Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1131353pxb; Wed, 29 Sep 2021 18:10:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxDuae5k41eKArhOZFTWvcs9iyQhGjhTAcuHyzDCIJfwBcj0JYqwvOQzrn6hqZb+O2DRZXu X-Received: by 2002:a50:becf:: with SMTP id e15mr3803443edk.114.1632964245958; Wed, 29 Sep 2021 18:10:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632964245; cv=none; d=google.com; s=arc-20160816; b=QdXb2+ESb/uGQ4qyA3xNgbCxplHsZqYkIwDhu63srzZGGZVSM6WidjP1ehT+GEQqkL M/uSCSrQDODVQ3lh3Bh1krImyA3L7myl0gdSzM6Uc5z8KSoChum8yRE3MWDg2CDIa1KK XCK/mCEYPsnboDUv+hYozkA+2504C3xcXsEPhkrQOz93UTTqOUWOTl5I0c3tL5Vnbke7 thfL+G4y2J/UA8DINE3zkX3+Fjz/wAsPhrQ1g7H4Uvs9w5IotmZpL2BO1JHvdzngyVgH M133lADZHT8iyFwkb5PS5CWKtiXENuaoXtZONFRArslhJj4HkP0wrO/SsMRh7yjihMoa VNEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=uyHFuRhSLvRpDdpXe5pwW4DQ4IEO9QlopJzszaqZm5E=; b=j0Uw91fwOw1Q45kzN+gR1DBXAC2PyBNVaKq/JfgocOkFzu0HFuNnL3b27fAC42/Bbl Yf/mhkEVQx/pLjPA1nOWm6dl3icB6uoyi/nRW02/x23Zs/yI+c6JU5n7GgmavJKOCZi9 W4OMXwyjsU58AT5ripJkM2kS3Sn+MymCYokNRGuFyPvuaRccChRvoOLECqUnTBUNCqZ+ U6ocuQAj46htQODtF97tTEhUdDDyVkAXBuEY53FXoYlXwTb8HAKIR/ieYsuE6UPdbYhx wQT85Cd3Itq+qCBZpFTuYmN4ehmXR7tjOzWhtjX/SY0XOVyYA75DoJ6I/0Q/+KN0G35D OygA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t7si2560748edd.36.2021.09.29.18.10.22; Wed, 29 Sep 2021 18:10:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347651AbhI3BHY (ORCPT + 99 others); Wed, 29 Sep 2021 21:07:24 -0400 Received: from mga02.intel.com ([134.134.136.20]:24480 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347505AbhI3BHQ (ORCPT ); Wed, 29 Sep 2021 21:07:16 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330112" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330112" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:34 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027373" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:33 -0700 From: Kuppuswamy Sathyanarayanan To: Greg Kroah-Hartman , Borislav Petkov Cc: x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , "Michael S . Tsirkin" , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Andi Kleen , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest Date: Wed, 29 Sep 2021 18:05:09 -0700 Message-Id: <20210930010511.3387967-5-sathyanarayanan.kuppuswamy@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Confidential guest platforms like TDX have a requirement to allow only trusted devices. By default the confidential-guest core will arrange for all devices to default to unauthorized (via dev_default_authorization) in device_initialize(). Since virtio driver is already hardened against the attack from the un-trusted host, override the confidential computing default unauthorized state Reviewed-by: Dan Williams Signed-off-by: Kuppuswamy Sathyanarayanan --- drivers/virtio/virtio.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c index 588e02fb91d3..377b0ccdc503 100644 --- a/drivers/virtio/virtio.c +++ b/drivers/virtio/virtio.c @@ -5,6 +5,8 @@ #include #include #include +#include +#include #include /* Unique numbering for virtio devices. */ @@ -390,6 +392,13 @@ int register_virtio_device(struct virtio_device *dev) dev->config_enabled = false; dev->config_change_pending = false; + /* + * For Confidential guest (like TDX), virtio devices are + * trusted. So set authorized status as true. + */ + if (cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER)) + dev->dev.authorized = true; + /* We always start by resetting the device, in case a previous * driver messed it up. This also tests that code path a little. */ dev->config->reset(dev); -- 2.25.1