[v13,0/3] Add TDX Guest Attestation support

Message ID	20220909192708.1113126-1-sathyanarayanan.kuppuswamy@linux.intel.com
Headers	show Return-Path: <linux-kselftest-owner@kernel.org> From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> To: Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@linux.intel.com>, x86@kernel.org, Shuah Khan <shuah@kernel.org> Cc: "H . Peter Anvin" <hpa@zytor.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, Tony Luck <tony.luck@intel.com>, Andi Kleen <ak@linux.intel.com>, Kai Huang <kai.huang@intel.com>, Wander Lairson Costa <wander@redhat.com>, Isaku Yamahata <isaku.yamahata@gmail.com>, marcelo.cerri@canonical.com, tim.gardner@canonical.com, khalid.elmously@canonical.com, philip.cox@canonical.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-doc@vger.kernel.org Subject: [PATCH v13 0/3] Add TDX Guest Attestation support Date: Fri, 9 Sep 2022 12:27:05 -0700 Message-Id: <20220909192708.1113126-1-sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Add TDX Guest Attestation support \| expand [v13,0/3] Add TDX Guest Attestation support [v13,1/3] x86/tdx: Add TDX Guest attestation interface driver [v13,2/3] selftests: tdx: Test TDX attestation GetReport support [v13,3/3] Documentation/x86: Document TDX attestation process

Message ID

20220909192708.1113126-1-sathyanarayanan.kuppuswamy@linux.intel.com

Headers

From: Kuppuswamy Sathyanarayanan
        <sathyanarayanan.kuppuswamy@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>, x86@kernel.org,
        Shuah Khan <shuah@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kuppuswamy Sathyanarayanan
        <sathyanarayanan.kuppuswamy@linux.intel.com>,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        Tony Luck <tony.luck@intel.com>,
        Andi Kleen <ak@linux.intel.com>,
        Kai Huang <kai.huang@intel.com>,
        Wander Lairson Costa <wander@redhat.com>,
        Isaku Yamahata <isaku.yamahata@gmail.com>,
        marcelo.cerri@canonical.com, tim.gardner@canonical.com,
        khalid.elmously@canonical.com, philip.cox@canonical.com,
        linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-doc@vger.kernel.org
Subject: [PATCH v13 0/3] Add TDX Guest Attestation support
Date: Fri,  9 Sep 2022 12:27:05 -0700
Message-Id: 
 <20220909192708.1113126-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Add TDX Guest Attestation support | expand

Message

Kuppuswamy Sathyanarayanan Sept. 9, 2022, 7:27 p.m. UTC

Hi All,

Intel's Trust Domain Extensions (TDX) protect guest VMs from malicious
hosts and some physical attacks. VM guest with TDX support is called
as a TDX Guest.

In TDX guest, attestation process is used to verify the TDX guest
trustworthiness to other entities before provisioning secrets to the
guest. For example, a key server may request for attestation before
releasing the encryption keys to mount the encrypted rootfs or
secondary drive.

This patch set adds attestation support for the TDX guest. Details
about the TDX attestation process and the steps involved are explained
in the commit log of Patch 1/3 or in Documentation/x86/tdx.rst (added
by patch 3/3).

Following are the details of the patch set:

Patch 1/3 -> Adds TDREPORT support.
Patch 2/3 -> Adds selftest support for TDREPORT feature.
Patch 3/3 -> Add attestation related documentation.

Commit log history is maintained in the individual patches.

