Select AMD SOCs include the ability to export capabilities that
have been activated or detected by the platform security processor.
This information is useful for both system designers as well as system
administrators to ensure that the system has been properly locked down
to their expectations.
Software such as fwupd will also be modified to use this information
as part of the calculations for a security level score that may be
presented to a user.
This series also adds the ability to detect that TSME and SME are both
activated simultaneously to notify a user. Previously a user could turn
on TSME and SME at the same time, but the kernel was unable to detect
that TSME was enabled in the OS.
This information is evaluated "too late" right now in the kernel to stop
the kernel from enabling SME, but if that is desirable at a later time
some of the early code can be modified to read the same information and
make that decision.
Mario Limonciello (4):
crypto: ccp: cache capability into psp device
crypto: ccp: Export PSP security bits to userspace
crypto: ccp: Allow PSP driver to load without SEV/TEE support
crypto: ccp: When TSME and SME both detected notify user
Documentation/ABI/testing/sysfs-driver-ccp | 87 ++++++++++++++++++++++
drivers/crypto/ccp/psp-dev.c | 49 +++++-------
drivers/crypto/ccp/psp-dev.h | 22 ++++++
drivers/crypto/ccp/sp-pci.c | 62 +++++++++++++++
4 files changed, 189 insertions(+), 31 deletions(-)
create mode 100644 Documentation/ABI/testing/sysfs-driver-ccp
--
2.34.1
The PSP sets several pre-defined bits in the capabilities
register to indicate that security attributes of the platform.
Export these attributes into userspace for administrators to
confirm platform is properly locked down.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
---
v2->v3:
* Add Tom's tag
---
Documentation/ABI/testing/sysfs-driver-ccp | 87 ++++++++++++++++++++++
drivers/crypto/ccp/psp-dev.h | 17 +++++
drivers/crypto/ccp/sp-pci.c | 62 +++++++++++++++
3 files changed, 166 insertions(+)
create mode 100644 Documentation/ABI/testing/sysfs-driver-ccp
diff --git a/Documentation/ABI/testing/sysfs-driver-ccp b/Documentation/ABI/testing/sysfs-driver-ccp
new file mode 100644
index 000000000000..7aded9b75553
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-driver-ccp
@@ -0,0 +1,87 @@
+What: /sys/bus/pci/devices/<BDF>/fused_part
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/fused_part file reports
+ whether the CPU or APU has been fused to prevent tampering.
+ 0: Not fused
+ 1: Fused
+
+What: /sys/bus/pci/devices/<BDF>/debug_lock_on
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/debug_lock_on reports
+ whether the AMD CPU or APU has been unlocked for debugging.
+ Possible values:
+ 0: Not locked
+ 1: Locked
+
+What: /sys/bus/pci/devices/<BDF>/tsme_status
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/tsme_status file reports
+ the status of transparent secure memory encryption on AMD systems.
+ Possible values:
+ 0: Not active
+ 1: Active
+
+What: /sys/bus/pci/devices/<BDF>/anti_rollback_status
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/anti_rollback_status file reports
+ whether the PSP is enforcing rollback protection.
+ Possible values:
+ 0: Not enforcing
+ 1: Enforcing
+
+What: /sys/bus/pci/devices/<BDF>/rpmc_production_enabled
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/rpmc_production_enabled file reports
+ whether Replay Protected Monotonic Counter support has been enabled.
+ Possible values:
+ 0: Not enabled
+ 1: Enabled
+
+What: /sys/bus/pci/devices/<BDF>/rpmc_spirom_available
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/rpmc_spirom_available file reports
+ whether an Replay Protected Monotonic Counter supported SPI is installed
+ on the system.
+ Possible values:
+ 0: Not present
+ 1: Present
+
+What: /sys/bus/pci/devices/<BDF>/hsp_tpm_available
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/hsp_tpm_available file reports
+ whether the HSP TPM has been activated.
+ Possible values:
+ 0: Not activated or present
+ 1: Activated
+
+What: /sys/bus/pci/devices/<BDF>/rom_armor_enforced
+Date: June 2022
+KernelVersion: 5.19
+Contact: [email protected]
+Description:
+ The /sys/bus/pci/devices/<BDF>/rom_armor_enforced file reports
+ whether RomArmor SPI protection is enforced.
