configfs-tsm: Introduce a shared ABI for attestation reports

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

One of the common operations of a TSM (Trusted Security Module) is to
provide a way for a TVM (confidential computing guest execution
environment) to take a measurement of its launch state, sign it and
submit it to a verifying party. Upon successful attestation that
verifies the integrity of the TVM additional secrets may be deployed.
The concept is common across TSMs, but the implementations are
unfortunately vendor specific. While the industry grapples with a common
definition of this attestation format [1], Linux need not make this
problem worse by defining a new ABI per TSM that wants to perform a
similar operation. The current momentum has been to invent new ioctl-ABI
per TSM per function which at best is an abdication of the kernel's
responsibility to make common infrastructure concepts share common ABI.

The proposal, targeted to conceptually work with TDX, SEV-SNP, COVE if
not more, is to define a configfs interface to retrieve the TSM-specific
blob.

report=/sys/kernel/config/tsm/report/report0
mkdir $report
dd if=binary_userdata_plus_nonce > $report/inblob
hexdump $report/outblob

This approach later allows for the standardization of the attestation
blob format without needing to invent a new ABI. Once standardization
happens the standard format can be emitted by $report/outblob and
indicated by $report/provider, or a new attribute like
"$report/tcg_coco_report" can emit the standard format alongside the
vendor format.

Review of previous iterations of this interface identified that there is
a need to scale report generation for multiple container environments
[2]. Configfs enables a model where each container can bind mount one or
more report generation item instances. Still, within a container only a
single thread can be manipulating a given configuration instance at a
time. A 'generation' count is provided to detect conflicts between
multiple threads racing to configure a report instance.

The SEV-SNP concepts of "extended reports" and "privilege levels" are
optionally enabled by selecting 'tsm_report_ext_type' at register_tsm()
time. The expectation is that those concepts are generic enough that
they may be adopted by other TSM implementations. In other words,
configfs-tsm aims to address a superset of TSM specific functionality
with a common ABI where attributes may appear, or not appear, based on
the set of concepts the implementation supports.

Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1]
Link: http://lore.kernel.org/r/57f3a05e-8fcd-4656-beea-56bb8365ae64@linux.microsoft.com [2]
Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: Dionna Amalie Glaze <dionnaglaze@google.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Samuel Ortiz <sameo@rivosinc.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Dan Williams 2 years ago 70e6f7e2 ec51ffcf

+590

6 changed files

expand all

Documentation

ABI

testing

configfs-tsm

MAINTAINERS

drivers

virt

coco

Kconfig

Makefile

tsm.c

include

linux

tsm.h

+82

Documentation/ABI/testing/configfs-tsm

··· 1 + What: /sys/kernel/config/tsm/report/$name/inblob 2 + Date: September, 2023 3 + KernelVersion: v6.7 4 + Contact: linux-coco@lists.linux.dev 5 + Description: 6 + (WO) Up to 64 bytes of user specified binary data. For replay 7 + protection this should include a nonce, but the kernel does not 8 + place any restrictions on the content. 9 + 10 + What: /sys/kernel/config/tsm/report/$name/outblob 11 + Date: September, 2023 12 + KernelVersion: v6.7 13 + Contact: linux-coco@lists.linux.dev 14 + Description: 15 + (RO) Binary attestation report generated from @inblob and other 16 + options The format of the report is implementation specific 17 + where the implementation is conveyed via the @provider 18 + attribute. 19 + 20 + What: /sys/kernel/config/tsm/report/$name/auxblob 21 + Date: October, 2023 22 + KernelVersion: v6.7 23 + Contact: linux-coco@lists.linux.dev 24 + Description: 25 + (RO) Optional supplemental data that a TSM may emit, visibility 26 + of this attribute depends on TSM, and may be empty if no 27 + auxiliary data is available. 28 + 29 + When @provider is "sev_guest" this file contains the 30 + "cert_table" from SEV-ES Guest-Hypervisor Communication Block 31 + Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ. 32 + https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf 33 + 34 + What: /sys/kernel/config/tsm/report/$name/provider 35 + Date: September, 2023 36 + KernelVersion: v6.7 37 + Contact: linux-coco@lists.linux.dev 38 + Description: 39 + (RO) A name for the format-specification of @outblob like 40 + "sev_guest" [1] or "tdx_guest" [2] in the near term, or a 41 + common standard format in the future. 42 + 43 + [1]: SEV Secure Nested Paging Firmware ABI Specification 44 + Revision 1.55 Table 22 45 + https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf 46 + 47 + [2]: Intel® Trust Domain Extensions Data Center Attestation 48 + Primitives : Quote Generation Library and Quote Verification 49 + Library Revision 0.8 Appendix 4,5 50 + https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf 51 + 52 + What: /sys/kernel/config/tsm/report/$name/generation 53 + Date: September, 2023 54 + KernelVersion: v6.7 55 + Contact: linux-coco@lists.linux.dev 56 + Description: 57 + (RO) The value in this attribute increments each time @inblob or 58 + any option is written. Userspace can detect conflicts by 59 + checking generation before writing to any attribute and making 60 + sure the number of writes matches expectations after reading 61 + @outblob, or it can prevent conflicts by creating a report 62 + instance per requesting context. 63 + 64 + What: /sys/kernel/config/tsm/report/$name/privlevel 65 + Date: September, 2023 66 + KernelVersion: v6.7 67 + Contact: linux-coco@lists.linux.dev 68 + Description: 69 + (WO) Attribute is visible if a TSM implementation provider 70 + supports the concept of attestation reports for TVMs running at 71 + different privilege levels, like SEV-SNP "VMPL", specify the 72 + privilege level via this attribute. The minimum acceptable 73 + value is conveyed via @privlevel_floor and the maximum 74 + acceptable value is TSM_PRIVLEVEL_MAX (3). 75 + 76 + What: /sys/kernel/config/tsm/report/$name/privlevel_floor 77 + Date: September, 2023 78 + KernelVersion: v6.7 79 + Contact: linux-coco@lists.linux.dev 80 + Description: 81 + (RO) Indicates the minimum permissible value that can be written 82 + to @privlevel.

