The PCIe 6.1 specification, section 11, introduces the Trusted
Execution Environment (TEE) Device Interface Security Protocol (TDISP).
This interface definition builds upon CMA, component measurement and
authentication, and IDE, link integrity and data encryption. It adds
support for establishing virtual functions within a device that can be
assigned to a confidential VM such that the assigned device is enabled
to access guest private memory protected by technologies like Intel TDX,
AMD SEV-SNP, RISCV COVE, or ARM CCA.
The "TSM" (TEE Security Manager) is a concept in the TDISP specification
of an agent that mediates between a device security manager (DSM) and
system software in both a VMM and a VM. From a Linux perspective the TSM
abstracts many of the details of TDISP, IDE, and CMA. Some of those
details leak through at times, but for the most part TDISP is an
internal implementation detail of the TSM.
Similar to the PCI core extensions to support CONFIG_PCI_CMA,
CONFIG_PCI_TSM builds upon that to reuse the "authenticated" sysfs
attribute, and add more properties + controls in a tsm/ subdirectory of
the PCI device sysfs interface. Unlike CMA that can depend on a local to
the PCI core implementation, PCI_TSM needs to be prepared for late
loading of the platform TSM driver. Consider that the TSM driver may
itself be a PCI driver. Userspace can depend on the common TSM device
uevent to know when the PCI core has TSM services enabled. The PCI
device tsm/ subdirectory is supplemented by the TSM device pci/
directory for platform global TSM properties + controls.
All vendor TSM implementations share the property of asking the VMM to
perform DOE mailbox operations on behalf of the TSM. That common
capability is centralized in PCI core code that invokes an ->exec()
operation callback potentially multiple times to service a given request
(struct pci_tsm_req). Future operations / verbs will be handled
similarly with the "request + exec" model. For now, only "connect" and
"disconnect" are implemented which at a minimum is expected to establish
IDE for the link.
In addition to requests the low-level TSM implementation is notified of
device arrival and departure events so that it can filter devices that
the TSM is not prepared to support, or otherwise setup and teardown
per-device context.
Cc: Wu Hao <hao.wu@xxxxxxxxx>
Cc: Yilun Xu <yilun.xu@xxxxxxxxx>
Cc: Lukas Wunner <lukas@xxxxxxxxx>
Cc: Samuel Ortiz <sameo@xxxxxxxxxxxx>
Cc: Alexey Kardashevskiy <aik@xxxxxxx>
Cc: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
---
Documentation/ABI/testing/sysfs-bus-pci | 43 +++-
Documentation/ABI/testing/sysfs-class-tsm | 23 ++
drivers/pci/Kconfig | 15 +
drivers/pci/Makefile | 2
drivers/pci/cma.c | 5
drivers/pci/pci-sysfs.c | 3
drivers/pci/pci.h | 14 +
drivers/pci/probe.c | 1
drivers/pci/remove.c | 1
drivers/pci/tsm.c | 346 +++++++++++++++++++++++++++++
drivers/virt/coco/tsm/Makefile | 1
drivers/virt/coco/tsm/class.c | 22 +-
drivers/virt/coco/tsm/pci.c | 83 +++++++
drivers/virt/coco/tsm/tsm.h | 28 ++
include/linux/pci.h | 3
include/linux/tsm.h | 77 ++++++
include/uapi/linux/pci_regs.h | 3
17 files changed, 662 insertions(+), 8 deletions(-)
create mode 100644 drivers/pci/tsm.c
create mode 100644 drivers/virt/coco/tsm/pci.c
create mode 100644 drivers/virt/coco/tsm/tsm.h
diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci
index 35b0e11fd0e6..0eef2128cf09 100644
--- a/Documentation/ABI/testing/sysfs-bus-pci
+++ b/Documentation/ABI/testing/sysfs-bus-pci
@@ -508,11 +508,16 @@ Description:
This file contains "native" if the device authenticated
successfully with CMA-SPDM (PCIe r6.1 sec 6.31). It contains
"none" if the device failed authentication (and may thus be
- malicious).
+ malicious). It transitions from "native" to "tsm" after
+ successful connection to a tsm, see the "connect" attribute
+ below.
Writing "native" to this file causes reauthentication with
kernel-selected keys and the kernel's certificate chain. That
- may be opportune after updating the .cma keyring.
+ may be opportune after updating the .cma keyring. Note
+ that once connected to a tsm this returns -EBUSY to attempts to
+ write "native", i.e. first disconnect from the tsm to retrigger
+ native authentication.
The file is not visible if authentication is unsupported
by the device.
@@ -529,3 +534,37 @@ Description:
The reason why authentication support could not be determined
is apparent from "dmesg". To probe for authentication support
again, exercise the "remove" and "rescan" attributes.
