From: <dan.j.williams@intel.com>
To: Jason Gunthorpe <jgg@nvidia.com>, Lukas Wunner <lukas@wunner.de>
Cc: <dan.j.williams@intel.com>,
Alistair Francis <alistair23@gmail.com>, <bhelgaas@google.com>,
<rust-for-linux@vger.kernel.org>, <akpm@linux-foundation.org>,
<linux-pci@vger.kernel.org>, <Jonathan.Cameron@huawei.com>,
<linux-cxl@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<alex.gaynor@gmail.com>, <benno.lossin@proton.me>,
<boqun.feng@gmail.com>, <a.hindborg@kernel.org>,
<gary@garyguo.net>, <bjorn3_gh@protonmail.com>,
<tmgross@umich.edu>, <ojeda@kernel.org>,
<wilfred.mallawa@wdc.com>, <aliceryhl@google.com>,
Alistair Francis <alistair.francis@wdc.com>,
<aneesh.kumar@kernel.org>, <yilun.xu@linux.intel.com>,
<aik@amd.com>
Subject: Re: [RFC v3 00/27] lib: Rust implementation of SPDM
Date: Thu, 19 Feb 2026 12:07:25 -0800 [thread overview]
Message-ID: <69976d7d39c60_2f4a1009@dwillia2-mobl4.notmuch> (raw)
In-Reply-To: <20260219173937.GH723117@nvidia.com>
Jason Gunthorpe wrote:
> On Thu, Feb 19, 2026 at 04:07:58PM +0100, Lukas Wunner wrote:
> > On Thu, Feb 19, 2026 at 10:31:29AM -0400, Jason Gunthorpe wrote:
> > > On Thu, Feb 19, 2026 at 03:15:34PM +0100, Lukas Wunner wrote:
> > > > The way this works in my series (and I presume Alistair's) is that
> > > > trusted root certificates for devices need to be added to the .cma
> > > > keyring.
> > > >
> > > > This can be done from user space using keyctl(1) or some other utility
> > > > that can talk to the kernel's existing keyctl ABI.
> > >
> > > I really don't like this from a verification perspective. We don't
> > > want the kernel checking signatures, that is the verifier's job.
> >
> > On resume from system sleep, the device is put into D0 already in the
> > ->resume_noirq() phase and drivers are free to access it already at
> > that point. However a verifier in user space cannot be queried
> > at that point because user space is still frozen.
> >
> > Likewise after recovery from DPC or AER, the device has been reset
> > and needs to be reauthenticated, yet user space may be unavailable
> > because the device that has been reset may contain the root partition
> > or may be the NIC that you need to query your remote attestation service.
> >
> > There is no way around some form of in-kernel device authentication
> > to accommodate such use cases.
>
> I'm arguing there are two very different steps here that must be kept
> separate. Verification is done when the device is first seen and the
> kernel is told it is OK to use the device.
>
> A same-device check is performed if an already verified and accepted
> device resumes or RAS's in some way.
>
> same-device does not mean run a kernel verification against the kernel
> keyring, as a second verification could be tricked into accepting
> something that has changed and defeat the userspace verifier.
>
> Instead the implementation should capture information when the device
> is accepted by the verifier and on resume/RAS it should compare the
> device against that captured information and determine if it is still
> the same device.
>
> The key north star must be that the userspace verifier alone decides
> if the device is acceptable and if the kernel is configured to
> auto-re-accept the device later on RAS/resume it must not permit a
> device that is different from what userspace approved. In other words
> it is not a verification on resume, it is just a kernel side
> confirmation the device hasn't been changed.
>
> Hence no keyring should be involved in resume.
I am also struggling to see a role for the .cma keyring as long as the
kernel eventually has a method to cache cert-chain, measurements, and
for TDISP, interface report digests. Support for a recovery flow is not
the first dragon to slay though as just establishing device trust in the
first instance without RAS concerns is a significant amount of work.
Linux should not over index on native bare-metal CMA because that
mechanism only tells you that the SPDM session with device firmware
(DSM) is authenticated, it does nothing to ensure that the kernel's view
of the device's MMIO is and remains associated with that DSM. Better
than nothing, yes, but it certainly assumes a less sophisticated threat
model than TDISP.
So the current 'authenticated' PCI sysfs attribute can simply indicate
"SPDM collateral (cert chain + measurements) available", and leave all
the decisions about what do with that collateral to userspace. For cases
where the full lock + accept TDISP flow is not available the only policy
knob that userspace has is to decline to attach a driver.
Once we have that userspace can optionally tell the kernel to cache
digests for automatic re-accept / keep driver bound, or userspace can
plan to do another round trip with the verifier for recovery if the
device bounces out of the TCB.
