Received: by 10.223.176.5 with SMTP id f5csp629917wra;
        Wed, 7 Feb 2018 05:04:11 -0800 (PST)
X-Google-Smtp-Source: AH8x226SX+sRrLjPIkke7SLjR3SyRG+RBafQrqiTPJVr19PW7S/AKDEJ+BjNnlmmO0RljuDpOzCL
X-Received: by 2002:a17:902:a588:: with SMTP id az8-v6mr6114304plb.10.1518008651491;
        Wed, 07 Feb 2018 05:04:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518008651; cv=none;
        d=google.com; s=arc-20160816;
        b=wrMqXQFNxRcRIF9pf0V+cwiLQcab2wUh3QtBqxhz1z6ddaMi3DYMLkEeZn/dNNO+jq
         qw/lIgBdbWuQ/dyMfpXJbcjftLj3i03nU0VHp2ilGnOVG8XS1b1jKmwHTSl01yj0ntZo
         LVU0De0zXkjUaM5+/vs6uXlWvEL2owlSxiwqSB3CxEfzk0VdaCFSn4cZtAmvD1knmaik
         XP3+hfXDHDqci+k6K7WD5DrhB+C39IdJ0mEJLb1Rsjq9oFfDL4g0+AJiakwCRF/U9M03
         mt6L7DR5gnvLhRc9BDLutNERf1YWFYeW1ags4HiBNiJHSne2B0dfG0fbpIVtAsIFje6H
         Kv6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=2l1QIyOkDieGtlBt+LRQ5XaOO7gDBEtjzMAgS97hzNY=;
        b=a+Uu8Jgl2NNmLEQhLBMji8k68m8TuAgaqCKf6DOUyJ6Lnb7qMGpM8rD8T5RiZojRfJ
         wvtsHmqZ1d7duvFUPb94JS1XLsk+qE66/VCFItcmvFGTGk7l2fAswZ1tzQZ7a8weSM21
         5spZCEZ7we557rlGdtqsV9o7zpOeIFrDGCMvbuWyVa0NYieBX0xYyrRTzLSLx2asfzvr
         lFefqukqxYBB/nud48bUXhuhHmu/h3lvJS2IrTHksFWjn9oho+2zYcna2p4cyV239eIB
         9Ro+amk+LdvU1TYW2BqqpuSKz17mGmk+ZqFgWmJ8B0pqaIvepZ51t0q02rsKVqGz7/In
         Q8AA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m9-v6si1073359plk.486.2018.02.07.05.03.57;
        Wed, 07 Feb 2018 05:04:11 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753834AbeBGM7y (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 7 Feb 2018 07:59:54 -0500
Received: from mga11.intel.com ([192.55.52.93]:20991 "EHLO mga11.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753478AbeBGM7x (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 7 Feb 2018 07:59:53 -0500
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Feb 2018 04:59:52 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,473,1511856000"; 
   d="scan'208";a="16220650"
Received: from black.fi.intel.com ([10.237.72.28])
  by fmsmga008.fm.intel.com with ESMTP; 07 Feb 2018 04:59:50 -0800
Received: by black.fi.intel.com (Postfix, from userid 1000)
        id AA17B807; Wed,  7 Feb 2018 14:59:49 +0200 (EET)
From:   "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
To:     Ingo Molnar <mingo@redhat.com>, x86@kernel.org,
        Thomas Gleixner <tglx@linutronix.de>,
        "H. Peter Anvin" <hpa@zytor.com>
Cc:     Tom Lendacky <thomas.lendacky@amd.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Kai Huang <kai.huang@linux.intel.com>,
        linux-kernel@vger.kernel.org,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: [PATCHv2 2/5] x86/tme: Detect if TME and MKTME is activated by BIOS
Date:   Wed,  7 Feb 2018 15:59:43 +0300
Message-Id: <20180207125946.5906-3-kirill.shutemov@linux.intel.com>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20180207125946.5906-1-kirill.shutemov@linux.intel.com>
References: <20180207125946.5906-1-kirill.shutemov@linux.intel.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

IA32_TME_ACTIVATE MSR (0x982) can be used to check if BIOS has enabled
TME and MKTME. It includes which encryption policy/algorithm is selected
for TME or available for MKTME. For MKTME, the MSR also enumerates how
many KeyIDs are available.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
---
 arch/x86/kernel/cpu/intel.c | 94 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 319bf989fad1..5f8e37675329 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -506,6 +506,97 @@ static void detect_vmx_virtcap(struct cpuinfo_x86 *c)
 	}
 }
 
+#define MSR_IA32_TME_ACTIVATE		0x982
+
+#define TME_ACTIVATE_LOCKED(x)		(x & 0x1)
+#define TME_ACTIVATE_ENABLED(x)		(x & 0x2)
+
+#define TME_ACTIVATE_POLICY(x)		((x >> 4) & 0xf)	/* Bits 7:4 */
+#define TME_ACTIVATE_POLICY_AES_XTS_128	0
+
+#define TME_ACTIVATE_KEYID_BITS(x)	((x >> 32) & 0xf)	/* Bits 35:32 */
+
+#define TME_ACTIVATE_CRYPTO_ALGS(x)	((x >> 48) & 0xffff)	/* Bits 63:48 */
+#define TME_ACTIVATE_CRYPTO_AES_XTS_128	1
+
+#define MKTME_ENABLED		0
+#define MKTME_DISABLED		1
+#define MKTME_UNINITIALIZED	2
+static int mktme_status = MKTME_UNINITIALIZED;
+
+static void detect_keyid_bits(struct cpuinfo_x86 *c, u64 tme_activate)
+{
+	int keyid_bits = 0, nr_keyids = 0;
+
+	keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate);
+	nr_keyids = (1UL << keyid_bits) - 1;
+	if (nr_keyids) {
+		pr_info_once("x86/mktme: enabled by BIOS\n");
+		pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids);
+	} else {
+		pr_info_once("x86/mktme: disabled by BIOS\n");
+	}
+
+	if (mktme_status == MKTME_UNINITIALIZED) {
+		/* MKTME is usable */
+		mktme_status = MKTME_ENABLED;
+	}
+
+	/*
+	 * Exclude KeyID bits from physical address bits.
+	 *
+	 * We have to do this even if we are not going to use KeyID bits
+	 * ourself. VM guests still have to know that these bits are not usable
+	 * for physical address.
+	 */
+	c->x86_phys_bits -= keyid_bits;
+}
+
+static void detect_tme(struct cpuinfo_x86 *c)
+{
+	u64 tme_activate, tme_policy, tme_crypto_algs;
+	static u64 tme_activate_cpu0 = 0;
+
+	rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate);
+
+	if (mktme_status != MKTME_UNINITIALIZED) {
+		if (tme_activate != tme_activate_cpu0) {
+			/* Broken BIOS? */
+			pr_err_once("x86/tme: configuation is inconsistent between CPUs\n");
+			pr_err_once("x86/tme: MKTME is not usable\n");
+			mktme_status = MKTME_DISABLED;
+
+			/* Proceed. We may need to exclude bits from x86_phys_bits. */
+		}
+	} else {
+		tme_activate_cpu0 = tme_activate;
+	}
+
+	if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) {
+		pr_info_once("x86/tme: not enabled by BIOS\n");
+		mktme_status = MKTME_DISABLED;
+		return;
+	}
+
+	if (mktme_status != MKTME_UNINITIALIZED)
+		return detect_keyid_bits(c, tme_activate);
+
+	pr_info("x86/tme: enabled by BIOS\n");
+
+	tme_policy = TME_ACTIVATE_POLICY(tme_activate);
+	if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128)
+		pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy);
+
+	tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate);
+	if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) {
+		pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n",
+				tme_crypto_algs);
+		mktme_status = MKTME_DISABLED;
+	}
+
+	detect_keyid_bits(c, tme_activate);
+}
+
 static void init_intel_energy_perf(struct cpuinfo_x86 *c)
 {
 	u64 epb;
@@ -676,6 +767,9 @@ static void init_intel(struct cpuinfo_x86 *c)
 	if (cpu_has(c, X86_FEATURE_VMX))
 		detect_vmx_virtcap(c);
 
+	if (cpu_has(c, X86_FEATURE_TME))
+		detect_tme(c);
+
 	init_intel_energy_perf(c);
 
 	init_intel_misc_features(c);
-- 
2.15.1