On Fri, Mar 07, 2025 at 01:19:11PM +1100, Alexey Kardashevskiy wrote:
> 
> 
> On 6/3/25 17:47, Xu Yilun wrote:
> > On Wed, Mar 05, 2025 at 03:28:42PM -0400, Jason Gunthorpe wrote:
> > > On Mon, Mar 03, 2025 at 01:32:47PM +0800, Xu Yilun wrote:
> > > > All these settings cannot really take function until guest verifies them
> > > > and does TDISP start. Guest verification does not (should not) need host
> > > > awareness.
> > > > 
> > > > Our solution is, separate the secure DMA setting and secure device setting
> > > > in different components, iommufd & vfio.
> > > > 
> > > > Guest requires bind:
> > > > - ioctl(iommufd, IOMMU_VIOMMU_ALLOC, {.type = IOMMU_VIOMMU_TYPE_KVM_VALID,
> > > >                                       .kvm_fd = kvm_fd,
> > > >                                       .out_viommu_id = &viommu_id});
> > > > - ioctl(iommufd, IOMMU_HWPT_ALLOC, {.flag = IOMMU_HWPT_ALLOC_TRUSTED,
> > > >                                     .pt_id = viommu_id,
> > > >                                     .out_hwpt_id = &hwpt_id});
> > > > - ioctl(vfio_fd, VFIO_DEVICE_ATTACH_IOMMUFD_PT, {.pt_id = hwpt_id})
> > > >   - do secure DMA setting in Intel iommu driver.
> > > > 
> > > > - ioctl(vfio_fd, VFIO_DEVICE_TSM_BIND, ...)
> > > >   - do bind in Intel TSM driver.
> > > 
> > > Except what command do you issue to the secure world for TSM_BIND
> > > and what are its arguments? Again you can't include the vBDF or vIOMMU
> > > ID here.
> > 
> > Bind for TDX doesn't require vBDF or vIOMMU ID. The seamcall is like:
> > 
> >   u64 tdh_devif_create(u64 stream_id,   // IDE stream ID, PF0 stuff
> >                        u64 devif_id,    // TDI ID, it is the host BDF
> >                        u64 tdr_pa,      // TDX VM core metadata page, TDX Connect uses it as CoCo-VM ID
> >                        u64 devifcs_pa)  // metadata page provided to firmware
> 
> (off-topic) is there a public spec with this command defined?

Sorry, there is no public TDX Connect SPEC yet.

Thanks,
Yilun