lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220309220608.16844-3-alejandro.j.jimenez@oracle.com>
Date:   Wed,  9 Mar 2022 17:06:07 -0500
From:   Alejandro Jimenez <alejandro.j.jimenez@...cle.com>
To:     tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
        dave.hansen@...ux.intel.com, luto@...nel.org, peterz@...radead.org,
        x86@...nel.org, linux-kernel@...r.kernel.org
Cc:     thomas.lendacky@....com, brijesh.singh@....com,
        kirill.shutemov@...ux.intel.com, hpa@...or.com,
        pbonzini@...hat.com, seanjc@...gle.com, srutherford@...gle.com,
        ashish.kalra@....com, darren.kenny@...cle.com,
        venu.busireddy@...cle.com, boris.ostrovsky@...cle.com,
        alejandro.j.jimenez@...cle.com
Subject: [RFC 2/3] x86: Expose SEV capabilities in sysfs

Expose the state of the SEV feature via the new sysfs interface. Document
the new ABI.

Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@...cle.com>
Reviewed-by: Darren Kenny <darren.kenny@...cle.com>
---
 .../ABI/testing/sysfs-kernel-mm-mem-encrypt   |  31 +++++
 arch/x86/mm/mem_encrypt_amd.c                 | 106 ++++++++++++++++--
 2 files changed, 129 insertions(+), 8 deletions(-)

diff --git a/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt b/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
index a53f87f28704..68a932d4540b 100644
--- a/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
+++ b/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
@@ -29,3 +29,34 @@ Description:	(Host only) Expose status of SME feature. Valid values are:
 		inactive: Secure Memory Encryption is supported, enabled, but
 		the kernel is not applying encryption bit to page table entries
 		(SME mask in kernel is zero).
+
+What:		/sys/kernel/mm/mem_encrypt/sev/status
+Date:		March 2022
+KernelVersion:	5.17
+Description:	Expose status of sev feature. Valid values are:
+
+		unsupported: Secure Encrypted Virtualization capability is not
+		supported by the processor.
+
+		enabled (Host only): Hypervisor host capable of running SEV
+		guests.
+
+		disabled (Host only): Memory encryption has been disabled by
+		System-Configuration Register (SYSCFG) MemEncryptionModeEn bit.
+
+		active (Guest only): Running in virtual machine with encrypted
+		code and data.
+
+		inactive (Guest only): Running in unencrypted virtual machine.
+
+What:		/sys/kernel/mm/mem_encrypt/sev/nr_asid_available
+Date:		March 2022
+KernelVersion:	5.17
+Description:	(Host only) Total number of ASIDs available for encrypted
+		guests. Number of encrypted guests supported simultaneously.
+
+What:		/sys/kernel/mm/mem_encrypt/sev/nr_sev_asid
+Date:		March 2022
+KernelVersion:	5.17
+Description:	(Host only) Number of ASIDs available for SEV guests with
+		SEV-ES disabled.
diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
index ccd6448042fe..86979e0e26c7 100644
--- a/arch/x86/mm/mem_encrypt_amd.c
+++ b/arch/x86/mm/mem_encrypt_amd.c
@@ -38,6 +38,7 @@
 #define AMD_CPUID_ENCRYPTED_MEM		0x8000001f
 
 #define AMD_SME_BIT			BIT(0)
+#define AMD_SEV_BIT			BIT(1)
 
 #define CC_ATTR_RO(_name) \
 	static struct kobj_attribute _name##_attr = __ATTR_RO(_name)
@@ -78,6 +79,8 @@ static char sme_early_buffer[PAGE_SIZE] __initdata __aligned(PAGE_SIZE);
 
 static u8 cbit_pos;
 static u32 sec_encrypt_support_mask;
+static u32 max_sev_asid;
+static u32 min_sev_asid;
 
 static inline bool is_vm(void)
 {
@@ -95,7 +98,10 @@ static void encrypted_mem_caps_init(void)
 	cpuid(AMD_CPUID_ENCRYPTED_MEM, &eax, &ebx, &ecx, &edx);
 
 	cbit_pos = ebx & 0x3f;
-	sec_encrypt_support_mask = eax & AMD_SME_BIT;
+	sec_encrypt_support_mask = eax & (AMD_SME_BIT | AMD_SEV_BIT);
+
+	max_sev_asid = ecx;
+	min_sev_asid = edx;
 }
 
 /* Verify that memory encryption capabilities are supported */
@@ -104,13 +110,7 @@ static inline bool mem_encrypt_feat_supported(u32 feat_bit)
 	return !!(sec_encrypt_support_mask & feat_bit);
 }
 