+ Possible values:
+ 0: Not enforced
+ 1: Enforced
diff --git a/drivers/crypto/ccp/psp-dev.h b/drivers/crypto/ccp/psp-dev.h
index d811da28cce6..d528eb04c3ef 100644
--- a/drivers/crypto/ccp/psp-dev.h
+++ b/drivers/crypto/ccp/psp-dev.h
@@ -61,5 +61,22 @@ struct psp_device *psp_get_master_device(void);
#define PSP_CAPABILITY_SEV BIT(0)
#define PSP_CAPABILITY_TEE BIT(1)
+#define PSP_CAPABILITY_PSP_SECURITY_REPORTING BIT(7)
+
+#define PSP_CAPABILITY_PSP_SECURITY_OFFSET 8
+/*
+ * The PSP doesn't directly store these bits in the capability register
+ * but instead copies them from the results of query command.
+ *
+ * The offsets from the query command are below, and shifted when used.
+ */
+#define PSP_SECURITY_FUSED_PART BIT(0)
+#define PSP_SECURITY_DEBUG_LOCK_ON BIT(2)
+#define PSP_SECURITY_TSME_STATUS BIT(5)
+#define PSP_SECURITY_ANTI_ROLLBACK_STATUS BIT(7)
+#define PSP_SECURITY_RPMC_PRODUCTION_ENABLED BIT(8)
+#define PSP_SECURITY_RPMC_SPIROM_AVAILABLE BIT(9)
+#define PSP_SECURITY_HSP_TPM_AVAILABLE BIT(10)
+#define PSP_SECURITY_ROM_ARMOR_ENFORCED BIT(11)
#endif /* __PSP_DEV_H */
diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
index 88c672ad27e4..b5970ae54d0e 100644
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -32,6 +32,67 @@ struct sp_pci {
};
static struct sp_device *sp_dev_master;
+#define attribute_show(name, def) \
+static ssize_t name##_show(struct device *d, struct device_attribute *attr, \
+ char *buf) \
+{ \
+ struct sp_device *sp = dev_get_drvdata(d); \
+ struct psp_device *psp = sp->psp_data; \
+ int bit = PSP_SECURITY_##def << PSP_CAPABILITY_PSP_SECURITY_OFFSET; \
+ return sysfs_emit(buf, "%d\n", (psp->capability & bit) > 0); \
+}
+
+attribute_show(fused_part, FUSED_PART)
+static DEVICE_ATTR_RO(fused_part);
+attribute_show(debug_lock_on, DEBUG_LOCK_ON)
+static DEVICE_ATTR_RO(debug_lock_on);
+attribute_show(tsme_status, TSME_STATUS)
+static DEVICE_ATTR_RO(tsme_status);
+attribute_show(anti_rollback_status, ANTI_ROLLBACK_STATUS)
+static DEVICE_ATTR_RO(anti_rollback_status);
+attribute_show(rpmc_production_enabled, RPMC_PRODUCTION_ENABLED)
+static DEVICE_ATTR_RO(rpmc_production_enabled);
+attribute_show(rpmc_spirom_available, RPMC_SPIROM_AVAILABLE)
+static DEVICE_ATTR_RO(rpmc_spirom_available);
+attribute_show(hsp_tpm_available, HSP_TPM_AVAILABLE)
+static DEVICE_ATTR_RO(hsp_tpm_available);
+attribute_show(rom_armor_enforced, ROM_ARMOR_ENFORCED)
+static DEVICE_ATTR_RO(rom_armor_enforced);
+
+static struct attribute *psp_attrs[] = {
+ &dev_attr_fused_part.attr,
+ &dev_attr_debug_lock_on.attr,
+ &dev_attr_tsme_status.attr,
+ &dev_attr_anti_rollback_status.attr,
+ &dev_attr_rpmc_production_enabled.attr,
+ &dev_attr_rpmc_spirom_available.attr,
+ &dev_attr_hsp_tpm_available.attr,
+ &dev_attr_rom_armor_enforced.attr,
+ NULL
+};
+
+static umode_t psp_security_is_visible(struct kobject *kobj, struct attribute *attr, int idx)
+{
+ struct device *dev = kobj_to_dev(kobj);
+ struct sp_device *sp = dev_get_drvdata(dev);
+ struct psp_device *psp = sp->psp_data;
+
+ if (psp && (psp->capability & PSP_CAPABILITY_PSP_SECURITY_REPORTING))
+ return 0444;
+
+ return 0;
+}
+
+static struct attribute_group psp_attr_group = {
+ .attrs = psp_attrs,
+ .is_visible = psp_security_is_visible,
+};
+
+static const struct attribute_group *psp_groups[] = {
+ &psp_attr_group,
+ NULL,
+};
+
static int sp_get_msix_irqs(struct sp_device *sp)
{
struct sp_pci *sp_pci = sp->dev_specific;
@@ -391,6 +452,7 @@ static struct pci_driver sp_pci_driver = {
.remove = sp_pci_remove,
.shutdown = sp_pci_shutdown,
.driver.pm = &sp_pci_pm_ops,
+ .dev_groups = psp_groups,
};
int sp_pci_init(void)
--
2.34.1
The results of the capability register will be used by future