MAINTAINERS

··· 21889 21889 T: git git://github.com/srcres258/linux-doc.git doc-zh-tw 21890 21890 F: Documentation/translations/zh_TW/ 21891 21891 21892 + TRUSTED SECURITY MODULE (TSM) ATTESTATION REPORTS 21893 + M: Dan Williams <dan.j.williams@intel.com> 21894 + L: linux-coco@lists.linux.dev 21895 + S: Maintained 21896 + F: Documentation/ABI/testing/configfs-tsm 21897 + F: drivers/virt/coco/tsm.c 21898 + F: include/linux/tsm.h 21899 + 21892 21900 TTY LAYER AND SERIAL DRIVERS 21893 21901 M: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 21894 21902 M: Jiri Slaby <jirislaby@kernel.org>

drivers/virt/coco/Kconfig

··· 2 2 # 3 3 # Confidential computing related collateral 4 4 # 5 + 6 + config TSM_REPORTS 7 + select CONFIGFS_FS 8 + tristate 9 + 5 10 source "drivers/virt/coco/efi_secret/Kconfig" 6 11 7 12 source "drivers/virt/coco/sev-guest/Kconfig"

drivers/virt/coco/Makefile

··· 2 2 # 3 3 # Confidential computing related collateral 4 4 # 5 + obj-$(CONFIG_TSM_REPORTS) += tsm.o 5 6 obj-$(CONFIG_EFI_SECRET) += efi_secret/ 6 7 obj-$(CONFIG_SEV_GUEST) += sev-guest/ 7 8 obj-$(CONFIG_INTEL_TDX_GUEST) += tdx-guest/

