[RFC PATCH 19/30] vfio/pci: Add TSM TDI bind/unbind IOCTLs for TEE-IO support
Aneesh Kumar K.V
aneesh.kumar at kernel.org
Thu Jun 5 12:03:52 UTC 2025
Xu Yilun <yilun.xu at linux.intel.com> writes:
> Add new IOCTLs to do TSM based TDI bind/unbind. These IOCTLs are
> expected to be called by userspace when a CoCo VM issues a TDI bind/unbind
> command to the VMM. Specifically for TDX Connect, these commands are
> secure hypervisor calls named GHCI (Guest-Hypervisor Communication
> Interface).
>
> The TSM TDI bind/unbind operations are expected to be initiated by a
> running CoCo VM, which already has the legacy assigned device in place.
> The TSM bind operation requests that the VMM make all secure configurations
> needed for the device to work as a TDI, and then issue TDISP messages to move
> the TDI to the CONFIG_LOCKED or RUN state, waiting for the guest's attestation.
>
> Do TSM Unbind before vfio_pci_core_disable(), otherwise it will lead the
> device to the TDISP ERROR state.
>
> Suggested-by: Jason Gunthorpe <jgg at nvidia.com>
> Signed-off-by: Wu Hao <hao.wu at intel.com>
> Signed-off-by: Xu Yilun <yilun.xu at linux.intel.com>
>
....
> +
> + /* To ensure no host side MMIO access is possible */
> + ret = pci_request_regions_exclusive(pdev, "vfio-pci-tsm");
> + if (ret)
> + goto out_unlock;
> +
>
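Review bot: pci_request_regions_exclusive() on a device that is already assigned (the commit message says the legacy assigned device is already in place) collides with any BAR region reservation the vfio-pci core already holds for the same pdev, and the resulting -EBUSY is propagated to userspace without explanation. Either release the existing non-exclusive reservations before taking the exclusive one, or document the userspace ordering that keeps the BARs unreserved at bind time. The comment "To ensure no host side MMIO access is possible" also overstates what the call does: an exclusive region reservation stops other kernel drivers and /dev/mem from claiming the range, but it does not tear down BAR mappings that userspace already holds through vfio, so the bind path still needs to zap existing user mappings (or state where that happens) for the comment to be true.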
I am hitting failures here with similar changes. Can you share the Qemu
changes needed to make this pci_request_regions_exclusive successful?
Also, after the TDI is unbound, we want the region ownership back to
"vfio-pci" so that things continue to work as a non-secure device. I don't
see us doing that. I could add a pci_bar_deactivate/pci_bar_activate in
userspace which will result in vfio_unmap()/vfio_map(). But that doesn't
release the region ownership.
> + ret = vfio_iommufd_tsm_bind(&vdev->vdev, tsm_bind.vdevice_id);
> + if (ret)
> + goto out_release_region;
> +
> + vdev->is_tsm_bound = true;
> + mutex_unlock(&vdev->vdev.dev_set->lock);
> +
> + return 0;
> +
> +out_release_region:
> + pci_release_regions(pdev);
> +out_unlock:
> + mutex_unlock(&vdev->vdev.dev_set->lock);
> + return ret;
> +}
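Review bot: the unbind counterpart of this success path is missing from the hunk. The exclusive region reservation taken above is released only on the vfio_iommufd_tsm_bind() failure path (pci_release_regions() under out_release_region), so the unbind IOCTL needs a matching pci_release_regions() and is_tsm_bound = false under the same dev_set->lock, otherwise the device cannot return to normal non-secure operation after unbind. Since is_tsm_bound is written here under vdev->vdev.dev_set->lock, the vfio_pci_core_disable() path that the commit message says must run after unbind should read it under that lock as well.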
-aneesh