Michael S. Tsirkin
2021-Sep-30 11:03 UTC
[PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest
On Wed, Sep 29, 2021 at 06:05:09PM -0700, Kuppuswamy Sathyanarayanan wrote:
> Confidential guest platforms like TDX have a requirement to allow
> only trusted devices. By default the confidential-guest core will
> arrange for all devices to default to unauthorized (via
> dev_default_authorization) in device_initialize(). Since virtio
> driver is already hardened against the attack from the un-trusted host,
> override the confidential computing default unauthorized state
>
> Reviewed-by: Dan Williams <dan.j.williams at intel.com>
> Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy at linux.intel.com>

Architecturally this all looks backwards. IIUC nothing about virtio
makes it authorized or trusted. The driver is hardened,
true, but this should be set at the driver not the device level.
And in particular, not all virtio drivers are hardened -
I think at this point blk and scsi drivers have been hardened - so
treating them all the same looks wrong.

> ---
> drivers/virtio/virtio.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
> index 588e02fb91d3..377b0ccdc503 100644
> --- a/drivers/virtio/virtio.c
> +++ b/drivers/virtio/virtio.c
> @@ -5,6 +5,8 @@
> #include <linux/module.h>
> #include <linux/idr.h>
> #include <linux/of.h>
> +#include <linux/cc_platform.h>
> +#include <linux/device.h>
> #include <uapi/linux/virtio_ids.h>
>
> /* Unique numbering for virtio devices. */
> @@ -390,6 +392,13 @@ int register_virtio_device(struct virtio_device *dev)
> dev->config_enabled = false;
> dev->config_change_pending = false;
>
> + /*
> + * For Confidential guest (like TDX), virtio devices are
> + * trusted. So set authorized status as true.
> + */
> + if (cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER))
> + dev->dev.authorized = true;
> +
> /* We always start by resetting the device, in case a previous
> * driver messed it up. This also tests that code path a little. */
> dev->config->reset(dev);
> --
> 2.25.1
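Review bot: in the register_virtio_device() hunk the override `dev->dev.authorized = true` is applied per device, before any driver has been matched, so on a CC_ATTR_GUEST_DEVICE_FILTER guest every virtio device becomes authorized no matter which driver later binds to it; the commit message justifies the override by driver hardening, and the reply above notes that only the blk and scsi drivers have been hardened, so the blanket device-level grant over-authorizes the remaining virtio device types. Suggest leaving the confidential-computing default untouched here and having the hardened drivers opt in at bind time (for example a flag on the virtio driver that the bus checks before probe), or at minimum keying the override on the device IDs those hardened drivers match. The new comment "virtio devices are trusted" also misstates the rationale: the device is still host-controlled, and what the change relies on is the driver's hardening against that host, so reword the comment accordingly.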
Dan Williams
2021-Sep-30 13:36 UTC
[PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest
On Thu, Sep 30, 2021 at 4:03 AM Michael S. Tsirkin <mst at redhat.com> wrote:
>
> On Wed, Sep 29, 2021 at 06:05:09PM -0700, Kuppuswamy Sathyanarayanan wrote:
> > Confidential guest platforms like TDX have a requirement to allow
> > only trusted devices. By default the confidential-guest core will
> > arrange for all devices to default to unauthorized (via
> > dev_default_authorization) in device_initialize(). Since virtio
> > driver is already hardened against the attack from the un-trusted host,
> > override the confidential computing default unauthorized state
> >
> > Reviewed-by: Dan Williams <dan.j.williams at intel.com>
> > Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy at linux.intel.com>
>
> Architecturally this all looks backwards. IIUC nothing about virtio
> makes it authorized or trusted. The driver is hardened,
> true, but this should be set at the driver not the device level.

That was my initial reaction to this proposal as well, and I ended up
leading Sathya astray from what Greg wanted. Greg rightly points out
that the "authorized" attribute from USB and Thunderbolt already exists
[1] [2]. So the choice is to find an awkward way to mix driver trust with
existing bus-local "authorized" mechanisms, or promote the authorized
capability to the driver-core. This patch set implements the latter to
keep the momentum on the already shipping design scheme to not add to
the driver-core maintenance burden.

[1]: https://lore.kernel.org/all/YQuaJ78y8j1UmBoz at kroah.com/
[2]: https://lore.kernel.org/all/YQzF%2FutgrJfbZuHh at kroah.com/

> And in particular, not all virtio drivers are hardened -
> I think at this point blk and scsi drivers have been hardened - so
> treating them all the same looks wrong.

My understanding was that they have been audited, Sathya?
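As an added illustration of the device-level versus driver-level authorization question argued in this thread (example code written for this page, not the patch's code and not kernel code): a userspace model of a confidential guest in which the driver core refuses to probe an unauthorized device. Under the patch's policy every virtio device is authorized in register_virtio_device(); under the alternative Michael describes, the device keeps the confidential-computing default and only a driver flagged as hardened lifts it at bind time. All structs and functions (`cc_platform`, `try_bind`, `bound_mask`, the `hardened` flag) are hypothetical stand-ins, and the assumption that only the blk and scsi drivers are hardened is taken from the reply above, not from the kernel.

```c
/*
 * Added example, not kernel code: a userspace model of the two
 * authorization policies discussed in the thread. Every struct and
 * function here is a hypothetical stand-in for the driver-core
 * "authorized" attribute, register_virtio_device() and the bus
 * match/probe path.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER). */
struct cc_platform {
    bool guest_device_filter;
};

/* Device IDs as numbered in uapi/linux/virtio_ids.h. */
enum { ID_NET = 1, ID_BLOCK = 2, ID_SCSI = 8 };

struct virtio_driver {
    const char *name;
    unsigned int id;   /* virtio device ID the driver matches */
    bool hardened;     /* audited against a malicious host (assumption from the thread) */
};

struct virtio_device {
    const char *name;
    unsigned int id;
    bool authorized;   /* model of dev->dev.authorized */
    const struct virtio_driver *bound;
};

enum policy {
    POLICY_DEVICE_LEVEL,  /* the patch: authorize every virtio device at registration */
    POLICY_DRIVER_LEVEL,  /* alternative: a hardened driver opts its device in at bind */
};

/* device_initialize(): a confidential guest starts every device unauthorized. */
static void device_initialize(struct virtio_device *dev, const struct cc_platform *cc)
{
    dev->authorized = !cc->guest_device_filter;
    dev->bound = NULL;
}

/* register_virtio_device() under the chosen policy. */
static void register_virtio_device(struct virtio_device *dev,
                                   const struct cc_platform *cc, enum policy p)
{
    device_initialize(dev, cc);
    if (p == POLICY_DEVICE_LEVEL && cc->guest_device_filter)
        dev->authorized = true;   /* the blanket override in the patch */
}

/*
 * Bus match plus driver-core probe gate; returns true when the driver binds.
 * Under the driver-level policy only a hardened driver may lift the
 * confidential-guest default; the device-level policy never touches it here.
 */
static bool try_bind(struct virtio_device *dev, const struct virtio_driver *drv,
                     const struct cc_platform *cc, enum policy p)
{
    if (dev->id != drv->id)
        return false;
    if (p == POLICY_DRIVER_LEVEL && cc->guest_device_filter && drv->hardened)
        dev->authorized = true;
    if (!dev->authorized)
        return false;             /* driver core refuses to probe */
    dev->bound = drv;
    return true;
}

static const struct virtio_driver drivers[] = {
    { "virtio_net",  ID_NET,   false },  /* not hardened yet, per the thread */
    { "virtio_blk",  ID_BLOCK, true  },
    { "virtio_scsi", ID_SCSI,  true  },
};

/*
 * Register three constructed devices and return a bitmask of which ones
 * bound: bit0 = net, bit1 = blk, bit2 = scsi. cc_filter models whether
 * the guest is a confidential guest with device filtering enabled.
 */
static unsigned int bound_mask(enum policy p, bool cc_filter)
{
    const struct cc_platform cc = { .guest_device_filter = cc_filter };
    struct virtio_device devs[] = {
        { "net0",  ID_NET,   false, NULL },
        { "blk0",  ID_BLOCK, false, NULL },
        { "scsi0", ID_SCSI,  false, NULL },
    };
    unsigned int mask = 0;

    for (size_t i = 0; i < 3; i++) {
        register_virtio_device(&devs[i], &cc, p);
        for (size_t j = 0; j < 3; j++)
            if (try_bind(&devs[i], &drivers[j], &cc, p))
                mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    printf("CC guest, device-level policy: bound mask 0x%x\n", bound_mask(POLICY_DEVICE_LEVEL, true));
    printf("CC guest, driver-level policy: bound mask 0x%x\n", bound_mask(POLICY_DRIVER_LEVEL, true));
    printf("ordinary guest, either policy:  bound mask 0x%x\n", bound_mask(POLICY_DRIVER_LEVEL, false));
    return 0;
}
```

In the confidential-guest case the device-level policy binds all three devices (mask 0x7), including the unhardened net driver, while the driver-level policy binds only blk and scsi (mask 0x6); outside a confidential guest both policies bind everything, which is the behaviour the patch preserves for non-CC systems.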