Merge tag 'tsm-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm

Pull TSM updates from Dan Williams:
 "A couple of updates to the maximum buffer sizes supported for the
  configfs-tsm-reports interface.

  This interface is a common transport that conveys the varied
  architecture specific launch attestation reports for confidential VMs.

   - Prepare the configfs-tsm-reports interface for passing larger
     attestation evidence blobs for "Device Identifier Composition
     Engine" (DICE) and Post Quantum Crypto (PQC)

   - Update the tdx-guest driver for DICE evidence (larger certificate
     chains and the CBOR Web Token schema)"

* tag 'tsm-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm:
  configfs-tsm-report: tdx_guest: Increase Quote buffer size to 128KB
  configfs-tsm-report: Increase TSM_REPORT_OUTBLOB_MAX to 16MB
  configfs-tsm-report: Document size limits for outblob attributes

3 files changed, 20 insertions, 2 deletions

diff --git a/Documentation/ABI/testing/configfs-tsm-report b/Documentation/ABI/testing/configfs-tsm-report
index 534408bc1408..7a6a5045a7d5 100644
--- a/Documentation/ABI/testing/configfs-tsm-report
+++ b/Documentation/ABI/testing/configfs-tsm-report
@@ -17,6 +17,12 @@ Description:
 		where the implementation is conveyed via the @provider
 		attribute.
 
+		This interface fails reads and sets errno to EFBIG when the
+		report generated by @provider exceeds the configfs-tsm-report
+		internal maximums. Contact the platform provider for the
+		compatible security module, driver, and attestation library
+		combination.
+
 What:		/sys/kernel/config/tsm/report/$name/auxblob
 Date:		October, 2023
 KernelVersion:	v6.7
@@ -31,6 +37,9 @@ Description:
 		Standardization v2.03 Section 4.1.8.1 MSG_REPORT_REQ.
 		https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
 
+		See "EFBIG" comment in the @outblob description for potential
+		error conditions.
+
 What:		/sys/kernel/config/tsm/report/$name/manifestblob
 Date:		January, 2024
 KernelVersion:	v6.10
@@ -43,6 +52,9 @@ Description:
 		See 'service_provider' for information on the format of the
 		manifest blob.
 
+		See "EFBIG" comment in the @outblob description for potential
+		error conditions.
+
 What:		/sys/kernel/config/tsm/report/$name/provider
 Date:		September, 2023
 KernelVersion:	v6.7
@@ -61,6 +73,10 @@ Description:
 		Library Revision 0.8 Appendix 4,5
 		https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf
 
+		Intel TDX platforms with DICE-based attestation use CBOR Web Token
+		(CWT) format for the Quote payload. This is indicated by the Quote
+		size exceeding 8KB.
+
 What:		/sys/kernel/config/tsm/report/$name/generation
 Date:		September, 2023
 KernelVersion:	v6.7
diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index 4e239ec960c9..4252b147593a 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -160,8 +160,10 @@ static void tdx_mr_deinit(const struct attribute_group *mr_grp)
 /*
  * Intel's SGX QE implementation generally uses Quote size less
  * than 8K (2K Quote data + ~5K of certificate blob).
+ * DICE-based attestation uses layered evidence that requires
+ * larger Quote size (~100K).
  */
-#define GET_QUOTE_BUF_SIZE		SZ_8K
+#define GET_QUOTE_BUF_SIZE		SZ_128K
 
 #define GET_QUOTE_CMD_VER		1
 
diff --git a/include/linux/tsm.h b/include/linux/tsm.h
index 22e05b2aac69..381c53244c83 100644
--- a/include/linux/tsm.h
+++ b/include/linux/tsm.h
@@ -8,7 +8,7 @@
 #include <linux/device.h>
 
 #define TSM_REPORT_INBLOB_MAX 64
-#define TSM_REPORT_OUTBLOB_MAX SZ_32K
+#define TSM_REPORT_OUTBLOB_MAX SZ_16M
 
 /*
  * Privilege level is a nested permission concept to allow confidential