On Tue, Oct 03, 2023 at 09:30:58PM +0200, Lukas Wunner wrote: > On Tue, Oct 03, 2023 at 04:40:48PM +0100, Jonathan Cameron wrote: > > On Thu, 28 Sep 2023 19:32:42 +0200 Lukas Wunner <lukas@xxxxxxxxx> wrote: > > > At any given time, only a single entity in a physical system may have > > > an SPDM connection to a device. That's because the GET_VERSION request > > > (which begins an authentication sequence) resets "the connection and all > > > context associated with that connection" (SPDM 1.3.0 margin no 158). > > > > > > Thus, when a device is passed through to a guest and the guest has > > > authenticated it, a subsequent authentication by the host would reset > > > the device's CMA-SPDM session behind the guest's back. > > > > > > Prevent by letting the guest claim exclusive CMA ownership of the device > > > during passthrough. Refuse CMA reauthentication on the host as long. > > > After passthrough has concluded, reauthenticate the device on the host. > Could you (as an English native speaker) comment on the clarity of the > two sentences "Prevent ... as long." above, as Ilpo objected to them? > > The antecedent of "Prevent" is the undesirable behaviour in the preceding > sentence (host resets guest's SPDM connection). I think this means "prevent a reauthentication by the host behind the guest's back" (which seems to match the first diff hunk), but I agree it would be helpful to make the connection clearer, e.g., When passing a device through to a guest, mark it as "CMA owned exclusively by the guest" for the duration of the passthrough to prevent the host from reauthenticating and resetting the device's CMA-SPDM session. > The antecedent of "as long" is "during passthrough" in the preceding > sentence. "as long" definitely needs something to connect it with the passthrough. Bjorn
