Hi,

On 5/24/23 2:33 PM, Chong Cai wrote:
> Tested-by: Qinkun Bao <qinkun@xxxxxxxxxx>
>
> Thanks Sathyanarayanan for the new patch! This patch is critical for
> our use case.
> We built a guest image with the patch, and verified it works for us,
> when using a host kernel built with https://github.com/intel/tdx repo.

Qinkun Bao/Chong Cai, thanks for testing it. I really appreciate the help.

Dave/Boris, could you please take a look at this patch set?

>
> On Sun, May 14, 2023 at 12:24 AM Kuppuswamy Sathyanarayanan
> <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx> wrote:
>>
>> Hi All,
>>
>> In TDX guest, the attestation process is used to verify the TDX guest
>> trustworthiness to other entities before provisioning secrets to the
>> guest.
>>
>> The TDX guest attestation process consists of two steps:
>>
>> 1. TDREPORT generation
>> 2. Quote generation.
>>
>> The first step (TDREPORT generation) involves getting the TDX guest
>> measurement data in the format of TDREPORT which is further used to
>> validate the authenticity of the TDX guest. The second step involves
>> sending the TDREPORT to a Quoting Enclave (QE) server to generate a
>> remotely verifiable Quote. TDREPORT by design can only be verified on
>> the local platform. To support remote verification of the TDREPORT,
>> TDX leverages Intel SGX Quoting Enclave to verify the TDREPORT
>> locally and convert it to a remotely verifiable Quote. Although
>> attestation software can use communication methods like TCP/IP or
>> vsock to send the TDREPORT to QE, not all platforms support these
>> communication models. So TDX GHCI specification [1] defines a method
>> for Quote generation via hypercalls. Please check the discussion from
>> Google [2] and Alibaba [3] which clarifies the need for hypercall based
>> Quote generation support. This patch set adds this support.
>>
>> Support for TDREPORT generation already exists in the TDX guest driver.
>> This patchset extends the same driver to add the Quote generation
>> support.
>>
>> Following are the details of the patch set:
>>
>> Patch 1/3 -> Adds event notification IRQ support.
>> Patch 2/3 -> Adds Quote generation support.
>> Patch 3/3 -> Adds selftest support for Quote generation feature.
>>
>> [1] https://cdrdv2.intel.com/v1/dl/getContent/726790, section titled "TDG.VP.VMCALL<GetQuote>".
>> [2] https://lore.kernel.org/lkml/CAAYXXYxxs2zy_978GJDwKfX5Hud503gPc8=1kQ-+JwG_kA79mg@xxxxxxxxxxxxxx/
>> [3] https://lore.kernel.org/lkml/a69faebb-11e8-b386-d591-dbd08330b008@xxxxxxxxxxxxxxxxx/
>>
>> Kuppuswamy Sathyanarayanan (3):
>>   x86/tdx: Add TDX Guest event notify interrupt support
>>   virt: tdx-guest: Add Quote generation support
>>   selftests/tdx: Test GetQuote TDX attestation feature
>>
>>  Documentation/virt/coco/tdx-guest.rst        |  11 ++
>>  arch/x86/coco/tdx/tdx.c                      | 194 +++++++++++++++++++
>>  arch/x86/include/asm/tdx.h                   |   8 +
>>  drivers/virt/coco/tdx-guest/tdx-guest.c      | 175 ++++++++++++++++-
>>  include/uapi/linux/tdx-guest.h               |  44 +++++
>>  tools/testing/selftests/tdx/tdx_guest_test.c |  65 ++++++-
>>  6 files changed, 490 insertions(+), 7 deletions(-)
>>
>> --
>> 2.34.1
>>

--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer
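The cover letter above describes TDREPORT as guest measurement data that a verifier later consumes once the QE has wrapped it into a Quote. As an added example (not part of this thread or of the kernel driver), the snippet below parses a TDREPORT blob into the fields a verifier cares about and checks that the 64-byte REPORTDATA carries the verifier's own nonce; the field offsets follow the Intel TDX Module specification's TDREPORT layout, which is my assumption here, and the sample blob is constructed rather than taken from hardware.

```python
import struct

TDREPORT_SIZE = 1024          # REPORTMACSTRUCT(256) + TEE_TCB_INFO(239) + reserved(17) + TDINFO(512)
TDX_REPORT_TYPE = 0x81        # REPORTTYPE.TYPE value for a TDX (not SGX) report, per the TDX Module spec


def parse_tdreport(blob: bytes) -> dict:
    """Split a raw TDREPORT into verifier-relevant fields.

    Offsets are an assumption taken from the Intel TDX Module spec:
    REPORTMACSTRUCT at 0, TDINFO at 512; they are not defined in this thread.
    """
    if len(blob) != TDREPORT_SIZE:
        raise ValueError(f"TDREPORT must be {TDREPORT_SIZE} bytes, got {len(blob)}")
    mac_struct, tdinfo = blob[:256], blob[512:]
    (report_type,) = struct.unpack_from("B", mac_struct, 0)
    if report_type != TDX_REPORT_TYPE:
        raise ValueError(f"unexpected report type 0x{report_type:02x}")
    return {
        "reportdata": mac_struct[128:192],   # 64-byte caller-supplied data (nonce goes here)
        "mac": mac_struct[224:256],          # only the local platform / QE can verify this
        "mrtd": tdinfo[16:64],               # initial TD measurement
        "rtmrs": [tdinfo[208 + 48 * i:256 + 48 * i] for i in range(4)],  # runtime measurements
    }


def check_freshness(report: dict, nonce: bytes) -> bool:
    """Bind the report to the verifier's nonce so a stale TDREPORT cannot be replayed."""
    return report["reportdata"] == nonce.ljust(64, b"\x00")


def build_sample_tdreport(nonce: bytes, mrtd: bytes) -> bytes:
    """Constructed sample blob laid out at the spec offsets; not real hardware output."""
    if len(mrtd) != 48:
        raise ValueError("MRTD is a 48-byte SHA-384 digest")
    buf = bytearray(TDREPORT_SIZE)
    buf[0] = TDX_REPORT_TYPE
    buf[128:192] = nonce.ljust(64, b"\x00")
    buf[512 + 16:512 + 64] = mrtd
    return bytes(buf)


if __name__ == "__main__":
    nonce = b"verifier-nonce-0001"                     # constructed
    report = parse_tdreport(build_sample_tdreport(nonce, b"\xaa" * 48))
    print("MRTD:", report["mrtd"].hex())
    print("nonce matches:", check_freshness(report, nonce))
```

The MAC is deliberately only extracted, not checked: as the cover letter says, TDREPORT is verifiable only on the local platform, which is exactly why the Quote step exists.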