From: <dan.j.williams@intel.com>
To: <dan.j.williams@intel.com>,
Jonathan Cameron <jonathan.cameron@huawei.com>,
<dan.j.williams@intel.com>
Cc: Lukas Wunner <lukas@wunner.de>, Jason Gunthorpe <jgg@nvidia.com>,
"Alistair Francis" <alistair23@gmail.com>, <bhelgaas@google.com>,
<rust-for-linux@vger.kernel.org>, <akpm@linux-foundation.org>,
<linux-pci@vger.kernel.org>, <linux-cxl@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <alex.gaynor@gmail.com>,
<benno.lossin@proton.me>, <boqun.feng@gmail.com>,
<a.hindborg@kernel.org>, <gary@garyguo.net>,
<bjorn3_gh@protonmail.com>, <tmgross@umich.edu>,
<ojeda@kernel.org>, <wilfred.mallawa@wdc.com>,
<aliceryhl@google.com>,
Alistair Francis <alistair.francis@wdc.com>,
<aneesh.kumar@kernel.org>, <yilun.xu@linux.intel.com>,
<aik@amd.com>, Mathieu Poirier <mathieu.poirier@linaro.org>,
Thomas Fossati <thomas.fossati@linaro.org>
Subject: Re: [RFC v3 00/27] lib: Rust implementation of SPDM
Date: Wed, 4 Mar 2026 20:17:24 -0800 [thread overview]
Message-ID: <69a903d4511e4_6423c1004d@dwillia2-mobl4.notmuch> (raw)
In-Reply-To: <699ca65b5ff9b_1cc510019@dwillia2-mobl4.notmuch>
dan.j.williams@ wrote:
[..]
> > For that caching the public key bit, I'm not clear on whether you intend
> > to do that from kernel side (which I think I'd prefer) or have user space
> > squirt that key back in again? If we are doing it in kernel we can
> > at least always verify the transcript is self consistent and refuse to
> > give anything to user space if it's not consistent (other than debug material).
> > By self consistent I mean we verify the signature against the device provided
> > cert (might as well verify whole chain as that's trivial given we have to partly
> > parse them anyway to find the cert). I don't think it maters hugely if
> > we do this in kernel beyond advantage of removing a few foot guns and
> > simplifying the userpace interface to "I'm fine with the provided transcript
> > for use when I'm not here next time" write. Disadvantage is we use the
> > cert parsing code (which is there anyway) and parse it all twice - once
> > in kernel and probably again in userspace or at some remote verifier.
>
> Right, the proposal is cache the public-key from pci_tsm_ops::connect()
> and at least require that the resulting transcript from that session
> establishment is properly self-signed. No point in continuing with a TSM
> implementation that is not self-consistent.
So I ended up dropping this bit of the proposal because there is no need
for the kernel to be involved in any decision about the validity and
sufficiency of device evidence. Userspace has everything it needs to
make that initial determination. "Authenticated" simply means "evidence
ready".
Automatic device recovery into the TCB is a separate concern that needs
to be prepared to handle more than just "is this device able to generate
a fresh signature with the same cert chain that userspace saw before".
Yes, that is a minimal requirement but not sufficient for many cases.
For example cases that want to validate measurements, interface reports,
or opt-out of recovery because SPDM session loss is fatal.
I had a chat with Lukas about what I think that looks like this morning
and offered to summarize that in this thread. Note, this description is
assuming the drivers/pci/tsm/evidence.c implementation started here [1].
[1]: http://lore.kernel.org/20260303000207.1836586-9-dan.j.williams@intel.com
Authenticate a device
=====================
Look in /sys/class/tsm to find a tsmN device which will be either an
instance associated with native kernel PCI CMA/SPDM or a platform tsm
like the one provided by AMD SEV-TIO, ARM CCA, Intel TDX, etc...
echo tsmN > /sys/bus/pci/devices/$device/tsm/connect
Once that succeeds the PCI/TSM evidence netlink interface is available
to dump any signatures created during that session establishment.
After userspace is happy with that evidence it can bind a driver.
If running in a confidential VM where the TSM driver is capable of
securing more than just an SPDM session the interface is:
echo tsmN > /sys/bus/pci/devices/$device/tsm/lock
Similar evidence can be collected, and when userspace is happy with it
it can accept the device:
echo 1 > /sys/bus/pci/devices/$device/tsm/accept
...and bind a driver.
Auto-recover device (future work)
=================================
By default, devices fall out of the TCB on recovery events for the TDISP
case and need userspace to rerun the lock and accept flow. For the
native SPDM CMA case the default is that the kernel continues to operate
the device post recovery and only userspace polling could detect device
replacement.
