On Thu, May 19, 2022 at 10:42 PM Lukas Wunner <lukas@xxxxxxxxx> wrote:
>
> On Wed, May 18, 2022 at 06:43:39AM -0700, Christoph Hellwig wrote:
> > On Sat, May 14, 2022 at 03:55:21PM +0200, Lukas Wunner wrote:
> > > Circling back to the SPDM/IDE topic, while NVMe is now capable of
> > > reliably recovering from errors, it does expect the kernel to handle
> > > recovery within a few seconds. I'm not sure we can continue to
> > > guarantee that if the kernel depends on user space to perform
> > > re-authentication with SPDM after reset. That's another headache
> > > that we could avoid with in-kernel SPDM authentication.
> >
> > I wonder if we need kernel bundled and tightly controlled userspace
> > code for these kinds of things (also for NVMe/NFS TLS). That is,
> > bundle a userspace ELF file or files with a module which is unpacked
> > to or accessible by a ramfs-style file system. Then allow executing
> > it without any interaction with the normal userspace, and non-pageable
> > memory. That way we can reuse existing userspace code, have really
> > nice address space isolation but avoid all the deadlock potential
> > of normal userspace code. And I don't think it would be too hard to
> > implement either.
>
> Just as a reminder, on resume from system sleep, IDE needs to be
> set up by pci_pm_resume_noirq() to comply with the existing assumption
> that a PCI driver's ->resume_noirq callback may access the device.
>
> At that point (device) interrupts are disabled, so it's not possible
> to e.g. read certificates from disk or perform an OCSP request.
> So the bundled userspace code would have to conform to a number of
> severe restrictions to avoid resume issues.

Recall that OS managed IDE is somewhat of a stop-gap / special case as
typically the OS kernel is outside of the platform trust boundary for
things like TDX. I imagine suspend in the presence of IDE would be
platform firmware managed, not OS managed.

Certificate validation can always move internal to the kernel later if
a concrete need arises, but it is difficult to go the other way, to kick
out certificate validation from the kernel if it proves not to be
needed. Otherwise, a ring3/userspace helper that can live in
non-pageable memory to avoid scenarios like this sounds like a
capability that would be worth having regardless.