code at runtime rather than just initialization.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
---
v2->v3:
* Add Tom's tag
---
drivers/crypto/ccp/psp-dev.c | 37 +++++++++++++++++-------------------
drivers/crypto/ccp/psp-dev.h | 5 +++++
2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index ae7b44599914..8cd404121cd5 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -70,17 +70,17 @@ static unsigned int psp_get_capability(struct psp_device *psp)
*/
if (val == 0xffffffff) {
dev_notice(psp->dev, "psp: unable to access the device: you might be running a broken BIOS.\n");
- return 0;
+ return -ENODEV;
}
+ psp->capability = val;
- return val;
+ return 0;
}
-static int psp_check_sev_support(struct psp_device *psp,
- unsigned int capability)
+static int psp_check_sev_support(struct psp_device *psp)
{
/* Check if device supports SEV feature */
- if (!(capability & 1)) {
+ if (!(psp->capability & PSP_CAPABILITY_SEV)) {
dev_dbg(psp->dev, "psp does not support SEV\n");
return -ENODEV;
}
@@ -88,11 +88,10 @@ static int psp_check_sev_support(struct psp_device *psp,
return 0;
}
-static int psp_check_tee_support(struct psp_device *psp,
- unsigned int capability)
+static int psp_check_tee_support(struct psp_device *psp)
{
/* Check if device supports TEE feature */
- if (!(capability & 2)) {
+ if (!(psp->capability & PSP_CAPABILITY_TEE)) {
dev_dbg(psp->dev, "psp does not support TEE\n");
return -ENODEV;
}
@@ -100,11 +99,10 @@ static int psp_check_tee_support(struct psp_device *psp,
return 0;
}
-static int psp_check_support(struct psp_device *psp,
- unsigned int capability)
+static int psp_check_support(struct psp_device *psp)
{
- int sev_support = psp_check_sev_support(psp, capability);
- int tee_support = psp_check_tee_support(psp, capability);
+ int sev_support = psp_check_sev_support(psp);
+ int tee_support = psp_check_tee_support(psp);
/* Return error if device neither supports SEV nor TEE */
if (sev_support && tee_support)
@@ -113,17 +111,17 @@ static int psp_check_support(struct psp_device *psp,
return 0;
}
-static int psp_init(struct psp_device *psp, unsigned int capability)
+static int psp_init(struct psp_device *psp)
{
int ret;
- if (!psp_check_sev_support(psp, capability)) {
+ if (!psp_check_sev_support(psp)) {
ret = sev_dev_init(psp);
if (ret)
return ret;
}
- if (!psp_check_tee_support(psp, capability)) {
+ if (!psp_check_tee_support(psp)) {
ret = tee_dev_init(psp);
if (ret)
return ret;
@@ -136,7 +134,6 @@ int psp_dev_init(struct sp_device *sp)
{
struct device *dev = sp->dev;
struct psp_device *psp;
- unsigned int capability;
int ret;
ret = -ENOMEM;
@@ -155,11 +152,11 @@ int psp_dev_init(struct sp_device *sp)
psp->io_regs = sp->io_map;
- capability = psp_get_capability(psp);
- if (!capability)
+ ret = psp_get_capability(psp);
+ if (ret)
goto e_disable;
- ret = psp_check_support(psp, capability);
+ ret = psp_check_support(psp);
if (ret)
goto e_disable;
@@ -174,7 +171,7 @@ int psp_dev_init(struct sp_device *sp)
goto e_err;
}
- ret = psp_init(psp, capability);
+ ret = psp_init(psp);
if (ret)
goto e_irq;
diff --git a/drivers/crypto/ccp/psp-dev.h b/drivers/crypto/ccp/psp-dev.h
index ef38e4135d81..d811da28cce6 100644
--- a/drivers/crypto/ccp/psp-dev.h
+++ b/drivers/crypto/ccp/psp-dev.h
@@ -45,6 +45,8 @@ struct psp_device {
void *sev_data;
void *tee_data;
+
+ unsigned int capability;
};
void psp_set_sev_irq_handler(struct psp_device *psp, psp_irq_handler_t handler,
@@ -57,4 +59,7 @@ void psp_clear_tee_irq_handler(struct psp_device *psp);
struct psp_device *psp_get_master_device(void);
+#define PSP_CAPABILITY_SEV BIT(0)
+#define PSP_CAPABILITY_TEE BIT(1)
+
#endif /* __PSP_DEV_H */
--
2.34.1
Previously the PSP probe routine would fail if both SEV and TEE were
missing. This is possibly the case for some client parts.