To go beyond those defaults the kernel needs userpsace to tell it how to
re-validate the device. I think that can be as simple as a netlink
message to store hashes of cert chains or measurements and then use
those in a new challenge / response with the device with a kernel
decided nonce. It can also be more sophisiticated than that. The
point is that it will be use case dependendent, policy driven, and
separate from the "connect" or "lock" flow.
The equivalent behavior to what is present in this SPDM proposal is
extend drivers/pci/tsm/evidence.c to add a netlink operation that tells
the kernel to cache the public-key and challenge the device regenerate a
valid signature. Then plumb all the recovery paths to call a new
'struct pci_tsm_ops::revalidate()' operation in all the same places
where this patch set wants to reauthenticate. Later when something more
sophisticated than "challenge the device to create a signature" comes
along it can reuse those revalidate() hooks.
Auto-authenticate devices (future work)
=======================================
One of the nice aspects of the .cma keyring proposal is that it would be
amenable to CONFIG_SYSTEM_EXTRA_CERTIFICATE. Give the kernel the
certificate to validate device signatures without needing to ask
userspace. That still comes with the caveat that it is not sufficient
for the cases that care about more than mere signature verification. I
am not opposed to that being built just that it is not a policy that is
implied by the device "authenticated" state. It is policy that is
incremental to the base which makes no assumptions about kernel
verification.
next prev parent reply other threads:[~2026-03-05 4:17 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 3:29 [RFC v3 00/27] lib: Rust implementation of SPDM alistair23
2026-02-11 3:29 ` [RFC v3 01/27] rust: add untrusted data abstraction alistair23
2026-02-11 3:29 ` [RFC v3 02/27] X.509: Make certificate parser public alistair23
2026-02-11 3:29 ` [RFC v3 03/27] X.509: Parse Subject Alternative Name in certificates alistair23
2026-02-11 3:29 ` [RFC v3 04/27] X.509: Move certificate length retrieval into new helper alistair23
2026-02-11 3:29 ` [RFC v3 05/27] certs: Create blacklist keyring earlier alistair23
2026-02-11 3:29 ` [RFC v3 06/27] rust: add bindings for hash.h alistair23
2026-02-19 14:48 ` Gary Guo
2026-03-02 16:18 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 07/27] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-02-19 14:49 ` Gary Guo
2026-03-13 2:20 ` Alistair Francis
2026-03-13 10:35 ` Alice Ryhl
2026-02-11 3:29 ` [RFC v3 08/27] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-03-02 17:09 ` Jonathan Cameron
2026-03-13 3:44 ` Alistair Francis
2026-02-11 3:29 ` [RFC v3 09/27] PCI/CMA: Authenticate devices on enumeration alistair23
2026-02-16 4:25 ` Aksh Garg
2026-02-11 3:29 ` [RFC v3 10/27] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-02-11 3:29 ` [RFC v3 11/27] PCI/CMA: Reauthenticate devices on reset and resume alistair23
2026-02-11 3:29 ` [RFC v3 12/27] lib: rspdm: Support SPDM get_version alistair23
2026-02-11 4:00 ` Wilfred Mallawa
2026-03-03 11:36 ` Jonathan Cameron
2026-03-13 5:35 ` Alistair Francis
2026-03-13 5:53 ` Miguel Ojeda
2026-03-13 5:55 ` Miguel Ojeda
2026-03-16 17:16 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 13/27] lib: rspdm: Support SPDM get_capabilities alistair23
2026-02-11 4:08 ` Wilfred Mallawa
2026-03-03 12:09 ` Jonathan Cameron
2026-03-03 18:07 ` Miguel Ojeda
2026-03-20 4:32 ` Alistair Francis
2026-02-11 3:29 ` [RFC v3 14/27] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-03-03 13:46 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 15/27] lib: rspdm: Support SPDM get_digests alistair23
2026-03-03 14:29 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 16/27] lib: rspdm: Support SPDM get_certificate alistair23
2026-03-03 14:51 ` Jonathan Cameron
