ACK: [SRU][K][PATCH v2 0/6] new TDX attestation driver from Intel

Khaled Elmously khalid.elmously at canonical.com
Thu Mar 9 05:16:33 UTC 2023 

On 2023-03-07 11:35:07 , Andrea Righi wrote:
> BugLink: https://bugs.launchpad.net/bugs/2009437
> 
> [Impact]
> 
> TDX guest attestation has been merged as SAUCE patches in the kinetic
> kernel with the following commits:
> 
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=285d6d8136ebadcee7fd6452b9e4223996a2a0af
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=0b78a71c7d7630ab7c3c8a03cbe4f78f1361fb45
> 
> However, Intel released a new TDX attestation driver that will be
> submitted upstream. We should align with the new version that will
> likely end upstream.
> 
> See also LP: #1971027
> 
> [Test case]
> 
> Testing this feature requires a special hardware in the host, special
> firmware and special configuration of a guest.
> 
> Right now it can only be tested by Intel.
> 
> [Fix]
> 
> Apply the new driver provided by Intel in LP: #1971027.
> 
> [Regression potential]
> 
> The new driver can potentially break user-space applications that are
> relying on the TDX attestation feature. This is because of this struct
> (used in the user-space/kernel communication, via ioctl):
> 
> + * Used in TDX_CMD_GET_REPORT IOCTL request.
> + */
> +struct tdx_report_req {
> + __u8 subtype;
> + __u64 reportdata;
> + __u32 rpd_len;
> + __u64 tdreport;
> + __u32 tdr_len;
> +};
> 
> The new patch changed the struct as following:
> 
> +struct tdx_report_req {
> + __u8 reportdata[TDX_REPORTDATA_LEN];
> + __u8 tdreport[TDX_REPORT_LEN];
> +};
> 
> In general we should never apply changes that are breaking user-space
> like this (especially for non-devel kernels), but realistically we can
> probably say that nobody is using this feature yet, so nobody has any
> user-space program that is relying on the old struct (and if they do,
> they're probably in touch with Intel, so they're aware of this change).
> 
> In conclusion, this change should be considered pretty safe, despite the
> potential user-space brekage.
> 
> ChangeLog v1 -> v2:
>  - add proper cherry picked / backported lines for upstream commits
> 
> ----------------------------------------------------------------
> Andrea Righi (3):
>       Revert "UBUNTU: SAUCE: selftests: tdx: Test GetReport TDX attestation feature"
>       Revert "UBUNTU: SAUCE: x86/tdx: Add TDX Guest attestation interface driver"
>       UBUNTU: [Config] enable TDX attestation driver as module by default
> 
> Kuppuswamy Sathyanarayanan (3):
>       x86/tdx: Add a wrapper to get TDREPORT0 from the TDX Module
>       virt: Add TDX guest driver
>       selftests/tdx: Test TDX attestation GetReport support
> 
>  Documentation/virt/coco/tdx-guest.rst         |  52 ++++++++
>  Documentation/virt/index.rst                  |   1 +
>  Documentation/x86/tdx.rst                     |  43 +++++++
>  arch/x86/coco/tdx/tdx.c                       | 151 ++++++------------------
>  arch/x86/include/asm/tdx.h                    |   2 +
>  arch/x86/include/uapi/asm/tdx.h               |  51 --------
>  debian.master/config/annotations              |   3 +
>  debian.master/config/config.common.ubuntu     |   1 +
>  drivers/virt/Kconfig                          |   2 +
>  drivers/virt/Makefile                         |   1 +
>  drivers/virt/coco/tdx-guest/Kconfig           |  10 ++
>  drivers/virt/coco/tdx-guest/Makefile          |   2 +
>  drivers/virt/coco/tdx-guest/tdx-guest.c       | 102 ++++++++++++++++
>  include/uapi/linux/tdx-guest.h                |  42 +++++++
>  tools/arch/x86/include/uapi/asm/tdx.h         |  51 --------
>  tools/testing/selftests/tdx/Makefile          |   8 +-
>  tools/testing/selftests/tdx/config            |   2 +-
>  tools/testing/selftests/tdx/tdx_attest_test.c | 156 ------------------------
>  tools/testing/selftests/tdx/tdx_guest_test.c  | 163 ++++++++++++++++++++++++++
>  19 files changed, 464 insertions(+), 379 deletions(-)
>  create mode 100644 Documentation/virt/coco/tdx-guest.rst
>  delete mode 100644 arch/x86/include/uapi/asm/tdx.h
>  create mode 100644 drivers/virt/coco/tdx-guest/Kconfig
>  create mode 100644 drivers/virt/coco/tdx-guest/Makefile
>  create mode 100644 drivers/virt/coco/tdx-guest/tdx-guest.c
>  create mode 100644 include/uapi/linux/tdx-guest.h
>  delete mode 100644 tools/arch/x86/include/uapi/asm/tdx.h
>  delete mode 100644 tools/testing/selftests/tdx/tdx_attest_test.c
>  create mode 100644 tools/testing/selftests/tdx/tdx_guest_test.c
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Khalid Elmously <khalid.elmously at canonical.com>

More information about the kernel-team mailing list