* Please backport 980a573621ea to 6.12, 6.14
From: Dionna Amalie Glaze @ 2025-05-01 16:48 UTC
To: stable; +Cc: Jarkko Sakkinen, Stefano Garzarella
980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
This is a dependent commit for the series of patches to add the AMD
SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but
not support for the critical component for boot integrity that follows
the SEV-SNP threat model. That series
https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/
is applied at tip but is not yet in the mainline.
I have confirmed that this patch applies cleanly. Stefano's patch
series needs a minor tweak to the first patch due to the changed
surrounding function declarations in arch/x86/include/asm/sev.h
https://github.com/deeglaze/amdese-linux/commits/vtpm612/
I've independently tested the patches.
--
-Dionna Glaze, PhD, CISSP, CCSP (she/her)
* Re: Please backport 980a573621ea to 6.12, 6.14
From: Greg KH @ 2025-05-01 18:04 UTC
To: Dionna Amalie Glaze; +Cc: stable, Jarkko Sakkinen, Stefano Garzarella
On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
>
> This is a dependent commit for the series of patches to add the AMD
> SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but
> not support for the critical component for boot integrity that follows
> the SEV-SNP threat model. That series
> https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/
> is applied at tip but is not yet in the mainline.
How does this fix a bug in these stable branches now?
> I have confirmed that this patch applies cleanly. Stefano's patch
> series needs a minor tweak to the first patch due to the changed
> surrounding function declarations in arch/x86/include/asm/sev.h
> https://github.com/deeglaze/amdese-linux/commits/vtpm612/
> I've independently tested the patches.
Have you read the stable kernel rules text?
totally confused,
greg k-h
* Re: Please backport 980a573621ea to 6.12, 6.14
From: Dionna Amalie Glaze @ 2025-05-01 20:06 UTC
To: Greg KH; +Cc: stable, Jarkko Sakkinen, Stefano Garzarella
On Thu, May 1, 2025 at 11:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> > 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
> >
> > This is a dependent commit for the series of patches to add the AMD
> > SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but
> > not support for the critical component for boot integrity that follows
> > the SEV-SNP threat model. That series
> > https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/
> > is applied at tip but is not yet in the mainline.
>
> How does this fix a bug in these stable branches now?
I find that the inability to use the main purpose of SVSM support for
trusted boot integrity is a security bug according to the SEV-SNP
threat model.
This is a dependency already in mainline for the support patches
mentioned below. If you prefer to submit them all together, then
ignore this.
>
> > I have confirmed that this patch applies cleanly. Stefano's patch
> > series needs a minor tweak to the first patch due to the changed
> > surrounding function declarations in arch/x86/include/asm/sev.h
> > https://github.com/deeglaze/amdese-linux/commits/vtpm612/
> > I've independently tested the patches.
>
> Have you read the stable kernel rules text?
>
Yes, though admittedly I'm looking for a generous read. I haven't yet
proposed those patches for stable because I'm waiting for them to make
their way through tip to get to the mainline.
> totally confused,
>
Not my intent. This is my first time proposing a change to stable, so
apologies if I got it wrong.
> greg k-h
--
-Dionna Glaze, PhD, CISSP, CCSP (she/her)
* Re: Please backport 980a573621ea to 6.12, 6.14
From: Greg KH @ 2025-05-02 4:54 UTC
To: Dionna Amalie Glaze; +Cc: stable, Jarkko Sakkinen, Stefano Garzarella
On Thu, May 01, 2025 at 01:06:34PM -0700, Dionna Amalie Glaze wrote:
> On Thu, May 1, 2025 at 11:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> > > 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
> > >
> > > This is a dependent commit for the series of patches to add the AMD
> > > SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but
> > > not support for the critical component for boot integrity that follows
> > > the SEV-SNP threat model. That series
> > > https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/
> > > is applied at tip but is not yet in the mainline.
> >
> > How does this fix a bug in these stable branches now?
>
> I find that the inability to use the main purpose of SVSM support for
> trusted boot integrity is a security bug according to the SEV-SNP
> threat model.
That is a new feature, sorry. Just use new kernel versions if you wish
to have this.
greg k-h