coco/tsm: Introduce a core device for TEE Security Managers

A "TSM" is a platform component that provides an API for securely
provisioning resources for a confidential guest (TVM) to consume. The
name originates from the PCI specification for platform agent that
carries out operations for PCIe TDISP (TEE Device Interface Security
Protocol).

Instances of this core device are parented by a device representing the
platform security function like CONFIG_CRYPTO_DEV_CCP or
CONFIG_INTEL_TDX_HOST.

This device interface is a frontend to the aspects of a TSM and TEE I/O
that are cross-architecture common. This includes mechanisms like
enumerating available platform TEE I/O capabilities and provisioning
connections between the platform TSM and device DSMs (Device Security
Manager (TDISP)).

For now this is just the scaffolding for registering a TSM device sysfs
interface.

Cc: Xu Yilun <yilun.xu@linux.intel.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Co-developed-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Alexey Kardashevskiy <aik@amd.com>
Link: https://patch.msgid.link/20251031212902.2256310-2-dan.j.williams@intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>

diff --git a/Documentation/ABI/testing/sysfs-class-tsm b/Documentation/ABI/testing/sysfs-class-tsm
new file mode 100644 (file)
index 0000000..2949468
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-class-tsm
@@ -0,0 +1,9 @@
+What:          /sys/class/tsm/tsmN
+Contact:       linux-coco@lists.linux.dev
+Description:
+               "tsmN" is a device that represents the generic attributes of a
+               platform TEE Security Manager.  It is typically a child of a
+               platform enumerated TSM device. /sys/class/tsm/tsmN/uevent
+               signals when the PCI layer is able to support establishment of
+               link encryption and other device-security features coordinated
+               through a platform tsm.

diff --git a/MAINTAINERS b/MAINTAINERS
index 46bd8e0330421d0db8ef251e09ce5b7c03b40094..b8c9929532ed8a2ba02ed12cee5ea944bdb32dba 100644 (file)
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -26112,7 +26112,7 @@ M:      David Lechner <dlechner@baylibre.com>
 S:     Maintained
 F:     Documentation/devicetree/bindings/trigger-source/*
 
-TRUSTED SECURITY MODULE (TSM) INFRASTRUCTURE
+TRUSTED EXECUTION ENVIRONMENT SECURITY MANAGER (TSM)
 M:     Dan Williams <dan.j.williams@intel.com>
 L:     linux-coco@lists.linux.dev
 S:     Maintained

diff --git a/drivers/virt/coco/Kconfig b/drivers/virt/coco/Kconfig
index 819a97e8ba994ecd941be764a683405e7a51688f..bb0c6d6ddcc8d708158f4bb7ee68ced6391aa1ee 100644 (file)
--- a/drivers/virt/coco/Kconfig
+++ b/drivers/virt/coco/Kconfig
@@ -14,3 +14,6 @@ source "drivers/virt/coco/tdx-guest/Kconfig"
 source "drivers/virt/coco/arm-cca-guest/Kconfig"
 
 source "drivers/virt/coco/guest/Kconfig"
+
+config TSM
+       bool

diff --git a/drivers/virt/coco/Makefile b/drivers/virt/coco/Makefile
index f918bbb61737598561366e128e3e6247e399d6d4..cb52021912b34e39bc32dab36b3562078386e14a 100644 (file)
--- a/drivers/virt/coco/Makefile
+++ b/drivers/virt/coco/Makefile
@@ -7,4 +7,5 @@ obj-$(CONFIG_ARM_PKVM_GUEST)    += pkvm-guest/
 obj-$(CONFIG_SEV_GUEST)                += sev-guest/
 obj-$(CONFIG_INTEL_TDX_GUEST)  += tdx-guest/
 obj-$(CONFIG_ARM_CCA_GUEST)    += arm-cca-guest/
+obj-$(CONFIG_TSM)              += tsm-core.o
 obj-$(CONFIG_TSM_GUEST)                += guest/

diff --git a/drivers/virt/coco/tsm-core.c b/drivers/virt/coco/tsm-core.c
new file mode 100644 (file)
index 0000000..347507c
--- /dev/null
+++ b/drivers/virt/coco/tsm-core.c
@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright(c) 2024-2025 Intel Corporation. All rights reserved. */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/tsm.h>
+#include <linux/rwsem.h>
+#include <linux/device.h>
+#include <linux/module.h>
+#include <linux/cleanup.h>
+
+static struct class *tsm_class;
+static DECLARE_RWSEM(tsm_rwsem);
+static DEFINE_IDA(tsm_ida);
+
+static struct tsm_dev *alloc_tsm_dev(struct device *parent)
+{
+       struct device *dev;
+       int id;
+
+       struct tsm_dev *tsm_dev __free(kfree) =
+               kzalloc(sizeof(*tsm_dev), GFP_KERNEL);
+       if (!tsm_dev)
+               return ERR_PTR(-ENOMEM);
+
+       id = ida_alloc(&tsm_ida, GFP_KERNEL);
+       if (id < 0)
+               return ERR_PTR(id);
+
+       tsm_dev->id = id;
+       dev = &tsm_dev->dev;
+       dev->parent = parent;
+       dev->class = tsm_class;
+       device_initialize(dev);
+
+       return no_free_ptr(tsm_dev);
+}
+
+struct tsm_dev *tsm_register(struct device *parent)
+{
+       struct tsm_dev *tsm_dev __free(put_tsm_dev) = alloc_tsm_dev(parent);
+       struct device *dev;
+       int rc;
+
+       if (IS_ERR(tsm_dev))
+               return tsm_dev;
+
+       dev = &tsm_dev->dev;
+       rc = dev_set_name(dev, "tsm%d", tsm_dev->id);
+       if (rc)
+               return ERR_PTR(rc);
+
+       rc = device_add(dev);
+       if (rc)
+               return ERR_PTR(rc);
+
+       return no_free_ptr(tsm_dev);
+}
+EXPORT_SYMBOL_GPL(tsm_register);
+
+void tsm_unregister(struct tsm_dev *tsm_dev)
+{
+       device_unregister(&tsm_dev->dev);
+}
+EXPORT_SYMBOL_GPL(tsm_unregister);
+
+static void tsm_release(struct device *dev)
+{
+       struct tsm_dev *tsm_dev = container_of(dev, typeof(*tsm_dev), dev);
+
+       ida_free(&tsm_ida, tsm_dev->id);
+       kfree(tsm_dev);
+}
+
+static int __init tsm_init(void)
+{
+       tsm_class = class_create("tsm");
+       if (IS_ERR(tsm_class))
+               return PTR_ERR(tsm_class);
+
+       tsm_class->dev_release = tsm_release;
+       return 0;
+}
+module_init(tsm_init)
+
+static void __exit tsm_exit(void)
+{
+       class_destroy(tsm_class);
+}
+module_exit(tsm_exit)
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("TEE Security Manager Class Device");

diff --git a/include/linux/tsm.h b/include/linux/tsm.h
index 431054810dca4e89dc26aecfffe3b17c4d4dafb8..cd97c63ffa3256d6f0157cf4aa28c6044c1c4545 100644 (file)
--- a/include/linux/tsm.h
+++ b/include/linux/tsm.h
@@ -5,6 +5,7 @@
 #include <linux/sizes.h>
 #include <linux/types.h>
 #include <linux/uuid.h>
+#include <linux/device.h>
 
 #define TSM_REPORT_INBLOB_MAX 64
 #define TSM_REPORT_OUTBLOB_MAX SZ_32K
@@ -107,6 +108,16 @@ struct tsm_report_ops {
        bool (*report_bin_attr_visible)(int n);
 };
 
+struct tsm_dev {
+       struct device dev;
+       int id;
+};
+
+DEFINE_FREE(put_tsm_dev, struct tsm_dev *,
+           if (!IS_ERR_OR_NULL(_T)) put_device(&_T->dev))
+
 int tsm_report_register(const struct tsm_report_ops *ops, void *priv);
 int tsm_report_unregister(const struct tsm_report_ops *ops);
+struct tsm_dev *tsm_register(struct device *parent);
+void tsm_unregister(struct tsm_dev *tsm_dev);
 #endif /* __TSM_H */