Older systems will not populate the security attributes in the
capabilities register. The PSP on these systems, however, does have a
command to get the security attributes. Use this command during ccp
startup to populate the attributes if they're missing.
Closes: https://github.com/fwupd/fwupd/issues/5284
Closes: https://github.com/fwupd/fwupd/issues/5675
Closes: https://github.com/fwupd/fwupd/issues/6253
Closes: https://github.com/fwupd/fwupd/issues/7280
Closes: https://github.com/fwupd/fwupd/issues/6323
Closes: https://github.com/fwupd/fwupd/discussions/5433
Signed-off-by: Mario Limonciello <[email protected]>
---
drivers/crypto/ccp/hsti.c | 63 +++++++++++++++++++++++++++++
drivers/crypto/ccp/hsti.h | 2 +
drivers/crypto/ccp/psp-dev.c | 5 +++
drivers/crypto/ccp/psp-dev.h | 2 -
drivers/crypto/ccp/sp-dev.h | 1 +
drivers/crypto/ccp/sp-pci.c | 5 ++-
include/linux/psp-platform-access.h | 1 +
7 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/ccp/hsti.c b/drivers/crypto/ccp/hsti.c
index 076c1d175b2b..8f583902d786 100644
--- a/drivers/crypto/ccp/hsti.c
+++ b/drivers/crypto/ccp/hsti.c
@@ -12,6 +12,13 @@
#include "psp-dev.h"
#include "hsti.h"
+#define PSP_CAPABILITY_PSP_SECURITY_OFFSET 8
+
+struct hsti_request {
+ struct psp_req_buffer_hdr header;
+ u32 hsti;
+} __packed;
+
#define security_attribute_show(name) \
static ssize_t name##_show(struct device *d, struct device_attribute *attr, \
char *buf) \
@@ -66,3 +73,59 @@ struct attribute_group psp_security_attr_group = {
.attrs = psp_security_attrs,
.is_visible = psp_security_is_visible,
};
+
+static int psp_poulate_hsti(struct psp_device *psp)
+{
+ struct hsti_request *req;
+ int ret;
+
+ /* Are the security attributes already reported? */
+ if (psp->capability.security_reporting)
+ return 0;
+
+ /* Allocate command-response buffer */
+ req = kzalloc(sizeof(*req), GFP_KERNEL | __GFP_ZERO);
+ if (!req)
+ return -ENOMEM;
+
+ req->header.payload_size = sizeof(req);
+
+ ret = psp_send_platform_access_msg(PSP_CMD_HSTI_QUERY, (struct psp_request *)req);
+ if (ret)
+ goto out;
+
+ if (req->header.status != 0) {
+ dev_dbg(psp->dev, "failed to populate HSTI state: %d\n", req->header.status);
+ ret = -EINVAL;
+ goto out;
+ }
+
+ psp->capability.security_reporting = 1;
+ psp->capability.raw |= req->hsti << PSP_CAPABILITY_PSP_SECURITY_OFFSET;
+
+out:
+ kfree(req);
+
+ return ret;
+}
+
+int psp_init_hsti(struct psp_device *psp)
+{
+ int ret;
+
+ if (PSP_FEATURE(psp, HSTI)) {
+ ret = psp_poulate_hsti(psp);
+ if (ret)
+ return ret;
+ }
+
+ /*
+ * At this stage, if security information hasn't been populated by
+ * either the PSP or by the driver through the platform command,
+ * then there is nothing more to do.
