Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp17345131rwd; Tue, 27 Jun 2023 01:28:39 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6npHrD9qW9DCguQczIsXdFmJ0zE4jHeq9EndbIxTQqTiJOusWtbADBm2PhQNkoATCFQ/cA X-Received: by 2002:aa7:d852:0:b0:51d:ad45:38c0 with SMTP id f18-20020aa7d852000000b0051dad4538c0mr480582eds.32.1687854518822; Tue, 27 Jun 2023 01:28:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687854518; cv=none; d=google.com; s=arc-20160816; b=YTIIAQG8EjdD7cc/JXi9PovtWFTCVtr1LbekMfa28/usETHsGtsigAm82DVVx0b7Ip 3cI9Au2ZD4zGKChGaYEO97ClkHC83uwkwnPoqJNbjUJi4oD+GydWgJuX5ue/lUI2bfSC 5ZlRj0rJ1V//kAahi2/WQDpHvv5AKbeOOJyKhq3EkX3k1HXJeuYSKegBwkbPDGyLKgie 2yl+JKR3/A7MJ9T82/KhM2UkaTr00vk5tlM1l16K0ifch7CaL43AiDuJ6GZDhanFI6bv Z44nTJRy/uGkcnn86NUu7HmArSIvORNVBXiXoiG/V+UkhNQBfITvswOzGJbQ2xxO744x bLHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=6/PlesO2yc7J0M0ez9vNMmpy4Sw/yrJpXbgL5YEpqPo=; fh=uES/ufDndqzrPLQGpO/Jyx5S6P8mv6t1QaIxaCkMXqE=; b=dCBoM9oyCjXQGd34+6uIlA/IRp1uwnttqmOd6WwNJFQ57a7lgXIavQc42Zv1ojX5iW 7yXXnVda2DxFQMLl63RT+PaTtvo5cHXhwNcwIJFES6dqbPoL2nRlL0NmQjq9umr0djoB SMij5DenjmySVEIpf4h6yOz8+D4iAYpdOzTUZpJ7ZQFzvi1wrjmdQe8mFmUtsX9Afoj5 8pGx4+X3iqixCtqGu6/Yfir9XhJaVOCOIZXpvFlVQptGPVQ+8zcoHbNEq7KXn03rAYeH y35m8E0YskAW9ViPTjIkIHrK7kofhmQnwSVA9Em5Ksap1jeQDjmYz43UvAhaqE4fQ/mJ 5KeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=bQwAZxoW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m21-20020a50ef15000000b0051a5428b952si3436392eds.580.2023.06.27.01.28.13; Tue, 27 Jun 2023 01:28:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=bQwAZxoW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231640AbjF0Hu6 (ORCPT + 99 others); Tue, 27 Jun 2023 03:50:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43386 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231547AbjF0Hut (ORCPT ); Tue, 27 Jun 2023 03:50:49 -0400 Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67BE5297D for ; Tue, 27 Jun 2023 00:50:31 -0700 (PDT) Received: by mail-ej1-x62c.google.com with SMTP id a640c23a62f3a-98934f000a5so505641566b.2 for ; Tue, 27 Jun 2023 00:50:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1687852230; x=1690444230; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=6/PlesO2yc7J0M0ez9vNMmpy4Sw/yrJpXbgL5YEpqPo=; b=bQwAZxoWB6E2WY7I4fXXrTkwiGW8Q+FBD0Mnb4fTXoziEoQ5gByHx/4vebns6dNpk5 WuojIMrZzyD/DnuBWVTpStVv9gClUVaJ6JjT7ZAAvtJvyRdGiabkl/rvg+VhCVakj0fw ZLeF7iHxxt3qMhhlUrS2JzHrd/BLFOWsayPmeietJ+SpprSmY3HoYK353sq2HelWPvu0 ssRvv418pXfKhpH3+Q2qc7mFlq7clRY19EZJd1fPJh34GjxQTHqwSGJjfL8rV4/ajb3g w3muIzK2awRbDHZZ0zQmB5qS3cKulXE9QdvSfc3uEbQBgEUKaEy5aBJm/M7U/3Yn644l kDwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687852230; x=1690444230; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6/PlesO2yc7J0M0ez9vNMmpy4Sw/yrJpXbgL5YEpqPo=; b=fc3O+1Vpve23wbIHxJybTUrXKBZtWRfaofO/cjOWClUsgAh7vb6c6CLflSaqQEueXh +QueJzT0tWIjuo/Q0fzuxqhzKK9/H/P0HMuQqyBCsxP+MVcd9h+herpuenHc5jChZD4o y60EhH4ztRBEy1ZjyIR/bRGFrdkyGogIWi52JAYmpd1CMy1gchAqSfxLTizpigCpOJ/W YfUR8XZrpcWv06K6i+3fBKhGDgSLSUCfO1vZoVmWUBbChoZL8BzvPku7/rsnWhgRBjGd OpAam3CS20vl1Mf3EgpuqnMCfTp4jgVJOVMqoRdK6LQ0XREkM5UfQIFKPEF5kb3KaI6I CI/w== X-Gm-Message-State: AC+VfDw5qSpxVDsCn3nOaM+MOK2oSCYI/zmyp7/LGT4HRmpgv6X0Hw7A dJ4UD1yNB+QR40wl/Sl1dl0pb9TyGiO0PVdJBHhhMQ== X-Received: by 2002:a17:907:7f04:b0:991:f6d0:9bc1 with SMTP id qf4-20020a1709077f0400b00991f6d09bc1mr2598779ejc.66.1687852229607; Tue, 27 Jun 2023 00:50:29 -0700 (PDT) MIME-Version: 1.0 References: <64966b842becf_142af8294a5@dwillia2-xfh.jf.intel.com.notmuch> <649914ab3de4d_8e17829490@dwillia2-xfh.jf.intel.com.notmuch> In-Reply-To: <649914ab3de4d_8e17829490@dwillia2-xfh.jf.intel.com.notmuch> From: Chong Cai Date: Tue, 27 Jun 2023 00:50:16 -0700 Message-ID: Subject: Re: [PATCH v3 0/3] TDX Guest Quote generation support To: Dan Williams Cc: Sathyanarayanan Kuppuswamy , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, Shuah Khan , Jonathan Corbet , "H . Peter Anvin" , "Kirill A . Shutemov" , Tony Luck , Wander Lairson Costa , Erdem Aktas , Dionna Amalie