| Message ID | 20240528210712.1268-1-mario.limonciello@amd.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Enable PSP security attributes on more SoCs | expand |
On Tuesday, May 28th, 2024 at 10:07 PM, Mario Limonciello <mario.limonciello@amd.com> wrote: > v1->v2: Looks great, and the output of "fwupdmgr security" on my pre-production Lenovo T14 (AMD Ryzen 7 PRO 4750U) is now a lot more accurate: HSI-1 ✔ BIOS firmware updates: Enabled +✔ Fused platform: Locked +✔ Supported CPU: Valid ✔ TPM empty PCRs: Valid ✔ TPM v2.0: Found ✔ UEFI bootservice variables: Locked ✔ UEFI platform key: Valid HSI-2 ✔ IOMMU: Enabled +✔ Platform debugging: Locked ✔ TPM PCR0 reconstruction: Valid +✘ SPI write protection: Disabled ✘ BIOS rollback protection: Disabled HSI-3 +✘ SPI replay protection: Not supported ✘ CET Platform: Not supported ✘ Pre-boot DMA protection: Disabled ✘ Suspend-to-idle: Disabled ✘ Suspend-to-ram: Enabled HSI-4 +✔ Encrypted RAM: Encrypted ✔ SMAP: Enabled +✘ Processor rollback protection: Disabled Tested-by: Richard Hughes <richard@hughsie.com> Richard
On Tue, May 28, 2024 at 04:07:07PM -0500, Mario Limonciello wrote: > On some older SoCs the PSP doesn't export security attributes in the > capabilities register. On these SoCs it is however possible to get > the information by a platform access command. > > Restructure the driver to move all security attribute handling to > a central location and then add support for calling the platform > access command on those processors. > > v1->v2: > * Add tags (except patch 2) > * Fix kernel robot reported issue > * Move a check from patch 4 to patch 5 > Mario Limonciello (5): > crypto: ccp: Represent capabilities register as a union > crypto: ccp: Move security attributes to their own file > crypto: ccp: align psp_platform_access_msg > crypto: ccp: Add support for getting security attributes on some older > systems > crypto: ccp: Move message about TSME being enabled later in init > > MAINTAINERS | 6 ++ > drivers/crypto/ccp/Makefile | 3 +- > drivers/crypto/ccp/dbc.c | 2 +- > drivers/crypto/ccp/hsti.c | 138 ++++++++++++++++++++++++++++ > drivers/crypto/ccp/hsti.h | 17 ++++ > drivers/crypto/ccp/psp-dev.c | 23 ++--- > drivers/crypto/ccp/psp-dev.h | 46 +++++----- > drivers/crypto/ccp/sp-dev.h | 2 +- > drivers/crypto/ccp/sp-pci.c | 67 ++------------ > include/linux/psp-platform-access.h | 5 +- > 10 files changed, 210 insertions(+), 99 deletions(-) > create mode 100644 drivers/crypto/ccp/hsti.c > create mode 100644 drivers/crypto/ccp/hsti.h > > -- > 2.43.0 All applied. Thanks.
On some older SoCs the PSP doesn't export security attributes in the capabilities register. On these SoCs it is however possible to get the information by a platform access command. Restructure the driver to move all security attribute handling to a central location and then add support for calling the platform access command on those processors. v1->v2: * Add tags (except patch 2) * Fix kernel robot reported issue * Move a check from patch 4 to patch 5 Mario Limonciello (5): crypto: ccp: Represent capabilities register as a union crypto: ccp: Move security attributes to their own file crypto: ccp: align psp_platform_access_msg crypto: ccp: Add support for getting security attributes on some older systems crypto: ccp: Move message about TSME being enabled later in init MAINTAINERS | 6 ++ drivers/crypto/ccp/Makefile | 3 +- drivers/crypto/ccp/dbc.c | 2 +- drivers/crypto/ccp/hsti.c | 138 ++++++++++++++++++++++++++++ drivers/crypto/ccp/hsti.h | 17 ++++ drivers/crypto/ccp/psp-dev.c | 23 ++--- drivers/crypto/ccp/psp-dev.h | 46 +++++----- drivers/crypto/ccp/sp-dev.h | 2 +- drivers/crypto/ccp/sp-pci.c | 67 ++------------ include/linux/psp-platform-access.h | 5 +- 10 files changed, 210 insertions(+), 99 deletions(-) create mode 100644 drivers/crypto/ccp/hsti.c create mode 100644 drivers/crypto/ccp/hsti.h