Some confidential computing architectures (Intel TDX, ARM CCA, RISC-V CoVE)
provide their guests with a set of measurement registers that can be
extended at runtime, i.e. after the initial, host-initiated measurements of
the TVM are finalized. Those runtime measurement registers (RTMR) are
isolated from the host-accessible ones, but TSMs include them in their
signed attestation reports.

All architectures supporting RTMRs expose a similar interface to their TVMs:
an extension command/call that takes a measurement value and an RTMR index
to extend it with, and a readback command for reading an RTMR value back
(taking an RTMR index as an argument as well).

This patch series builds an architecture-agnostic, configfs-based ABI for
userspace to extend and read RTMR values back. It extends the current TSM
ops structure, and each confidential computing architecture can implement
this extension to provide RTMR support.

Changes since v1 [1]:
- Removed the ability for userspace to configure the TCG PCR mappings. The
  configfs attribute for the TCG PCR mapping is now RO, and the mapping is
  passed from the TSM provider as a static bitmap.
- Document the added tsm-configs attributes.

TODO:
- Event log support.

[1] https://lore.kernel.org/lkml/20240114223532.290550-1-sameo@xxxxxxxxxxxx/

---

Samuel Ortiz (4):
  tsm: Runtime measurement register support
  tsm: Add RTMRs to the configfs-tsm hierarchy
  tsm: Map RTMRs to TCG TPM PCRs
  tsm: Allow for extending and reading configured RTMRs

 Documentation/ABI/testing/configfs-tsm |  36 +++
 drivers/virt/coco/Kconfig              |   1 +
 drivers/virt/coco/tsm.c                | 376 +++++++++++++++++++++++++
 include/linux/tsm.h                    |  39 ++-
 4 files changed, 451 insertions(+), 1 deletion(-)

--
2.42.0
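The extend/readback interface and the static RTMR-to-PCR bitmap the cover letter describes, modelled in software so the semantics can be exercised without a TVM. This is an added example, not code from the patch series or from any TSM. It assumes four registers and TDX-style chaining (new value = SHA-384(old value || measurement), starting from an all-zero register); other architectures may use a different digest or register count. The PCR bitmaps, the class `RtmrBank`, and the functions `measure`, `replay`, `verify_report` and `pcr_indices` are hypothetical names chosen for the example. The replay check at the end is what a relying party does with the RTMR values carried in a signed attestation report once an event log is available.

```python
"""Software model of runtime measurement registers (RTMRs): extend(index, value),
read(index), a read-only RTMR -> TCG PCR bitmap, and a verifier-side replay.
Added example; not code from the tsm patch series."""
import hashlib

# Assumptions (not stated in the cover letter): four registers, SHA-384
# chaining as Intel TDX does, registers start as all-zero digests.
RTMR_COUNT = 4
DIGEST = hashlib.sha384
DIGEST_LEN = DIGEST().digest_size  # 48 bytes

# Hypothetical static RTMR -> TCG PCR bitmap, as a TSM provider would pass it.
# Bit n set in entry i means RTMR i stands in for TPM PCR n. Userspace may
# read this mapping but never change it.
TCG_PCR_MAP = (
    (1 << 1) | (1 << 7),                # RTMR0: firmware config, secure boot policy
    sum(1 << n for n in range(2, 6)),   # RTMR1: PCR 2-5 (boot loader, drivers)
    sum(1 << n for n in range(8, 16)),  # RTMR2: PCR 8-15 (OS, applications)
    0,                                  # RTMR3: no PCR equivalent
)


def pcr_indices(rtmr):
    """Decode the bitmap for one RTMR into the list of PCR numbers it maps to."""
    if not 0 <= rtmr < RTMR_COUNT:
        raise ValueError(f"bad RTMR index {rtmr}")
    return [n for n in range(24) if TCG_PCR_MAP[rtmr] & (1 << n)]


def measure(data):
    """Measurement value for a blob: its digest, sized to fit an extend call."""
    return DIGEST(data).digest()


class RtmrBank:
    """The registers a TVM sees, plus the event log the series lists as TODO."""

    def __init__(self):
        self._regs = [bytes(DIGEST_LEN) for _ in range(RTMR_COUNT)]
        self.event_log = []  # (rtmr index, measurement) in extend order

    def extend(self, index, measurement):
        """Extend one register. The range and length checks are the ones an
        ABI must perform before forwarding the call to the TSM."""
        if not 0 <= index < RTMR_COUNT:
            raise ValueError(f"bad RTMR index {index}")
        if len(measurement) != DIGEST_LEN:
            raise ValueError(f"measurement must be {DIGEST_LEN} bytes")
        self._regs[index] = DIGEST(self._regs[index] + measurement).digest()
        self.event_log.append((index, bytes(measurement)))
        return self._regs[index]

    def read(self, index):
        """Readback of one register, as the TSM would report it."""
        if not 0 <= index < RTMR_COUNT:
            raise ValueError(f"bad RTMR index {index}")
        return self._regs[index]

    def read_all(self):
        """All registers, in the order they appear in an attestation report."""
        return tuple(self._regs)


def replay(event_log):
    """Recompute every register from an event log (verifier side)."""
    bank = RtmrBank()
    for index, measurement in event_log:
        bank.extend(index, measurement)
    return bank.read_all()


def verify_report(reported_rtmrs, event_log):
    """True if the RTMR values in a report are explained by the event log.
    Any missing, reordered or altered event changes the replayed value."""
    return replay(event_log) == tuple(reported_rtmrs)


if __name__ == "__main__":
    # Constructed boot sequence, not real measurements.
    bank = RtmrBank()
    bank.extend(1, measure(b"vmlinuz"))
    bank.extend(1, measure(b"initrd"))
    bank.extend(2, measure(b"app-config-v1"))
    print("RTMR1 ->", bank.read(1).hex())
    print("RTMR1 maps to PCRs", pcr_indices(1))
    print("report verifies:", verify_report(bank.read_all(), bank.event_log))
    print("truncated log verifies:", verify_report(bank.read_all(), bank.event_log[:-1]))
```

Extending with anything other than a digest-sized value is rejected rather than padded or truncated, since silently accepting a short value would let two different inputs produce the same register state.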