Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp130153pxv; Thu, 8 Jul 2021 16:59:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyNVsZqt1xRy/iHwWabQ2FCXRsxbYGTOYdKR0HW8riffrCUr7b0N/uJVFr6zz7ByMOYX7tF X-Received: by 2002:a17:906:3693:: with SMTP id a19mr25194922ejc.237.1625788777313; Thu, 08 Jul 2021 16:59:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625788777; cv=none; d=google.com; s=arc-20160816; b=QvOSvsY7vD3KOu2rzq7QYEPcHpygPOb6CE8tZkn3lwbYPGZm5TWLUROwSW2VXyyN/b VeqjPUrt1L5E0JtTW+rV9T2IG1qycgyTSqVKY/kG/4vJoiiVgk8Cr6djlDRiLKrOxbdj YSJK1c1fQsK+thy6DaamMF/h/JyraTelNd+aFecSEFw6DUX6qBS2jIgYfqbXx136WHEl GtwyNJkKNi7LSUanIQtmFl8HrsV76L/Cfqk0WKRrUqWxnduAc/URIcCl4YBh90Kqiru7 6Uwe7p+mbuSzoYUx4siG0D1rkVR/q3dAi5XpTLbt/PhkwZqieDkBjRTy3hj+tLy9SqiU jkOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=w8dPiSI3VIHsDTs9AqsxYsxeL+xwsGPYL/GXQBW59RM=; b=BA2yNT7/vmyZOJY9dgw9NBHUoAnhRHhaq7pVBPBQ21z7b+HpUVKp/7SLPa6x103lz/ 5Ac9eRNsOGN6fgs4Nrs81zNyAw57aNffTqOEjtQP5rRf7fJqvW3TwC4QWE5Ed80MZdvm VU4qJQI2EqUW50DK8TvE9Nc4qkiJhYk9uHIsYVoVW1eY804enYbPr8AZf5RfwTIMjOYz lVnJevgQdCfHVgw/RObSSd9jMrSevkBoHDZVivcfbzlO4NcmJDk9JSsKEr426THwY0wp EOYp4LobQTQBv7KvA1ikMQ4Ae32Mdl872GmaToZbi1tbx3Keo9wk+gYu5Lx9cYejgybm x+qQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id eb14si5201773edb.366.2021.07.08.16.59.15; Thu, 08 Jul 2021 16:59:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229953AbhGIAAM (ORCPT + 99 others); Thu, 8 Jul 2021 20:00:12 -0400 Received: from mga09.intel.com ([134.134.136.24]:6504 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229600AbhGIAAL (ORCPT ); Thu, 8 Jul 2021 20:00:11 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10039"; a="209582193" X-IronPort-AV: E=Sophos;i="5.84,225,1620716400"; d="scan'208";a="209582193" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jul 2021 16:57:27 -0700 X-IronPort-AV: E=Sophos;i="5.84,225,1620716400"; d="scan'208";a="564724399" Received: from npujari-mobl.amr.corp.intel.com (HELO skuppusw-mobl5.amr.corp.intel.com) ([10.213.167.42]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jul 2021 16:57:26 -0700 Subject: Re: [PATCH v2 5/6] platform/x86: intel_tdx_attest: Add TDX Guest attestation interface driver To: Dan Williams Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , Hans de Goede , Mark Gross , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Peter H Anvin , Dave Hansen , Tony Luck , Andi Kleen , Kirill Shutemov , Sean Christopherson , Kuppuswamy Sathyanarayanan , X86 ML , Linux Kernel Mailing List , platform-driver-x86@vger.kernel.org, bpf@vger.kernel.org, Netdev References: <20210707204249.3046665-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210707204249.3046665-6-sathyanarayanan.kuppuswamy@linux.intel.com> From: "Kuppuswamy, Sathyanarayanan" Message-ID: <24d8fd58-36c1-0e89-4142-28f29e2c434b@linux.intel.com> Date: Thu, 8 Jul 2021 16:57:24 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/8/21 4:36 PM, Dan Williams wrote: >> +static int tdg_attest_open(struct inode *inode, struct file *file) >> +{ >> + /* >> + * Currently tdg_event_notify_handler is only used in attestation >> + * driver. But, WRITE_ONCE is used as benign data race notice. >> + */ >> + WRITE_ONCE(tdg_event_notify_handler, attestation_callback_handler); > Why is this ioctl not part of the driver that registered the interrupt We cannot club them because they are not functionally related. Even notification is a separate common feature supported by TDX and configured using SetupEventNotifyInterrupt hypercall. It is not related to TDX attestation. Attestation just uses event notification interface to get the quote completion event. > handler for this callback in the first instance? I've never seen this > style of cross-driver communication before. This is similar to x86_platform_ipi_callback() acrn_setup_intr_handler() use cases. > >> + >> + file->private_data = (void *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, >> + get_order(QUOTE_SIZE)); > Why does this driver abandon all semblance of type-safety and use > ->private_data directly? This also seems an easy way to consume > memory, just keep opening this device over and over again. > > AFAICS this buffer is only used ephemerally. I see no reason it needs > to be allocated once per open file. Unless you need several threads to > be running the attestation process in parallel just allocate a single > buffer at module init (statically defined or on the heap) and use a > lock to enforce only one user of this buffer at a time. That would > also solve your direct-map fracturing problem. Theoretically attestation requests can be sent in parallel. I have allocated the memory in open() call mainly for this reason. But current TDX ABI specification does not clearly specify this possibility and I am not sure whether TDX KVM supports it. Let me confirm about it again with TDX KVM owner. If such model is not currently supported, then I will move the memory allocation to init code. > > All that said, this new user ABI for passing blobs in and out of the > kernel is something that the keyutils API already does. Did you > consider add_key() / request_key() for this case? That would also be > the natural path for the end step of requesting the drive decrypt key. > I.e. a chain of key payloads starting with establishing the > attestation blob. I am not sure whether we can use keyutil interface for attestation. AFAIK, there are other use cases for attestation other than getting keys for encrypted drives. -- Sathyanarayanan Kuppuswamy Linux Kernel Developer