[SPR] TDX attestation driver enabling

Priority 2 (Attestation): TDX Enable attestation driver in x86. Target 5.20. Needs backport to Ubuntu 22.10
(Tracking submission: https://lore.kernel<email address hidden>/#t)

Any update or feedback?

Some comments after a quick review:

 1) Patches are missing an upstream reference (link, git repo, etc.)? In this way we can verify if patches have been posted upstream, if they've got a review, etc. (this is not critical, because I see that a link to the upstream thread has been posted in comment #1, so the link can be added when the patches are applied)

 2) Is there a dependency between this patch set and the other TDX-related patch set? (https://bugs.launchpad.net/intel/+bug/1971028)

 3) As I mentioned in the other LP tracker (1971028) also this patch set seems to be still in a development state, especially reading some comments in the upstream thread it looks like the kernel ABI isn't still defined yet (e.g., discussion about using ioctl() vs sysfs interface), or core implementation details, like using DMA vs CMA vs swiotlb memory for allocations). Usually we tend to accept patches that have been already "approved" upstream (merged in a git repository or at least ACK-ed completely, so they're not subject to big changes or big refactoring, especially in the kernel ABI.

1) Thanks for your correction and i will follow this rule to submit future patches.
2) No, this one is an independent patch set.
   But this patch(https://bugs.launchpad.net/intel/+bug/1971028) will be some minor
code dependency with current one(https://bugs.launchpad.net/intel/+bug/1971027).
3) For current two patch set, what's your suggestion for me to follow up and make
sure the work to keep moving forward?
Thanks for your comments!

@huzhiming100 IMHO the best would be setup a public git repository based on our latest kinetic:linux kernel (https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic).

Then you can periodically apply and push new versions of these patch sets there and ping us (here or by sending an email to our kernel mailing list <email address hidden>) when new versions are available. And ideally the commits should have a reference to the upstream email thread or a reference to an upstream git repository (once they are accepted upstream).

In this way we can easily monitor the progress of these patch sets and respond quickly with our review.

Regarding the code itself ideally we would like to receive patch sets in a more "stable" state, meaning that at least patches have been Acked-by some upstream maintainers. In this way we don't expect to see big changes in the kernel ABI or big code refactoring that would make our maintenance a little problematic.

I think all of the above would strongly speed up the process of getting these two patch set applied to our Ubuntu kernels.

And if you have any doubt or something that I wrote is not clear feel free to ask any question.

Thanks!

@arighi, thanks for the detail clarification and good advice.
I will get back your advice to our internal program manager who is responsible for engaging with Ubuntu.

@arighi, according to Intel-Canonical syncing meeting for TDX enabling on last Wednesday, TDX lazy accept is target for Ubuntu 22.10.
could you please help to review the refresh version?
According to your previous suggestions:
1) change base repo to your latest kinetic:
base repo: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic
base branch: master-next
2) list out upstream reference:
https://lore.kernel<email address hidden>/#r

Test log is attached.

upstream changed to 6.2, but backporting will be still on.

This patch set has been applied to kinetic:linux (5.19) and kinetic:linux-unstable (6.0). It is now part of the Ubuntu kernel in 22.10.

Hi,

The status of the patches is being tracked via the following public bug report: bug 1988120.

It looks like the most recent upstream submission of the TDX attestation driver has some changes that can potentially break user-space applications that are relying on this feature.

In particular:

 1) device renamed from /dev/tdx-guest to /dev/tdx_guest

 2) members inside struct tdx_report_req has been shuffled a bit to prevent holes

We can either move forward and apply the same changes, but 2 seems a bit dangerous, because it may break user-space in a bad way.

If doable, a better possibility would be to drop the TDX attestation driver support from the generic kernel, then merge the whole TDX support (both attestation driver and the lazy accept patch) in the Azure kernel for now (or the cloud kernels that are considering to start using this feature) and when things will settle generic will get the same changes from Azure (or any other cloud kernel with the TDX patches).

Opinions?

For your concern and suggestion, we already raise it to our management and project level.
They will try to align with Canonical in project level for your mentioned concern.
Thanks!

@Andrea

The patches are applied to tip/tdx branch.

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/tdx&id=6c8c1406a6d6a3f2e61ac590f5c0994231bc6be7

The base kernel for the back port should be: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/log/?h=master-next

The attachment "Intel TDX guest attestation driver enabling" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Remove the downstream patch firstly:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=285d6d8136ebadcee7fd6452b9e4223996a2a0af
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=0b78a71c7d7630ab7c3c8a03cbe4f78f1361fb45

Then apply the upstream patch, build and selftest with pass result.

TDX guest boot up log.

Host log for self test sample.

Feature delivered in Ubuntu 23.04 (kernel 6.2) with the upstream patches (no SAUCE patches). Feature available in Ubuntu 22.04 via the HWE 6.2 kernel.