support to associate viommu with kvm instance Aneesh Kumar K.V (Arm)
2025-05-29 14:13 ` Jason Gunthorpe
2025-05-29 13:37 ` [RFC PATCH 3/3] iommufd/tsm: Add tsm_bind/unbind iommufd ioctls Aneesh Kumar K.V (Arm)
2025-05-29 14:32 ` Jason Gunthorpe
2025-05-30 8:33 ` Aneesh Kumar K.V
2025-05-30 18:18 ` Jason Gunthorpe
2025-05-31 16:25 ` Xu Yilun
2025-06-02 4:52 ` Alexey Kardashevskiy
2025-06-02 17:17 ` Xu Yilun
2025-06-04 1:47 ` Alexey Kardashevskiy
2025-06-04 5:02 ` Xu Yilun
2025-06-04 12:37 ` Jason Gunthorpe
2025-06-06 15:40 ` Xu Yilun
2025-06-06 16:34 ` Jason Gunthorpe
2025-06-09 4:47 ` Xu Yilun
2025-06-02 11:08 ` Aneesh Kumar K.V
2025-06-02 16:25 ` Xu Yilun
2025-06-02 16:48 ` Jason Gunthorpe
2025-06-03 4:05 ` Xu Yilun
2025-06-03 12:11 ` Jason Gunthorpe
2025-06-04 5:58 ` Xu Yilun
2025-06-04 12:36 ` Jason Gunthorpe
2025-06-05 3:05 ` Xu Yilun
2025-06-10 7:05 ` Alexey Kardashevskiy
2025-06-10 18:19 ` Jason Gunthorpe
2025-06-11 1:26 ` Alexey Kardashevskiy
2025-06-10 4:47 ` Alexey Kardashevskiy
2025-06-10 18:21 ` Jason Gunthorpe
2025-06-12 4:15 ` Xu Yilun
2025-06-03 5:00 ` Aneesh Kumar K.V
2025-06-03 10:50 ` Xu Yilun
2025-06-03 12:14 ` Jason Gunthorpe
2025-06-04 5:31 ` Xu Yilun
2025-06-04 12:31 ` Jason Gunthorpe
2025-06-05 3:25 ` Xu Yilun
2025-06-05 14:54 ` Jason Gunthorpe
2025-06-09 6:10 ` Xu Yilun
2025-06-09 16:42 ` Suzuki K Poulose
2025-06-09 18:07 ` Jason Gunthorpe
2025-06-10 7:31 ` Alexey Kardashevskiy
2025-06-12 5:44 ` Xu Yilun
2025-06-03 12:18 ` Jason Gunthorpe
2025-06-04 1:06 ` Dan Williams
2025-06-04 12:18 ` Jason Gunthorpe
2025-06-02 12:47 ` Jason Gunthorpe
2025-06-03 3:47 ` Xu Yilun
2025-06-03 12:08 ` Jason Gunthorpe
2025-06-04 6:39 ` Xu Yilun
2025-06-04 12:39 ` Jason Gunthorpe
2025-06-05 1:56 ` Xu Yilun
2025-07-15 10:29 ` Xu Yilun
2025-07-15 13:09 ` Jason Gunthorpe
2025-07-16 15:41 ` Xu Yilun
2025-07-16 16:31 ` Jason Gunthorpe
2025-07-17 8:28 ` Xu Yilun
2025-07-17 12:43 ` Jason Gunthorpe
2025-07-18 9:15 ` Xu Yilun
2025-07-18 12:26 ` Jason Gunthorpe
2025-07-20 2:37 ` Xu Yilun
2025-05-30 2:44 ` [PATCH v3 12/13] PCI/TSM: support TDI related operations for host TSM driver Alexey Kardashevskiy
2025-05-27 10:25 ` Suzuki K Poulose
2025-06-03 22:47 ` Dan Williams
2025-06-04 1:35 ` Alexey Kardashevskiy
2025-06-04 1:52 ` Dan Williams
2025-06-04 1:54 ` Dan Williams
2025-06-05 10:56 ` Alexey Kardashevskiy
2025-06-07 1:56 ` Dan Williams
2025-06-11 4:40 ` Alexey Kardashevskiy
2025-06-13 3:06 ` Dan Williams
2025-06-03 22:40 ` Dan Williams
2025-05-19 10:20 ` Alexey Kardashevskiy
2025-05-20 20:12 ` Dan Williams
2025-05-21 9:28 ` Xu Yilun
2025-05-26 8:08 ` Alexey Kardashevskiy
2025-05-29 14:20 ` Xu Yilun
2025-05-30 2:54 ` Alexey Kardashevskiy
2025-05-31 15:26 ` Xu Yilun
2025-06-02 4:51 ` Alexey Kardashevskiy
2025-06-02 18:51 ` Xu Yilun
2025-06-03 19:12 ` Dan Williams
2025-07-07 7:17 ` Aneesh Kumar K.V
2025-05-20 5:20 ` Aneesh Kumar K.V
2025-05-20 21:12 ` Dan Williams
2025-05-16 5:47 ` [PATCH v3 13/13] PCI/TSM: Add Guest TSM Support Dan Williams
2025-05-19 10:20 ` Alexey Kardashevskiy
2025-05-20 21:11 ` Dan Williams [this message]
2025-05-22 4:07 ` Alexey Kardashevskiy
2025-06-03 22:26 ` Dan Williams
2025-06-03 22:33 ` Jason Gunthorpe
2025-06-10 8:31 ` Alexey Kardashevskiy
2025-07-11 23:04 ` dan.j.williams
2025-05-20 9:25 ` Aneesh Kumar K.V
2025-05-20 21:27 ` Dan Williams
2025-05-20 11:00 ` Aneesh Kumar K.V
2025-05-20 21:31 ` Dan Williams
2025-06-03 19:07 ` Dan Williams
2025-05-21 15:03 ` Xu Yilun
2025-06-03 19:20 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=682ceffd717b4_1626e1006f@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=aik@amd.com \
--cc=aneesh.kumar@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-pci@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=sameo@rivosinc.com \
--cc=suzuki.poulose@arm.com \
--cc=yilun.xu@linux.intel.com \
--cc=zhiw@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).