My current thought is take and adapt the netlink interface to retrieve
cert chains, change the certificate slot for the authentication attempt,
and retrieve device measurements. None of that requires the x509 parser.
With that in place native CMA SPDM can be modeled as just another TSM
driver that only addresses a subset of the TDISP threat model.
There are 2 flows depending on whether the TSM driver suports the
comprehensive security of the "lock+accept" model or not:
---
# $tsmN is a class device registered by one of amd-tio, intel-tdx,
# arm-cca, or when this spdm library is available a kernel-pci-cma TSM
# driver
# The "lock+accept" model is not available for any of the current tsm
# drivers on bare metal, only the "connect" flow. The connect flow gets
# you an SPDM secure session at a minimum and optionally IDE as well. It
# is a less comprehensive security model than TDISP
echo $tsmN > /sys/bus/pci/devices/$pci_dev/tsm/connect
# Alternatively, when a TDISP interface is assigned, the TSM driver
# publishes "lock+accept" attributes. This provides the comprehensive
# security model that closes "DSM is and remains associated to device
# MMIO" TOCTOU problem.
echo $tsmN > /sys/bus/pci/devices/$pci_dev/tsm/lock
# In either of the above cases the
# /sys/bus/pci/devices/$pci_dev/authenticated attribute toggles to 1 and
# userspace is able to use PCI netlink to gather evidence with nonces
...collect (with netlink) / validate evidence...
# When verifier is satisfied bind the driver, or in the Confidential
# Computing / TDISP case, first "accept" the device so that it is
# allowed to access private memory
echo 1 > /sys/bus/pci/devices/$pci_dev/tsm/accept
echo $pci_dev > /sys/bus/pci/drivers/$driver/bind
---
next prev parent reply other threads:[~2026-02-19 20:07 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 3:29 [RFC v3 00/27] lib: Rust implementation of SPDM alistair23
2026-02-11 3:29 ` [RFC v3 01/27] rust: add untrusted data abstraction alistair23
2026-02-11 3:29 ` [RFC v3 02/27] X.509: Make certificate parser public alistair23
2026-02-11 3:29 ` [RFC v3 03/27] X.509: Parse Subject Alternative Name in certificates alistair23
2026-02-11 3:29 ` [RFC v3 04/27] X.509: Move certificate length retrieval into new helper alistair23
2026-02-11 3:29 ` [RFC v3 05/27] certs: Create blacklist keyring earlier alistair23
2026-02-11 3:29 ` [RFC v3 06/27] rust: add bindings for hash.h alistair23
2026-02-19 14:48 ` Gary Guo
2026-03-02 16:18 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 07/27] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-02-19 14:49 ` Gary Guo
2026-03-13 2:20 ` Alistair Francis
2026-03-13 10:35 ` Alice Ryhl
2026-02-11 3:29 ` [RFC v3 08/27] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-03-02 17:09 ` Jonathan Cameron
2026-03-13 3:44 ` Alistair Francis
2026-02-11 3:29 ` [RFC v3 09/27] PCI/CMA: Authenticate devices on enumeration alistair23
2026-02-16 4:25 ` Aksh Garg
2026-02-11 3:29 ` [RFC v3 10/27] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-02-11 3:29 ` [RFC v3 11/27] PCI/CMA: Reauthenticate devices on reset and resume alistair23
2026-02-11 3:29 ` [RFC v3 12/27] lib: rspdm: Support SPDM get_version alistair23
2026-02-11 4:00 ` Wilfred Mallawa
2026-03-03 11:36 ` Jonathan Cameron
2026-03-13 5:35 ` Alistair Francis
2026-03-13 5:53 ` Miguel Ojeda
2026-03-13 5:55 ` Miguel Ojeda
2026-03-16 17:16 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 13/27] lib: rspdm: Support SPDM get_capabilities alistair23
2026-02-11 4:08 ` Wilfred Mallawa
2026-03-03 12:09 ` Jonathan Cameron
2026-03-03 18:07 ` Miguel Ojeda
2026-03-20 4:32 ` Alistair Francis
2026-02-11 3:29 ` [RFC v3 14/27] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-03-03 13:46 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 15/27] lib: rspdm: Support SPDM get_digests alistair23
