[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200618210215.23602-1-daniel.gutson@eclypsium.com>
Date: Thu, 18 Jun 2020 18:02:15 -0300
From: Daniel Gutson <daniel.gutson@...ypsium.com>
To: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Daniel Gutson <daniel.gutson@...ypsium.com>,
Peter Zijlstra <peterz@...radead.org>
Cc: "David S. Miller" <davem@...emloft.net>,
Rob Herring <robh@...nel.org>, Tony Luck <tony.luck@...el.com>,
Rahul Tanwar <rahul.tanwar@...ux.intel.com>,
Xiaoyao Li <xiaoyao.li@...el.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
linux-kernel@...r.kernel.org, Daniel Gutson <daniel@...ypsium.com>
Subject: [PATCH] Ability to read the MKTME status from userspace
From: Daniel Gutson <daniel@...ypsium.com>
The intent of this patch is to provide visibility of the
MKTME status to userspace. This is an important factor for
firmware security related applilcations.
Signed-off-by: Daniel Gutson <daniel@...ypsium.com>
---
MAINTAINERS | 5 +++
arch/x86/include/asm/cpu.h | 8 ++++
arch/x86/kernel/cpu/intel.c | 12 +++---
drivers/misc/Kconfig | 11 +++++
drivers/misc/Makefile | 1 +
drivers/misc/mktme_status.c | 81 +++++++++++++++++++++++++++++++++++++
6 files changed, 113 insertions(+), 5 deletions(-)
create mode 100644 drivers/misc/mktme_status.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 50659d76976b..dc3b3c0e4701 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11335,6 +11335,11 @@ W: https://linuxtv.org
T: git git://linuxtv.org/media_tree.git
F: drivers/media/radio/radio-miropcm20*
+MKTME_STATUS MKTME STATUS READING SUPPORT
+M: Daniel Gutson <daniel.gutson@...ypsium.com>
+S: Supported
+F: drivers/misc/mktme_status.c
+
MMP SUPPORT
R: Lubomir Rintel <lkundrak@...sk>
L: linux-arm-kernel@...ts.infradead.org (moderated for non-subscribers)
diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h
index dd17c2da1af5..8929c1240135 100644
--- a/arch/x86/include/asm/cpu.h
+++ b/arch/x86/include/asm/cpu.h
@@ -26,6 +26,14 @@ struct x86_cpu {
struct cpu cpu;
};
+enum mktme_status_type {
+ MKTME_ENABLED,
+ MKTME_DISABLED,
+ MKTME_UNINITIALIZED
+};
+
+extern enum mktme_status_type get_mktme_status(void);
+
#ifdef CONFIG_HOTPLUG_CPU
extern int arch_register_cpu(int num);
extern void arch_unregister_cpu(int);
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index a19a680542ce..1f6054523226 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -489,11 +489,7 @@ static void srat_detect_node(struct cpuinfo_x86 *c)
#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */
#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1
-/* Values for mktme_status (SW only construct) */
-#define MKTME_ENABLED 0
-#define MKTME_DISABLED 1
-#define MKTME_UNINITIALIZED 2
-static int mktme_status = MKTME_UNINITIALIZED;
+static enum mktme_status_type mktme_status = MKTME_UNINITIALIZED;
static void detect_tme(struct cpuinfo_x86 *c)
{
@@ -1107,6 +1103,12 @@ bool handle_user_split_lock(struct pt_regs *regs, long error_code)
return true;
}
+enum mktme_status_type get_mktme_status(void)
+{
+ return mktme_status;
+}
+EXPORT_SYMBOL_GPL(get_mktme_status);
+
/*
* This function is called only when switching between tasks with
* different split-lock detection modes. It sets the MSR for the
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 99e151475d8f..0dc978efbbd5 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -465,6 +465,17 @@ config PVPANIC
a paravirtualized device provided by QEMU; it lets a virtual machine
(guest) communicate panic events to the host.
+config MKTME_STATUS
+ tristate "MKTME status reading support"
+ depends on X86_64 && SECURITYFS
+ help
+ This driver provides support for reading the MKTME status. The status
+ can be read from the mktme virtual file in the securityfs filesystem,
+ under the mktme directory.
+
+ The MKTME (Multi-Key Total Memory Encryption) status can be
+ 0 (enabled), 1 (disabled), or 3 (uninitialized).
+
source "drivers/misc/c2port/Kconfig"
source "drivers/misc/eeprom/Kconfig"
source "drivers/misc/cb710/Kconfig"
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index 9abf2923d831..f2f02efe34fd 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -58,3 +58,4 @@ obj-$(CONFIG_PVPANIC) += pvpanic.o
obj-$(CONFIG_HABANA_AI) += habanalabs/
obj-$(CONFIG_UACCE) += uacce/
obj-$(CONFIG_XILINX_SDFEC) += xilinx_sdfec.o
+obj-$(CONFIG_MKTME_STATUS) += mktme_status.o
diff --git a/drivers/misc/mktme_status.c b/drivers/misc/mktme_status.c
new file mode 100644
index 000000000000..795993181e77
--- /dev/null
+++ b/drivers/misc/mktme_status.c
@@ -0,0 +1,81 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * MKTME Status driver
+ *
+ * Copyright 2020 (c) Daniel Gutson (daniel.gutson@...ypsium.com)
+ *
+ * This file is licensed under the terms of the GNU General Public
+ * License version 2. This program is licensed "as is" without any
+ * warranty of any kind, whether express or implied.
+ */
+
+#include <linux/module.h>
+#include <linux/security.h>
+#include <asm/cpu.h>
+
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+struct dentry *mktme_dir;
+struct dentry *mktme_file;
+
+/* Buffer to return: always 3 because of the following chars:
+ * value \n \0
+ */
+#define BUFFER_SIZE 3
+
+static ssize_t mktme_status_read(struct file *filp, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ char tmp[BUFFER_SIZE];
+
+ if (*ppos == BUFFER_SIZE)
+ return 0; // nothing else to read
+
+ sprintf(tmp, "%d\n", (int)get_mktme_status() & 1);
+ return simple_read_from_buffer(buf, count, ppos, tmp, sizeof(tmp));
+}
+
+static const struct file_operations mktme_status_ops = {
+ .read = mktme_status_read,
+};
+
+static int __init mod_init(void)
+{
+ mktme_dir = securityfs_create_dir("mktme", NULL);
+ if (IS_ERR(mktme_dir)) {
+ pr_err("Couldn't create mktme sysfs dir\n");
+ return -1;
+ }
+
+ pr_info("mktme securityfs dir creation successful\n");
+
+ mktme_file = securityfs_create_file("status", 0600, mktme_dir, NULL,
+ &mktme_status_ops);
+ if (IS_ERR(mktme_file)) {
+ pr_err("Error creating sysfs file bioswe\n");
+ goto out_file;
+ }
+
+ return 0;
+
+out_file:
+ securityfs_remove(mktme_file);
+ securityfs_remove(mktme_dir);
+ return -1;
+}
+
+static void __exit mod_exit(void)
+{
+ securityfs_remove(mktme_file);
+ securityfs_remove(mktme_dir);
+}
+
+module_init(mod_init);
+module_exit(mod_exit);
+
+MODULE_DESCRIPTION("MKTME Status driver");
+MODULE_AUTHOR("Daniel Gutson <daniel.gutson@...ypsium.com>");
+MODULE_LICENSE("GPL");
--
2.25.1
Powered by blists - more mailing lists