Glaze , Qinkun Bao , Guorui Yu , Du Fan , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 25, 2023 at 9:32=E2=80=AFPM Dan Williams wrote: > > Sathyanarayanan Kuppuswamy wrote: > > > > > > On 6/23/23 9:05 PM, Dan Williams wrote: > > > Kuppuswamy Sathyanarayanan wrote: > > >> Hi All, > > >> > > >> In TDX guest, the attestation process is used to verify the TDX gues= t > > >> trustworthiness to other entities before provisioning secrets to the > > >> guest. > > >> > > >> The TDX guest attestation process consists of two steps: > > >> > > >> 1. TDREPORT generation > > >> 2. Quote generation. > > >> > > >> The First step (TDREPORT generation) involves getting the TDX guest > > >> measurement data in the format of TDREPORT which is further used to > > >> validate the authenticity of the TDX guest. The second step involves > > >> sending the TDREPORT to a Quoting Enclave (QE) server to generate a > > >> remotely verifiable Quote. TDREPORT by design can only be verified o= n > > >> the local platform. To support remote verification of the TDREPORT, > > >> TDX leverages Intel SGX Quoting Enclave to verify the TDREPORT > > >> locally and convert it to a remotely verifiable Quote. Although > > >> attestation software can use communication methods like TCP/IP or > > >> vsock to send the TDREPORT to QE, not all platforms support these > > >> communication models. So TDX GHCI specification [1] defines a method > > >> for Quote generation via hypercalls. Please check the discussion fro= m > > >> Google [2] and Alibaba [3] which clarifies the need for hypercall ba= sed > > >> Quote generation support. This patch set adds this support. > > >> > > >> Support for TDREPORT generation already exists in the TDX guest driv= er. > > >> This patchset extends the same driver to add the Quote generation > > >> support. > > > > > > I missed that the TDREPORT ioctl() and this character device are alre= ady > > > upstream. The TDREPORT ioctl() if it is only needed for quote generat= ion > > > seems a waste because it just retrieves a blob that needs to be turne= d > > > around and injected back into the kernel to generate a quote. > > > > Although the end goal is to generate the quote, the method the user cho= oses to > > achieve it may differ for a variety of reasons. In this case, we're try= ing to > > support the use case where the user will use methods like TCP/IP or vso= ck to > > generate the Quote. They can use the GET_REPORT IOCTL to get the TDREPO= RT and > > send it to the quoting enclave via the above-mentioned methods. TDVMCA= LL-based > > quote generation is intended for users who, for a variety of security r= easons, do > > not wish to use the methods described above. > > This flexibility could be supported with keys if necessary, although I > would want to hear strong reasons not a "variety of reasons" why > everyone cannot use a unified approach. ABI proliferation has a > maintenance cost and a collaboration cost. It is within the kernel > community's right to judge the cost of ABI flexibility and opt for a > constrained implementation if that cost is too high. > > What I would ask of those who absolutely cannot support the TDVMCALL > method is to contribute a solution that intercepts the "upcall" to the > platform "guest_attest_ops" and turn it into a typical keys upcall to > userspace that can use the report data with a vsock tunnel. > > That way the end result is still the same, a key established with the > TDX Quote evidence contained within a Linux-defined envelope. I agree a unified ABI across vendors would be ideal in the long term. However, it sounds like a non-trivial task and could take quite some time to achieve. Given there's already an AMD equivalent approach upstreamed, can we also allow this TDVMCALL patch as an intermediate step to unblock various TDX attestation user cases while targeting unified ABI? The TDVMCALL here is quite isolated and serves a very specific purpose, it should be very low risk to other kernel features and easy to be reverted in the future.