[v9,9/9] drivers/node: Show in sysfs node's crypto capabilities

Message ID 20220704135833.1496303-10-martin.fernandez@eclypsium.com (mailing list archive)
State Deferred, archived
Series x86: Show in sysfs if a memory node is able to do encryption

Commit Message

Martin Fernandez July 4, 2022, 1:58 p.m. UTC
Show in each node in sysfs if its memory is able to be encrypted by
the CPU; on EFI systems: if all its memory is marked with
EFI_MEMORY_CPU_CRYPTO in the EFI memory map.

Signed-off-by: Martin Fernandez <martin.fernandez@eclypsium.com>
---
 Documentation/ABI/testing/sysfs-devices-node | 10 ++++++++++
 drivers/base/node.c                          | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 Documentation/ABI/testing/sysfs-devices-node

Comments

Greg KH July 4, 2022, 2:34 p.m. UTC | #1
On Mon, Jul 04, 2022 at 10:58:33AM -0300, Martin Fernandez wrote:
> Show in each node in sysfs if its memory is able to be encrypted by
> the CPU; on EFI systems: if all its memory is marked with
> EFI_MEMORY_CPU_CRYPTO in the EFI memory map.
> 
> Signed-off-by: Martin Fernandez <martin.fernandez@eclypsium.com>
> ---
>  Documentation/ABI/testing/sysfs-devices-node | 10 ++++++++++
>  drivers/base/node.c                          | 10 ++++++++++
>  2 files changed, 20 insertions(+)
>  create mode 100644 Documentation/ABI/testing/sysfs-devices-node
> 
> diff --git a/Documentation/ABI/testing/sysfs-devices-node b/Documentation/ABI/testing/sysfs-devices-node
> new file mode 100644
> index 000000000000..0e95420bd7c5
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-devices-node
> @@ -0,0 +1,10 @@
> +What:		/sys/devices/system/node/nodeX/crypto_capable
> +Date:		April 2022
> +Contact:	Martin Fernandez <martin.fernandez@eclypsium.com>
> +Users:		fwupd (https://fwupd.org)
> +Description:
> +		This value is 1 if all system memory in this node is
> +		capable of being protected with the CPU's memory
> +		cryptographic capabilities.  It is 0 otherwise.
> +		On EFI systems the node will be marked with
> +		EFI_MEMORY_CPU_CRYPTO.
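
Review bot: the header block of this new ABI entry has no KernelVersion: line, and its "Date: April 2022" predates this v9 posting (July 4, 2022). Add KernelVersion for the release the attribute is expected to land in and refresh Date when the series is respun, so that the listed user (fwupd) can tell from which kernel onward the file exists.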

Where will such a node be "marked"?  I do not understand this last
sentence, sorry, can you please reword this?

And why is EFI an issue here at all?

thanks,

greg k-h

Martin Fernandez July 5, 2022, 5:35 p.m. UTC | #2
On 7/4/22, Greg KH <gregkh@linuxfoundation.org> wrote:
> On Mon, Jul 04, 2022 at 10:58:33AM -0300, Martin Fernandez wrote:
>> Show in each node in sysfs if its memory is able to be encrypted by
>> the CPU; on EFI systems: if all its memory is marked with
>> EFI_MEMORY_CPU_CRYPTO in the EFI memory map.
>>
>> Signed-off-by: Martin Fernandez <martin.fernandez@eclypsium.com>
>> ---
>>  Documentation/ABI/testing/sysfs-devices-node | 10 ++++++++++
>>  drivers/base/node.c                          | 10 ++++++++++
>>  2 files changed, 20 insertions(+)
>>  create mode 100644 Documentation/ABI/testing/sysfs-devices-node
>>
>> diff --git a/Documentation/ABI/testing/sysfs-devices-node
>> b/Documentation/ABI/testing/sysfs-devices-node
>> new file mode 100644
>> index 000000000000..0e95420bd7c5
>> --- /dev/null
>> +++ b/Documentation/ABI/testing/sysfs-devices-node
>> @@ -0,0 +1,10 @@
>> +What:		/sys/devices/system/node/nodeX/crypto_capable
>> +Date:		April 2022
>> +Contact:	Martin Fernandez <martin.fernandez@eclypsium.com>
>> +Users:		fwupd (https://fwupd.org)
>> +Description:
>> +		This value is 1 if all system memory in this node is
>> +		capable of being protected with the CPU's memory
>> +		cryptographic capabilities.  It is 0 otherwise.
>> +		On EFI systems the node will be marked with
>> +		EFI_MEMORY_CPU_CRYPTO.
>
> Where will such a node be "marked"?  I do not understand this last
> sentence, sorry, can you please reword this?

What I meant is that if all the memory regions in a given node are
flagged with EFI_MEMORY_CPU_CRYPTO then that file will hold a 1.

Maybe it's a little confusing if you don't know what
EFI_MEMORY_CPU_CRYPTO is.

> And why is EFI an issue here at all?

Checking for EFI_MEMORY_CPU_CRYPTO is the way to know if a memory
region is able to be encrypted by the CPU on EFI platforms. It's not
really an issue and it's currently the only implementation for this
file.

Is it clearer here?

  This value is 1 if the memory in this node is capable of being
  protected with the CPU's memory cryptographic capabilities.  It is 0
  otherwise.
  On EFI systems this means that all the memory regions of the node
  have the EFI_MEMORY_CPU_CRYPTO attribute set.

> thanks,
>
> greg k-h
>

Greg KH July 6, 2022, 6:38 a.m. UTC | #3
On Tue, Jul 05, 2022 at 02:35:18PM -0300, Martin Fernandez wrote:
> On 7/4/22, Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Mon, Jul 04, 2022 at 10:58:33AM -0300, Martin Fernandez wrote:
> >> Show in each node in sysfs if its memory is able to be encrypted by
> >> the CPU; on EFI systems: if all its memory is marked with
> >> EFI_MEMORY_CPU_CRYPTO in the EFI memory map.
> >>
> >> Signed-off-by: Martin Fernandez <martin.fernandez@eclypsium.com>
> >> ---
> >>  Documentation/ABI/testing/sysfs-devices-node | 10 ++++++++++
> >>  drivers/base/node.c                          | 10 ++++++++++
> >>  2 files changed, 20 insertions(+)
> >>  create mode 100644 Documentation/ABI/testing/sysfs-devices-node
> >>
> >> diff --git a/Documentation/ABI/testing/sysfs-devices-node
> >> b/Documentation/ABI/testing/sysfs-devices-node
> >> new file mode 100644
> >> index 000000000000..0e95420bd7c5
> >> --- /dev/null
> >> +++ b/Documentation/ABI/testing/sysfs-devices-node
> >> @@ -0,0 +1,10 @@
> >> +What:		/sys/devices/system/node/nodeX/crypto_capable
> >> +Date:		April 2022
> >> +Contact:	Martin Fernandez <martin.fernandez@eclypsium.com>
> >> +Users:		fwupd (https://fwupd.org)
> >> +Description:
> >> +		This value is 1 if all system memory in this node is
> >> +		capable of being protected with the CPU's memory
> >> +		cryptographic capabilities.  It is 0 otherwise.
> >> +		On EFI systems the node will be marked with
> >> +		EFI_MEMORY_CPU_CRYPTO.
> >
> > Where will such a node be "marked"?  I do not understand this last
> > sentence, sorry, can you please reword this?
> 
> What I meant is that if all the memory regions in a given node are
> flagged with EFI_MEMORY_CPU_CRYPTO then that file will hold a 1.
> 
> Maybe it's a little confusing if you don't know what
> EFI_MEMORY_CPU_CRYPTO is.
> 
> > And why is EFI an issue here at all?
> 
> Checking for EFI_MEMORY_CPU_CRYPTO is the way to know if a memory
> region is able to be encrypted by the CPU on EFI platforms. It's not
> really an issue and it's currently the only implementation for this
> file.
> 
> Is it clearer here?
> 
>   This value is 1 if the memory in this node is capable of being
>   protected with the CPU's memory cryptographic capabilities.  It is 0
>   otherwise.
>   On EFI systems this means that all the memory regions of the node
>   have the EFI_MEMORY_CPU_CRYPTO attribute set.

Much better, thanks.

greg k-h
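
The rule settled on in this thread (a node reads 1 only when every one of its memory regions has EFI_MEMORY_CPU_CRYPTO set) is modelled below as an added example; it is not code from the patch or from the kernel. `struct region`, `node_crypto_capable()`, the constructed sample map and the choice to report a node with no memory as 0 are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute bits from the UEFI specification's memory descriptor. */
#define EFI_MEMORY_WB         0x0000000000000008ULL
#define EFI_MEMORY_CPU_CRYPTO 0x0000000000080000ULL

/* Hypothetical, simplified region record (not the kernel's structure). */
struct region {
	uint64_t start, size;
	uint64_t attribute;	/* EFI attribute bits */
	int nid;		/* NUMA node that owns the region */
};

/* Constructed sample map: node 0 fully flagged, node 1 mixed, node 2 empty. */
static const struct region sample_map[] = {
	{ 0x000000000ULL, 0x80000000ULL, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO, 0 },
	{ 0x100000000ULL, 0x80000000ULL, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO, 0 },
	{ 0x180000000ULL, 0x40000000ULL, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO, 1 },
	{ 0x1c0000000ULL, 0x40000000ULL, EFI_MEMORY_WB, 1 },
};
#define SAMPLE_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

/*
 * Return 1 only if node nid owns at least one region and every region it
 * owns carries EFI_MEMORY_CPU_CRYPTO. Assumption: an empty node reads 0.
 */
static int node_crypto_capable(const struct region *map, size_t n, int nid)
{
	bool seen = false;

	for (size_t i = 0; i < n; i++) {
		if (map[i].nid != nid || map[i].size == 0)
			continue;	/* other node, or zero-length entry */
		seen = true;
		if (!(map[i].attribute & EFI_MEMORY_CPU_CRYPTO))
			return 0;	/* one unflagged region clears the node */
	}
	return seen ? 1 : 0;
}

int main(void)
{
	for (int nid = 0; nid < 3; nid++)
		printf("node%d/crypto_capable: %d\n", nid,
		       node_crypto_capable(sample_map, SAMPLE_LEN, nid));
	return 0;
}
```

Node 1 shows why the wording matters to a consumer: half of its memory is flagged, yet the node as a whole reads 0.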

Patch

diff --git a/Documentation/ABI/testing/sysfs-devices-node b/Documentation/ABI/testing/sysfs-devices-node
new file mode 100644
index 000000000000..0e95420bd7c5
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-devices-node
@@ -0,0 +1,10 @@ 
+What:		/sys/devices/system/node/nodeX/crypto_capable
+Date:		April 2022
+Contact:	Martin Fernandez <martin.fernandez@eclypsium.com>
+Users:		fwupd (https://fwupd.org)
+Description:
+		This value is 1 if all system memory in this node is
+		capable of being protected with the CPU's memory
+		cryptographic capabilities.  It is 0 otherwise.
+		On EFI systems the node will be marked with
+		EFI_MEMORY_CPU_CRYPTO.
\ No newline at end of file
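
Review bot: the new file ends without a trailing newline (the "\ No newline at end of file" marker after the EFI_MEMORY_CPU_CRYPTO line); terminate the last line. The closing sentence "On EFI systems the node will be marked with EFI_MEMORY_CPU_CRYPTO." also still carries the wording questioned in the thread, so the next revision should use the agreed text stating that all the memory regions of the node have the attribute set.
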
diff --git a/drivers/base/node.c b/drivers/base/node.c
index 0ac6376ef7a1..f081fa48c8e6 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -560,11 +560,21 @@  static ssize_t node_read_distance(struct device *dev,
 }
 static DEVICE_ATTR(distance, 0444, node_read_distance, NULL);
 
+static ssize_t crypto_capable_show(struct device *dev,
+				   struct device_attribute *attr, char *buf)
+{
+	struct pglist_data *pgdat = NODE_DATA(dev->id);
+
+	return sysfs_emit(buf, "%d\n", pgdat->crypto_capable);
+}
+static DEVICE_ATTR_RO(crypto_capable);
+
 static struct attribute *node_dev_attrs[] = {
 	&dev_attr_meminfo.attr,
 	&dev_attr_numastat.attr,
 	&dev_attr_distance.attr,
 	&dev_attr_vmstat.attr,
+	&dev_attr_crypto_capable.attr,
 	NULL
 };
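
Review bot: &dev_attr_crypto_capable.attr is added to node_dev_attrs unconditionally, so the file appears on every node, including platforms where nothing fills pgdat->crypto_capable (the thread names EFI as the only implementation); there a 0 cannot be told apart from a node that has a region without the flag. Either state in the ABI text that 0 also covers "no information available", or hide the attribute through an is_visible callback when the platform supplies no data. A one-line comment above crypto_capable_show() saying where pgdat->crypto_capable is set would also help, since the field's definition is not part of this hunk.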