All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Williams <dan.j.williams@intel.com>
To: Lukas Wunner <lukas@wunner.de>
Cc: Christoph Hellwig <hch@infradead.org>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Gavin Hindman <gavin.hindman@intel.com>,
	Linuxarm <linuxarm@huawei.com>,
	"Weiny, Ira" <ira.weiny@intel.com>,
	Linux PCI <linux-pci@vger.kernel.org>,
	linux-cxl@vger.kernel.org, CHUCK_LEVER <chuck.lever@oracle.com>
Subject: Re: [RFC PATCH 0/1] DOE usage with pcie/portdrv
Date: Fri, 20 May 2022 08:37:50 -0700	[thread overview]
Message-ID: <CAPcyv4iWGb7baQSsjjLJFuT1E11X8cHYdZoGXsNd+B9GHtsxLw@mail.gmail.com> (raw)
In-Reply-To: <20220520054214.GB22631@wunner.de>

On Thu, May 19, 2022 at 10:42 PM Lukas Wunner <lukas@wunner.de> wrote:
>
> On Wed, May 18, 2022 at 06:43:39AM -0700, Christoph Hellwig wrote:
> > On Sat, May 14, 2022 at 03:55:21PM +0200, Lukas Wunner wrote:
> > > Circling back to the SPDM/IDE topic, while NVMe is now capable of
> > > reliably recovering from errors, it does expect the kernel to handle
> > > recovery within a few seconds.  I'm not sure we can continue to
> > > guarantee that if the kernel depends on user space to perform
> > > re-authentication with SPDM after reset.  That's another headache
> > > that we could avoid with in-kernel SPDM authentication.
> >
> > I wonder if we need kernel bundled and tightly controlled userspace
> > code for these kinds of things (also for NVMe/NFS TLS).  That is,
> > bundle a userspace ELF file or files with a module which is unpacked
> > to or accessible by a ramfs-style file systems.  Then allow executing
> > it without any interaction with the normal userspace, and non-pagable
> > memory.  That way we can reuse existing userspace code, have really
> > nice address space isolation but avoid all the deadlock potential
> > of normal userspace code.  And I don't think it would be too hard to
> > implement either.
>
> Just as a reminder, on resume from system sleep, IDE needs to be
> set up by pci_pm_resume_noirq() to comply with the existing assumption
> that a PCI driver's ->resume_noirq callback may access the device.
>
> At that point (device) interrupts are disabled, so it's not possible
> to e.g. read certificates from disk or perform an OCSP request.
> So the bundled userspace code would have to conform to a number of
> severe restrictions to avoid resume issues.

Recall that OS managed IDE is somewhat of a stop-gap / special case as
typically the OS kernel is outside of the platform trust boundary for
things like TDX. I imagine suspend in the presence of IDE would be
platform firmware managed, not OS managed. Certificate validation can
always move internal to the kernel later if a concrete need arises,
but it is difficult to go the other way, to kick out certificate
validation from the kernel if it proves not to be needed. Otherwise, a
ring3/ userspace helper that can live in non-pageable memory to avoid
scenarios like this sounds like a capability that would be worth
having regardless.

  reply	other threads:[~2022-05-20 15:38 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-03 15:34 [RFC PATCH 0/1] DOE usage with pcie/portdrv Jonathan Cameron
2022-05-03 15:34 ` [RFC PATCH 1/1] pcie/portdrv: Hack in DOE and CDAT support Jonathan Cameron
2022-05-04  4:01   ` kernel test robot
2022-05-06 22:40 ` [RFC PATCH 0/1] DOE usage with pcie/portdrv Dan Williams
2022-05-07 10:18   ` Lukas Wunner
2022-05-09  9:48     ` Jonathan Cameron
2022-05-11 19:13       ` Lukas Wunner
2022-05-11 19:19         ` Lukas Wunner
2022-05-11 19:43           ` Dan Williams
2022-05-14 13:55             ` Lukas Wunner
2022-05-16 17:01               ` Dan Williams
2022-05-27  9:39                 ` Lukas Wunner
2022-05-18 13:43               ` Christoph Hellwig
2022-05-18 15:08                 ` Dan Williams
2022-05-20  5:42                 ` Lukas Wunner
2022-05-20 15:37                   ` Dan Williams [this message]
2022-05-20 15:42                     ` Chuck Lever III
2022-05-11 19:42         ` Dan Williams
2022-05-11 20:22           ` Hindman, Gavin
2022-05-11 21:04             ` Dan Williams
2022-05-14 13:31           ` Lukas Wunner
2022-05-16 16:53             ` Dan Williams
2022-05-09  9:33   ` Jonathan Cameron

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPcyv4iWGb7baQSsjjLJFuT1E11X8cHYdZoGXsNd+B9GHtsxLw@mail.gmail.com \
    --to=dan.j.williams@intel.com \
    --cc=Jonathan.Cameron@huawei.com \
    --cc=chuck.lever@oracle.com \
    --cc=gavin.hindman@intel.com \
    --cc=hch@infradead.org \
    --cc=ira.weiny@intel.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=linuxarm@huawei.com \
    --cc=lukas@wunner.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.