As capabilities can now be accessed from userspace, it may still be
useful to have the PSP driver finish loading so that those capabilities
can be read.
Signed-off-by: Mario Limonciello <[email protected]>
---
v2->v3:
* Remove helper function, and still set up IRQs even in this case to keep
cleanup process the same
v1->v2:
* Whitespace fixes
---
drivers/crypto/ccp/psp-dev.c | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index 8cd404121cd5..a3b7b5130be4 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -99,18 +99,6 @@ static int psp_check_tee_support(struct psp_device *psp)
return 0;
}
-static int psp_check_support(struct psp_device *psp)
-{
- int sev_support = psp_check_sev_support(psp);
- int tee_support = psp_check_tee_support(psp);
-
- /* Return error if device neither supports SEV nor TEE */
- if (sev_support && tee_support)
- return -ENODEV;
-
- return 0;
-}
-
static int psp_init(struct psp_device *psp)
{
int ret;
@@ -156,10 +144,6 @@ int psp_dev_init(struct sp_device *sp)
if (ret)
goto e_disable;
- ret = psp_check_support(psp);
- if (ret)
- goto e_disable;
-
/* Disable and clear interrupts until ready */
iowrite32(0, psp->io_regs + psp->vdata->inten_reg);
iowrite32(-1, psp->io_regs + psp->vdata->intsts_reg);
--
2.34.1
On 3/31/22 16:12, Mario Limonciello wrote:
> Previously the PSP probe routine would fail if both SEV and TEE were
> missing. This is possibly the case for some client parts.
>
> As capabilities can now be accessed from userspace, it may still be
> useful to have the PSP driver finish loading so that those capabilities
> can be read.
>
> Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
> ---
On Thu, Mar 31, 2022 at 04:12:09PM -0500, Mario Limonciello wrote:
> Select AMD SOCs include the ability to export capabilities that
> have been activated or detected by the platform security processor.
>
> This information is useful for both system designers as well as system
> administrators to ensure that the system has been properly locked down
> to their expectations.
>
> Software such as fwupd will also be modified to use this information
> as part of the calculations for a security level score that may be
> presented to a user.
>
> This series also adds the ability to detect that TSME and SME are both
> activated simultaneously to notify a user. Previously a user could turn
> on TSME and SME at the same time, but the kernel was unable to detect
> that TSME was enabled in the OS.
>
> This information is evaluated "too late" right now in the kernel to stop
> the kernel from enabling SME, but if that is desirable at a later time
> some of the early code can be modified to read the same information and
> make that decision.
>
> Mario Limonciello (4):
> crypto: ccp: cache capability into psp device
> crypto: ccp: Export PSP security bits to userspace
> crypto: ccp: Allow PSP driver to load without SEV/TEE support
> crypto: ccp: When TSME and SME both detected notify user
>
> Documentation/ABI/testing/sysfs-driver-ccp | 87 ++++++++++++++++++++++
> drivers/crypto/ccp/psp-dev.c | 49 +++++-------
> drivers/crypto/ccp/psp-dev.h | 22 ++++++
> drivers/crypto/ccp/sp-pci.c | 62 +++++++++++++++
> 4 files changed, 189 insertions(+), 31 deletions(-)
> create mode 100644 Documentation/ABI/testing/sysfs-driver-ccp
All applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt