On Tue, Jul 16, 2024 at 07:17:55AM +0900, Damien Le Moal wrote:

> Of note though is that in the case of SCSI/ATA storage, the device
> (the HDD or SSD) is not the one doing DMA directly to the host/guest
> memory. That is the adapter (the HBA). So we could ask ourselves if
> it makes sense to authenticate storage devices without the HBA being
> authenticated first.

For sure, you have to have all parts of the equation authenticated
before you can turn on access to trusted memory.

Is there some way these non-DOE messages channel bind the attestation
they return to the PCI TDISP encryption keys? What is the sequence you
are after?

> And for PCI NVMe devices that can support SPDM either through
> PCI DOE or SPDM-over-storage (SECURITY SEND/RECV commands), then I
> guess we need some special handling/config to allow (or not)
> SPDM-over-storage authentication as that will require the device
> driver to be loaded and to execute some commands before
> authentication can happen.

I'm not sure those commands make sense in a PCI context? They make
more sense to me in an NVMe over Network scenario where you could have
the attestation bind a TLS secret.

Still, my remarks from before stand, it looks like it is going to be
complex to flip a device from non-trusted to trusted.

Jason