1. Patchew
  2. linux
  3. View series

[PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs

Cedric Xing posted 4 patches 9 months, 3 weeks ago
There is a newer version of this series
Documentation/ABI/testing/sysfs-kernel-tsm |  20 ++
MAINTAINERS                                |   3 +-
arch/x86/coco/tdx/tdx.c                    |  36 +++
arch/x86/include/asm/shared/tdx.h          |   1 +
arch/x86/include/asm/tdx.h                 |   2 +
drivers/virt/coco/Kconfig                  |  17 +-
drivers/virt/coco/Makefile                 |   2 +
drivers/virt/coco/tdx-guest/Kconfig        |  24 +-
drivers/virt/coco/tdx-guest/tdx-guest.c    | 115 +++++++++
drivers/virt/coco/{tsm.c => tsm-core.c}    |   6 +-
drivers/virt/coco/tsm-mr.c                 | 383 +++++++++++++++++++++++++++++
include/linux/tsm.h                        |  65 +++++
samples/Kconfig                            |  13 +
samples/Makefile                           |   1 +
samples/tsm/Makefile                       |   2 +
samples/tsm/tsm_mr_sample.c                | 107 ++++++++
16 files changed, 789 insertions(+), 8 deletions(-)
[PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs
Posted by Cedric Xing 9 months, 3 weeks ago 
NOTE: This patch series introduces the Measurement Register (MR) ABI, and
is a continuation of the RFC series on the same topic [1].

This patch series adds a unified interface to the TSM core, allowing TVM
(TEE VM) guest drivers to expose measurement registers (MRs) as attributes
(files) in sysfs. With this interface, applications can read and write
(extend) MRs like regular files, enabling usages like configuration
verification (e.g., verifying a TVM's configuration against digests stored
in static/immutable MRs like MRCONFIGID on TDX or HOSTDATA on SEV) and
runtime measurements (e.g., extending the measurement of a container image
to an RTMR before running it).

Patches included in this series:

- Patch 1 adds TSM APIs for TVM guest drivers to register/expose MRs
  through sysfs.
- Patch 2 provides a sample module demonstrating the usage of the new TSM
  APIs.
- The remaining patches update the TDX guest driver to expose TDX MRs
  through the new TSM APIs.

[1]: https://lore.kernel.org/linux-coco/20241210-tsm-rtmr-v3-0-5997d4dbda73@intel.com/

Signed-off-by: Cedric Xing <cedric.xing@intel.com>
---
Changes in v2:
- Added TSM_MR_MAXBANKS Kconfig option
- Updated Kconfig dependency for TSM_REPORTS
- Updated comments in include/linux/tsm.h
- Updated drivers/virt/coco/tsm-mr.c to use `IS_BUILTIN()` for determining
  if static buffer addresses can be converted to GPAs by `virt_to_phys()`
- Renamed function `tdx_mcall_rtmr_extend()` -> `tdx_mcall_extend_rtmr()`
- Link to v1: https://lore.kernel.org/r/20250212-tdx-rtmr-v1-0-9795dc49e132@intel.com

---
Cedric Xing (4):
      tsm: Add TVM Measurement Register support
      tsm: Add TSM measurement sample code
      x86/tdx: Add tdx_mcall_extend_rtmr() interface
      x86/tdx: Expose TDX MRs through TSM sysfs interface

 Documentation/ABI/testing/sysfs-kernel-tsm |  20 ++
 MAINTAINERS                                |   3 +-
 arch/x86/coco/tdx/tdx.c                    |  36 +++
 arch/x86/include/asm/shared/tdx.h          |   1 +
 arch/x86/include/asm/tdx.h                 |   2 +
 drivers/virt/coco/Kconfig                  |  17 +-
 drivers/virt/coco/Makefile                 |   2 +
 drivers/virt/coco/tdx-guest/Kconfig        |  24 +-
 drivers/virt/coco/tdx-guest/tdx-guest.c    | 115 +++++++++
 drivers/virt/coco/{tsm.c => tsm-core.c}    |   6 +-
 drivers/virt/coco/tsm-mr.c                 | 383 +++++++++++++++++++++++++++++
 include/linux/tsm.h                        |  65 +++++
 samples/Kconfig                            |  13 +
 samples/Makefile                           |   1 +
 samples/tsm/Makefile                       |   2 +
 samples/tsm/tsm_mr_sample.c                | 107 ++++++++
 16 files changed, 789 insertions(+), 8 deletions(-)
---
base-commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
change-id: 20250209-tdx-rtmr-255479667146

Best regards,
-- 
Cedric Xing <cedric.xing@intel.com>
Re: [PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs
Posted by Sathyanarayanan Kuppuswamy 9 months ago 
Hi Cedric,

