en Copyright 2015 Java http://172.16.0.5:8080/history/linux-6.15/drivers/virt/coco/Makefile#7999edc4 virt: arm-cca-guest: TSM_REPORT support for realmsIntroduce an arm-cca-guest driver that registers withthe configfs-tsm module to provide user interfaces forretrieving an attestation token.When a new report is requested the arm-cca-guest driverinvokes the appropriate RSI interfaces to query anattestation token.The steps to retrieve an attestation token are as follows: 1. Mount the configfs filesystem if not already mounted mount -t configfs none /sys/kernel/config 2. Generate an attestation token report=/sys/kernel/config/tsm/report/report0 mkdir $report dd if=/dev/urandom bs=64 count=1 > $report/inblob hexdump -C $report/outblob rmdir $reportSigned-off-by: Sami Mujawar <sami.mujawar@arm.com>Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>Signed-off-by: Steven Price <steven.price@arm.com>Reviewed-by: Gavin Shan <gshan@redhat.com>Link: https://lore.kernel.org/r/20241017131434.40935-11-steven.price@arm.comSigned-off-by: Catalin Marinas <catalin.marinas@arm.com> List of files: /linux-6.15/drivers/virt/coco/Makefile Thu, 17 Oct 2024 13:14:33 +0000 Sami Mujawar <sami.mujawar@arm.com> http://172.16.0.5:8080/history/linux-6.15/drivers/virt/coco/Makefile#a06c3fad drivers/virt: pkvm: Add initial support for running as a protected guestImplement a pKVM protected guest driver to probe the presence of pKVMand determine the memory protection granule using the HYP_MEMINFOhypercall.Acked-by: Marc Zyngier <maz@kernel.org>Link: https://lore.kernel.org/r/20240830130150.8568-3-will@kernel.orgSigned-off-by: Will Deacon <will@kernel.org> List of files: /linux-6.15/drivers/virt/coco/Makefile Fri, 30 Aug 2024 13:01:45 +0000 Will Deacon <will@kernel.org> http://172.16.0.5:8080/history/linux-6.15/drivers/virt/coco/Makefile#70e6f7e2 configfs-tsm: Introduce a shared ABI for attestation reportsOne of the common operations of a TSM (Trusted Security Module) is toprovide a way for a TVM (confidential computing guest executionenvironment) to take a measurement of its launch state, sign it andsubmit it to a verifying party. Upon successful attestation thatverifies the integrity of the TVM additional secrets may be deployed.The concept is common across TSMs, but the implementations areunfortunately vendor specific. While the industry grapples with a commondefinition of this attestation format [1], Linux need not make thisproblem worse by defining a new ABI per TSM that wants to perform asimilar operation. The current momentum has been to invent new ioctl-ABIper TSM per function which at best is an abdication of the kernel'sresponsibility to make common infrastructure concepts share common ABI.The proposal, targeted to conceptually work with TDX, SEV-SNP, COVE ifnot more, is to define a configfs interface to retrieve the TSM-specificblob. report=/sys/kernel/config/tsm/report/report0 mkdir $report dd if=binary_userdata_plus_nonce > $report/inblob hexdump $report/outblobThis approach later allows for the standardization of the attestationblob format without needing to invent a new ABI. Once standardizationhappens the standard format can be emitted by $report/outblob andindicated by $report/provider, or a new attribute like"$report/tcg_coco_report" can emit the standard format alongside thevendor format.Review of previous iterations of this interface identified that there isa need to scale report generation for multiple container environments[2]. Configfs enables a model where each container can bind mount one ormore report generation item instances. Still, within a container only asingle thread can be manipulating a given configuration instance at atime. A 'generation' count is provided to detect conflicts betweenmultiple threads racing to configure a report instance.The SEV-SNP concepts of "extended reports" and "privilege levels" areoptionally enabled by selecting 'tsm_report_ext_type' at register_tsm()time. The expectation is that those concepts are generic enough thatthey may be adopted by other TSM implementations. In other words,configfs-tsm aims to address a superset of TSM specific functionalitywith a common ABI where attributes may appear, or not appear, based onthe set of concepts the implementation supports.Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1]Link: http://lore.kernel.org/r/57f3a05e-8fcd-4656-beea-56bb8365ae64@linux.microsoft.com [2]Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>Cc: Dionna Amalie Glaze <dionnaglaze@google.com>Cc: James Bottomley <James.Bottomley@HansenPartnership.com>Cc: Peter Gonda <pgonda@google.com>Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>Cc: Samuel Ortiz <sameo@rivosinc.com>Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>Acked-by: Thomas Gleixner <tglx@linutronix.de>Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>Signed-off-by: Dan Williams <dan.j.williams@intel.com> List of files: /linux-6.15/drivers/virt/coco/Makefile Tue, 26 Sep 2023 03:13:29 +0000 Dan Williams <dan.j.williams@intel.com> http://172.16.0.5:8080/history/linux-6.15/drivers/virt/coco/Makefile#ec51ffcf virt: coco: Add a coco/Makefile and coco/KconfigIn preparation for adding another coco build target, relievedrivers/virt/Makefile of the responsibility to track new compilationunit additions to drivers/virt/coco/, and do the same fordrivers/virt/Kconfig.Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>Signed-off-by: Dan Williams <dan.j.williams@intel.com> List of files: /linux-6.15/drivers/virt/coco/Makefile Sun, 13 Aug 2023 00:21:00 +0000 Dan Williams <dan.j.williams@intel.com>