On 12/10/23 20:15, Lukas Wunner wrote:
On Tue, Oct 10, 2023 at 03:07:41PM +1100, Alexey Kardashevskiy wrote:
But the way SPDM is done now is that if the user (as myself) wants to let
the firmware run SPDM - the only choice is disabling CONFIG_CMA completely
as CMA is not a (un)loadable module or built-in (with some "blacklist"
parameters), and does not provide a sysfs knob to control its tentacles.
Kinda harsh.
On AMD SEV-TIO, does the PSP perform SPDM exchanges with a device
*before* it is passed through to a guest? If so, why does it do that?
Yes, to set up IDE. SEV TIO is designed in a way that there is one
stream == set of keys per the PF's traffic class.
It is like this - imagine a TDISP+SRIOV device with hundreds VFs passed
through to hundreds VMs. The host still owns the PF, provides DOE for
the PSP, the PSP owns a handful of keys (one will do really, I have not
fully grasped the idea when one would want traffic classes but ok, up to
8), and hundreds VFs work using this few (or one) keys, and the PF works
as well, just cannot know the IDE key (==cannot spy on VFs via something
like PCI bridge/retimer or logic analyzer). It is different than what
you are doing, DOE is the only common thing so far (or ever?).
btw the PSP is not able to initiate SPDM traffic by itself, when the
host decides it wants to setup IDE (via a PSP in SEV TIO), it talks to
the PSP which can return "I want to talk to the device, here are
req/resp buffers", in a loop, until the PSP returns something else.
Dan and I discussed this off-list and Dan is arguing for lazy attestation,
i.e. the TSM should only have the need to perform SPDM exchanges with
the device when it is passed through.
Well, I'd expect that in most cases VF is going to be passed through and
IDE setup is done via PF which won't be passed through in such cases as
it has to manage VFs.
So the host enumerates the DOE protocols
Yes.
and authenticates the device.
No objection here. But PSP will need to rerun this, but still via the
host's DOE.
When the device is passed through, patch 12/12 ensures that the host
keeps its hands off of the device, thus affording the TSM exclusive
SPDM control.
If a PF is passed through - I guess yes we could use that, but how is
this going to work for a VF?
I agree that the commit message of 12/12 is utterly misleading in that
it says "the guest" is granted exclusive control. It should say "the TSM"
instead. (There might be implementations where the guest itself has
the role of the TSM and authenticates the device on its own behalf,
but PCIe r6.1 sec 11 uses the term "TSM" so that's what the commit
message needs to use.)
This should work as long as DOE is still available (as of today).
However apart from the necessary rewrite of the commit message and
perhaps a rename of the PCI_CMA_OWNED_BY_GUEST flag, I think patch 12/12
should already be doing exactly what you need -- provided that the
PSP doesn't perform SPDM exchanges before passthrough. If it already
performs them, say, on boot, I'd like to understand the reason.
In out design this does not have to happen on the host's boot. But I
wonder if some PF host driver authenticated some device and then we
create a bunch of VFs and pass the SPDM ownership of the PF to the PSP
to reauthentificate it again - the already running PF host driver may
become upset, may it? 12/12 assumes the host driver is VFIO-PCI but it
won't be, VFs will be bound to VFIO-PCI. Hope this all makes sense. Thanks,
Thanks,
Lukas
--
Alexey