mirrors
/
anolis-cloud-kernel
mirror of https://gitee.com/anolis/cloud-kernel.git
8
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
997,550 Commits 49 Branches 204 Tags 3.3 GiB
C 97.7%
Assembly 1.3%
Shell 0.3%
Makefile 0.3%
Python 0.2%
Other 0.1%
Go to file
Dan Williams 66cd42b164 configfs-tsm: Introduce a shared ABI for attestation reports 
ANBZ: #20392

commit 70e6f7e2b9 upstream.

One of the common operations of a TSM (Trusted Security Module) is to
provide a way for a TVM (confidential computing guest execution
environment) to take a measurement of its launch state, sign it and
submit it to a verifying party. Upon successful attestation that
verifies the integrity of the TVM additional secrets may be deployed.
The concept is common across TSMs, but the implementations are
unfortunately vendor specific. While the industry grapples with a common
definition of this attestation format [1], Linux need not make this
problem worse by defining a new ABI per TSM that wants to perform a
similar operation. The current momentum has been to invent new ioctl-ABI
per TSM per function which at best is an abdication of the kernel's
responsibility to make common infrastructure concepts share common ABI.

The proposal, targeted to conceptually work with TDX, SEV-SNP, COVE if
not more, is to define a configfs interface to retrieve the TSM-specific
blob.

    report=/sys/kernel/config/tsm/report/report0
    mkdir $report
    dd if=binary_userdata_plus_nonce > $report/inblob
    hexdump $report/outblob

This approach later allows for the standardization of the attestation
blob format without needing to invent a new ABI. Once standardization
happens the standard format can be emitted by $report/outblob and
indicated by $report/provider, or a new attribute like
"$report/tcg_coco_report" can emit the standard format alongside the
vendor format.

Review of previous iterations of this interface identified that there is
a need to scale report generation for multiple container environments
[2]. Configfs enables a model where each container can bind mount one or
more report generation item instances. Still, within a container only a
single thread can be manipulating a given configuration instance at a
time. A 'generation' count is provided to detect conflicts between
multiple threads racing to configure a report instance.

The SEV-SNP concepts of "extended reports" and "privilege levels" are
optionally enabled by selecting 'tsm_report_ext_type' at register_tsm()
time. The expectation is that those concepts are generic enough that
they may be adopted by other TSM implementations. In other words,
configfs-tsm aims to address a superset of TSM specific functionality
with a common ABI where attributes may appear, or not appear, based on
the set of concepts the implementation supports.

Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1]
Link: http://lore.kernel.org/r/57f3a05e-8fcd-4656-beea-56bb8365ae64@linux.microsoft.com [2]
Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: Dionna Amalie Glaze <dionnaglaze@google.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Samuel Ortiz <sameo@rivosinc.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Zelin Deng <zelin.deng@linux.alibaba.com>
Acked-by: Xuchun Shang <xuchun.shang@linux.alibaba.com>
Link: https://gitee.com/anolis/cloud-kernel/pulls/5060
 		2025-04-16 01:34:16 +00:00
Documentation configfs-tsm: Introduce a shared ABI for attestation reports 2025-04-16 01:34:16 +00:00
LICENSES LICENSES/deprecated: add Zlib license text 2020-09-16 14:33:49 +02:00
anolis anolis: virtio-blk: enable CONFIG_VIRTIO_BLK_RING_PAIR default 2025-03-28 14:53:56 +00:00
arch kbuild: Drop -Wdeclaration-after-statement 2025-04-16 01:34:16 +00:00
block anolis: blk-mq: support dynamic request alloc 2025-03-28 14:53:56 +00:00
certs certs/blacklist_hashes.c: fix const confusion in certs blacklist 2022-06-22 14:13:17 +02:00
crypto KEYS: asymmetric: properly validate hash_algo and encoding 2024-10-22 17:41:35 +08:00
drivers configfs-tsm: Introduce a shared ABI for attestation reports 2025-04-16 01:34:16 +00:00
fs gfs2: Always check inode size of inline inodes 2025-04-08 03:08:55 +00:00
include configfs-tsm: Introduce a shared ABI for attestation reports 2025-04-16 01:34:16 +00:00
init init/main.c: Fix potential static_command_line memory overflow 2024-12-27 08:24:51 +00:00
io_uring anolis: io_uring: fix out-of-bound io_op_defs access in io_init_req 2025-04-09 09:02:53 +00:00
ipc memcg: enable accounting of ipc resources 2023-03-18 02:22:59 +00:00
kernel profiling: fix shift too large makes kernel panic 2025-04-14 13:11:57 +08:00
lib dyndbg: fix old BUG_ON in >control parser 2025-02-05 07:36:47 +00:00
mm anolis: mm: avoid wmark_min_adj throttle due to mem_policy 2025-04-10 09:18:29 +00:00
net netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() 2025-04-14 05:40:15 +00:00
samples vfio/mbochs: Fix close when multiple device FDs are open 2024-11-12 13:28:27 +00:00
scripts locking: Introduce __cleanup() based infrastructure 2025-04-16 01:34:16 +00:00
security security/keys: fix slab-out-of-bounds in key_task_permission 2025-03-27 09:41:10 +00:00
sound ALSA: core: Fix NULL module pointer assignment at card init 2024-12-31 08:58:00 +00:00
tools selftests/bpf: Add test for early update in prog_array_map_poke_run 2025-04-11 03:26:23 +00:00
usr usr/include/Makefile: add linux/nfc.h to the compile-test coverage 2022-02-01 17:25:48 +01:00
virt kvm: add cvm host feature 2024-12-20 04:05:11 +00:00
.clang-format RDMA 5.10 pull request 2020-10-17 11:18:18 -07:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore kbuild: generate Module.symvers only when vmlinux exists 2021-05-19 10:12:59 +02:00
.mailmap mailmap: add two more addresses of Uwe Kleine-König 2020-12-06 10:19:07 -08:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS MAINTAINERS: Move Jason Cooper to CREDITS 2020-11-30 10:20:34 +01:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS configfs-tsm: Introduce a shared ABI for attestation reports 2025-04-16 01:34:16 +00:00
Makefile kbuild: Drop -Wdeclaration-after-statement 2025-04-16 01:34:16 +00:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.