Re: [PATCH kernel v2 0/5] PCI/TSM: Enabling core infrastructure on

From: Tom Lendacky

Date: Mon Dec 01 2025 - 10:28:22 EST


On 11/25/25 14:38, dan.j.williams@xxxxxxxxx wrote:
> Alexey Kardashevskiy wrote:
>> Here are some patches to begin enabling SEV-TIO on AMD.
>>
>> SEV-TIO allows guests to establish trust in a device that supports TEE
>> Device Interface Security Protocol (TDISP, defined in PCIe r6.0+) and
>> then interact with the device via private memory.
>>
>> In order to streamline the upstreaming process, a common TSM infrastructure
>> is being developed in collaboration with Intel+ARM+RiscV. There is
>> Documentation/driver-api/pci/tsm.rst with proposed phases:
>> 1. IDE: encrypt PCI, host only
>> 2. TDISP: lock + accept flow, host and guest, interface report
>> 3. Enable secure MMIO + DMA: IOMMUFD, KVM changes
>> 4. Device attestation: certificates, measurements
>>
>> This is phase1 == IDE only.
>>
>> SEV TIO spec:
>> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58271.pdf
>>
>> Acronyms:
>> TEE - Trusted Execution Environments, a concept of managing trust
>> between the host and devices
>> TSM - TEE Security Manager (TSM), an entity which ensures security on
>> the host
>> PSP - AMD platform secure processor (also "ASP", "AMD-SP"), acts as TSM
>> on AMD.
>> SEV TIO - the TIO protocol implemented by the PSP and used by the host
>> GHCB - guest/host communication block - a protocol for guest-to-host
>> communication via a shared page
>> TDISP - TEE Device Interface Security Protocol (PCIe).
>>
>>
>> Flow:
>> - Boot host OS, load CCP which registers itself as a TSM
>> - PCI TSM creates sysfs nodes under "tsm" subdirectory in for all
>> TDISP-capable devices
>> - Enable IDE via "echo tsm0 >
>> /sys/bus/pci/devices/0000:e1:00.0/tsm/connect"
>> - observe "secure" in stream states in "lspci" for the rootport and endpoint
>>
>>
>> This is pushed out to
>> https://github.com/AMDESE/linux-kvm/commits/tsm-staging
>>
>> The full "WIP" trees and configs are here:
>> https://github.com/AMDESE/AMDSEV/blob/tsm/stable-commits
>>
>>
>> The previous conversation is here:
>> https://lore.kernel.org/r/20251111063819.4098701-1-aik@xxxxxxx
>> https://lore.kernel.org/r/20250218111017.491719-1-aik@xxxxxxx
>>
>> This is based on sha1
>> f7ae6d4ec652 Dan Williams "PCI/TSM: Add 'dsm' and 'bound' attributes for dependent functions".
>>
>> Please comment. Thanks.
>
> This looks ok to me. If the AMD IOMMU and CCP maintainers can give it an
> ack I can queue this for v6.19, but let me know if the timing is too
> tight and this needs to circle around for v6.20.

I had some comments in patches 4 and 5 that I hope would be quick to
clean up.

>
> Note that if this is deferred then the PCI/TSM core, that has been
> soaking in linux-next [1], will also be deferred as at least one
> consumer needs to go in with the core infrastructure. It is already the
> case that TEE I/O for CCA and TDX have dependencies that will not
> resolve in time for v6.19 merge.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm.git/log/?h=next