2026-03-03 14:29 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 16/27] lib: rspdm: Support SPDM get_certificate alistair23
2026-03-03 14:51 ` Jonathan Cameron
2026-03-31 2:37 ` Alistair Francis
2026-03-31 13:19 ` Gary Guo
2026-02-11 3:29 ` [RFC v3 17/27] crypto: asymmetric_keys - Load certificate parsing early in boot alistair23
2026-02-11 3:29 ` [RFC v3 18/27] KEYS: Load keyring and certificates " alistair23
2026-02-11 3:29 ` [RFC v3 19/27] PCI/CMA: Support built in X.509 certificates alistair23
2026-02-11 3:29 ` [RFC v3 20/27] crypto: sha: Load early in boot alistair23
2026-03-03 14:52 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 21/27] crypto: ecdsa: " alistair23
2026-03-03 14:54 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 22/27] lib: rspdm: Support SPDM certificate validation alistair23
2026-03-03 15:00 ` Jonathan Cameron
2026-03-31 3:29 ` Alistair Francis
2026-03-31 10:11 ` Miguel Ojeda
2026-04-01 1:48 ` Alistair Francis
2026-04-01 10:37 ` Miguel Ojeda
2026-02-11 3:29 ` [RFC v3 23/27] rust: allow extracting the buffer from a CString alistair23
2026-02-19 14:50 ` Gary Guo
2026-02-11 3:29 ` [RFC v3 24/27] lib: rspdm: Support SPDM challenge alistair23
2026-03-03 16:54 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 25/27] PCI/CMA: Expose in sysfs whether devices are authenticated alistair23
2026-02-11 3:29 ` [RFC v3 26/27] rust: add bindings for hash_info alistair23
2026-02-11 3:29 ` [RFC v3 27/27] rspdm: Multicast received signatures via netlink alistair23
2026-02-19 10:19 ` Lukas Wunner
2026-02-12 5:56 ` [RFC v3 00/27] lib: Rust implementation of SPDM dan.j.williams
2026-02-18 2:12 ` Alistair Francis
2026-04-09 3:39 ` Alistair Francis
2026-04-13 5:42 ` Alistair Francis
2026-04-17 2:35 ` Dan Williams
2026-04-17 4:34 ` Lukas Wunner
2026-04-17 5:20 ` Alistair Francis
2026-05-02 1:34 ` Dan Williams (nvidia)
2026-05-05 8:56 ` Alistair Francis
2026-02-17 23:56 ` Jason Gunthorpe
2026-02-18 2:17 ` Alistair Francis
2026-02-18 23:40 ` dan.j.williams
2026-02-19 0:56 ` Jason Gunthorpe
2026-02-19 5:05 ` dan.j.williams
2026-02-19 12:41 ` Jason Gunthorpe
2026-02-19 14:15 ` Lukas Wunner
2026-02-19 14:31 ` Jason Gunthorpe
2026-02-19 15:07 ` Lukas Wunner
2026-02-19 17:39 ` Jason Gunthorpe
2026-02-19 20:07 ` dan.j.williams [this message]
2026-02-20 8:30 ` Lukas Wunner
2026-02-20 14:10 ` Jason Gunthorpe
2026-02-21 18:46 ` Lukas Wunner
2026-02-21 23:29 ` dan.j.williams
2026-02-23 17:15 ` Jonathan Cameron
2026-02-23 19:11 ` dan.j.williams
2026-02-24 14:33 ` Jason Gunthorpe
2026-03-05 4:17 ` dan.j.williams
2026-03-05 12:48 ` Jason Gunthorpe
2026-03-05 19:49 ` dan.j.williams
2026-03-09 11:39 ` Jonathan Cameron
2026-03-09 12:31 ` Jason Gunthorpe
2026-03-09 15:33 ` Jonathan Cameron
2026-03-09 15:59 ` Jason Gunthorpe
2026-03-09 18:00 ` Jonathan Cameron
2026-03-09 20:40 ` Jason Gunthorpe
2026-03-09 23:11 ` DanX Williams
2026-02-24 14:16 ` Jason Gunthorpe
2026-02-24 15:54 ` Lukas Wunner
2026-02-25 14:50 ` Jason Gunthorpe
2026-02-19 14:40 ` Greg KH
2026-02-20 7:46 ` Lukas Wunner
2026-02-20 9:14 ` Greg KH
2026-02-20 11:45 ` Lukas Wunner
2026-02-20 11:57 ` Greg KH
2026-02-19 9:34 ` Lukas Wunner
2026-02-19 12:43 ` Jason Gunthorpe
2026-02-19 18:48 ` dan.j.williams
2026-02-19 9:13 ` Lukas Wunner
2026-02-19 18:42 ` dan.j.williams
2026-02-19 11:24 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69976d7d39c60_2f4a1009@dwillia2-mobl4.notmuch \
--to=dan.j.williams@intel.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=a.hindborg@kernel.org \
--cc=aik@amd.com \
--cc=akpm@linux-foundation.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=alistair.francis@wdc.com \
--cc=alistair23@gmail.com \
--cc=aneesh.kumar@kernel.org \
--cc=benno.lossin@proton.me \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=jgg@nvidia.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=wilfred.mallawa@wdc.com \
--cc=yilun.xu@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox