linux-kernel.vger.kernel.org archive mirror
From: Dan Williams <dan.j.williams@intel.com>
To: <torvalds@linux-foundation.org>
Cc: <linux-coco@lists.linux.dev>, Erdem Aktas <erdemaktas@google.com>,
	"Tom Lendacky" <thomas.lendacky@amd.com>,
	Peter Gonda <pgonda@google.com>, "Borislav Petkov" <bp@alien8.de>,
	Dionna Amalie Glaze <dionnaglaze@google.com>,
	"Jeremi Piotrowski" <jpiotrowski@linux.microsoft.com>,
	Samuel Ortiz <sameo@rivosinc.com>,
	Alexey Kardashevskiy <aik@amd.com>, <dave.hansen@linux.intel.com>,
	<x86@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] configs-tsm: Unified attestation report ABI for v6.7
Date: Thu, 2 Nov 2023 17:04:04 -0700
Message-ID: <654438f4ca604_3f6029413@dwillia2-mobl3.amr.corp.intel.com.notmuch>

Hi Linus, please pull from:

  git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux tags/tsm-for-6.7

...to receive a cross-vendor mechanism for retrieving
confidential-computing attestation reports. This is coming from me
because I originated the proposal and there is no clear pre-existing
upstream path for cross-vendor confidential-computing device driver
infrastructure. I.e. it is not cleanly tip.git material, but it does
have acks from x86 maintainers, AMD devs, Intel devs, and Google devs
(who hold a near term interest in consuming it). It has appeared in
-next with no reported issues.

As for what this is...

In an ideal world there would be a cross-vendor standard attestation
report format for confidential guests along with a common device
definition to act as the transport.

In the real world the situation ended up with multiple platform vendors
inventing their own attestation report formats with the SEV-SNP
implementation being a first mover to define a custom sev-guest
character device and corresponding ioctl(). Later, this configfs-tsm
proposal intercepted an attempt to add a tdx-guest character device and
a corresponding new ioctl(). It also anticipated ARM and RISC-V showing
up with more chardevs and more ioctls().

The proposal takes for granted that Linux tolerates the vendor report
format differentiation until a standard arrives. From talking with folks
involved, it sounds like that standardization work is unlikely to
resolve anytime soon. It also takes the position that kernfs ABIs are
easier to maintain than ioctl(). The result is a shared configfs
mechanism to return per-vendor report-blobs with the option to later
support a standard when that arrives.

Part of the goal here also is to get the community into the
"uncomfortable, but beneficial to the long term maintainability of the
kernel" state of talking to each other about their differentiation and
opportunities to collaborate. Think of this like the device-driver
equivalent of the common memory-management infrastructure for
confidential-computing being built up in KVM.

As for establishing an "upstream path for cross-vendor
confidential-computing device driver infrastructure" this is something I
want to discuss at Plumbers. At present, the multiple vendor proposals
for assigning devices to confidential computing VMs likely need a new
dedicated repository and maintainer team, but that is a discussion for
v6.8.

For now, Greg and Thomas have acked this approach and this is passing
AMD, Intel, and Google tests.

---

The following changes since commit 6465e260f48790807eef06b583b38ca9789b6072:

  Linux 6.6-rc3 (2023-09-24 14:31:13 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux tags/tsm-for-6.7

for you to fetch changes up to f4738f56d1dc62aaba69b33702a5ab098f1b8c63:

  virt: tdx-guest: Add Quote generation support using TSM_REPORTS (2023-10-19 18:12:00 -0700)

----------------------------------------------------------------
configfs-tsm for v6.7

- Introduce configfs-tsm as a shared ABI for confidential computing
  attestation reports

- Convert sev-guest to additionally support configfs-tsm alongside its
  vendor specific ioctl()

- Added signed attestation report retrieval to the tdx-guest driver
  forgoing a new vendor specific ioctl()

- Misc. cleanups and a new __free() annotation for kvfree()

----------------------------------------------------------------
Dan Williams (6):
      virt: sevguest: Fix passing a stack buffer as a scatterlist target
      virt: coco: Add a coco/Makefile and coco/Kconfig
      configfs-tsm: Introduce a shared ABI for attestation reports
      virt: sevguest: Prep for kernel internal get_ext_report()
      mm/slab: Add __free() support for kvfree
      virt: sevguest: Add TSM_REPORTS support for SNP_GET_EXT_REPORT

Kuppuswamy Sathyanarayanan (1):
      virt: tdx-guest: Add Quote generation support using TSM_REPORTS

 Documentation/ABI/testing/configfs-tsm  |  82 ++++++
 MAINTAINERS                             |   8 +
 arch/x86/coco/tdx/tdx.c                 |  21 ++
 arch/x86/include/asm/shared/tdx.h       |   1 +
 arch/x86/include/asm/tdx.h              |   2 +
 drivers/virt/Kconfig                    |   6 +-
 drivers/virt/Makefile                   |   4 +-
 drivers/virt/coco/Kconfig               |  14 ++
 drivers/virt/coco/Makefile              |   8 +
 drivers/virt/coco/sev-guest/Kconfig     |   1 +
 drivers/virt/coco/sev-guest/sev-guest.c | 214 ++++++++++++++--
 drivers/virt/coco/tdx-guest/Kconfig     |   1 +
 drivers/virt/coco/tdx-guest/tdx-guest.c | 229 ++++++++++++++++-
 drivers/virt/coco/tsm.c                 | 425 ++++++++++++++++++++++++++++++++
 include/linux/slab.h                    |   2 +
 include/linux/tsm.h                     |  69 ++++++
 include/uapi/linux/psp-sev.h            |   1 +
 include/uapi/linux/sev-guest.h          |   4 +-
 18 files changed, 1055 insertions(+), 37 deletions(-)
 create mode 100644 Documentation/ABI/testing/configfs-tsm
 create mode 100644 drivers/virt/coco/Kconfig
 create mode 100644 drivers/virt/coco/Makefile
 create mode 100644 drivers/virt/coco/tsm.c
 create mode 100644 include/linux/tsm.h