+ */
+ if (!psp->capability.security_reporting)
+ return 0;
+
+ return 0;
+}
diff --git a/drivers/crypto/ccp/hsti.h b/drivers/crypto/ccp/hsti.h
index e5c5ceab9973..6a70f922d2c4 100644
--- a/drivers/crypto/ccp/hsti.h
+++ b/drivers/crypto/ccp/hsti.h
@@ -12,4 +12,6 @@
extern struct attribute_group psp_security_attr_group;
+int psp_init_hsti(struct psp_device *psp);
+
#endif /* __HSTI_H */
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index 1a7b991c27f7..0a01ad134609 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -220,6 +220,11 @@ static int psp_init(struct psp_device *psp)
return ret;
}
+ /* HSTI uses platform access on some systems. */
+ ret = psp_init_hsti(psp);
+ if (ret)
+ return ret;
+
return 0;
}
diff --git a/drivers/crypto/ccp/psp-dev.h b/drivers/crypto/ccp/psp-dev.h
index 02a7c94c02df..e43ce87ede76 100644
--- a/drivers/crypto/ccp/psp-dev.h
+++ b/drivers/crypto/ccp/psp-dev.h
@@ -78,8 +78,6 @@ void psp_clear_sev_irq_handler(struct psp_device *psp);
struct psp_device *psp_get_master_device(void);
-#define PSP_CAPABILITY_PSP_SECURITY_OFFSET 8
-
/**
* enum psp_cmd - PSP mailbox commands
* @PSP_CMD_TEE_RING_INIT: Initialize TEE ring buffer
diff --git a/drivers/crypto/ccp/sp-dev.h b/drivers/crypto/ccp/sp-dev.h
index c4e125efe6c7..0895de823674 100644
--- a/drivers/crypto/ccp/sp-dev.h
+++ b/drivers/crypto/ccp/sp-dev.h
@@ -29,6 +29,7 @@
#define CACHE_WB_NO_ALLOC 0xb7
#define PLATFORM_FEATURE_DBC 0x1
+#define PLATFORM_FEATURE_HSTI 0x2
#define PSP_FEATURE(psp, feat) (psp->vdata && psp->vdata->platform_features & PLATFORM_FEATURE_##feat)
diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
index 2db46736a4d7..f2d416a4f539 100644
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -395,10 +395,12 @@ static const struct psp_vdata pspv1 = {
static const struct psp_vdata pspv2 = {
.sev = &sevv2,
+ .platform_access = &pa_v1,
.bootloader_info_reg = 0x109ec, /* C2PMSG_59 */
.feature_reg = 0x109fc, /* C2PMSG_63 */
.inten_reg = 0x10690, /* P2CMSG_INTEN */
.intsts_reg = 0x10694, /* P2CMSG_INTSTS */
+ .platform_features = PLATFORM_FEATURE_HSTI,
};
static const struct psp_vdata pspv3 = {
@@ -411,7 +413,8 @@ static const struct psp_vdata pspv3 = {
.feature_reg = 0x109fc, /* C2PMSG_63 */
.inten_reg = 0x10690, /* P2CMSG_INTEN */
.intsts_reg = 0x10694, /* P2CMSG_INTSTS */
- .platform_features = PLATFORM_FEATURE_DBC,
+ .platform_features = PLATFORM_FEATURE_DBC |
+ PLATFORM_FEATURE_HSTI,
};
static const struct psp_vdata pspv4 = {
diff --git a/include/linux/psp-platform-access.h b/include/linux/psp-platform-access.h
index 23893b33e48c..1504fb012c05 100644
--- a/include/linux/psp-platform-access.h
+++ b/include/linux/psp-platform-access.h
@@ -7,6 +7,7 @@
enum psp_platform_access_msg {
PSP_CMD_NONE = 0x0,
+ PSP_CMD_HSTI_QUERY = 0x14,
PSP_I2C_REQ_BUS_CMD = 0x64,
PSP_DYNAMIC_BOOST_GET_NONCE,
PSP_DYNAMIC_BOOST_SET_UID,
--
2.43.0
On 5/27/24 10:26, Mario Limonciello wrote:
> Older systems will not populate the security attributes in the
> capabilities register. The PSP on these systems, however, does have a
> command to get the security attributes. Use this command during ccp
> startup to populate the attributes if they're missing.
>
> Closes: https://github.com/fwupd/fwupd/issues/5284
> Closes: https://github.com/fwupd/fwupd/issues/5675
> Closes: https://github.com/fwupd/fwupd/issues/6253
> Closes: https://github.com/fwupd/fwupd/issues/7280
> Closes: https://github.com/fwupd/fwupd/issues/6323
> Closes: https://github.com/fwupd/fwupd/discussions/5433
> Signed-off-by: Mario Limonciello <[email protected]>
> ---
> drivers/crypto/ccp/hsti.c | 63 +++++++++++++++++++++++++++++
> drivers/crypto/ccp/hsti.h | 2 +
> drivers/crypto/ccp/psp-dev.c | 5 +++
> drivers/crypto/ccp/psp-dev.h | 2 -
> drivers/crypto/ccp/sp-dev.h | 1 +
> drivers/crypto/ccp/sp-pci.c | 5 ++-
> include/linux/psp-platform-access.h | 1 +
> 7 files changed, 76 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/crypto/ccp/hsti.c b/drivers/crypto/ccp/hsti.c
> index 076c1d175b2b..8f583902d786 100644
> --- a/drivers/crypto/ccp/hsti.c
> +++ b/drivers/crypto/ccp/hsti.c
> +int psp_init_hsti(struct psp_device *psp)
> +{
> + int ret;
> +
> + if (PSP_FEATURE(psp, HSTI)) {
> + ret = psp_poulate_hsti(psp);
> + if (ret)
> + return ret;
> + }
> +
> + /*
> + * At this stage, if security information hasn't been populated by
> + * either the PSP or by the driver through the platform command,
> + * then there is nothing more to do.
> + */
> + if (!psp->capability.security_reporting)
> + return 0;
This should really be part of patch #5, since it doesn't make a lot of
sense at this stage.
Thanks,
Tom
> +
> + return 0;
> +}