On 2/23/25 7:20 PM, Cedric Xing wrote:
> NOTE: This patch series introduces the Measurement Register (MR) ABI, and
> is a continuation of the RFC series on the same topic [1].
>
> This patch series adds a unified interface to the TSM core, allowing TVM
> (TEE VM) guest drivers to expose measurement registers (MRs) as attributes
> (files) in sysfs. With this interface, applications can read and write
> (extend) MRs like regular files, enabling usages like configuration
> verification (e.g., verifying a TVM's configuration against digests stored
> in static/immutable MRs like MRCONFIGID on TDX or HOSTDATA on SEV) and
> runtime measurements (e.g., extending the measurement of a container image
> to an RTMR before running it).
>
> Patches included in this series:
>
> - Patch 1 adds TSM APIs for TVM guest drivers to register/expose MRs
>    through sysfs.
> - Patch 2 provides a sample module demonstrating the usage of the new TSM
>    APIs.
> - The remaining patches update the TDX guest driver to expose TDX MRs
>    through the new TSM APIs.

Any comment on the missing event log support? Extending the measurements
without logging the event should break the tractability feature. Can you add
info about why it is ok to just add extension support for now?


>
> [1]: https://lore.kernel.org/linux-coco/20241210-tsm-rtmr-v3-0-5997d4dbda73@intel.com/
>
> Signed-off-by: Cedric Xing <cedric.xing@intel.com>
> ---
> Changes in v2:
> - Added TSM_MR_MAXBANKS Kconfig option
> - Updated Kconfig dependency for TSM_REPORTS
> - Updated comments in include/linux/tsm.h
> - Updated drivers/virt/coco/tsm-mr.c to use `IS_BUILTIN()` for determining
>    if static buffer addresses can be converted to GPAs by `virt_to_phys()`
> - Renamed function `tdx_mcall_rtmr_extend()` -> `tdx_mcall_extend_rtmr()`
> - Link to v1: https://lore.kernel.org/r/20250212-tdx-rtmr-v1-0-9795dc49e132@intel.com
>
> ---
> Cedric Xing (4):
>        tsm: Add TVM Measurement Register support
>        tsm: Add TSM measurement sample code
>        x86/tdx: Add tdx_mcall_extend_rtmr() interface
>        x86/tdx: Expose TDX MRs through TSM sysfs interface
>
>   Documentation/ABI/testing/sysfs-kernel-tsm |  20 ++
>   MAINTAINERS                                |   3 +-
>   arch/x86/coco/tdx/tdx.c                    |  36 +++
>   arch/x86/include/asm/shared/tdx.h          |   1 +
>   arch/x86/include/asm/tdx.h                 |   2 +
>   drivers/virt/coco/Kconfig                  |  17 +-
>   drivers/virt/coco/Makefile                 |   2 +
>   drivers/virt/coco/tdx-guest/Kconfig        |  24 +-
>   drivers/virt/coco/tdx-guest/tdx-guest.c    | 115 +++++++++
>   drivers/virt/coco/{tsm.c => tsm-core.c}    |   6 +-
>   drivers/virt/coco/tsm-mr.c                 | 383 +++++++++++++++++++++++++++++
>   include/linux/tsm.h                        |  65 +++++
>   samples/Kconfig                            |  13 +
>   samples/Makefile                           |   1 +
>   samples/tsm/Makefile                       |   2 +
>   samples/tsm/tsm_mr_sample.c                | 107 ++++++++
>   16 files changed, 789 insertions(+), 8 deletions(-)
> ---
> base-commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
> change-id: 20250209-tdx-rtmr-255479667146
>
> Best regards,

-- 
Sathyanarayanan Kuppuswamy
Linux Kernel Developer
Re: [PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs
Posted by Xing, Cedric 9 months ago 
On 3/17/2025 6:15 PM, Sathyanarayanan Kuppuswamy wrote:
[...]
> Any comment on the missing event log support? Extending the measurements
> without logging the event should break the tractability feature. Can you 
> add
> info about why it is ok to just add extension support for now?
> 
The event log support was once proposed and discussed. Please see 
https://lore.kernel.org/all/20240907-tsm-rtmr-v1-0-12fc4d43d4e7@intel.com/ 
for details. In short, it's difficult to define a log format that fits 
all applications, and luckily it doesn't have to be solved in kernel 
mode, so we leave it out for now.
Re: [PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs
Posted by James Bottomley 9 months ago 
On Mon, 2025-03-17 at 22:48 -0500, Xing, Cedric wrote:
> On 3/17/2025 6:15 PM, Sathyanarayanan Kuppuswamy wrote:
> [...]
> > Any comment on the missing event log support? Extending the
> > measurements without logging the event should break the
> > tractability feature. Can you add info about why it is ok to just
> > add extension support for now?
> > 
> The event log support was once proposed and discussed. Please see 
> https://lore.kernel.org/all/20240907-tsm-rtmr-v1-0-12fc4d43d4e7@intel.com/
>  
> for details. In short, it's difficult to define a log format that
> fits all applications, 

I also think the interface doesn't have much utility without a log (at
least the ability to write part).  However, I think the problem is the
quest for a single universal log.  If you just allow the reflected
consumers to use their own log format (and identify that format
somewhere in the filesystem) it still all works.  This would mean that
plugging in IMA becomes simple and it would obviously just use the IMA
log format.