Kuppuswamy Sathyanarayanan (3):
  x86/tdx: Add TDX Guest attestation interface driver
  selftests: tdx: Test TDX attestation GetReport support
  Documentation/x86: Document TDX attestation process

 Documentation/x86/tdx.rst                     |  75 +++++++++
 arch/x86/coco/tdx/tdx.c                       | 115 +++++++++++++
 arch/x86/include/uapi/asm/tdx.h               |  56 +++++++
 tools/arch/x86/include/uapi/asm/tdx.h         |  56 +++++++
 tools/testing/selftests/Makefile              |   1 +
 tools/testing/selftests/tdx/Makefile          |  11 ++
 tools/testing/selftests/tdx/config            |   1 +
 tools/testing/selftests/tdx/tdx_attest_test.c | 157 ++++++++++++++++++
 8 files changed, 472 insertions(+)
 create mode 100644 arch/x86/include/uapi/asm/tdx.h
 create mode 100644 tools/arch/x86/include/uapi/asm/tdx.h
 create mode 100644 tools/testing/selftests/tdx/Makefile
 create mode 100644 tools/testing/selftests/tdx/config
 create mode 100644 tools/testing/selftests/tdx/tdx_attest_test.c

Comments

Dave Hansen Sept. 9, 2022, 7:41 p.m. UTC | #1

On 9/9/22 12:27, Kuppuswamy Sathyanarayanan wrote:
> +	u8 reserved[7] = {0};
...
> +	if (!req.reportdata || !req.tdreport || req.subtype ||
> +		req.rpd_len != TDX_REPORTDATA_LEN ||
> +		req.tdr_len != TDX_REPORT_LEN ||
> +		memcmp(req.reserved, reserved, 7))
> +		return -EINVAL;

Huh, so to look for 0's, you:

1. Declare an on-stack structure with a hard coded, magic numbered field
   that has to be zeroed.
2. memcmp() that structure
3. Feed memcmp() with another hard coded magic number

I've gotta ask: did you have any reservations writing this code?  Were
there any alarm bells going off saying that something might be wrong?

Using memcmp() itself is probably forgivable.  But, the two magic
numbers are pretty mortal sins in my book.  What's going to happen the
first moment someone wants to repurpose a reserved byte?  They're going
to do:

-	__u8 reserved[7];
+	__u8 my_new_byte;
+	__u8 reserved[6];

What's going to happen to the code you wrote?  Will it continue to work?
 Or will the memcmp() silently start doing crazy stuff as it overruns
the structure into garbage land?

What's wrong with:

	memchr_inv(&req.reserved, sizeof(req.reserved), 0)

Kuppuswamy Sathyanarayanan Sept. 9, 2022, 8:07 p.m. UTC | #2

On 9/9/22 12:41 PM, Dave Hansen wrote:
> On 9/9/22 12:27, Kuppuswamy Sathyanarayanan wrote:
>> +	u8 reserved[7] = {0};
> ...
>> +	if (!req.reportdata || !req.tdreport || req.subtype ||
>> +		req.rpd_len != TDX_REPORTDATA_LEN ||
>> +		req.tdr_len != TDX_REPORT_LEN ||
>> +		memcmp(req.reserved, reserved, 7))
>> +		return -EINVAL;
> 
> Huh, so to look for 0's, you:
> 
> 1. Declare an on-stack structure with a hard coded, magic numbered field
>    that has to be zeroed.
> 2. memcmp() that structure
> 3. Feed memcmp() with another hard coded magic number
> 
> I've gotta ask: did you have any reservations writing this code?  Were
> there any alarm bells going off saying that something might be wrong?
> 
> Using memcmp() itself is probably forgivable.  But, the two magic
> numbers are pretty mortal sins in my book.  What's going to happen the
> first moment someone wants to repurpose a reserved byte?  They're going
> to do:
> 
> -	__u8 reserved[7];
> +	__u8 my_new_byte;
> +	__u8 reserved[6];
> 
> What's going to happen to the code you wrote?  Will it continue to work?
>  Or will the memcmp() silently start doing crazy stuff as it overruns
> the structure into garbage land?
> 
> What's wrong with:
> 
> 	memchr_inv(&req.reserved, sizeof(req.reserved), 0)

I did not consider the hard coding issue. It is a mistake. Your suggestion
looks better. I will use it.