+
+What: /sys/bus/pci/devices/.../tsm/
+Date: January 2024
+Contact: linux-coco@xxxxxxxxxxxxxxx
+Description:
+ This directory only appears if a device supports CMA and IDE,
+ and only after a TSM driver has loaded and accepted / setup this
+ PCI device. Similar to the 'authenticated' attribute, trigger
+ "remove" and "rescan" to retry the initialization. See
+ Documentation/ABI/testing/sysfs-class-tsm for enumerating the
+ platform's TSM capabilities.
+
+What: /sys/bus/pci/devices/.../tsm/connect
+Date: January 2024
+Contact: linux-coco@xxxxxxxxxxxxxxx
+Description:
+ (RW) Writing "1" to this file triggers the TSM to establish a
+ secure connection with the device. This typically includes an
+ SPDM (DMTF Security Protocols and Data Models) session over PCIe
+ DOE (Data Object Exchange) and PCIe IDE (Integrity and Data
+ Encryption) establishment. For TSMs and devices that support
+ both modes of IDE ("link" and "selective") the "connect_mode"
+ attribute selects the mode.
+
+What: /sys/bus/pci/devices/.../tsm/connect_mode
+Date: January 2024
+Contact: linux-coco@xxxxxxxxxxxxxxx
+Description:
+ (RO) Returns the available connection modes optionally with
+ brackets around the currently active mode if the device is
+ connected. For example it may show "link selective" for a
+ disconnected device, "link [selective]" for a selective
+ connected device, and it may hide a mode that is not supported
+ by the device or TSM.
diff --git a/Documentation/ABI/testing/sysfs-class-tsm b/Documentation/ABI/testing/sysfs-class-tsm
index 304b50b53e65..77957882738a 100644
--- a/Documentation/ABI/testing/sysfs-class-tsm
+++ b/Documentation/ABI/testing/sysfs-class-tsm
@@ -10,3 +10,26 @@ Description:
For software TSMs instantiated by a software module, @host is a
directory with attributes for that TSM, and those attributes are
documented below.
+
+
+What: /sys/class/tsm/tsm0/pci/link_capable
+Date: January, 2024
+Contact: linux-coco@xxxxxxxxxxxxxxx
+Description:
+ (RO) When present this returns "1\n" to indicate that the TSM
+ supports establishing Link IDE with a given root-port attached
+ device. See "tsm/connect_mode" in
+ Documentation/ABI/testing/sysfs-bus-pci
+
+
+What: /sys/class/tsm/tsm0/pci/selective_streams
+Date: January, 2024
+Contact: linux-coco@xxxxxxxxxxxxxxx
+Description:
+ (RO) When present this returns the number of currently available
+ selective IDE streams available to the TSM. When a stream id is
+ allocated this number is decremented and a link to the PCI
+ device(s) consuming the stream(s) appears alonside this
+ attribute in the /sys/class/tsm/tsm0/pci/ directory. See
+ "tsm/connect" and "tsm/connect_mode" in
+ Documentation/ABI/testing/sysfs-bus-pci.
diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index a5c3cadddd6f..11d788038d19 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -129,6 +129,21 @@ config PCI_CMA
A PCI DOE mailbox is used as transport for DMTF SPDM based
authentication, measurement and secure channel establishment.
+config PCI_TSM
+ bool "TEE Security Manager for Device Security"
+ depends on PCI_CMA
+ depends on TSM
+ help
+ The TEE (Trusted Execution Environment) Device Interface
+ Security Protocol (TDISP) defines a "TSM" as a platform agent
+ that manages device authentication, link encryption, link
+ integrity protection, and assignment of PCI device functions
+ (virtual or physical) to confidential computing VMs that can
+ access (DMA) guest private memory.
+
+ Say Y to enable the PCI subsystem to enable the IDE and
+ TDISP capabilities of devices via TSM semantics.
+
config PCI_DOE
bool
diff --git a/drivers/pci/Makefile b/drivers/pci/Makefile
index cc8b5d1d15b9..c4117d67ea83 100644
--- a/drivers/pci/Makefile
+++ b/drivers/pci/Makefile
@@ -38,6 +38,8 @@ obj-$(CONFIG_PCI_CMA) += cma.o cma.asn1.o
$(obj)/cma.o: $(obj)/cma.asn1.h
$(obj)/cma.asn1.o: $(obj)/cma.asn1.c $(obj)/cma.asn1.h
+obj-$(CONFIG_PCI_TSM) += tsm.o
+
# Endpoint library must be initialized before its users
obj-$(CONFIG_PCI_ENDPOINT) += endpoint/
diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
index be7d2bb21b4c..5a69e9919589 100644
--- a/drivers/pci/cma.c
+++ b/drivers/pci/cma.c
@@ -39,6 +39,9 @@ static ssize_t authenticated_store(struct device *dev,
if (!sysfs_streq(buf, "native"))
return -EINVAL;
+ if (pci_tsm_authenticated(pdev))
+ return -EBUSY;
+
rc = pci_cma_reauthenticate(pdev);
if (rc)
return rc;