From a non-repudiable record point of view there are definite reasons
why mutually distrusting subsystems would want their own PCR and log
anyway (so they can do separated replay), so I think supporting
multiple logs is definitely a requirement.  If we have multiple logs,
there's not much of a problem with multiple formats.

> and luckily it doesn't have to be solved in kernel  mode, so we leave
> it out for now.

The problem, that will be hard to do a pure userspace solution for, is
that adding a log entry and extending the PCR should be as close to
atomic as you can get them.

Regards,

James
Re: [PATCH v2 0/4] tsm: Unified Measurement Register ABI for TVMs
Posted by Jianxiong Gao 9 months, 3 weeks ago 
On Sun, Feb 23, 2025 at 7:23 PM Cedric Xing <cedric.xing@intel.com> wrote:
>
> NOTE: This patch series introduces the Measurement Register (MR) ABI, and
> is a continuation of the RFC series on the same topic [1].
>
> This patch series adds a unified interface to the TSM core, allowing TVM
> (TEE VM) guest drivers to expose measurement registers (MRs) as attributes
> (files) in sysfs. With this interface, applications can read and write
> (extend) MRs like regular files, enabling usages like configuration
> verification (e.g., verifying a TVM's configuration against digests stored
> in static/immutable MRs like MRCONFIGID on TDX or HOSTDATA on SEV) and
> runtime measurements (e.g., extending the measurement of a container image
> to an RTMR before running it).
>
> Patches included in this series:
>
> - Patch 1 adds TSM APIs for TVM guest drivers to register/expose MRs
>   through sysfs.
> - Patch 2 provides a sample module demonstrating the usage of the new TSM
>   APIs.
> - The remaining patches update the TDX guest driver to expose TDX MRs
>   through the new TSM APIs.
>
> [1]: https://lore.kernel.org/linux-coco/20241210-tsm-rtmr-v3-0-5997d4dbda73@intel.com/
>
> Signed-off-by: Cedric Xing <cedric.xing@intel.com>
> ---
> Changes in v2:
> - Added TSM_MR_MAXBANKS Kconfig option
> - Updated Kconfig dependency for TSM_REPORTS
> - Updated comments in include/linux/tsm.h
> - Updated drivers/virt/coco/tsm-mr.c to use `IS_BUILTIN()` for determining
>   if static buffer addresses can be converted to GPAs by `virt_to_phys()`
> - Renamed function `tdx_mcall_rtmr_extend()` -> `tdx_mcall_extend_rtmr()`
> - Link to v1: https://lore.kernel.org/r/20250212-tdx-rtmr-v1-0-9795dc49e132@intel.com
>
> ---
> Cedric Xing (4):
>       tsm: Add TVM Measurement Register support
>       tsm: Add TSM measurement sample code
>       x86/tdx: Add tdx_mcall_extend_rtmr() interface
>       x86/tdx: Expose TDX MRs through TSM sysfs interface
>
>  Documentation/ABI/testing/sysfs-kernel-tsm |  20 ++
>  MAINTAINERS                                |   3 +-
>  arch/x86/coco/tdx/tdx.c                    |  36 +++
>  arch/x86/include/asm/shared/tdx.h          |   1 +
>  arch/x86/include/asm/tdx.h                 |   2 +
>  drivers/virt/coco/Kconfig                  |  17 +-
>  drivers/virt/coco/Makefile                 |   2 +
>  drivers/virt/coco/tdx-guest/Kconfig        |  24 +-
>  drivers/virt/coco/tdx-guest/tdx-guest.c    | 115 +++++++++
>  drivers/virt/coco/{tsm.c => tsm-core.c}    |   6 +-
>  drivers/virt/coco/tsm-mr.c                 | 383 +++++++++++++++++++++++++++++
>  include/linux/tsm.h                        |  65 +++++
>  samples/Kconfig                            |  13 +
>  samples/Makefile                           |   1 +
>  samples/tsm/Makefile                       |   2 +
>  samples/tsm/tsm_mr_sample.c                | 107 ++++++++
>  16 files changed, 789 insertions(+), 8 deletions(-)
> ---
> base-commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
> change-id: 20250209-tdx-rtmr-255479667146
>
> Best regards,
> --
> Cedric Xing <cedric.xing@intel.com>
>
>
Tested-by: Jianxiong Gao <jxgao@google.com>
I have verified that the patchset works on Google Cloud.

-- 
Jianxiong Gao

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.