linux/drivers/virt/coco
Paolo Bonzini bc9cd5a219 Merge branch 'kvm-6.11-sev-attestation' into HEAD
The GHCB 2.0 specification defines 2 GHCB request types to allow SNP guests
to send encrypted messages/requests to firmware: SNP Guest Requests and SNP
Extended Guest Requests. These encrypted messages are used for things like
servicing attestation requests issued by the guest. Implementing support for
these is required to be fully GHCB-compliant.

For the most part, KVM only needs to handle forwarding these requests to
firmware (to be issued via the SNP_GUEST_REQUEST firmware command defined
in the SEV-SNP Firmware ABI), and then forwarding the encrypted response to
the guest.

However, in the case of SNP Extended Guest Requests, the host is also
able to provide the certificate data corresponding to the endorsement key
used by firmware to sign attestation report requests. This certificate data
is provided by userspace because:

  1) It allows for different keys/key types to be used for each particular
     guest with requiring any sort of KVM API to configure the certificate
     table in advance on a per-guest basis.

  2) It provides additional flexibility with how attestation requests might
     be handled during live migration where the certificate data for
     source/dest might be different.

  3) It allows all synchronization between certificates and firmware/signing
     key updates to be handled purely by userspace rather than requiring
     some in-kernel mechanism to facilitate it. [1]

To support fetching certificate data from userspace, a new KVM exit type will
be needed to handle fetching the certificate from userspace. An attempt to
define a new KVM_EXIT_COCO/KVM_EXIT_COCO_REQ_CERTS exit type to handle this
was introduced in v1 of this patchset, but is still being discussed by
community, so for now this patchset only implements a stub version of SNP
Extended Guest Requests that does not provide certificate data, but is still
enough to provide compliance with the GHCB 2.0 spec.
2024-07-16 11:44:23 -04:00
..
efi_secret virt: efi_secret: Convert to platform remove callback returning void 2024-03-09 11:37:18 +01:00
sev-guest Merge branch 'kvm-6.11-sev-attestation' into HEAD 2024-07-16 11:44:23 -04:00
tdx-guest virt: tdx-guest: Add Quote generation support using TSM_REPORTS 2023-10-19 18:12:00 -07:00
Kconfig configfs-tsm: Introduce a shared ABI for attestation reports 2023-10-19 18:11:38 -07:00
Makefile configfs-tsm: Introduce a shared ABI for attestation reports 2023-10-19 18:11:38 -07:00
tsm.c configfs-tsm: Introduce a shared ABI for attestation reports 2023-10-19 18:11:38 -07:00