lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211122184418.GA2159461@bhelgaas>
Date:   Mon, 22 Nov 2021 12:44:18 -0600
From:   Bjorn Helgaas <helgaas@...nel.org>
To:     "David E. Box" <david.e.box@...ux.intel.com>
Cc:     lee.jones@...aro.org, hdegoede@...hat.com, bhelgaas@...gle.com,
        gregkh@...uxfoundation.org, andriy.shevchenko@...ux.intel.com,
        srinivas.pandruvada@...el.com, mgross@...ux.intel.com,
        linux-kernel@...r.kernel.org, platform-driver-x86@...r.kernel.org,
        linux-pci@...r.kernel.org
Subject: Re: [PATCH 4/4] platform/x86: Add Intel Software Defined Silicon
 driver

On Sat, Nov 20, 2021 at 03:17:05PM -0800, David E. Box wrote:
> Intel Software Defined Silicon (SDSi) is a post manufacturing mechanism for
> activating additional silicon features. Features are enabled through a
> license activation process.  The SDSi driver provides a per socket, sysfs
> attribute interface for applications to perform 3 main provisioning
> functions:
> 
> 1. Provision an Authentication Key Certificate (AKC), a key written to
>    internal NVRAM that is used to authenticate a capability specific
>    activation payload.
> 
> 2. Provision a Capability Activation Payload (CAP), a token authenticated
>    using the AKC and applied to the CPU configuration to activate a new
>    feature.
> 
> 3. Read the SDSi State Certificate, containing the CPU configuration
>    state.
> 
> The operations perform function specific mailbox commands that forward the
> requests to SDSi hardware to perform authentication of the payloads and
> enable the silicon configuration (to be made available after power
> cycling).
> 
> The SDSi device itself is enumerated as an auxiliary device from the
> intel_vsec driver and as such has a build dependency on CONFIG_INTEL_VSEC.
> 
> Link: https://github.com/intel/intel-sdsi
> Signed-off-by: David E. Box <david.e.box@...ux.intel.com>
> Reviewed-by: Mark Gross <markgross@...nel.org>
> ---
>  .../ABI/testing/sysfs-driver-intel_sdsi       |  75 +++
>  MAINTAINERS                                   |   5 +
>  drivers/platform/x86/intel/Kconfig            |  12 +
>  drivers/platform/x86/intel/Makefile           |   2 +
>  drivers/platform/x86/intel/sdsi.c             | 571 ++++++++++++++++++
>  drivers/platform/x86/intel/vsec.c             |  12 +-
>  6 files changed, 676 insertions(+), 1 deletion(-)
>  create mode 100644 Documentation/ABI/testing/sysfs-driver-intel_sdsi
>  create mode 100644 drivers/platform/x86/intel/sdsi.c
> 
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel_sdsi b/Documentation/ABI/testing/sysfs-driver-intel_sdsi
> new file mode 100644
> index 000000000000..32a017ed3dd3
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-driver-intel_sdsi
> @@ -0,0 +1,75 @@
> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		This folder contains interface files for accessing Intel
> +		Software Defined Silicon (SDSi) features on a CPU. X
> +		represent the socket instance (though not the socket id).

s/represent/represents/
s/socket id/socket ID/

As a user, how do I learn the socket instance?  Look at dmesg?  Look
at some other sysfs file?

> +		Some files communicate with SDSi hardware through a mailbox.
> +		Should the operation fail, one of the following error codes
> +		may be returned:
> +
> +		Error Code	Cause
> +	        ----------	-----
> +	        EIO		General mailbox failure. Log may indicate cause.
> +	        EBUSY		Mailbox is owned by another agent.
> +	        EPERM		SDSI capability is not enabled in hardware.
> +	        EPROTO		Failure in mailbox protocol detected by driver.
> +				See log for details.
> +	        EOVERFLOW	For provision commands, the size of the data
> +				exceeds what may be written.
> +	        ESPIPE		Seeking is not allowed.
> +	        ETIMEDOUT	Failure to complete mailbox transaction in time.
> +
> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/guid
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		(RO) The GUID for the registers file. The GUID identifies
> +		the register layout of the registers file in this folder.
> +		Information about the register layouts for a particular GUID
> +		is available at http://github.com/intel/intel-sdsi

s/register layout of the registers file/layout of the registers file/

> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/registers
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		(RO) Contains information needed by applications to provision
> +		a CPU and monitor status information. The layout of this file
> +		is determined by the GUID in this folder. Information about the
> +		layout for a particular GUID is available at
> +		http://github.com/intel/intel-sdsi
> +
> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/provision_akc
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		(WO) Used to write an Authentication Key Certificate (AKC) to
> +		the SDSi NVRAM for the CPU. The AKC is used to authentication a
> +		Capability Activation Payload. Mailbox command.

s/used to authentication/used to authenticate/

> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/provision_cap
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		(WO) Used to write a Capability Activation Payload (CAP) to the
> +		SDSi NVRAM for the CPU. CAP files are used to activate a given
> +		CPU feature. The CAP file is validated by SDSi hardware using a
> +		previously provision AKC file. Upon successful authentication, the
> +		CPU configuration is updated. A cold reboot is required to fully
> +		activate the feature. Mailbox command.

"CAP file" sounds like it might be redundant.  It *seems* like the
*payload* is what will be validated by SDSi and activate the feature.
Not sure "file" is meaningful if this is really talking about the
content of the CAP.

s/previously provision/previously provisioned/

> +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/read_state_cert
> +Date:		Nov 2021
> +KernelVersion:	5.17
> +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> +Description:
> +		(RO) Used to read back the current State Certificate for the CPU
> +		from SDSi hardware. The State Certificate contains information
> +		about the current licenses on the CPU. Mailbox command.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