+425

drivers/virt/coco/tsm.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-only 2 + /* Copyright(c) 2023 Intel Corporation. All rights reserved. */ 3 + 4 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 5 + 6 + #include <linux/tsm.h> 7 + #include <linux/err.h> 8 + #include <linux/slab.h> 9 + #include <linux/rwsem.h> 10 + #include <linux/string.h> 11 + #include <linux/module.h> 12 + #include <linux/cleanup.h> 13 + #include <linux/configfs.h> 14 + 15 + static struct tsm_provider { 16 + const struct tsm_ops *ops; 17 + const struct config_item_type *type; 18 + void *data; 19 + } provider; 20 + static DECLARE_RWSEM(tsm_rwsem); 21 + 22 + /** 23 + * DOC: Trusted Security Module (TSM) Attestation Report Interface 24 + * 25 + * The TSM report interface is a common provider of blobs that facilitate 26 + * attestation of a TVM (confidential computing guest) by an attestation 27 + * service. A TSM report combines a user-defined blob (likely a public-key with 28 + * a nonce for a key-exchange protocol) with a signed attestation report. That 29 + * combined blob is then used to obtain secrets provided by an agent that can 30 + * validate the attestation report. The expectation is that this interface is 31 + * invoked infrequently, however configfs allows for multiple agents to 32 + * own their own report generation instances to generate reports as 33 + * often as needed. 34 + * 35 + * The attestation report format is TSM provider specific, when / if a standard 36 + * materializes that can be published instead of the vendor layout. Until then 37 + * the 'provider' attribute indicates the format of 'outblob', and optionally 38 + * 'auxblob'. 39 + */ 40 + 41 + struct tsm_report_state { 42 + struct tsm_report report; 43 + unsigned long write_generation; 44 + unsigned long read_generation; 45 + struct config_item cfg; 46 + }; 47 + 48 + enum tsm_data_select { 49 + TSM_REPORT, 50 + TSM_CERTS, 51 + }; 52 + 53 + static struct tsm_report *to_tsm_report(struct config_item *cfg) 54 + { 55 + struct tsm_report_state *state = 56 + container_of(cfg, struct tsm_report_state, cfg); 57 + 58 + return &state->report; 59 + } 60 + 61 + static struct tsm_report_state *to_state(struct tsm_report *report) 62 + { 63 + return container_of(report, struct tsm_report_state, report); 64 + } 65 + 66 + static int try_advance_write_generation(struct tsm_report *report) 67 + { 68 + struct tsm_report_state *state = to_state(report); 69 + 70 + lockdep_assert_held_write(&tsm_rwsem); 71 + 72 + /* 73 + * Malicious or broken userspace has written enough times for 74 + * read_generation == write_generation by modular arithmetic without an 75 + * interim read. Stop accepting updates until the current report 76 + * configuration is read. 77 + */ 78 + if (state->write_generation == state->read_generation - 1) 79 + return -EBUSY; 80 + state->write_generation++; 81 + return 0; 82 + } 83 + 84 + static ssize_t tsm_report_privlevel_store(struct config_item *cfg, 85 + const char *buf, size_t len) 86 + { 87 + struct tsm_report *report = to_tsm_report(cfg); 88 + unsigned int val; 89 + int rc; 90 + 91 + rc = kstrtouint(buf, 0, &val); 92 + if (rc) 93 + return rc; 94 + 95 + /* 96 + * The valid privilege levels that a TSM might accept, if it accepts a 97 + * privilege level setting at all, are a max of TSM_PRIVLEVEL_MAX (see 98 + * SEV-SNP GHCB) and a minimum of a TSM selected floor value no less 99 + * than 0. 100 + */ 101 + if (provider.ops->privlevel_floor > val || val > TSM_PRIVLEVEL_MAX) 102 + return -EINVAL; 103 + 104 + guard(rwsem_write)(&tsm_rwsem); 105 + rc = try_advance_write_generation(report); 106 + if (rc) 107 + return rc; 108 + report->desc.privlevel = val; 109 + 110 + return len; 111 + } 112 + CONFIGFS_ATTR_WO(tsm_report_, privlevel); 113 + 114 + static ssize_t tsm_report_privlevel_floor_show(struct config_item *cfg, 115 + char *buf) 116 + { 117 + guard(rwsem_read)(&tsm_rwsem); 118 + return sysfs_emit(buf, "%u\n", provider.ops->privlevel_floor); 119 + } 120 + CONFIGFS_ATTR_RO(tsm_report_, privlevel_floor); 121 + 122 + static ssize_t tsm_report_inblob_write(struct config_item *cfg, 123 + const void *buf, size_t count) 124 + { 125 + struct tsm_report *report = to_tsm_report(cfg); 126 + int rc; 127 + 128 + guard(rwsem_write)(&tsm_rwsem); 129 + rc = try_advance_write_generation(report); 130 + if (rc) 131 + return rc; 132 + 133 + report->desc.inblob_len = count; 134 + memcpy(report->desc.inblob, buf, count); 135 + return count; 136 + } 137 + CONFIGFS_BIN_ATTR_WO(tsm_report_, inblob, NULL, TSM_INBLOB_MAX); 138 + 139 + static ssize_t tsm_report_generation_show(struct config_item *cfg, char *buf) 140 + { 141 + struct tsm_report *report = to_tsm_report(cfg); 142 + struct tsm_report_state *state = to_state(report); 143 + 144 + guard(rwsem_read)(&tsm_rwsem); 145 + return sysfs_emit(buf, "%lu\n", state->write_generation); 146 + } 147 + CONFIGFS_ATTR_RO(tsm_report_, generation); 148 + 149 + static ssize_t tsm_report_provider_show(struct config_item *cfg, char *buf) 150 + { 151 + guard(rwsem_read)(&tsm_rwsem); 152 + return sysfs_emit(buf, "%s\n", provider.ops->name); 153 + } 154 + CONFIGFS_ATTR_RO(tsm_report_, provider); 155 + 156 + static ssize_t __read_report(struct tsm_report *report, void *buf, size_t count, 157 + enum tsm_data_select select) 158 + { 159 + loff_t offset = 0; 160 + ssize_t len; 161 + u8 *out; 162 + 163 + if (select == TSM_REPORT) { 164 + out = report->outblob; 165 + len = report->outblob_len; 166 + } else { 167 + out = report->auxblob; 168 + len = report->auxblob_len; 169 + } 170 + 171 + /* 172 + * Recall that a NULL @buf is configfs requesting the size of 173 + * the buffer. 174 + */ 175 + if (!buf) 176 + return len; 177 + return memory_read_from_buffer(buf, count, &offset, out, len); 178 + } 179 + 180 + static ssize_t read_cached_report(struct tsm_report *report, void *buf, 181 + size_t count, enum tsm_data_select select) 182 + { 183 + struct tsm_report_state *state = to_state(report); 184 + 185 + guard(rwsem_read)(&tsm_rwsem); 186 + if (!report->desc.inblob_len) 187 + return -EINVAL; 188 + 189 + /* 190 + * A given TSM backend always fills in ->outblob regardless of 191 + * whether the report includes an auxblob or not. 192 + */ 193 + if (!report->outblob || 194 + state->read_generation != state->write_generation) 195 + return -EWOULDBLOCK; 196 + 197 + return __read_report(report, buf, count, select); 198 + } 199 + 200 + static ssize_t tsm_report_read(struct tsm_report *report, void *buf, 201 + size_t count, enum tsm_data_select select) 202 + { 203 + struct tsm_report_state *state = to_state(report); 204 + const struct tsm_ops *ops; 205 + ssize_t rc; 206 + 207 + /* try to read from the existing report if present and valid... */ 208 + rc = read_cached_report(report, buf, count, select); 209 + if (rc >= 0 || rc != -EWOULDBLOCK) 210 + return rc; 211 + 212 + /* slow path, report may need to be regenerated... */ 213 + guard(rwsem_write)(&tsm_rwsem); 214 + ops = provider.ops; 215 + if (!ops) 216 + return -ENOTTY; 217 + if (!report->desc.inblob_len) 218 + return -EINVAL; 219 + 220 + /* did another thread already generate this report? */ 221 + if (report->outblob && 222 + state->read_generation == state->write_generation) 223 + goto out; 224 + 225 + kvfree(report->outblob); 226 + kvfree(report->auxblob); 227 + report->outblob = NULL; 228 + report->auxblob = NULL; 229 + rc = ops->report_new(report, provider.data); 230 + if (rc < 0) 231 + return rc; 232 + state->read_generation = state->write_generation; 233 + out: 234 + return __read_report(report, buf, count, select); 235 + } 236 + 237 + static ssize_t tsm_report_outblob_read(struct config_item *cfg, void *buf, 238 + size_t count) 239 + { 240 + struct tsm_report *report = to_tsm_report(cfg); 241 + 242 + return tsm_report_read(report, buf, count, TSM_REPORT); 243 + } 244 + CONFIGFS_BIN_ATTR_RO(tsm_report_, outblob, NULL, TSM_OUTBLOB_MAX); 245 + 246 + static ssize_t tsm_report_auxblob_read(struct config_item *cfg, void *buf, 247 + size_t count) 248 + { 249 + struct tsm_report *report = to_tsm_report(cfg); 250 + 251 + return tsm_report_read(report, buf, count, TSM_CERTS); 252 + } 253 + CONFIGFS_BIN_ATTR_RO(tsm_report_, auxblob, NULL, TSM_OUTBLOB_MAX); 254 + 255 + #define TSM_DEFAULT_ATTRS() \ 256 + &tsm_report_attr_generation, \ 257 + &tsm_report_attr_provider 258 + 259 + static struct configfs_attribute *tsm_report_attrs[] = { 260 + TSM_DEFAULT_ATTRS(), 261 + NULL, 262 + }; 263 + 264 + static struct configfs_attribute *tsm_report_extra_attrs[] = { 265 + TSM_DEFAULT_ATTRS(), 266 + &tsm_report_attr_privlevel, 267 + &tsm_report_attr_privlevel_floor, 268 + NULL, 269 + }; 270 + 271 + #define TSM_DEFAULT_BIN_ATTRS() \ 272 + &tsm_report_attr_inblob, \ 273 + &tsm_report_attr_outblob 274 + 275 + static struct configfs_bin_attribute *tsm_report_bin_attrs[] = { 276 + TSM_DEFAULT_BIN_ATTRS(), 277 + NULL, 278 + }; 279 + 280 + static struct configfs_bin_attribute *tsm_report_bin_extra_attrs[] = { 281 + TSM_DEFAULT_BIN_ATTRS(), 282 + &tsm_report_attr_auxblob, 283 + NULL, 284 + }; 285 + 286 + static void tsm_report_item_release(struct config_item *cfg) 287 + { 288 + struct tsm_report *report = to_tsm_report(cfg); 289 + struct tsm_report_state *state = to_state(report); 290 + 291 + kvfree(report->auxblob); 292 + kvfree(report->outblob); 293 + kfree(state); 294 + } 295 + 296 + static struct configfs_item_operations tsm_report_item_ops = { 297 + .release = tsm_report_item_release, 298 + }; 299 + 300 + const struct config_item_type tsm_report_default_type = { 301 + .ct_owner = THIS_MODULE, 302 + .ct_bin_attrs = tsm_report_bin_attrs, 303 + .ct_attrs = tsm_report_attrs, 304 + .ct_item_ops = &tsm_report_item_ops, 305 + }; 306 + EXPORT_SYMBOL_GPL(tsm_report_default_type); 307 + 308 + const struct config_item_type tsm_report_extra_type = { 309 + .ct_owner = THIS_MODULE, 310 + .ct_bin_attrs = tsm_report_bin_extra_attrs, 311 + .ct_attrs = tsm_report_extra_attrs, 312 + .ct_item_ops = &tsm_report_item_ops, 313 + }; 314 + EXPORT_SYMBOL_GPL(tsm_report_extra_type); 315 + 316 + static struct config_item *tsm_report_make_item(struct config_group *group, 317 + const char *name) 318 + { 319 + struct tsm_report_state *state; 320 + 321 + guard(rwsem_read)(&tsm_rwsem); 322 + if (!provider.ops) 323 + return ERR_PTR(-ENXIO); 324 + 325 + state = kzalloc(sizeof(*state), GFP_KERNEL); 326 + if (!state) 327 + return ERR_PTR(-ENOMEM); 328 + 329 + config_item_init_type_name(&state->cfg, name, provider.type); 330 + return &state->cfg; 331 + } 332 + 333 + static struct configfs_group_operations tsm_report_group_ops = { 334 + .make_item = tsm_report_make_item, 335 + }; 336 + 337 + static const struct config_item_type tsm_reports_type = { 338 + .ct_owner = THIS_MODULE, 339 + .ct_group_ops = &tsm_report_group_ops, 340 + }; 341 + 342 + static const struct config_item_type tsm_root_group_type = { 343 + .ct_owner = THIS_MODULE, 344 + }; 345 + 346 + static struct configfs_subsystem tsm_configfs = { 347 + .su_group = { 348 + .cg_item = { 349 + .ci_namebuf = "tsm", 350 + .ci_type = &tsm_root_group_type, 351 + }, 352 + }, 353 + .su_mutex = __MUTEX_INITIALIZER(tsm_configfs.su_mutex), 354 + }; 355 + 356 + int tsm_register(const struct tsm_ops *ops, void *priv, 357 + const struct config_item_type *type) 358 + { 359 + const struct tsm_ops *conflict; 360 + 361 + if (!type) 362 + type = &tsm_report_default_type; 363 + if (!(type == &tsm_report_default_type || type == &tsm_report_extra_type)) 364 + return -EINVAL; 365 + 366 + guard(rwsem_write)(&tsm_rwsem); 367 + conflict = provider.ops; 368 + if (conflict) { 369 + pr_err("\"%s\" ops already registered\n", conflict->name); 370 + return -EBUSY; 371 + } 372 + 373 + provider.ops = ops; 374 + provider.data = priv; 375 + provider.type = type; 376 + return 0; 377 + } 378 + EXPORT_SYMBOL_GPL(tsm_register); 379 + 380 + int tsm_unregister(const struct tsm_ops *ops) 381 + { 382 + guard(rwsem_write)(&tsm_rwsem); 383 + if (ops != provider.ops) 384 + return -EBUSY; 385 + provider.ops = NULL; 386 + provider.data = NULL; 387 + provider.type = NULL; 388 + return 0; 389 + } 390 + EXPORT_SYMBOL_GPL(tsm_unregister); 391 + 392 + static struct config_group *tsm_report_group; 393 + 394 + static int __init tsm_init(void) 395 + { 396 + struct config_group *root = &tsm_configfs.su_group; 397 + struct config_group *tsm; 398 + int rc; 399 + 400 + config_group_init(root); 401 + rc = configfs_register_subsystem(&tsm_configfs); 402 + if (rc) 403 + return rc; 404 + 405 + tsm = configfs_register_default_group(root, "report", 406 + &tsm_reports_type); 407 + if (IS_ERR(tsm)) { 408 + configfs_unregister_subsystem(&tsm_configfs); 409 + return PTR_ERR(tsm); 410 + } 411 + tsm_report_group = tsm; 412 + 413 + return 0; 414 + } 415 + module_init(tsm_init); 416 + 417 + static void __exit tsm_exit(void) 418 + { 419 + configfs_unregister_default_group(tsm_report_group); 420 + configfs_unregister_subsystem(&tsm_configfs); 421 + } 422 + module_exit(tsm_exit); 423 + 424 + MODULE_LICENSE("GPL"); 425 + MODULE_DESCRIPTION("Provide Trusted Security Module attestation reports via configfs");

