linux/Documentation/ABI/testing/configfs-tsm

What:		/sys/kernel/config/tsm/report/$name/inblob
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(WO) Up to 64 bytes of user specified binary data. For replay
		protection this should include a nonce, but the kernel does not
		place any restrictions on the content.

What:		/sys/kernel/config/tsm/report/$name/outblob
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(RO) Binary attestation report generated from @inblob and other
		options The format of the report is implementation specific
		where the implementation is conveyed via the @provider
		attribute.

What:		/sys/kernel/config/tsm/report/$name/auxblob
Date:		October, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(RO) Optional supplemental data that a TSM may emit, visibility
		of this attribute depends on TSM, and may be empty if no
		auxiliary data is available.

		When @provider is "sev_guest" this file contains the
		"cert_table" from SEV-ES Guest-Hypervisor Communication Block
		Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.
		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf

What:		/sys/kernel/config/tsm/report/$name/provider
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(RO) A name for the format-specification of @outblob like
		"sev_guest" [1] or "tdx_guest" [2] in the near term, or a
		common standard format in the future.

		[1]: SEV Secure Nested Paging Firmware ABI Specification
		Revision 1.55 Table 22
		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf

		[2]: Intel® Trust Domain Extensions Data Center Attestation
		Primitives : Quote Generation Library and Quote Verification
		Library Revision 0.8 Appendix 4,5
		https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf

What:		/sys/kernel/config/tsm/report/$name/generation
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(RO) The value in this attribute increments each time @inblob or
		any option is written. Userspace can detect conflicts by
		checking generation before writing to any attribute and making
		sure the number of writes matches expectations after reading
		@outblob, or it can prevent conflicts by creating a report
		instance per requesting context.

What:		/sys/kernel/config/tsm/report/$name/privlevel
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(WO) Attribute is visible if a TSM implementation provider
		supports the concept of attestation reports for TVMs running at
		different privilege levels, like SEV-SNP "VMPL", specify the
		privilege level via this attribute.  The minimum acceptable
		value is conveyed via @privlevel_floor and the maximum
		acceptable value is TSM_PRIVLEVEL_MAX (3).

What:		/sys/kernel/config/tsm/report/$name/privlevel_floor
Date:		September, 2023
KernelVersion:	v6.7
Contact:	linux-coco@lists.linux.dev
Description:
		(RO) Indicates the minimum permissible value that can be written
		to @privlevel.
configfs-tsm: Introduce a shared ABI for attestation reports One of the common operations of a TSM (Trusted Security Module) is to provide a way for a TVM (confidential computing guest execution environment) to take a measurement of its launch state, sign it and submit it to a verifying party. Upon successful attestation that verifies the integrity of the TVM additional secrets may be deployed. The concept is common across TSMs, but the implementations are unfortunately vendor specific. While the industry grapples with a common definition of this attestation format [1], Linux need not make this problem worse by defining a new ABI per TSM that wants to perform a similar operation. The current momentum has been to invent new ioctl-ABI per TSM per function which at best is an abdication of the kernel's responsibility to make common infrastructure concepts share common ABI. The proposal, targeted to conceptually work with TDX, SEV-SNP, COVE if not more, is to define a configfs interface to retrieve the TSM-specific blob. report=/sys/kernel/config/tsm/report/report0 mkdir $report dd if=binary_userdata_plus_nonce > $report/inblob hexdump $report/outblob This approach later allows for the standardization of the attestation blob format without needing to invent a new ABI. Once standardization happens the standard format can be emitted by $report/outblob and indicated by $report/provider, or a new attribute like "$report/tcg_coco_report" can emit the standard format alongside the vendor format. Review of previous iterations of this interface identified that there is a need to scale report generation for multiple container environments [2]. Configfs enables a model where each container can bind mount one or more report generation item instances. Still, within a container only a single thread can be manipulating a given configuration instance at a time. A 'generation' count is provided to detect conflicts between multiple threads racing to configure a report instance. The SEV-SNP concepts of "extended reports" and "privilege levels" are optionally enabled by selecting 'tsm_report_ext_type' at register_tsm() time. The expectation is that those concepts are generic enough that they may be adopted by other TSM implementations. In other words, configfs-tsm aims to address a superset of TSM specific functionality with a common ABI where attributes may appear, or not appear, based on the set of concepts the implementation supports. Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1] Link: http://lore.kernel.org/r/57f3a05e-8fcd-4656-beea-56bb8365ae64@linux.microsoft.com [2] Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Cc: Dionna Amalie Glaze <dionnaglaze@google.com> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Peter Gonda <pgonda@google.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Samuel Ortiz <sameo@rivosinc.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> 2023-09-26 03:13:29 +00:00			`What: /sys/kernel/config/tsm/report/$name/inblob`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(WO) Up to 64 bytes of user specified binary data. For replay`
			`protection this should include a nonce, but the kernel does not`
			`place any restrictions on the content.`

			`What: /sys/kernel/config/tsm/report/$name/outblob`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(RO) Binary attestation report generated from @inblob and other`
			`options The format of the report is implementation specific`
			`where the implementation is conveyed via the @provider`
			`attribute.`

			`What: /sys/kernel/config/tsm/report/$name/auxblob`
			`Date: October, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(RO) Optional supplemental data that a TSM may emit, visibility`
			`of this attribute depends on TSM, and may be empty if no`
			`auxiliary data is available.`

			`When @provider is "sev_guest" this file contains the`
			`"cert_table" from SEV-ES Guest-Hypervisor Communication Block`
			`Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.`
			`https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf`

			`What: /sys/kernel/config/tsm/report/$name/provider`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(RO) A name for the format-specification of @outblob like`
			`"sev_guest" [1] or "tdx_guest" [2] in the near term, or a`
			`common standard format in the future.`

			`[1]: SEV Secure Nested Paging Firmware ABI Specification`
			`Revision 1.55 Table 22`
			`https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf`

			`[2]: Intel® Trust Domain Extensions Data Center Attestation`
			`Primitives : Quote Generation Library and Quote Verification`
			`Library Revision 0.8 Appendix 4,5`
			`https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf`

			`What: /sys/kernel/config/tsm/report/$name/generation`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(RO) The value in this attribute increments each time @inblob or`
			`any option is written. Userspace can detect conflicts by`
			`checking generation before writing to any attribute and making`
			`sure the number of writes matches expectations after reading`
			`@outblob, or it can prevent conflicts by creating a report`
			`instance per requesting context.`

			`What: /sys/kernel/config/tsm/report/$name/privlevel`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(WO) Attribute is visible if a TSM implementation provider`
			`supports the concept of attestation reports for TVMs running at`
			`different privilege levels, like SEV-SNP "VMPL", specify the`
			`privilege level via this attribute. The minimum acceptable`
			`value is conveyed via @privlevel_floor and the maximum`
			`acceptable value is TSM_PRIVLEVEL_MAX (3).`

			`What: /sys/kernel/config/tsm/report/$name/privlevel_floor`
			`Date: September, 2023`
			`KernelVersion: v6.7`
			`Contact: linux-coco@lists.linux.dev`
			`Description:`
			`(RO) Indicates the minimum permissible value that can be written`
			`to @privlevel.`