#
0470bb1b |
|
07-Sep-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Add support for DBC over PSP mailbox On some SOCs DBC is supported through the PSP mailbox instead of the platform mailbox. This capability is advertised in the PSP capabilities register. Allow using this communication path if supported. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
6e17375c |
|
07-Sep-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Add support for extended PSP mailbox commands The PSP mailbox supports a number of extended sub-commands. These subcommands are placed in the header of the buffer sent to the mailbox. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
949a0c8d |
|
07-Sep-2023 |
Tom Lendacky <thomas.lendacky@amd.com> |
crypto: ccp - Move direct access to some PSP registers out of TEE With the PSP mailbox registers supporting more than just TEE, access to them must be maintained and serialized by the PSP device support. Remove TEE support direct access and create an interface in the PSP support where the register access can be controlled/serialized. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Tested-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
c04cf9e1 |
|
23-Jun-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Add support for fetching a nonce for dynamic boost control Dynamic Boost Control is a feature offered on AMD client platforms that allows software to request and set power or frequency limits. Only software that has authenticated with the PSP can retrieve or set these limits. Create a character device and ioctl for fetching the nonce. This ioctl supports optionally passing authentication information which will influence how many calls the nonce is valid for. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
7ccc4f4e |
|
10-Mar-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Add support for an interface for platform features Some platforms with a PSP support an interface for features that interact directly with the PSP instead of through a SEV or TEE environment. Initialize this interface so that other drivers can consume it. These drivers may either be subdrivers for the ccp module or external modules. For external modules, export a symbol for them to utilize. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
1c5c1daf |
|
10-Mar-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Move some PSP mailbox bit definitions into common header Some of the bits and fields used for mailboxes communicating with the PSP are common across all mailbox implementations (SEV, TEE, etc). Move these bits into the common `linux/psp.h` so they don't need to be re-defined for each implementation. Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
a7ca7bbd |
|
10-Mar-2023 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Drop TEE support for IRQ handler The only PSP mailbox that currently supports interrupt on completion is the SEV mailbox. Drop the dead code for the TEE subdriver to potentially call it. Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
50c4decc |
|
31-Mar-2022 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - Export PSP security bits to userspace The PSP sets several pre-defined bits in the capabilities register to indicate that security attributes of the platform. Export these attributes into userspace for administrators to confirm platform is properly locked down. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
cac32cd4 |
|
31-Mar-2022 |
Mario Limonciello <mario.limonciello@amd.com> |
crypto: ccp - cache capability into psp device The results of the capability register will be used by future code at runtime rather than just initialization. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
33960acc |
|
03-Dec-2019 |
Rijo Thomas <Rijo-john.Thomas@amd.com> |
crypto: ccp - add TEE support for Raven Ridge Adds a PCI device entry for Raven Ridge. Raven Ridge is an APU with a dedicated AMD Secure Processor having Trusted Execution Environment (TEE) support. The TEE provides a secure environment for running Trusted Applications (TAs) which implement security-sensitive parts of a feature. This patch configures AMD Secure Processor's TEE interface by initializing a ring buffer (shared memory between Rich OS and Trusted OS) which can hold multiple command buffer entries. The TEE interface is facilitated by a set of CPU to PSP mailbox registers. The next patch will address how commands are submitted to the ring buffer. Cc: Jens Wiklander <jens.wiklander@linaro.org> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Co-developed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
b93566f1 |
|
03-Dec-2019 |
Rijo Thomas <Rijo-john.Thomas@amd.com> |
crypto: ccp - create a generic psp-dev file The PSP (Platform Security Processor) provides support for key management commands in Secure Encrypted Virtualization (SEV) mode, along with software-based Trusted Execution Environment (TEE) to enable third-party Trusted Applications. Therefore, introduce psp-dev.c and psp-dev.h files, which can invoke SEV (or TEE) initialization based on platform feature support. TEE interface support will be introduced in a later patch. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jens Wiklander <jens.wiklander@linaro.org> Co-developed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
ec310caf |
|
12-Nov-2019 |
Brijesh Singh <brijesh.singh@amd.com> |
crypto: ccp - add SEV command privilege separation Currently, there is no privilege separation of the SEV command; you can run them all or none of them. This is less than ideal because it means that a compromise of the code which launches VMs could make permanent change to the SEV certifcate chain which will affect others. These commands are required to attest the VM environment: - SEV_PDH_CERT_EXPORT - SEV_PLATFORM_STATUS - SEV_GET_{ID,ID2} These commands manage the SEV certificate chain: - SEV_PEK_CERR_IMPORT - SEV_FACTORY_RESET - SEV_PEK_GEN - SEV_PEK_CSR - SEV_PDH_GEN Lets add the CAP_SYS_ADMIN check for the group of the commands which alters the SEV certificate chain to provide some level of privilege separation. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Tom Lendacky <Thomas.Lendacky@amd.com> Tested-by: David Rientjes <rientjes@google.com> Co-developed-by: David Rientjes <rientjes@google.com> Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
3a646b6e |
|
02-Aug-2019 |
Bjorn Helgaas <bhelgaas@google.com> |
crypto: ccp - Remove unnecessary linux/pci.h include Remove unused includes of linux/pci.h. Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
600bac00 |
|
27-Jun-2019 |
Hook, Gary <Gary.Hook@amd.com> |
crypto: ccp - Switch to SPDX license identifiers Add an SPDX identifier and remove any specific statements. Signed-off-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
d2912cb1 |
|
04-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
fa5cd1c7 |
|
18-Dec-2018 |
Hook, Gary <Gary.Hook@amd.com> |
crypto: ccp - Update copyright notices and dates Correct copyright dates for files that have had code added to them in 2018. Signed-off-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
ad01a984 |
|
02-Jul-2018 |
Tom Lendacky <thomas.lendacky@amd.com> |
crypto: ccp - Support register differences between PSP devices In preparation for adding a new PSP device ID that uses different register offsets, add support to the PSP version data for register offset values. And then update the code to use these new register offset values. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gary R Hook <gary.hook@amd.com> Reviewed-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
03af9124 |
|
02-Jul-2018 |
Tom Lendacky <thomas.lendacky@amd.com> |
crypto: ccp - Remove unused #defines Remove some unused #defines for register offsets that are not used. This will lessen the changes required when register offsets change between versions of the device. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gary R Hook <gary.hook@amd.com> Reviewed-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
edd303ff |
|
25-May-2018 |
Janakarajan Natarajan <Janakarajan.Natarajan@amd.com> |
crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command The DOWNLOAD_FIRMWARE command, added as of SEV API v0.15, allows the OS to install SEV firmware newer than the currently active SEV firmware. For the new SEV firmware to be applied it must: * Pass the validation test performed by the existing firmware. * Be of the same build or a newer build compared to the existing firmware. For more information please refer to "Section 5.11 DOWNLOAD_FIRMWARE" of https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
#
200664d5 |
|
04-Dec-2017 |
Brijesh Singh <brijesh.singh@amd.com> |
crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support AMD's new Secure Encrypted Virtualization (SEV) feature allows the memory contents of virtual machines to be transparently encrypted with a key unique to the VM. The programming and management of the encryption keys are handled by the AMD Secure Processor (AMD-SP) which exposes the commands for these tasks. The complete spec is available at: http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Extend the AMD-SP driver to provide the following support: - an in-kernel API to communicate with the SEV firmware. The API can be used by the hypervisor to create encryption context for a SEV guest. - a userspace IOCTL to manage the platform certificates. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Borislav Petkov <bp@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: linux-crypto@vger.kernel.org Cc: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org Improvements-by: Borislav Petkov <bp@suse.de> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
|
#
2a6170df |
|
04-Dec-2017 |
Brijesh Singh <brijesh.singh@amd.com> |
crypto: ccp: Add Platform Security Processor (PSP) device support The Platform Security Processor (PSP) is part of the AMD Secure Processor (AMD-SP) functionality. The PSP is a dedicated processor that provides support for key management commands in Secure Encrypted Virtualization (SEV) mode, along with software-based Trusted Execution Environment (TEE) to enable third-party trusted applications. Note that the key management functionality provided by the SEV firmware can be used outside of the kvm-amd driver hence it doesn't need to depend on CONFIG_KVM_AMD. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Borislav Petkov <bp@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: linux-crypto@vger.kernel.org Cc: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org Improvements-by: Borislav Petkov <bp@suse.de> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Reviewed-by: Borislav Petkov <bp@suse.de>
|