Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 799E4C05027 for ; Thu, 26 Jan 2023 13:32:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236668AbjAZNcX (ORCPT ); Thu, 26 Jan 2023 08:32:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236013AbjAZNcP (ORCPT ); Thu, 26 Jan 2023 08:32:15 -0500 Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11E25210C for ; Thu, 26 Jan 2023 05:32:14 -0800 (PST) Received: by mail-wm1-x335.google.com with SMTP id iv8-20020a05600c548800b003db04a0a46bso4144115wmb.0 for ; Thu, 26 Jan 2023 05:32:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=hvXTfjErGpMP8uOLDwmTjxkzwIedC4pHfuHn5jXJ8N0=; b=qSz3i+Nk4N2o0AemsRlY4Y1kvJX0QWS/ebt8ampVtbMQJog/GsNN/nHJrdTqc08+KU Uw2lbHFjidj8JTAOcNFi1TpWGyvIB+pj4YDsirHFqftcK7Dae7wFeYYlU3daBS5q6O4J 4LOaY6/1cfkafaEzTU8ZXBpFvW9eS1dW0XgjD1dZFFY0tcDI02D237KJn+JXjR6phgnh jOpNbb5SMNwjBwce++SDxth6ZQ+0R2khbjAsXWoKdmHx2k0KD6+r1ky0KnN2BgK40Y4W 4UNeq43CoU9gkSfpUFHt4Hyhex0QXygxXvr/3bxMnNx5ZCbSXdiJroNNBuMpfgzNCUnU TOgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=hvXTfjErGpMP8uOLDwmTjxkzwIedC4pHfuHn5jXJ8N0=; b=viuJxfifTbDHOYYFuHfYvPUKQajXILm6oiH+iMC4agSY0VBjEyxNHbkgaG1LMGKs9b w4+UFJKU7qXWfTttgnS+t0I6WLiHK3ikjwNG0esZwigntCgNaM1E/BQr11iEPyvs8KRH YdKSRljsgHpXIYYV/kJKsGHTCTdjcE+xCnzCmcVRl83EFrmFVZtW3qxSyvyaNImgeF91 4/1IXhx0gSAgDT28torzQ3uC0zKmFTKBXnG9eH1coLApKPOTdqDBSurEQIhNZBguAghb c1z6RHZDok8yQUHlp/qAwUyFHJ2jGGSWvVt+txfDLdvVrO1aHVBPxpeuz7GUZHnnyjqd wSiA== X-Gm-Message-State: AFqh2kojgoiB+XPcWjp+5as/SVhpB0nXFv8N0tli7dkPC/nrCW+GB+IL htRvfshno8ohiwvac41t+7bd2A== X-Google-Smtp-Source: AMrXdXsvke9/I5SEmOUuX2fmA7FDEbfmJeFpKph8uM2MNd6/2VY4XfLs4JIZluGNUbgzvZmtCNlL8A== X-Received: by 2002:a1c:f310:0:b0:3db:15d9:1485 with SMTP id q16-20020a1cf310000000b003db15d91485mr29420414wmq.39.1674739932598; Thu, 26 Jan 2023 05:32:12 -0800 (PST) Received: from vermeer ([2a01:cb1d:81a9:dd00:b570:b34c:ffd4:c805]) by smtp.gmail.com with ESMTPSA id n13-20020a05600c500d00b003db2b81660esm5006955wmr.21.2023.01.26.05.32.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Jan 2023 05:32:11 -0800 (PST) Date: Thu, 26 Jan 2023 14:32:09 +0100 From: Samuel Ortiz To: "Dr. David Alan Gilbert" Cc: Lukas Wunner , Greg Kroah-Hartman , "Reshetova, Elena" , "Shishkin, Alexander" , "Shutemov, Kirill" , "Kuppuswamy, Sathyanarayanan" , "Kleen, Andi" , "Hansen, Dave" , Thomas Gleixner , Peter Zijlstra , Mika Westerberg , "Michael S. Tsirkin" , Jason Wang , "Poimboe, Josh" , "aarcange@redhat.com" , Cfir Cohen , Marc Orr , "jbachmann@google.com" , "pgonda@google.com" , "keescook@chromium.org" , James Morris , Michael Kelley , "Lange, Jon" , "linux-coco@lists.linux.dev" , Linux Kernel Mailing List , Jonathan Cameron , linux-pci@vger.kernel.org Subject: Re: Linux guest kernel threat model for Confidential Computing Message-ID: References: <20230125215333.GA18160@wunner.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 26, 2023 at 10:48:50AM +0000, Dr. David Alan Gilbert wrote: > * Lukas Wunner (lukas@wunner.de) wrote: > > [cc += Jonathan Cameron, linux-pci] > > > > On Wed, Jan 25, 2023 at 02:57:40PM +0000, Dr. David Alan Gilbert wrote: > > > Greg Kroah-Hartman (gregkh@linuxfoundation.org) wrote: > > > > Great, so why not have hardware attestation also for your devices you > > > > wish to talk to? Why not use that as well? Then you don't have to > > > > worry about anything in the guest. > > > > > > There were some talks at Plumbers where PCIe is working on adding that; > > > it's not there yet though. I think that's PCIe 'Integrity and Data > > > Encryption' (IDE - sigh), and PCIe 'Security Prtocol and Data Model' - > > > SPDM. I don't know much of the detail of those, just that they're far > > > enough off that people aren't depending on them yet. > > > > CMA/SPDM (PCIe r6.0 sec 6.31) is in active development on this branch: > > > > https://github.com/l1k/linux/commits/doe > > Thanks for the pointer - I'll go and hunt down that spec. > > > It will allow for authentication of PCIe devices. Goal is to submit > > this quarter (Q1). Afterwards we'll look into retrieving measurements > > via CMA/SPDM and bringing up IDE encryption. > > > > It's a kernel-native implementation which uses the existing crypto and > > keys infrastructure and is wired into the appropriate places in the > > PCI core to authenticate devices on enumeration and reauthenticate > > when CMA/SPDM state is lost (after resume from D3cold, after a > > Secondary Bus Reset and after a DPC-induced Hot Reset). > > > > The device authentication service afforded here is generic. > > It is up to users and vendors to decide how to employ it, > > be it for "confidential computing" or something else. > > As Samuel asks about who is doing the challenge; but I guess there are > also things like what happens when the host controls intermediate > switches You'd want to protect that through IDE selective streams. > and BAR access and when only VFs are passed to guests. TDISP aims at addressing that afaiu. Once the VF (aka TDI) is locked, any changes to its BAR(s) or any PF MMIO that would affect the VF would get the VF back to unlocked (and let the guest reject it). Cheers, Samuel.