lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 22 Nov 2021 15:20:10 -0800
From:   "David E. Box" <david.e.box@...ux.intel.com>
To:     Bjorn Helgaas <helgaas@...nel.org>
Cc:     lee.jones@...aro.org, hdegoede@...hat.com, bhelgaas@...gle.com,
        gregkh@...uxfoundation.org, andriy.shevchenko@...ux.intel.com,
        srinivas.pandruvada@...el.com, mgross@...ux.intel.com,
        linux-kernel@...r.kernel.org, platform-driver-x86@...r.kernel.org,
        linux-pci@...r.kernel.org
Subject: Re: [PATCH 4/4] platform/x86: Add Intel Software Defined Silicon
 driver

Hi Bjorn,

Thanks for reviewing.

On Mon, 2021-11-22 at 12:44 -0600, Bjorn Helgaas wrote:
> On Sat, Nov 20, 2021 at 03:17:05PM -0800, David E. Box wrote:
> > Intel Software Defined Silicon (SDSi) is a post manufacturing mechanism for
> > activating additional silicon features. Features are enabled through a
> > license activation process.  The SDSi driver provides a per socket, sysfs
> > attribute interface for applications to perform 3 main provisioning
> > functions:
> > 
> > 1. Provision an Authentication Key Certificate (AKC), a key written to
> >    internal NVRAM that is used to authenticate a capability specific
> >    activation payload.
> > 
> > 2. Provision a Capability Activation Payload (CAP), a token authenticated
> >    using the AKC and applied to the CPU configuration to activate a new
> >    feature.
> > 
> > 3. Read the SDSi State Certificate, containing the CPU configuration
> >    state.
> > 
> > The operations perform function specific mailbox commands that forward the
> > requests to SDSi hardware to perform authentication of the payloads and
> > enable the silicon configuration (to be made available after power
> > cycling).
> > 
> > The SDSi device itself is enumerated as an auxiliary device from the
> > intel_vsec driver and as such has a build dependency on CONFIG_INTEL_VSEC.
> > 
> > Link: https://github.com/intel/intel-sdsi
> > Signed-off-by: David E. Box <david.e.box@...ux.intel.com>
> > Reviewed-by: Mark Gross <markgross@...nel.org>
> > ---
> >  .../ABI/testing/sysfs-driver-intel_sdsi       |  75 +++
> >  MAINTAINERS                                   |   5 +
> >  drivers/platform/x86/intel/Kconfig            |  12 +
> >  drivers/platform/x86/intel/Makefile           |   2 +
> >  drivers/platform/x86/intel/sdsi.c             | 571 ++++++++++++++++++
> >  drivers/platform/x86/intel/vsec.c             |  12 +-
> >  6 files changed, 676 insertions(+), 1 deletion(-)
> >  create mode 100644 Documentation/ABI/testing/sysfs-driver-intel_sdsi
> >  create mode 100644 drivers/platform/x86/intel/sdsi.c
> > 
> > diff --git a/Documentation/ABI/testing/sysfs-driver-intel_sdsi
> > b/Documentation/ABI/testing/sysfs-driver-intel_sdsi
> > new file mode 100644
> > index 000000000000..32a017ed3dd3
> > --- /dev/null
> > +++ b/Documentation/ABI/testing/sysfs-driver-intel_sdsi
> > @@ -0,0 +1,75 @@
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		This folder contains interface files for accessing Intel
> > +		Software Defined Silicon (SDSi) features on a CPU. X
> > +		represent the socket instance (though not the socket id).
> 
> s/represent/represents/
> s/socket id/socket ID/

Ack

> 
> As a user, how do I learn the socket instance?  Look at dmesg?  Look
> at some other sysfs file?

Instances are just the list of SDSi devices in this folder. Each device
represents a socket. They are enumerated in the order they are discovered. If
you meant socket ID, that is read from the registers file in this folder per the
spec. Ideally the two would be the same, but the socket ID is not known until
probe.

> 
> > +		Some files communicate with SDSi hardware through a mailbox.
> > +		Should the operation fail, one of the following error codes
> > +		may be returned:
> > +
> > +		Error Code	Cause
> > +	        ----------	-----
> > +	        EIO		General mailbox failure. Log may indicate cause.
> > +	        EBUSY		Mailbox is owned by another agent.
> > +	        EPERM		SDSI capability is not enabled in hardware.
> > +	        EPROTO		Failure in mailbox protocol detected by
> > driver.
> > +				See log for details.
> > +	        EOVERFLOW	For provision commands, the size of the data
> > +				exceeds what may be written.
> > +	        ESPIPE		Seeking is not allowed.
> > +	        ETIMEDOUT	Failure to complete mailbox transaction in time.
> > +
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/gui
> > d
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		(RO) The GUID for the registers file. The GUID identifies
> > +		the register layout of the registers file in this folder.
> > +		Information about the register layouts for a particular GUID
> > +		is available at http://github.com/intel/intel-sdsi
> 
> s/register layout of the registers file/layout of the registers file/

Ack

> 
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/reg
> > isters
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		(RO) Contains information needed by applications to provision
> > +		a CPU and monitor status information. The layout of this file
> > +		is determined by the GUID in this folder. Information about the
> > +		layout for a particular GUID is available at
> > +		http://github.com/intel/intel-sdsi
> > +
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/pro
> > vision_akc
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		(WO) Used to write an Authentication Key Certificate (AKC) to
> > +		the SDSi NVRAM for the CPU. The AKC is used to authentication a
> > +		Capability Activation Payload. Mailbox command.
> 
> s/used to authentication/used to authenticate/

Ack

> 
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/pro
> > vision_cap
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		(WO) Used to write a Capability Activation Payload (CAP) to the
> > +		SDSi NVRAM for the CPU. CAP files are used to activate a given
> > +		CPU feature. The CAP file is validated by SDSi hardware using a
> > +		previously provision AKC file. Upon successful authentication,
> > the
> > +		CPU configuration is updated. A cold reboot is required to fully
> > +		activate the feature. Mailbox command.
> 
> "CAP file" sounds like it might be redundant.  It *seems* like the
> *payload* is what will be validated by SDSi and activate the feature.
> Not sure "file" is meaningful if this is really talking about the
> content of the CAP.
> 
> s/previously provision/previously provisioned/

Ack

David

> 
> > +What:		/sys/bus/auxiliary/devices/intel_extended_cap.sdsi.X/rea
> > d_state_cert
> > +Date:		Nov 2021
> > +KernelVersion:	5.17
> > +Contact:	"David E. Box" <david.e.box@...ux.intel.com>
> > +Description:
> > +		(RO) Used to read back the current State Certificate for the CPU
> > +		from SDSi hardware. The State Certificate contains information
> > +		about the current licenses on the CPU. Mailbox command.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