tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'tsm-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm

Pull TSM updates from Dan Williams:
"A couple of updates to the maximum buffer sizes supported for the
configfs-tsm-reports interface.

This interface is a common transport that conveys the varied
architecture specific launch attestation reports for confidential VMs.

- Prepare the configfs-tsm-reports interface for passing larger
attestation evidence blobs for "Device Identifier Composition
Engine" (DICE) and Post Quantum Crypto (PQC)

- Update the tdx-guest driver for DICE evidence (larger certificate
chains and the CBOR Web Token schema)"

* tag 'tsm-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm:
configfs-tsm-report: tdx_guest: Increase Quote buffer size to 128KB
configfs-tsm-report: Increase TSM_REPORT_OUTBLOB_MAX to 16MB
configfs-tsm-report: Document size limits for outblob attributes

Linus Torvalds c4f414be bb7a3fc2

+20 -2
+16
Documentation/ABI/testing/configfs-tsm-report
··· 17 17 where the implementation is conveyed via the @provider 18 18 attribute. 19 19 20 + This interface fails reads and sets errno to EFBIG when the 21 + report generated by @provider exceeds the configfs-tsm-report 22 + internal maximums. Contact the platform provider for the 23 + compatible security module, driver, and attestation library 24 + combination. 25 + 20 26 What: /sys/kernel/config/tsm/report/$name/auxblob 21 27 Date: October, 2023 22 28 KernelVersion: v6.7 ··· 37 31 Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ. 38 32 https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf 39 33 34 + See "EFBIG" comment in the @outblob description for potential 35 + error conditions. 36 + 40 37 What: /sys/kernel/config/tsm/report/$name/manifestblob 41 38 Date: January, 2024 42 39 KernelVersion: v6.10 ··· 51 42 52 43 See 'service_provider' for information on the format of the 53 44 manifest blob. 45 + 46 + See "EFBIG" comment in the @outblob description for potential 47 + error conditions. 54 48 55 49 What: /sys/kernel/config/tsm/report/$name/provider 56 50 Date: September, 2023 ··· 72 60 Primitives : Quote Generation Library and Quote Verification 73 61 Library Revision 0.8 Appendix 4,5 74 62 https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf 63 + 64 + Intel TDX platforms with DICE-based attestation use CBOR Web Token 65 + (CWT) format for the Quote payload. This is indicated by the Quote 66 + size exceeding 8KB. 75 67 76 68 What: /sys/kernel/config/tsm/report/$name/generation 77 69 Date: September, 2023
+3 -1
drivers/virt/coco/tdx-guest/tdx-guest.c
··· 160 160 /* 161 161 * Intel's SGX QE implementation generally uses Quote size less 162 162 * than 8K (2K Quote data + ~5K of certificate blob). 163 + * DICE-based attestation uses layered evidence that requires 164 + * larger Quote size (~100K). 163 165 */ 164 - #define GET_QUOTE_BUF_SIZE SZ_8K 166 + #define GET_QUOTE_BUF_SIZE SZ_128K 165 167 166 168 #define GET_QUOTE_CMD_VER 1 167 169
+1 -1
include/linux/tsm.h
··· 8 8 #include <linux/device.h> 9 9 10 10 #define TSM_REPORT_INBLOB_MAX 64 11 - #define TSM_REPORT_OUTBLOB_MAX SZ_32K 11 + #define TSM_REPORT_OUTBLOB_MAX SZ_16M 12 12 13 13 /* 14 14 * Privilege level is a nested permission concept to allow confidential