2026-03-31 2:37 ` Alistair Francis
2026-03-31 13:19 ` Gary Guo
2026-02-11 3:29 ` [RFC v3 17/27] crypto: asymmetric_keys - Load certificate parsing early in boot alistair23
2026-02-11 3:29 ` [RFC v3 18/27] KEYS: Load keyring and certificates " alistair23
2026-02-11 3:29 ` [RFC v3 19/27] PCI/CMA: Support built in X.509 certificates alistair23
2026-02-11 3:29 ` [RFC v3 20/27] crypto: sha: Load early in boot alistair23
2026-03-03 14:52 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 21/27] crypto: ecdsa: " alistair23
2026-03-03 14:54 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 22/27] lib: rspdm: Support SPDM certificate validation alistair23
2026-03-03 15:00 ` Jonathan Cameron
2026-03-31 3:29 ` Alistair Francis
2026-03-31 10:11 ` Miguel Ojeda
2026-04-01 1:48 ` Alistair Francis
2026-04-01 10:37 ` Miguel Ojeda
2026-02-11 3:29 ` [RFC v3 23/27] rust: allow extracting the buffer from a CString alistair23
2026-02-19 14:50 ` Gary Guo
2026-02-11 3:29 ` [RFC v3 24/27] lib: rspdm: Support SPDM challenge alistair23
2026-03-03 16:54 ` Jonathan Cameron
2026-02-11 3:29 ` [RFC v3 25/27] PCI/CMA: Expose in sysfs whether devices are authenticated alistair23
2026-02-11 3:29 ` [RFC v3 26/27] rust: add bindings for hash_info alistair23
2026-02-11 3:29 ` [RFC v3 27/27] rspdm: Multicast received signatures via netlink alistair23
2026-02-19 10:19 ` Lukas Wunner
2026-02-12 5:56 ` [RFC v3 00/27] lib: Rust implementation of SPDM dan.j.williams
2026-02-18 2:12 ` Alistair Francis
2026-04-09 3:39 ` Alistair Francis
2026-04-13 5:42 ` Alistair Francis
2026-04-17 2:35 ` Dan Williams
2026-04-17 4:34 ` Lukas Wunner
2026-04-17 5:20 ` Alistair Francis
2026-05-02 1:34 ` Dan Williams (nvidia)
2026-05-05 8:56 ` Alistair Francis
2026-02-17 23:56 ` Jason Gunthorpe
2026-02-18 2:17 ` Alistair Francis
2026-02-18 23:40 ` dan.j.williams
2026-02-19 0:56 ` Jason Gunthorpe
2026-02-19 5:05 ` dan.j.williams
2026-02-19 12:41 ` Jason Gunthorpe
2026-02-19 14:15 ` Lukas Wunner
2026-02-19 14:31 ` Jason Gunthorpe
2026-02-19 15:07 ` Lukas Wunner
2026-02-19 17:39 ` Jason Gunthorpe
2026-02-19 20:07 ` dan.j.williams
2026-02-20 8:30 ` Lukas Wunner
2026-02-20 14:10 ` Jason Gunthorpe
2026-02-21 18:46 ` Lukas Wunner
2026-02-21 23:29 ` dan.j.williams
2026-02-23 17:15 ` Jonathan Cameron
2026-02-23 19:11 ` dan.j.williams
2026-02-24 14:33 ` Jason Gunthorpe
2026-03-05 4:17 ` dan.j.williams [this message]
2026-03-05 12:48 ` Jason Gunthorpe
2026-03-05 19:49 ` dan.j.williams
2026-03-09 11:39 ` Jonathan Cameron
2026-03-09 12:31 ` Jason Gunthorpe
2026-03-09 15:33 ` Jonathan Cameron
2026-03-09 15:59 ` Jason Gunthorpe
2026-03-09 18:00 ` Jonathan Cameron
2026-03-09 20:40 ` Jason Gunthorpe
2026-03-09 23:11 ` DanX Williams
2026-02-24 14:16 ` Jason Gunthorpe
2026-02-24 15:54 ` Lukas Wunner
2026-02-25 14:50 ` Jason Gunthorpe
2026-02-19 14:40 ` Greg KH
2026-02-20 7:46 ` Lukas Wunner
2026-02-20 9:14 ` Greg KH
2026-02-20 11:45 ` Lukas Wunner
2026-02-20 11:57 ` Greg KH
2026-02-19 9:34 ` Lukas Wunner
2026-02-19 12:43 ` Jason Gunthorpe
2026-02-19 18:48 ` dan.j.williams
2026-02-19 9:13 ` Lukas Wunner
2026-02-19 18:42 ` dan.j.williams
2026-02-19 11:24 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69a903d4511e4_6423c1004d@dwillia2-mobl4.notmuch \
--to=dan.j.williams@intel.com \
--cc=a.hindborg@kernel.org \
--cc=aik@amd.com \
--cc=akpm@linux-foundation.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=alistair.francis@wdc.com \
--cc=alistair23@gmail.com \
--cc=aneesh.kumar@kernel.org \
--cc=benno.lossin@proton.me \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=jgg@nvidia.com \
--cc=jonathan.cameron@huawei.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mathieu.poirier@linaro.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=thomas.fossati@linaro.org \
--cc=tmgross@umich.edu \
--cc=wilfred.mallawa@wdc.com \
--cc=yilun.xu@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox