From: "Kirill A. Shutemov"
To: Ingo Molnar, x86@kernel.org, Thomas Gleixner, "H. Peter Anvin"
Cc: Tom Lendacky, Dave Hansen, Kai Huang, linux-kernel@vger.kernel.org, "Kirill A. Shutemov"
Subject: [PATCHv2 2/5] x86/tme: Detect if TME and MKTME is activated by BIOS
Date: Wed, 7 Feb 2018 15:59:43 +0300
Message-Id: <20180207125946.5906-3-kirill.shutemov@linux.intel.com>
In-Reply-To: <20180207125946.5906-1-kirill.shutemov@linux.intel.com>

IA32_TME_ACTIVATE MSR (0x982) can be used to check if BIOS has enabled TME and MKTME. It includes which encryption policy/algorithm is selected for TME or available for MKTME. For MKTME, the MSR also enumerates how many KeyIDs are available.

Signed-off-by: Kirill A. Shutemov
--- arch/x86/kernel/cpu/intel.c | 94 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c index 319bf989fad1..5f8e37675329 100644 --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c 
@@ -506,6 +506,97 @@ static void detect_vmx_virtcap(struct cpuinfo_x86 *c) } } +#define MSR_IA32_TME_ACTIVATE 0x982 + +#define TME_ACTIVATE_LOCKED(x) (x & 0x1) +#define TME_ACTIVATE_ENABLED(x) (x & 0x2) + +#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */ +#define TME_ACTIVATE_POLICY_AES_XTS_128 0 + +#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */ + +#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */ +#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1 + +#define MKTME_ENABLED 0 +#define MKTME_DISABLED 1 +#define MKTME_UNINITIALIZED 2 +static int mktme_status = MKTME_UNINITIALIZED; + +static void detect_keyid_bits(struct cpuinfo_x86 *c, u64 tme_activate) +{ + int keyid_bits = 0, nr_keyids = 0; + + keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate); + nr_keyids = (1UL << keyid_bits) - 1; + if (nr_keyids) { + pr_info_once("x86/mktme: enabled by BIOS\n"); + pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids); + } else { + pr_info_once("x86/mktme: disabled by BIOS\n"); + } + + if (mktme_status == MKTME_UNINITIALIZED) { + /* MKTME is usable */ + mktme_status = MKTME_ENABLED; + } + + /* + * Exclude KeyID bits from physical address bits. + * + * We have to do this even if we are not going to use KeyID bits + * ourself. VM guests still have to know that these bits are not usable + * for physical address. + */ + c->x86_phys_bits -= keyid_bits; +} + +static void detect_tme(struct cpuinfo_x86 *c) +{ + u64 tme_activate, tme_policy, tme_crypto_algs; + static u64 tme_activate_cpu0 = 0; + + rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate); + + if (mktme_status != MKTME_UNINITIALIZED) { + if (tme_activate != tme_activate_cpu0) { + /* Broken BIOS? */ + pr_err_once("x86/tme: configuation is inconsistent between CPUs\n"); + pr_err_once("x86/tme: MKTME is not usable\n"); + mktme_status = MKTME_DISABLED; + + /* Proceed. We may need to exclude bits from x86_phys_bits. 
*/ + } + } else { + tme_activate_cpu0 = tme_activate; + } + + if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) { + pr_info_once("x86/tme: not enabled by BIOS\n"); + mktme_status = MKTME_DISABLED; + return; + } + + if (mktme_status != MKTME_UNINITIALIZED) + return detect_keyid_bits(c, tme_activate); + + pr_info("x86/tme: enabled by BIOS\n"); + + tme_policy = TME_ACTIVATE_POLICY(tme_activate); + if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128) + pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy); + + tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate); + if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) { + pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n", + tme_crypto_algs); + mktme_status = MKTME_DISABLED; + } + + detect_keyid_bits(c, tme_activate); +} + static void init_intel_energy_perf(struct cpuinfo_x86 *c) { u64 epb; @@ -676,6 +767,9 @@ static void init_intel(struct cpuinfo_x86 *c) if (cpu_has(c, X86_FEATURE_VMX)) detect_vmx_virtcap(c); + if (cpu_has(c, X86_FEATURE_TME)) + detect_tme(c); + init_intel_energy_perf(c); init_intel_misc_features(c); -- 2.15.1
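Review bot: in the first hunk (@@ -506,6 +506,97 @@), detect_keyid_bits() moves mktme_status from MKTME_UNINITIALIZED to MKTME_ENABLED, under the comment "MKTME is usable", even when nr_keyids is 0 and the function has just logged "x86/mktme: disabled by BIOS". Setting MKTME_ENABLED only inside the `if (nr_keyids)` branch and MKTME_DISABLED in the else branch would keep the state consistent with the log line and with any later code that tests mktme_status. Two smaller points in the same hunk: "configuation" in the pr_err_once() string should read "configuration", and the macro arguments are unparenthesized (`(x & 0x1)`, `((x >> 4) & 0xf)`), so the `((x) & 0x1)` form is safer if a caller ever passes an expression.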
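Review bot: in the second hunk (@@ -676,6 +767,9 @@), the detect_tme() call added to init_intel() carries no comment on its ordering requirement, while detect_keyid_bits() executes `c->x86_phys_bits -= keyid_bits` every time it is reached. The visible lines do not show where c->x86_phys_bits is populated or whether it is reset before init_intel() can run again for the same CPU; if it is not reset, the KeyID bits are subtracted more than once and the reported physical address width shrinks further on each pass. A short comment at the call site, stating that x86_phys_bits must already hold the CPUID-reported width and that the subtraction is applied once per fresh value, would make that dependency reviewable.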