[PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on

Alexey Kardashevskiy posted 5 patches 1 week, 3 days ago
[PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by Alexey Kardashevskiy 1 week, 3 days ago
Here are some patches to begin enabling SEV-TIO on AMD.

SEV-TIO allows guests to establish trust in a device that supports TEE
Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
then interact with the device via private memory.

In order to streamline upstreaming process, a common TSM infrastructure
is being developed in collaboration with Intel+ARM+RiscV. There is
Documentation/driver-api/pci/tsm.rst with proposed phases:
1. IDE: encrypt PCI, host only
2. TDISP: lock + accept flow, host and guest, interface report
3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
4. Device attestation: certificates, measurements

This is phase1 == IDE only.

SEV TIO spec:
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf

Acronyms:
TEE - Trusted Execution Environments, a concept of managing trust
between the host and devices
TSM - TEE Security Manager (TSM), an entity which ensures security on
the host
PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
on AMD.
SEV TIO - the TIO protocol implemented by the PSP and used by the host
GHCB - guest/host communication block - a protocol for guest-to-host
communication via a shared page
TDISP - TEE Device Interface Security Protocol (PCIe).


Flow:
- Boot host OS, load CCP which registers itself as a TSM
- PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
  TDISP-capable devices
- Enable IDE via "echo tsm0 >
    /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
- observe "secure" in stream states in "lspci" for the rootport and endpoint


This is pushed out to
https://github.com/AMDESE/linux-kvm/commits/tsm-staging

The full "WIP" trees and configs are here:
https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits


The previous conversation is here:
https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com

This is based on sha1
f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".

Please comment. Thanks.



Alexey Kardashevskiy (5):
  ccp: Make snp_reclaim_pages and __sev_do_cmd_locked public
  psp-sev: Assign numbers to all status codes and add new
  iommu/amd: Report SEV-TIO support
  crypto: ccp: Enable SEV-TIO feature in the PSP when supported
  crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)

 drivers/crypto/ccp/Kconfig          |   1 +
 drivers/crypto/ccp/Makefile         |   8 +
 drivers/crypto/ccp/sev-dev-tio.h    | 142 ++++
 drivers/crypto/ccp/sev-dev.h        |   9 +
 drivers/iommu/amd/amd_iommu_types.h |   1 +
 include/linux/amd-iommu.h           |   2 +
 include/linux/psp-sev.h             |  17 +-
 include/uapi/linux/psp-sev.h        |  66 +-
 drivers/crypto/ccp/sev-dev-tio.c    | 863 ++++++++++++++++++++
 drivers/crypto/ccp/sev-dev-tsm.c    | 405 +++++++++
 drivers/crypto/ccp/sev-dev.c        |  69 +-
 drivers/iommu/amd/init.c            |   9 +
 12 files changed, 1556 insertions(+), 36 deletions(-)
 create mode 100644 drivers/crypto/ccp/sev-dev-tio.h
 create mode 100644 drivers/crypto/ccp/sev-dev-tio.c
 create mode 100644 drivers/crypto/ccp/sev-dev-tsm.c

-- 
2.51.1
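
The flow in the cover letter above, written as shell helpers. This is an added example, not part of the patch series: `SYSFS_ROOT`, the function names, the 4-digit-domain BDF check and the whole-word match on "secure" are assumptions made here, and the exact wording `lspci` uses for stream states is not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the patch series).
# SYSFS_ROOT is a hypothetical override so the helpers can be pointed at a
# constructed directory tree instead of the live /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the BDF of every PCI device that exposes the tsm/connect attribute.
tsm_capable_devices() {
    for attr in "$SYSFS_ROOT"/bus/pci/devices/*/tsm/connect; do
        [ -e "$attr" ] || continue          # glob matched nothing
        dev=${attr%/tsm/connect}
        echo "${dev##*/}"
    done
}

# Write a TSM name (e.g. tsm0) to the device's tsm/connect attribute.
# The BDF is validated first (assumes a 4-digit domain) so that a malformed
# argument cannot steer the write to another path.
tsm_connect() {
    bdf=$1
    tsm=$2
    case $bdf in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) ;;
        *) echo "bad BDF: $bdf" >&2; return 2 ;;
    esac
    attr="$SYSFS_ROOT/bus/pci/devices/$bdf/tsm/connect"
    [ -w "$attr" ] || { echo "$bdf: no writable tsm/connect" >&2; return 1; }
    printf '%s\n' "$tsm" > "$attr"
}

# Count stdin lines that contain "secure" as a whole word. A plain substring
# match would also count "insecure", so -w is required.
ide_secure_lines() {
    grep -ciw 'secure' || true              # grep exits 1 when the count is 0
}

# Typical use on a host with the series applied, for the endpoint and again
# for its root port:
#   tsm_capable_devices
#   tsm_connect 0000:e1:00.0 tsm0
#   lspci -vvv -s 0000:e1:00.0 | ide_secure_lines
```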
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by Alexey Kardashevskiy 1 week, 2 days ago
I should have cc'ed linux-coco@lists.linux.dev. And vim ate "AMD" from the subject line. Should I repost now? Thanks,


On 21/11/25 19:06, Alexey Kardashevskiy wrote:
> Here are some patches to begin enabling SEV-TIO on AMD.
> 
> SEV-TIO allows guests to establish trust in a device that supports TEE
> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
> then interact with the device via private memory.
> 
> In order to streamline upstreaming process, a common TSM infrastructure
> is being developed in collaboration with Intel+ARM+RiscV. There is
> Documentation/driver-api/pci/tsm.rst with proposed phases:
> 1. IDE: encrypt PCI, host only
> 2. TDISP: lock + accept flow, host and guest, interface report
> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
> 4. Device attestation: certificates, measurements
> 
> This is phase1 == IDE only.
> 
> SEV TIO spec:
> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
> 
> Acronyms:
> TEE - Trusted Execution Environments, a concept of managing trust
> between the host and devices
> TSM - TEE Security Manager (TSM), an entity which ensures security on
> the host
> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
> on AMD.
> SEV TIO - the TIO protocol implemented by the PSP and used by the host
> GHCB - guest/host communication block - a protocol for guest-to-host
> communication via a shared page
> TDISP - TEE Device Interface Security Protocol (PCIe).
> 
> 
> Flow:
> - Boot host OS, load CCP which registers itself as a TSM
> - PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
>    TDISP-capable devices
> - Enable IDE via "echo tsm0 >
>      /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
> - observe "secure" in stream states in "lspci" for the rootport and endpoint
> 
> 
> This is pushed out to
> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
> 
> The full "WIP" trees and configs are here:
> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
> 
> 
> The previous conversation is here:
> https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
> https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com
> 
> This is based on sha1
> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
> 
> Please comment. Thanks.
> 
> 
> 
> Alexey Kardashevskiy (5):
>    ccp: Make snp_reclaim_pages and __sev_do_cmd_locked public
>    psp-sev: Assign numbers to all status codes and add new
>    iommu/amd: Report SEV-TIO support
>    crypto: ccp: Enable SEV-TIO feature in the PSP when supported
>    crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)
> 
>   drivers/crypto/ccp/Kconfig          |   1 +
>   drivers/crypto/ccp/Makefile         |   8 +
>   drivers/crypto/ccp/sev-dev-tio.h    | 142 ++++
>   drivers/crypto/ccp/sev-dev.h        |   9 +
>   drivers/iommu/amd/amd_iommu_types.h |   1 +
>   include/linux/amd-iommu.h           |   2 +
>   include/linux/psp-sev.h             |  17 +-
>   include/uapi/linux/psp-sev.h        |  66 +-
>   drivers/crypto/ccp/sev-dev-tio.c    | 863 ++++++++++++++++++++
>   drivers/crypto/ccp/sev-dev-tsm.c    | 405 +++++++++
>   drivers/crypto/ccp/sev-dev.c        |  69 +-
>   drivers/iommu/amd/init.c            |   9 +
>   12 files changed, 1556 insertions(+), 36 deletions(-)
>   create mode 100644 drivers/crypto/ccp/sev-dev-tio.h
>   create mode 100644 drivers/crypto/ccp/sev-dev-tio.c
>   create mode 100644 drivers/crypto/ccp/sev-dev-tsm.c
> 

-- 
Alexey
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by Joerg Roedel 6 days, 10 hours ago
Hey Alexey,

On Sat, Nov 22, 2025 at 02:35:03PM +1100, Alexey Kardashevskiy wrote:
> I should have cc'ed linux-coco@lists.linux.dev. And vim ate "AMD" from the
> subject line. Should I repost now? Thanks,

A full repost is not needed, imho. Just reply with linux-coco on CC for
awareness. Everyone on that list can then lookup the full thread on lore.

Just make sure to Cc linux-coco on the next version.

Regards,

	Joerg
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by dan.j.williams@intel.com 6 days, 4 hours ago
Alexey Kardashevskiy wrote:
> Here are some patches to begin enabling SEV-TIO on AMD.
> 
> SEV-TIO allows guests to establish trust in a device that supports TEE
> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
> then interact with the device via private memory.
> 
> In order to streamline upstreaming process, a common TSM infrastructure
> is being developed in collaboration with Intel+ARM+RiscV. There is
> Documentation/driver-api/pci/tsm.rst with proposed phases:
> 1. IDE: encrypt PCI, host only
> 2. TDISP: lock + accept flow, host and guest, interface report
> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
> 4. Device attestation: certificates, measurements
> 
> This is phase1 == IDE only.
> 
> SEV TIO spec:
> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
> 
> Acronyms:
> TEE - Trusted Execution Environments, a concept of managing trust
> between the host and devices
> TSM - TEE Security Manager (TSM), an entity which ensures security on
> the host
> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
> on AMD.
> SEV TIO - the TIO protocol implemented by the PSP and used by the host
> GHCB - guest/host communication block - a protocol for guest-to-host
> communication via a shared page
> TDISP - TEE Device Interface Security Protocol (PCIe).
> 
> 
> Flow:
> - Boot host OS, load CCP which registers itself as a TSM
> - PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
>   TDISP-capable devices
> - Enable IDE via "echo tsm0 >
>     /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
> - observe "secure" in stream states in "lspci" for the rootport and endpoint
> 
> 
> This is pushed out to
> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
> 
> The full "WIP" trees and configs are here:
> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
> 
> 
> The previous conversation is here:
> https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
> https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com
> 
> This is based on sha1
> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
> 
> Please comment. Thanks.

This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
ack I can queue this for v6.19, but let me know if the timing is too
tight and this needs to circle around for v6.20.

Note that if this is deferred then the PCI/TSM core, that has been
soaking in linux-next [1], will also be deferred as at least one
consumer needs to go in with the core infrastructure. It is already the
case that TEE I/O for CCA and TDX have dependencies that will not
resolve in time for v6.19 merge.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm.git/log/?h=next
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by Tom Lendacky 9 hours ago
On 11/25/25 14:38, dan.j.williams@intel.com wrote:
> Alexey Kardashevskiy wrote:
>> Here are some patches to begin enabling SEV-TIO on AMD.
>>
>> SEV-TIO allows guests to establish trust in a device that supports TEE
>> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
>> then interact with the device via private memory.
>>
>> In order to streamline upstreaming process, a common TSM infrastructure
>> is being developed in collaboration with Intel+ARM+RiscV. There is
>> Documentation/driver-api/pci/tsm.rst with proposed phases:
>> 1. IDE: encrypt PCI, host only
>> 2. TDISP: lock + accept flow, host and guest, interface report
>> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
>> 4. Device attestation: certificates, measurements
>>
>> This is phase1 == IDE only.
>>
>> SEV TIO spec:
>> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
>>
>> Acronyms:
>> TEE - Trusted Execution Environments, a concept of managing trust
>> between the host and devices
>> TSM - TEE Security Manager (TSM), an entity which ensures security on
>> the host
>> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
>> on AMD.
>> SEV TIO - the TIO protocol implemented by the PSP and used by the host
>> GHCB - guest/host communication block - a protocol for guest-to-host
>> communication via a shared page
>> TDISP - TEE Device Interface Security Protocol (PCIe).
>>
>>
>> Flow:
>> - Boot host OS, load CCP which registers itself as a TSM
>> - PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
>>   TDISP-capable devices
>> - Enable IDE via "echo tsm0 >
>>     /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
>> - observe "secure" in stream states in "lspci" for the rootport and endpoint
>>
>>
>> This is pushed out to
>> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
>>
>> The full "WIP" trees and configs are here:
>> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
>>
>>
>> The previous conversation is here:
>> https://lore.kernel.org/r/20251111063819.4098701-1-aik@amd.com
>> https://lore.kernel.org/r/20250218111017.491719-1-aik@amd.com
>>
>> This is based on sha1
>> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
>>
>> Please comment. Thanks.
> 
> This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
> ack I can queue this for v6.19, but let me know if the timing is too
> tight and this needs to circle around for v6.20.

I had some comments in patches 4 and 5 that I hope would be quick to
clean up.

> 
> Note that if this is deferred then the PCI/TSM core, that has been
> soaking in linux-next [1], will also be deferred as at least one
> consumer needs to go in with the core infrastructure. It is already the
> case that TEE I/O for CCA and TDX have dependencies that will not
> resolve in time for v6.19 merge.
> 
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm.git/log/?h=next
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by dan.j.williams@intel.com 4 hours ago
Tom Lendacky wrote:
[..]
> > 
> > This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
> > ack I can queue this for v6.19, but let me know if the timing is too
> > tight and this needs to circle around for v6.20.
> 
> I had some comments in patches 4 and 5 that I hope would be quick to
> clean up.

Those comments look good, and are significant. If Alexey can do a quick
turnaround on those and I can get them in tsm.git#next before tomorrow
(PST), then maybe a Friday pull is still in the offing. If not, this
will all need to wait for v6.20.
Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on
Posted by Joerg Roedel 5 days, 16 hours ago
On Tue, Nov 25, 2025 at 12:38:56PM -0800, dan.j.williams@intel.com wrote:
> This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
> ack I can queue this for v6.19, but let me know if the timing is too
> tight and this needs to circle around for v6.20.

For the IOMMU parts:

Acked-by: Joerg Roedel <joerg.roedel@amd.com>