| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Older systems will not populate the security attributes in the
capabilities register. The PSP on these systems, however, does have a
command to get the security attributes. Use this command during ccp
startup to populate the attributes if they're missing.
Closes: https://github.com/fwupd/fwupd/issues/5284
Closes: https://github.com/fwupd/fwupd/issues/5675
Closes: https://github.com/fwupd/fwupd/issues/6253
Closes: https://github.com/fwupd/fwupd/issues/7280
Closes: https://github.com/fwupd/fwupd/issues/6323
Closes: https://github.com/fwupd/fwupd/discussions/5433
Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
To prepare for other code that will manipulate security attributes
move the handling code out of sp-pci.c. No intended functional changes.
Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Making the capabilities register a union makes it easier to refer
to the members instead of always doing bit shifts.
No intended functional changes.
Acked-by: Tom Lendacky <[email protected]>
Suggested-by: Yazen Ghannam <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Offsets are checked by the capabilities register in multiple places.
To make the code more readable add a macro.
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
With the PSP mailbox registers supporting more than just TEE, access to
them must be maintained and serialized by the PSP device support. Remove
TEE support direct access and create an interface in the PSP support
where the register access can be controlled/serialized.
Signed-off-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Reviewed-by: Rijo Thomas <[email protected]>
Tested-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Dynamic Boost Control is a feature offered on AMD client platforms that
allows software to request and set power or frequency limits.
Only software that has authenticated with the PSP can retrieve or set
these limits.
Create a character device and ioctl for fetching the nonce. This ioctl
supports optionally passing authentication information which will influence
how many calls the nonce is valid for.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The bootloader and TEE versions are stored in registers that can be
accessed from sysfs. This exports the information for recent client
and datacenter parts.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
As it's not always obvious what PSP bootloader or TEE version are
present in OEM systems, add the ability to get this information from
sysfs for supported platforms.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The attribute_show() macro is only valid for determining the availability
of security related sysfs entries. Rename the macro to better show this
relationship.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add a new CCP/PSP PCI device ID and new PSP register offsets.
Signed-off-by: John Allen <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
PCI device 0x17E0 includes new TEE offsets, doesn't support a
platform mailbox, and does support platform doorbell
so introduce a new structure to represent it.
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
A number of platforms are emitting the error:
```ccp: unable to access the device: you might be running a broken BIOS.```
This is expected behavior as CCP is no longer accessible from the PSP's
PCIe BAR so stop trying to probe CCP for 0x1649.
Cc: [email protected]
Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Some platforms support using a doorbell to communicate. Export
this feature for other drivers to utilize as well.
Link: https://lore.kernel.org/linux-i2c/[email protected]/
Suggested-by: Jan Dabros <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Client PSP parts support the platform access interface. Add
the register offsets so that client parts will initialize this
interface.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add comments next to the version data MMIO register values to identify
the register name being used.
Signed-off-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
SoCs containing 0x14CA are present both in datacenter parts that
support SEV as well as client parts that support TEE.
Cc: [email protected] # 5.15+
Tested-by: Rijo-john Thomas <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add a new CCP/PSP PCI device ID. This uses same register offsets
as the previously supported structure.
Signed-off-by: Mario Limonciello <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Acked-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The PSP sets several pre-defined bits in the capabilities
register to indicate that security attributes of the platform.
Export these attributes into userspace for administrators to
confirm platform is properly locked down.
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Mario Limonciello <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add a new CCP/PSP PCI device ID and corresponding entry in the dev_vdata
struct.
Signed-off-by: John Allen <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The commit 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the
PSP driver") added support to allocate Trusted Memory Region (TMR)
used during the SEV-ES firmware initialization. The TMR gets locked
during the firmware initialization and unlocked during the shutdown.
While the TMR is locked, access to it is disallowed.
Currently, the CCP driver does not shutdown the firmware during the
kexec reboot, leaving the TMR memory locked.
Register a callback to shutdown the SEV firmware on the kexec boot.
Fixes: 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the PSP driver")
Reported-by: Lucas Nussbaum <[email protected]>
Tested-by: Lucas Nussbaum <[email protected]>
Cc: <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: Joerg Roedel <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: David Rientjes <[email protected]>
Signed-off-by: Brijesh Singh <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be
called as already done in the error handling path.
Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration")
Signed-off-by: Christophe JAILLET <[email protected]>
Acked-by: John Allen <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add a new PCI device entry for Green Sardine APU.
Signed-off-by: Devaraj Rangasamy <[email protected]>
Tested-by: Babulu Ellune <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Drivers using legacy power management .suspen()/.resume() callbacks
have to manage PCI states and device's PM states themselves. They also
need to take care of standard configuration registers.
Switch to generic power management framework using a single
"struct dev_pm_ops" variable to take the unnecessary load from the driver.
This also avoids the need for the driver to directly call most of the PCI
helper functions and device power state control functions as through
the generic framework, PCI Core takes care of the necessary operations,
and drivers are required to do only device-specific jobs.
Signed-off-by: Vaibhav Gupta <[email protected]>
Acked-by: John Allen <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Introduce clear_psp_master_device() to ensure that sp_dev_master gets
properly cleared on the release of a psp device.
Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
Signed-off-by: John Allen <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Adds a PCI device entry for Raven Ridge. Raven Ridge is an APU with a
dedicated AMD Secure Processor having Trusted Execution Environment (TEE)
support. The TEE provides a secure environment for running Trusted
Applications (TAs) which implement security-sensitive parts of a feature.
This patch configures AMD Secure Processor's TEE interface by initializing
a ring buffer (shared memory between Rich OS and Trusted OS) which can hold
multiple command buffer entries. The TEE interface is facilitated by a set
of CPU to PSP mailbox registers.
The next patch will address how commands are submitted to the ring buffer.
Cc: Jens Wiklander <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
PSP can support both SEV and TEE interface. Therefore, move
SEV specific registers to a dedicated data structure.
TEE interface specific registers will be added in a later
patch.
Cc: Ard Biesheuvel <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: Jens Wiklander <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The PSP (Platform Security Processor) provides support for key management
commands in Secure Encrypted Virtualization (SEV) mode, along with
software-based Trusted Execution Environment (TEE) to enable third-party
Trusted Applications.
Therefore, introduce psp-dev.c and psp-dev.h files, which can invoke
SEV (or TEE) initialization based on platform feature support.
TEE interface support will be introduced in a later patch.
Cc: Ard Biesheuvel <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: Jens Wiklander <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
This is a preliminary patch for creating a generic PSP device driver
file, which will have support for both SEV and TEE (Trusted Execution
Environment) interface.
This patch does not introduce any new functionality, but simply renames
psp-dev.c and psp-dev.h files to sev-dev.c and sev-dev.h files
respectively.
Cc: Ard Biesheuvel <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: Jens Wiklander <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Enrico Weigelt <[email protected]>
Reviewed-by: Kate Stewart <[email protected]>
Reviewed-by: Allison Randal <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The current content of some of the driver messages and the way that they
are issued results in some confusion, especially in the area of the PSP
as it relates to SEV support. If SEV is not supported, a message is issued
that says "psp initialization failed." This makes it seem like there was
a problem, when in fact, the PSP support is just disabled if SEV is not
supported.
Update the driver to check SEV support a bit earlier and issue a debug-
level message if SEV is not supported, followed by a debug-level message
that the PSP is disabled. This way you will only see PSP messages if SEV
is supported or if debug information is desired. Also, remove the overall
"enabled" and "disabled" messages for the driver and rely on the CCP and
PSP support to issue component-specific messages.
Signed-off-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Correct copyright dates for files that have had code added
to them in 2018.
Signed-off-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
Add a new CCP/PSP PCI device ID and new PSP register offsets.
Signed-off-by: Tom Lendacky <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Reviewed-by: Brijesh Singh <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
In preparation for adding a new PSP device ID that uses different register
offsets, add support to the PSP version data for register offset values.
And then update the code to use these new register offset values.
Signed-off-by: Tom Lendacky <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Reviewed-by: Brijesh Singh <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|
|
The Platform Security Processor (PSP) is part of the AMD Secure
Processor (AMD-SP) functionality. The PSP is a dedicated processor
that provides support for key management commands in Secure Encrypted
Virtualization (SEV) mode, along with software-based Trusted Execution
Environment (TEE) to enable third-party trusted applications.
Note that the key management functionality provided by the SEV firmware
can be used outside of the kvm-amd driver hence it doesn't need to
depend on CONFIG_KVM_AMD.
Cc: Paolo Bonzini <[email protected]>
Cc: "Radim Krčmář" <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: Gary Hook <[email protected]>
Cc: Tom Lendacky <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Improvements-by: Borislav Petkov <[email protected]>
Signed-off-by: Brijesh Singh <[email protected]>
Reviewed-by: Borislav Petkov <[email protected]>
|
|
CCP device initializes is now integerated into higher level SP device,
to avoid the confusion lets rename the ccp driver initialization files
(ccp-platform.c->sp-platform.c, ccp-pci.c->sp-pci.c). The patch does not
make any functional changes other than renaming file and structures
Signed-off-by: Brijesh Singh <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
|