[PATCH 0/7] PCI/TSM: TEE I/O infrastructure

The PCI/TSM core has two users. The first, the VMM, uses the core for
physical link security and secure session establishment. That session is a
transport for managing all the assignable interfaces of a device, "TDIs".
Once a TDI is assigned to a TVM, the second user of the PCI/TSM core makes
requests to transition a TDI from UNLOCKED to LOCKED, and LOCKED to RUN.
That setup needs to be coordinated with device driver attach and MMIO + DMA
setup.

Add the support to lock and accept a device into a TVM / Trusted Execution
Environment (TEE).

See "PCI/TSM: Add Device Security (TVM Guest) operations support" for the
bulk of the infrastructure. See "device core: Introduce confidential device
acceptance" for a modest proposal on new device-core machinery for
coordinating a device's transition into the TEE.

The incremental "link TSM" / VMM side infrastructure in this set, "PCI/TSM:
Add pci_tsm_{bind,unbind}() methods for instantiating TDIs" and "PCI/TSM:
Add pci_tsm_guest_req() for managing TDIs" is not exercised by
samples/devsec/, but Aneesh asked that I include them anyway. All other
functionality has a samples/devsec/ consumer. The simple smoke test I used
to verify the mechanics is included in tools/testing/devsec/devsec.sh.

This set is available at tsm.git#staging (rebasing branch) or
tsm.git#devsec-20250826 (immutable tag). It passes a basic smoke test
that exercises load/unload of the samples/devsec/ modules and
lock/accept/unlock of the emulated device.

Dan Williams (7):
  PCI/TSM: Add pci_tsm_{bind,unbind}() methods for instantiating TDIs
  PCI/TSM: Add pci_tsm_guest_req() for managing TDIs
  device core: Introduce confidential device acceptance
  x86/ioremap, resource: Introduce IORES_DESC_ENCRYPTED for encrypted
    PCI MMIO
  PCI/TSM: Add Device Security (TVM Guest) operations support
  samples/devsec: Introduce a "Device Security TSM" sample driver
  tools/testing/devsec: Add a script to exercise samples/devsec/

 Documentation/ABI/testing/sysfs-bus-pci   |  46 +-
 Documentation/ABI/testing/sysfs-class-tsm |  19 +
 arch/x86/mm/ioremap.c                     |  32 +-
 drivers/base/Kconfig                      |   4 +
 drivers/base/Makefile                     |   1 +
 drivers/base/base.h                       |   5 +
 drivers/base/coco.c                       |  96 ++++
 drivers/pci/Kconfig                       |   2 +
 drivers/pci/tsm.c                         | 513 +++++++++++++++++++++-
 drivers/virt/coco/tsm-core.c              |  41 ++
 include/linux/device.h                    |  29 ++
 include/linux/ioport.h                    |   2 +
 include/linux/pci-tsm.h                   | 106 ++++-
 samples/devsec/Makefile                   |   6 +
 samples/devsec/pci.c                      |  43 ++
 samples/devsec/tsm.c                      |  99 +++++
 tools/testing/devsec/devsec.sh            | 138 ++++++
 17 files changed, 1161 insertions(+), 21 deletions(-)
 create mode 100644 drivers/base/coco.c
 create mode 100644 samples/devsec/pci.c
 create mode 100644 samples/devsec/tsm.c
 create mode 100755 tools/testing/devsec/devsec.sh


base-commit: 4de43c0eb5d83004edf891b974371572e3815126



