From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
To: Ingo Molnar <mingo@redhat.com>,
x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Cc: Dave Hansen <dave.hansen@intel.com>,
Kai Huang <kai.huang@linux.intel.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: [RFC, PATCH 02/22] x86/tme: Detect if TME and MKTME is activated by BIOS
Date: Mon, 5 Mar 2018 19:25:50 +0300 [thread overview]
Message-ID: <20180305162610.37510-3-kirill.shutemov@linux.intel.com> (raw)
In-Reply-To: <20180305162610.37510-1-kirill.shutemov@linux.intel.com>
IA32_TME_ACTIVATE MSR (0x982) can be used to check if BIOS has enabled
TME and MKTME. It includes which encryption policy/algorithm is selected
for TME or available for MKTME. For MKTME, the MSR also enumerates how
many KeyIDs are available.
We would need to exclude KeyID bits from physical address bits.
detect_tme() would adjust cpuinfo_x86::x86_phys_bits accordingly.
We have to do this even if we are not going to use KeyID bits
ourself. VM guests still have to know that these bits are not usable
for physical address.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
---
arch/x86/kernel/cpu/intel.c | 90 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index d19e903214b4..c770689490b5 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -503,6 +503,93 @@ static void detect_vmx_virtcap(struct cpuinfo_x86 *c)
}
}
+#define MSR_IA32_TME_ACTIVATE 0x982
+
+/* Helpers to access TME_ACTIVATE MSR */
+#define TME_ACTIVATE_LOCKED(x) (x & 0x1)
+#define TME_ACTIVATE_ENABLED(x) (x & 0x2)
+
+#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */
+#define TME_ACTIVATE_POLICY_AES_XTS_128 0
+
+#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */
+
+#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */
+#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1
+
+/* Values for mktme_status (SW only construct) */
+#define MKTME_ENABLED 0
+#define MKTME_DISABLED 1
+#define MKTME_UNINITIALIZED 2
+static int mktme_status = MKTME_UNINITIALIZED;
+
+static void detect_tme(struct cpuinfo_x86 *c)
+{
+ u64 tme_activate, tme_policy, tme_crypto_algs;
+ int keyid_bits = 0, nr_keyids = 0;
+ static u64 tme_activate_cpu0 = 0;
+
+ rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate);
+
+ if (mktme_status != MKTME_UNINITIALIZED) {
+ if (tme_activate != tme_activate_cpu0) {
+ /* Broken BIOS? */
+ pr_err_once("x86/tme: configuation is inconsistent between CPUs\n");
+ pr_err_once("x86/tme: MKTME is not usable\n");
+ mktme_status = MKTME_DISABLED;
+
+ /* Proceed. We may need to exclude bits from x86_phys_bits. */
+ }
+ } else {
+ tme_activate_cpu0 = tme_activate;
+ }
+
+ if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) {
+ pr_info_once("x86/tme: not enabled by BIOS\n");
+ mktme_status = MKTME_DISABLED;
+ return;
+ }
+
+ if (mktme_status != MKTME_UNINITIALIZED)
+ goto detect_keyid_bits;
+
+ pr_info("x86/tme: enabled by BIOS\n");
+
+ tme_policy = TME_ACTIVATE_POLICY(tme_activate);
+ if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128)
+ pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy);
+
+ tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate);
+ if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) {
+ pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n",
+ tme_crypto_algs);
+ mktme_status = MKTME_DISABLED;
+ }
+detect_keyid_bits:
+ keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate);
+ nr_keyids = (1UL << keyid_bits) - 1;
+ if (nr_keyids) {
+ pr_info_once("x86/mktme: enabled by BIOS\n");
+ pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids);
+ } else {
+ pr_info_once("x86/mktme: disabled by BIOS\n");
+ }
+
+ if (mktme_status == MKTME_UNINITIALIZED) {
+ /* MKTME is usable */
+ mktme_status = MKTME_ENABLED;
+ }
+
+ /*
+ * Exclude KeyID bits from physical address bits.
+ *
+ * We have to do this even if we are not going to use KeyID bits
+ * ourself. VM guests still have to know that these bits are not usable
+ * for physical address.
+ */
+ c->x86_phys_bits -= keyid_bits;
+}
+
static void init_intel_energy_perf(struct cpuinfo_x86 *c)
{
u64 epb;
@@ -673,6 +760,9 @@ static void init_intel(struct cpuinfo_x86 *c)
if (cpu_has(c, X86_FEATURE_VMX))
detect_vmx_virtcap(c);
+ if (cpu_has(c, X86_FEATURE_TME))
+ detect_tme(c);
+
init_intel_energy_perf(c);
init_intel_misc_features(c);
--
2.16.1
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-03-05 16:26 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-05 16:25 [RFC, PATCH 00/22] Partial MKTME enabling Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 01/22] x86/cpufeatures: Add Intel Total Memory Encryption cpufeature Kirill A. Shutemov
2018-03-05 16:25 ` Kirill A. Shutemov [this message]
2018-03-05 16:25 ` [RFC, PATCH 03/22] x86/cpufeatures: Add Intel PCONFIG cpufeature Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 04/22] x86/pconfig: Detect PCONFIG targets Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 05/22] x86/pconfig: Provide defines and helper to run MKTME_KEY_PROG leaf Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 06/22] x86/mm: Decouple dynamic __PHYSICAL_MASK from AMD SME Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 07/22] x86/mm: Mask out KeyID bits from page table entry pfn Kirill A. Shutemov
2018-03-22 15:55 ` Punit Agrawal
2018-03-05 16:25 ` [RFC, PATCH 08/22] mm: Introduce __GFP_ENCRYPT Kirill A. Shutemov
2018-03-22 16:02 ` Punit Agrawal
2018-03-05 16:25 ` [RFC, PATCH 09/22] mm, rmap: Add arch-specific field into anon_vma Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 10/22] mm/shmem: Zero out unused vma fields in shmem_pseudo_vma_init() Kirill A. Shutemov
2018-03-05 16:25 ` [RFC, PATCH 11/22] mm: Use __GFP_ENCRYPT for pages in encrypted VMAs Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 12/22] mm: Do no merge vma with different encryption KeyIDs Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 13/22] mm, rmap: Free encrypted pages once mapcount drops to zero Kirill A. Shutemov
2018-03-05 19:12 ` Dave Hansen
2018-03-06 8:18 ` Kirill A. Shutemov
2018-03-05 19:13 ` Dave Hansen
2018-03-06 8:27 ` Kirill A. Shutemov
2018-03-06 14:59 ` Dave Hansen
2018-03-06 15:00 ` Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 14/22] mm, khugepaged: Do not collapse pages in encrypted VMAs Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 15/22] x86/mm: Introduce variables to store number, shift and mask of KeyIDs Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 16/22] x86/mm: Preserve KeyID on pte_modify() and pgprot_modify() Kirill A. Shutemov
2018-03-05 19:09 ` Dave Hansen
2018-03-06 8:30 ` Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 17/22] x86/mm: Implement vma_is_encrypted() and vma_keyid() Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 18/22] x86/mm: Handle allocation of encrypted pages Kirill A. Shutemov
2018-03-05 19:03 ` Dave Hansen
2018-03-06 8:34 ` Kirill A. Shutemov
2018-03-05 19:07 ` Dave Hansen
2018-03-06 8:36 ` Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 19/22] x86/mm: Implement free_encrypt_page() Kirill A. Shutemov
2018-03-05 19:00 ` Dave Hansen
2018-03-06 8:38 ` Kirill A. Shutemov
2018-03-05 19:07 ` Dave Hansen
2018-03-06 8:54 ` Kirill A. Shutemov
2018-03-06 13:52 ` Dave Hansen
2018-03-06 14:09 ` Kirill A. Shutemov
2018-03-20 12:50 ` Kirill A. Shutemov
2018-03-27 14:44 ` Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 20/22] x86/mm: Implement anon_vma_encrypted() and anon_vma_keyid() Kirill A. Shutemov
2018-03-05 16:26 ` [RFC, PATCH 21/22] x86/mm: Introduce page_keyid() and page_encrypted() Kirill A. Shutemov
2018-03-05 17:08 ` Dave Hansen
2018-03-06 8:57 ` Kirill A. Shutemov
2018-03-06 14:56 ` Dave Hansen
2018-03-06 14:58 ` Kirill A. Shutemov
2018-03-06 15:04 ` Dave Hansen
2018-03-05 16:26 ` [RFC, PATCH 22/22] x86: Introduce CONFIG_X86_INTEL_MKTME Kirill A. Shutemov
2018-03-05 18:30 ` [RFC, PATCH 00/22] Partial MKTME enabling Christoph Hellwig
2018-03-05 19:05 ` Matthew Wilcox
2018-03-06 8:58 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180305162610.37510-3-kirill.shutemov@linux.intel.com \
--to=kirill.shutemov@linux.intel.com \
--cc=dave.hansen@intel.com \
--cc=hpa@zytor.com \
--cc=kai.huang@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).