mbox series

[v3,0/4] Export PSP security attributes

Message ID 20220331211213.2844-1-mario.limonciello@amd.com (mailing list archive)
Headers show
Series Export PSP security attributes | expand

Message

Mario Limonciello March 31, 2022, 9:12 p.m. UTC
Select AMD SOCs include the ability to export capabilities that
have been activated or detected by the platform security processor.

This information is useful for both system designers as well as system
administrators to ensure that the system has been properly locked down
to their expectations.

Software such as fwupd will also be modified to use this information
as part of the calculations for a security level score that may be
presented to a user.

This series also adds the ability to detect that TSME and SME are both
activated simultaneously to notify a user.  Previously a user could turn
on TSME and SME at the same time, but the kernel was unable to detect
that TSME was enabled in the OS.

This information is evaluated "too late" right now in the kernel to stop
the kernel from enabling SME, but if that is desirable at a later time
some of the early code can be modified to read the same information and
make that decision.

Mario Limonciello (4):
  crypto: ccp: cache capability into psp device
  crypto: ccp: Export PSP security bits to userspace
  crypto: ccp: Allow PSP driver to load without SEV/TEE support
  crypto: ccp: When TSME and SME both detected notify user

 Documentation/ABI/testing/sysfs-driver-ccp | 87 ++++++++++++++++++++++
 drivers/crypto/ccp/psp-dev.c               | 49 +++++-------
 drivers/crypto/ccp/psp-dev.h               | 22 ++++++
 drivers/crypto/ccp/sp-pci.c                | 62 +++++++++++++++
 4 files changed, 189 insertions(+), 31 deletions(-)
 create mode 100644 Documentation/ABI/testing/sysfs-driver-ccp

Comments

Herbert Xu April 8, 2022, 8:32 a.m. UTC | #1
On Thu, Mar 31, 2022 at 04:12:09PM -0500, Mario Limonciello wrote:
> Select AMD SOCs include the ability to export capabilities that
> have been activated or detected by the platform security processor.
> 
> This information is useful for both system designers as well as system
> administrators to ensure that the system has been properly locked down
> to their expectations.
> 
> Software such as fwupd will also be modified to use this information
> as part of the calculations for a security level score that may be
> presented to a user.
> 
> This series also adds the ability to detect that TSME and SME are both
> activated simultaneously to notify a user.  Previously a user could turn
> on TSME and SME at the same time, but the kernel was unable to detect
> that TSME was enabled in the OS.
> 
> This information is evaluated "too late" right now in the kernel to stop
> the kernel from enabling SME, but if that is desirable at a later time
> some of the early code can be modified to read the same information and
> make that decision.
> 
> Mario Limonciello (4):
>   crypto: ccp: cache capability into psp device
>   crypto: ccp: Export PSP security bits to userspace
>   crypto: ccp: Allow PSP driver to load without SEV/TEE support
>   crypto: ccp: When TSME and SME both detected notify user
> 
>  Documentation/ABI/testing/sysfs-driver-ccp | 87 ++++++++++++++++++++++
>  drivers/crypto/ccp/psp-dev.c               | 49 +++++-------
>  drivers/crypto/ccp/psp-dev.h               | 22 ++++++
>  drivers/crypto/ccp/sp-pci.c                | 62 +++++++++++++++
>  4 files changed, 189 insertions(+), 31 deletions(-)
>  create mode 100644 Documentation/ABI/testing/sysfs-driver-ccp

All applied.  Thanks.