Re: [PATCH 00/12] PCI device authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 12 Oct 2023 22:18:27 +1100
Alexey Kardashevskiy <aik@xxxxxxx> wrote:

> On 12/10/23 20:15, Lukas Wunner wrote:
> > On Tue, Oct 10, 2023 at 03:07:41PM +1100, Alexey Kardashevskiy wrote:  
> >> But the way SPDM is done now is that if the user (as myself) wants to let
> >> the firmware run SPDM - the only choice is disabling CONFIG_CMA completely
> >> as CMA is not a (un)loadable module or built-in (with some "blacklist"
> >> parameters), and does not provide a sysfs knob to control its tentacles.
> >> Kinda harsh.  
> > 
> > On AMD SEV-TIO, does the PSP perform SPDM exchanges with a device
> > *before* it is passed through to a guest?  If so, why does it do that?  
> 
> Yes, to set up IDE. SEV TIO is designed in a way that there is one 
> stream == set of keys per the PF's traffic class.
> 
> It is like this - imagine a TDISP+SRIOV device with hundreds VFs passed 
> through to hundreds VMs. The host still owns the PF, provides DOE for 
> the PSP, the PSP owns a handful of keys (one will do really, I have not 
> fully grasped the idea when one would want traffic classes but ok, up to 
> 8), and hundreds VFs work using this few (or one) keys, and the PF works 
> as well, just cannot know the IDE key (==cannot spy on VFs via something 
> like PCI bridge/retimer or logic analyzer). It is different than what 
> you are doing, DOE is the only common thing so far (or ever?).
> 
> btw the PSP is not able to initiate SPDM traffic by itself, when the 
> host decides it wants to setup IDE (via a PSP in SEV TIO), it talks to 
> the PSP which can return "I want to talk to the device, here are 
> req/resp buffers", in a loop, until the PSP returns something else.
> 
> > Dan and I discussed this off-list and Dan is arguing for lazy attestation,
> > i.e. the TSM should only have the need to perform SPDM exchanges with
> > the device when it is passed through.  
> 
> Well, I'd expect that in most cases VF is going to be passed through and 
> IDE setup is done via PF which won't be passed through in such cases as 
> it has to manage VFs.
> 
> > So the host enumerates the DOE protocols  
> 
> Yes.
> 
> > and authenticates the device.  
> 
> No objection here. But PSP will need to rerun this, but still via the 
> host's DOE.
> 
> > When the device is passed through, patch 12/12 ensures that the host
> > keeps its hands off of the device, thus affording the TSM exclusive
> > SPDM control.  
> 
> If a PF is passed through - I guess yes we could use that, but how is 
> this going to work for a VF?
> 
> > I agree that the commit message of 12/12 is utterly misleading in that
> > it says "the guest" is granted exclusive control.  It should say "the TSM"
> > instead.  (There might be implementations where the guest itself has
> > the role of the TSM and authenticates the device on its own behalf,
> > but PCIe r6.1 sec 11 uses the term "TSM" so that's what the commit
> > message needs to use.)  
> 
> This should work as long as DOE is still available (as of today).
> 
> > However apart from the necessary rewrite of the commit message and
> > perhaps a rename of the PCI_CMA_OWNED_BY_GUEST flag, I think patch 12/12
> > should already be doing exactly what you need -- provided that the
> > PSP doesn't perform SPDM exchanges before passthrough.  If it already
> > performs them, say, on boot, I'd like to understand the reason.  
> 
> In out design this does not have to happen on the host's boot. But I 
> wonder if some PF host driver authenticated some device and then we 
> create a bunch of VFs and pass the SPDM ownership of the PF to the PSP 
> to reauthentificate it again - the already running PF host driver may 
> become upset, may it? 12/12 assumes the host driver is VFIO-PCI but it 
> won't be, VFs will be bound to VFIO-PCI. Hope this all makes sense. Thanks,

Without some experiments with real drivers, will be hard to be sure, but
I'd expect it to be fine as the host driver bound after attestation (or
what's the point?)
In this patch set attestation only happens again on a reset or kicking it
because of new certs.  For reset, your PSP should be doing it all over again
anyway so that can happen after the host driver has dealt with the reset.
For the manual poking to retry attestation, if the model is we don't
load the driver until the attestation succeeds then that should be fine
(as driver not loaded).

The lock out needed for PF pass through doesn't apply given we are poking
it from the PSP via the host.

So I think patch 12 is irrelevant to your usecase rather than a problem.

May well be dragons in the corner cases.  If we need a lockout for
after the PSP gets involved, then fair enough.

Jonathan

> 
> 
> > 
> > Thanks,
> > 
> > Lukas  
> 




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux