980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
This is a dependent commit for the series of patches to add the AMD SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but not support for the critical component for boot integrity that follows the SEV-SNP threat model. That series https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/ is applied at tip but is not yet in the mainline.
I have confirmed that this patch applies cleanly. Stefano's patch series needs a minor tweak to the first patch due to the changed surrounding function declarations in arch/x86/include/asm/sev.h https://github.com/deeglaze/amdese-linux/commits/vtpm612/ I've independently tested the patches.
On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
> This is a dependent commit for the series of patches to add the AMD SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but not support for the critical component for boot integrity that follows the SEV-SNP threat model. That series https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/ is applied at tip but is not yet in the mainline.

How does this fix a bug in these stable branches now?

> I have confirmed that this patch applies cleanly. Stefano's patch series needs a minor tweak to the first patch due to the changed surrounding function declarations in arch/x86/include/asm/sev.h https://github.com/deeglaze/amdese-linux/commits/vtpm612/ I've independently tested the patches.

Have you read the stable kernel rules text?

totally confused,

greg k-h
On Thu, May 1, 2025 at 11:04 AM Greg KH gregkh@linuxfoundation.org wrote:
> On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> > 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
> > This is a dependent commit for the series of patches to add the AMD SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but not support for the critical component for boot integrity that follows the SEV-SNP threat model. That series https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/ is applied at tip but is not yet in the mainline.
>
> How does this fix a bug in these stable branches now?

I find that the inability to use the main purpose of SVSM support for trusted boot integrity is a security bug according to the SEV-SNP threat model. This is a dependency already in mainline for the support patches mentioned below. If you prefer to submit them all together, then ignore this.

> > I have confirmed that this patch applies cleanly. Stefano's patch series needs a minor tweak to the first patch due to the changed surrounding function declarations in arch/x86/include/asm/sev.h https://github.com/deeglaze/amdese-linux/commits/vtpm612/ I've independently tested the patches.
>
> Have you read the stable kernel rules text?

Yes, though admittedly I'm looking for a generous read. I haven't yet proposed those patches for stable because I'm waiting for them to make their way through tip to get to the mainline.

> totally confused,

Not my intent. This is my first time proposing a change to stable, so apologies if I got it wrong.

> greg k-h
On Thu, May 01, 2025 at 01:06:34PM -0700, Dionna Amalie Glaze wrote:
> On Thu, May 1, 2025 at 11:04 AM Greg KH gregkh@linuxfoundation.org wrote:
> > On Thu, May 01, 2025 at 09:48:59AM -0700, Dionna Amalie Glaze wrote:
> > > 980a573621ea ("tpm: Make chip->{status,cancel,req_canceled} opt")
> > > This is a dependent commit for the series of patches to add the AMD SEV-SNP SVSM vTPM device driver. Kernel 6.11 added SVSM support, but not support for the critical component for boot integrity that follows the SEV-SNP threat model. That series https://lore.kernel.org/all/20250410135118.133240-1-sgarzare@redhat.com/ is applied at tip but is not yet in the mainline.
> >
> > How does this fix a bug in these stable branches now?
>
> I find that the inability to use the main purpose of SVSM support for trusted boot integrity is a security bug according to the SEV-SNP threat model.

That is a new feature, sorry. Just use new kernel versions if you wish to have this.

greg k-h