From: Pavel Machek <pavel@denx.de>
To: Jonathan McDowell <noodles@fb.com>
Cc: "greg@kroah.com" <greg@kroah.com>,
Dmitrii Okunev <xaionaro@fb.com>,
"qiaowei.ren@intel.com" <qiaowei.ren@intel.com>,
"mjg59@srcf.ucam.org" <mjg59@srcf.ucam.org>,
"xiaoyan.zhang@intel.com" <xiaoyan.zhang@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"gang.wei@intel.com" <gang.wei@intel.com>,
"platform-driver-x86@vger.kernel.org"
<platform-driver-x86@vger.kernel.org>
Subject: Re: [discuss] Improve and merge a driver proposed in 2013: sysfs interfaces to access TXT config space
Date: Tue, 22 Feb 2022 10:31:01 +0100 [thread overview]
Message-ID: <20220222093101.GA23654@amd> (raw)
In-Reply-To: <0cf678e0b01bf421f3db6693a15ac4060501a80a.camel@fb.com>
[-- Attachment #1: Type: text/plain, Size: 4260 bytes --]
On Fri 2022-02-18 18:05:47, Jonathan McDowell wrote:
> On Thu, 2022-02-17 at 13:37 +0100, Pavel Machek wrote:
> > On Thu 2022-02-17 13:34:40, greg@kroah.com wrote:
> > > On Thu, Feb 17, 2022 at 11:47:21AM +0000, Dmitrii Okunev wrote:
> > > > Hello!
> > > >
> > > > As far as I see the patch wasn't merged. And I see that this is
> > > > the only unsolved thread in the discussion:
> > > >
> > > > On Thu, 2013-05-16 at 18:03 +0200, Pavel Machek wrote:
> > > > > On Tue 2013-05-14 01:24:43, Qiaowei Ren wrote:
> > > > > > These interfaces are located in
> > > > > > /sys/devices/platform/intel_txt/config,
> > > > > > and including totally 37 files, providing access to Intel TXT
> > > > > > configuration registers.
> > > > >
> > > > > This looks like very wrong interface... equivalent of /dev/mem.
> > > >
> > > > As an active user of these registers I hope it will be merged, so
> > > > I would like to improve this patch (or rewrite it from scratch)
> > > > to make that happen. Otherwise one have to do hackery around
> > > > `/dev/mem`, which also creates problems with proper access
> > > > control.
> > > >
> > > > To be able to improve the patch, could somebody clarify why
> > > > exactly this is a "very wrong interface"?
> > > >
> > > > > > +What: /sys/devices/platform/intel_txt/config/STS_ra
> > > > > > w
> > > > > > +Date: May 2013
> > > > > > +KernelVersion: 3.9
> > > > > > +Contact: "Qiaowei Ren" <qiaowei.ren@intel.com>
> > > > > > +Description: TXT.STS is the general status register. This
> > > > > > read-
> > > > > > only register
> > > > > > + is used by AC modules and the MLE to get the
> > > > > > status
> > > > > > of various
> > > > > > + Intel TXT features.
> > > > >
> > > > > This is not enough to allow people to understand what this
> > > > > does/should do, nor does it allow (for example) ARM people to
> > > > > implement something compatible.
> > > > >
> > > > > Is there specific reason why "better" interface is impossible?
> > > >
> > > > I would love to reuse Intel's public documentation [1] to provide
> > > > a proper description (with bit layout of the value).
> > > >
> > > > [1] https://cdrdv2.intel.com/v1/dl/getContent/315168
> > > >
> > > > > [...], nor does it allow (for example) ARM people to
> > > > > implement something compatible.
> > > >
> > > > Do I understand correctly that a proper documentation of the
> > > > registers solves the problem?
> > > >
> > > > > Is there specific reason why "better" interface is impossible?
> > > >
> > > > What are specific problems with the current interface?
> > >
> > > What do you mean by "current" here? You are referring to an email
> > > from 2013, 9 years ago.
> > >
> > > If you want to propose the change again, correctly update the patch
> > > and submit it that way.
> >
> > I don't believe taking hardware registers and exposing them 1-to-1 in
> > sysfs is the way to go.
> >
> > We would like same /sys interface on different hardware, and simply
> > exposing Intel's registers in /sys will not do the job.
>
> So, for our particular use case what we want to be able to see is the
> status of the TXT device, so when attestation fails it's possible to
> diagnose where that might have happened. At a minimum details from the
> status register are folded into the first measurement, and the error
> register can provide valuable insight as to what the TXT device thinks
> failed.
>
> At present these details are retrieved from /dev/mem, but this is less
> than ideal and prevents the use of, say, kernel lockdown. As a result
> we'd like to export the appropriate details via sysfs. These are likely
> to be extremely security block implementation specific, so I'm not
> clear that a generic agnostic interface is appropriate to retrieve
> these details.
> Do you have the same objection to a read only set of information
> (rather than the full control offered by the initial submission)?
Might be a job for debugfs?
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2022-02-22 9:31 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-13 17:24 [PATCH v2 0/3] Intel TXT driver Qiaowei Ren
2013-05-13 17:24 ` [PATCH v2 1/3] driver: add TXT driver in kernel Qiaowei Ren
2013-05-13 17:31 ` Matthew Garrett
2013-05-13 17:31 ` Matthew Garrett
2013-05-14 1:49 ` Ren, Qiaowei
2013-05-14 1:49 ` Ren, Qiaowei
2013-05-13 17:24 ` [PATCH v2 2/3] driver: provide sysfs interfaces to access TXT config space Qiaowei Ren
2013-05-13 17:35 ` Matthew Garrett
2013-05-13 17:35 ` Matthew Garrett
2013-05-14 1:46 ` Ren, Qiaowei
2013-05-14 1:46 ` Ren, Qiaowei
2013-05-16 16:03 ` Pavel Machek
2013-05-17 8:50 ` Ren, Qiaowei
2013-05-17 8:50 ` Ren, Qiaowei
2013-05-17 18:07 ` Pavel Machek
2013-05-17 18:07 ` Pavel Machek
2022-02-17 11:47 ` [discuss] Improve and merge a driver proposed in 2013: " Dmitrii Okunev
2022-02-17 12:34 ` greg
2022-02-17 12:37 ` Pavel Machek
2022-02-18 18:05 ` Jonathan McDowell
2022-02-22 9:31 ` Pavel Machek [this message]
2022-03-09 10:40 ` [RFC PATCH] platform/x86: Add sysfs interface for Intel TXT status Jonathan McDowell
2022-03-09 10:48 ` Greg KH
2022-03-09 10:58 ` Jonathan McDowell
2022-03-09 11:29 ` Greg KH
2022-03-09 10:53 ` Matthew Garrett
2022-03-09 17:55 ` Jonathan McDowell
2022-04-12 14:23 ` [RFC PATCH v2] platform/x86: Add securityfs interface for " Jonathan McDowell
2013-05-13 17:24 ` [PATCH v2 3/3] driver: provide sysfs interfaces to access SMX parameter Qiaowei Ren
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220222093101.GA23654@amd \
--to=pavel@denx.de \
--cc=gang.wei@intel.com \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=noodles@fb.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=qiaowei.ren@intel.com \
--cc=xaionaro@fb.com \
--cc=xiaoyan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.