bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 14:53:58 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
3eda936f2a6fc3cd40ff6943179b63e8d781a9b0
linux/Documentation/ABI/testing/configfs-tsm-report
Kuppuswamy Sathyanarayanan 43185067c6 configfs-tsm-report: tdx_guest: Increase Quote buffer size to 128KB 
Intel platforms are transitioning from traditional SGX-based
attestation toward DICE-based attestation as part of a broader move
toward open and standardized attestation models. DICE enables layered
and extensible attestation, where evidence is accumulated across
multiple boot stages.

With SGX-based attestation, Quote sizes are typically under 8KB, as the
payload consists primarily of Quote data and a small certificate bundle.
Existing TDX guest code sizes the Quote buffer accordingly.

DICE-based attestation produces significantly larger Quotes due to the
inclusion of evidence (certificate chains) from multiple boot layers.
The cumulative Quote size can reach approximately 100KB.

Increase GET_QUOTE_BUF_SIZE to 128KB to ensure sufficient buffer
capacity for DICE-based Quote payloads.

Reviewed-by: Fang Peter <peter.fang@intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Link: https://patch.msgid.link/20260211001712.1531955-4-sathyanarayanan.kuppuswamy@linux.intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2026-02-10 18:24:09 -08:00

162 lines
6.2 KiB
Plaintext
Raw Blame History

What: /sys/kernel/config/tsm/report/$name/inblob
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(WO) Up to 64 bytes of user specified binary data. For replay
protection this should include a nonce, but the kernel does not
place any restrictions on the content.
What: /sys/kernel/config/tsm/report/$name/outblob
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(RO) Binary attestation report generated from @inblob and other
options The format of the report is implementation specific
where the implementation is conveyed via the @provider
attribute.
This interface fails reads and sets errno to EFBIG when the
report generated by @provider exceeds the configfs-tsm-report
internal maximums. Contact the platform provider for the
compatible security module, driver, and attestation library
combination.
What: /sys/kernel/config/tsm/report/$name/auxblob
Date: October, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(RO) Optional supplemental data that a TSM may emit, visibility
of this attribute depends on TSM, and may be empty if no
auxiliary data is available.
When @provider is "sev_guest" this file contains the
"cert_table" from SEV-ES Guest-Hypervisor Communication Block
Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
See "EFBIG" comment in the @outblob description for potential
error conditions.
What: /sys/kernel/config/tsm/report/$name/manifestblob
Date: January, 2024
KernelVersion: v6.10
Contact: linux-coco@lists.linux.dev
Description:
(RO) Optional supplemental data that a TSM may emit, visibility
of this attribute depends on TSM, and may be empty if no
manifest data is available.
See 'service_provider' for information on the format of the
manifest blob.
See "EFBIG" comment in the @outblob description for potential
error conditions.
What: /sys/kernel/config/tsm/report/$name/provider
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(RO) A name for the format-specification of @outblob like
"sev_guest" [1] or "tdx_guest" [2] in the near term, or a
common standard format in the future.
[1]: SEV Secure Nested Paging Firmware ABI Specification
Revision 1.55 Table 22
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf
[2]: Intel® Trust Domain Extensions Data Center Attestation
Primitives : Quote Generation Library and Quote Verification
Library Revision 0.8 Appendix 4,5
https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf
Intel TDX platforms with DICE-based attestation use CBOR Web Token
(CWT) format for the Quote payload. This is indicated by the Quote
size exceeding 8KB.
What: /sys/kernel/config/tsm/report/$name/generation
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(RO) The value in this attribute increments each time @inblob or
any option is written. Userspace can detect conflicts by
checking generation before writing to any attribute and making
sure the number of writes matches expectations after reading
@outblob, or it can prevent conflicts by creating a report
instance per requesting context.
What: /sys/kernel/config/tsm/report/$name/privlevel
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(WO) Attribute is visible if a TSM implementation provider
supports the concept of attestation reports for TVMs running at
different privilege levels, like SEV-SNP "VMPL", specify the
privilege level via this attribute. The minimum acceptable
value is conveyed via @privlevel_floor and the maximum
acceptable value is TSM_PRIVLEVEL_MAX (3).
What: /sys/kernel/config/tsm/report/$name/privlevel_floor
Date: September, 2023
KernelVersion: v6.7
Contact: linux-coco@lists.linux.dev
Description:
(RO) Indicates the minimum permissible value that can be written
to @privlevel.
What: /sys/kernel/config/tsm/report/$name/service_provider
Date: January, 2024
KernelVersion: v6.10
Contact: linux-coco@lists.linux.dev
Description:
(WO) Attribute is visible if a TSM implementation provider
supports the concept of attestation reports from a service
provider for TVMs, like SEV-SNP running under an SVSM.
Specifying the service provider via this attribute will create
an attestation report as specified by the service provider.
The only currently supported service provider is "svsm".
For the "svsm" service provider, see the Secure VM Service Module
for SEV-SNP Guests v1.00 Section 7. For the doc, search for
"site:amd.com "Secure VM Service Module for SEV-SNP
Guests", docID: 58019"
What: /sys/kernel/config/tsm/report/$name/service_guid
Date: January, 2024
KernelVersion: v6.10
Contact: linux-coco@lists.linux.dev
Description:
(WO) Attribute is visible if a TSM implementation provider
supports the concept of attestation reports from a service
provider for TVMs, like SEV-SNP running under an SVSM.
Specifying an empty/null GUID (00000000-0000-0000-0000-000000)
requests all active services within the service provider be
part of the attestation report. Specifying a GUID request
an attestation report of just the specified service using the
manifest form specified by the service_manifest_version
attribute.
See 'service_provider' for information on the format of the
service guid.
What: /sys/kernel/config/tsm/report/$name/service_manifest_version
Date: January, 2024
KernelVersion: v6.10
Contact: linux-coco@lists.linux.dev
Description:
(WO) Attribute is visible if a TSM implementation provider
supports the concept of attestation reports from a service
provider for TVMs, like SEV-SNP running under an SVSM.
Indicates the service manifest version requested for the
attestation report (default 0). If this field is not set by
the user, the default manifest version of the service (the
service's initial/first manifest version) is returned.
See 'service_provider' for information on the format of the
service manifest version.
Reference in New Issue View Git Blame Copy Permalink