+69

include/linux/tsm.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + #ifndef __TSM_H 3 + #define __TSM_H 4 + 5 + #include <linux/sizes.h> 6 + #include <linux/types.h> 7 + 8 + #define TSM_INBLOB_MAX 64 9 + #define TSM_OUTBLOB_MAX SZ_32K 10 + 11 + /* 12 + * Privilege level is a nested permission concept to allow confidential 13 + * guests to partition address space, 4-levels are supported. 14 + */ 15 + #define TSM_PRIVLEVEL_MAX 3 16 + 17 + /** 18 + * struct tsm_desc - option descriptor for generating tsm report blobs 19 + * @privlevel: optional privilege level to associate with @outblob 20 + * @inblob_len: sizeof @inblob 21 + * @inblob: arbitrary input data 22 + */ 23 + struct tsm_desc { 24 + unsigned int privlevel; 25 + size_t inblob_len; 26 + u8 inblob[TSM_INBLOB_MAX]; 27 + }; 28 + 29 + /** 30 + * struct tsm_report - track state of report generation relative to options 31 + * @desc: input parameters to @report_new() 32 + * @outblob_len: sizeof(@outblob) 33 + * @outblob: generated evidence to provider to the attestation agent 34 + * @auxblob_len: sizeof(@auxblob) 35 + * @auxblob: (optional) auxiliary data to the report (e.g. certificate data) 36 + */ 37 + struct tsm_report { 38 + struct tsm_desc desc; 39 + size_t outblob_len; 40 + u8 *outblob; 41 + size_t auxblob_len; 42 + u8 *auxblob; 43 + }; 44 + 45 + /** 46 + * struct tsm_ops - attributes and operations for tsm instances 47 + * @name: tsm id reflected in /sys/kernel/config/tsm/report/$report/provider 48 + * @privlevel_floor: convey base privlevel for nested scenarios 49 + * @report_new: Populate @report with the report blob and auxblob 50 + * (optional), return 0 on successful population, or -errno otherwise 51 + * 52 + * Implementation specific ops, only one is expected to be registered at 53 + * a time i.e. only one of "sev-guest", "tdx-guest", etc. 54 + */ 55 + struct tsm_ops { 56 + const char *name; 57 + const unsigned int privlevel_floor; 58 + int (*report_new)(struct tsm_report *report, void *data); 59 + }; 60 + 61 + extern const struct config_item_type tsm_report_default_type; 62 + 63 + /* publish @privlevel, @privlevel_floor, and @auxblob attributes */ 64 + extern const struct config_item_type tsm_report_extra_type; 65 + 66 + int tsm_register(const struct tsm_ops *ops, void *priv, 67 + const struct config_item_type *type); 68 + int tsm_unregister(const struct tsm_ops *ops); 69 + #endif /* __TSM_H */