On 19/10/23 06:58, Dan Williams wrote:
Jonathan Cameron wrote:
On Tue, 3 Oct 2023 21:30:58 +0200
Lukas Wunner <lukas@xxxxxxxxx> wrote:
On Tue, Oct 03, 2023 at 04:40:48PM +0100, Jonathan Cameron wrote:
On Thu, 28 Sep 2023 19:32:42 +0200 Lukas Wunner <lukas@xxxxxxxxx> wrote:
At any given time, only a single entity in a physical system may have
an SPDM connection to a device. That's because the GET_VERSION request
(which begins an authentication sequence) resets "the connection and all
context associated with that connection" (SPDM 1.3.0 margin no 158).
Thus, when a device is passed through to a guest and the guest has
authenticated it, a subsequent authentication by the host would reset
the device's CMA-SPDM session behind the guest's back.
Prevent by letting the guest claim exclusive CMA ownership of the device
during passthrough. Refuse CMA reauthentication on the host as long.
After passthrough has concluded, reauthenticate the device on the host.
Is there anything stopping a PF presenting multiple CMA capable DOE
instances? I'd expect them to have their own contexts if they do..
The spec does not seem to *explicitly* forbid a PF having multiple
CMA-capable DOE instances, but PCIe r6.1 sec 6.31.3 says:
"The instance of DOE used for CMA-SPDM must support ..."
Note the singular ("The instance"). It seems to suggest that the
spec authors assumed there's only a single DOE instance for CMA-SPDM.
It's a little messy and a bit of American vs British English I think.
If it said
"The instance of DOE used for a specific CMA-SPDM must support..."
then it would clearly allow multiple instances. However, conversely,
I don't read that sentence as blocking multiple instances (even though
I suspect you are right and the author was thinking of there being one).
Could you (as an English native speaker) comment on the clarity of the
two sentences "Prevent ... as long." above, as Ilpo objected to them?
The antecedent of "Prevent" is the undesirable behaviour in the preceding
sentence (host resets guest's SPDM connection).
The antecedent of "as long" is "during passthrough" in the preceding
sentence.
Is that clear and understandable for an English native speaker or
should I rephrase?
Not clear enough to me as it stands. That "as long" definitely feels
like there is more to follow it as Ilpo noted.
Maybe reword as something like
Prevent this by letting the guest claim exclusive ownership of the device
during passthrough ensuring problematic CMA reauthentication by the host
is blocked.
My contribution to the prose here is to clarify that this mechanism is
less about "appoint the guest as the exslusive owner" and more about
"revoke the bare-metal host as the authentication owner".
In fact I don't see how the guest can ever claim to "own" CMA since
config-space is always emulated to the guest.
No difference to the PSP and the baremetal linux for this matter as the
PSP does not have direct access to the config space either.
So the guest will always
be in a situation where it needs to proxy SPDM related operations. The
proxy is either terminated in the host as native SPDM on behalf of the
guest, or further proxied to the platform-TSM.
So let's just clarify that at assignment, host control is revoked, and
the guest is afforded the opportunity to re-establish authentication
either by asking the host re-authenticate on the guest's behalf, or
asking the platform-tsm to authenticate the device on the guest's
behalf.
...and even there the guest does not know if it is accessing a 1:1 VF:PF
device representation, or one VF instance of PF where the PF
authentication answer only occurs once for all potential VFs.
Actually, that brings up a question about when to revoke host
authentication in the VF assignment case? That seems to be a policy
decision that the host needs to make globally for all VFs of a PF. If
the guest is going to opt-in to relying on the host's authentication
decision then the revoking early may not make sense.
It may be a
decision that needs to be deferred until the guest makes its intentions
clear, and the host will need to have policy around how to resolve
conflicts between guestA wants "native" and guestB wants "platform-TSM".
If the VFs those guests are using map to the same PF then only one
policy can be in effect.
To own IDE, the guest will have to have exclusive access to the portion
of RC responsible for the IDE keys. Which is doable but requires passing
through both RC and the device and probably everything between these
two. It is going to be quite different "host-native" and
"guest-native". How IDE keys are going to be programmed into the RC on
Intel?
--
Alexey