-/*
- * sysfs interface for SME/SEV.
- * Expose whether the various memory encryption capabilities are
- * supported/enabled/active.
- */
-static ssize_t status_show(struct kobject *kobj,
-				struct kobj_attribute *attr, char *buf)
+static inline ssize_t sme_status_show(char *buf)
 {
 	if (!mem_encrypt_feat_supported(AMD_SME_BIT))
 		return sysfs_emit(buf, "%s\n", "unsupported");
@@ -129,7 +129,58 @@ static ssize_t status_show(struct kobject *kobj,
 	return sysfs_emit(buf, "%s\n",
 			!!cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT) ?
 			"active" : "inactive");
+}
+
+static inline ssize_t sev_status_show(u32 feat_bit, u32 feat_cap,
+					enum cc_attr encrypt_attr, char *buf)
+{
+	if (!mem_encrypt_feat_supported(feat_bit))
+		return sysfs_emit(buf, "%s\n", "unsupported");
+
+	if (!is_vm()) {
+		/*
+		 * When in a host, we can avoid reading MSR_AMD64_SYSCFG MSR to
+		 * check for MemEncryptionModeEn (bit 23) since an earlier call
+		 * to early_detect_mem_encrypt() clears the feature from the
+		 * CPU caps if the bit is not set. So it is sufficient to check
+		 * the CPU caps here.
+		 */
+		return sysfs_emit(buf, "%s\n", !!boot_cpu_has(feat_cap) ?
+				"enabled" : "disabled");
+	} else {
+		/*
+		 * When in a guest, we cannot check MemEncryptionModeEn(bit 23)
+		 * since KVM currently masks off MSR_AMD64_SYSCFG. Use the
+		 * cc_platform_has() API which uses the SEV_STATUS MSR to
+		 * determine if the feature is active.
+		 */
+		return sysfs_emit(buf, "%s\n",
+				!!cc_platform_has(encrypt_attr) ?
+				"active" : "inactive");
+	}
+}
+
+/*
+ * sysfs interface for SME/SEV.
+ * Expose whether the various memory encryption capabilities are
+ * supported/enabled/active.
+ */
+static ssize_t status_show(struct kobject *kobj,
+				struct kobj_attribute *attr, char *buf)
+{
+	if (!strcmp(kobj->name, "sme")) {
+		return sme_status_show(buf);
+
+	} else if (!strcmp(kobj->name, "sev")) {
+		return sev_status_show(AMD_SEV_BIT, X86_FEATURE_SEV,
+					CC_ATTR_GUEST_MEM_ENCRYPT, buf);
+	}
 
+	/*
+	 * The checks above must cover all of the possible CoCo features that
+	 * have the status attribute.
+	 */
+	return -1;
 }
 CC_ATTR_RO(status);
 
@@ -140,6 +191,25 @@ static ssize_t c_bit_position_show(struct kobject *kobj,
 }
 CC_ATTR_RO(c_bit_position);
 
+static ssize_t nr_asid_available_show(struct kobject *kobj,
+					struct kobj_attribute *attr, char *buf)
+{
+	return sysfs_emit(buf, "%u\n", max_sev_asid);
+}
+CC_ATTR_RO(nr_asid_available);
+
+static ssize_t nr_sev_asid_show(struct kobject *kobj,
+				struct kobj_attribute *attr, char *buf)
+{
+	u32 nr_sev_asid = 0;
+
+	if (max_sev_asid)
+		nr_sev_asid = max_sev_asid - min_sev_asid + 1;
+
+	return sysfs_emit(buf, "%u\n", nr_sev_asid);
+}
+CC_ATTR_RO(nr_sev_asid);
+
 static struct attribute *sme_attrs[] = {
 	&status_attr.attr,
 	NULL,
@@ -148,14 +218,34 @@ static const struct attribute_group sme_attr_group = {
 	.attrs = sme_attrs,
 };
 
+static struct attribute *sev_host_attrs[] = {
+	&status_attr.attr,
+	&nr_asid_available_attr.attr,
+	&nr_sev_asid_attr.attr,
+	NULL,
+};
+static const struct attribute_group sev_host_attr_group = {
+	.attrs = sev_host_attrs,
+};
+
+static struct attribute *sev_guest_attrs[] = {
+	&status_attr.attr,
+	NULL,
+};
+static const struct attribute_group sev_guest_attr_group = {
+	.attrs = sev_guest_attrs,
+};
+
 /* List of features to be exposed when running as hypervisor host */
 static struct amd_cc_feature host_cc_feat_list[] = {
 	AMD_CC_FEATURE("sme", sme_attr_group, NULL),
+	AMD_CC_FEATURE("sev", sev_host_attr_group, NULL),
 	{},
 };
 
 /* List of features to be exposed when running as guest */
 static struct amd_cc_feature guest_cc_feat_list[] = {
+	AMD_CC_FEATURE("sev", sev_guest_attr_group, NULL),
 	{},
 };
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