From: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
To: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, luto@kernel.org,
peterz@infradead.org, x86@kernel.org,
linux-kernel@vger.kernel.org
Cc: thomas.lendacky@amd.com, brijesh.singh@amd.com,
kirill.shutemov@linux.intel.com, hpa@zytor.com,
pbonzini@redhat.com, seanjc@google.com, srutherford@google.com,
ashish.kalra@amd.com, darren.kenny@oracle.com,
venu.busireddy@oracle.com, boris.ostrovsky@oracle.com,
alejandro.j.jimenez@oracle.com
Subject: [RFC 3/3] x86: Expose SEV-ES capabilities in sysfs
Date: Wed, 9 Mar 2022 17:06:08 -0500 [thread overview]
Message-ID: <20220309220608.16844-4-alejandro.j.jimenez@oracle.com> (raw)
In-Reply-To: <20220309220608.16844-1-alejandro.j.jimenez@oracle.com>
Expose the state of the SEV-ES feature via the new sysfs interface.
Document the new ABI.
Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
---
.../ABI/testing/sysfs-kernel-mm-mem-encrypt | 28 ++++++++++++-
arch/x86/mm/mem_encrypt_amd.c | 40 ++++++++++++++++++-
2 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt b/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
index 68a932d4540b..ecd491c0a7bd 100644
--- a/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
+++ b/Documentation/ABI/testing/sysfs-kernel-mm-mem-encrypt
@@ -49,7 +49,7 @@ Description: Expose status of sev feature. Valid values are:
inactive (Guest only): Running in unencrypted virtual machine.
-What: /sys/kernel/mm/mem_encrypt/sev/nr_asid_available
+What: /sys/kernel/mm/mem_encrypt/{sev,sev_es}/nr_asid_available
Date: March 2022
KernelVersion: 5.17
Description: (Host only) Total number of ASIDs available for encrypted
@@ -60,3 +60,29 @@ Date: March 2022
KernelVersion: 5.17
Description: (Host only) Number of ASIDs available for SEV guests with
SEV-ES disabled.
+
+What: /sys/kernel/mm/mem_encrypt/sev_es/status
+Date: March 2022
+KernelVersion: 5.17
+Description: Expose status of sev_es feature. Valid values are:
+
+ unsupported: Secure Encrypted Virtualization with Encrypted
+ State is not supported by the processor.
+
+ enabled (Host only): Hypervisor host capable of running SEV
+ guests.
+
+ disabled (Host only): Memory encryption has been disabled by
+ System-Configuration Register (SYSCFG) MemEncryptionModeEn bit.
+
+ active (Guest only): Running in virtual machine with encrypted
+ code, data, and guest register state.
+
+ inactive (Guest only): Running in virtual machine with
+ unencrypted register state.
+
+What: /sys/kernel/mm/mem_encrypt/sev_es/nr_sev_es_asid
+Date: March 2022
+KernelVersion: 5.17
+Description: (Host only) Number of ASIDs available for SEV guests with SEV-
+ ES enabled.
diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
index 86979e0e26c7..bafc34bf6121 100644
--- a/arch/x86/mm/mem_encrypt_amd.c
+++ b/arch/x86/mm/mem_encrypt_amd.c
@@ -39,6 +39,7 @@
#define AMD_SME_BIT BIT(0)
#define AMD_SEV_BIT BIT(1)
+#define AMD_SEV_ES_BIT BIT(3)
#define CC_ATTR_RO(_name) \
static struct kobj_attribute _name##_attr = __ATTR_RO(_name)
@@ -98,7 +99,8 @@ static void encrypted_mem_caps_init(void)
cpuid(AMD_CPUID_ENCRYPTED_MEM, &eax, &ebx, &ecx, &edx);
cbit_pos = ebx & 0x3f;
- sec_encrypt_support_mask = eax & (AMD_SME_BIT | AMD_SEV_BIT);
+ sec_encrypt_support_mask = eax &
+ (AMD_SME_BIT | AMD_SEV_BIT | AMD_SEV_ES_BIT);
max_sev_asid = ecx;
min_sev_asid = edx;
@@ -174,6 +176,10 @@ static ssize_t status_show(struct kobject *kobj,
} else if (!strcmp(kobj->name, "sev")) {
return sev_status_show(AMD_SEV_BIT, X86_FEATURE_SEV,
CC_ATTR_GUEST_MEM_ENCRYPT, buf);
+
+ } else if (!strcmp(kobj->name, "sev_es")) {
+ return sev_status_show(AMD_SEV_ES_BIT, X86_FEATURE_SEV_ES,
+ CC_ATTR_GUEST_STATE_ENCRYPT, buf);
}
/*
@@ -210,6 +216,18 @@ static ssize_t nr_sev_asid_show(struct kobject *kobj,
}
CC_ATTR_RO(nr_sev_asid);
+static ssize_t nr_sev_es_asid_show(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+{
+ unsigned int nr_sev_es_asid = 0;
+
+ if (min_sev_asid)
+ nr_sev_es_asid = min_sev_asid - 1;
+
+ return sysfs_emit(buf, "%u\n", nr_sev_es_asid);
+}
+CC_ATTR_RO(nr_sev_es_asid);
+
static struct attribute *sme_attrs[] = {
&status_attr.attr,
NULL,
@@ -236,16 +254,36 @@ static const struct attribute_group sev_guest_attr_group = {
.attrs = sev_guest_attrs,
};
+static struct attribute *sev_es_host_attrs[] = {
+ &status_attr.attr,
+ &nr_asid_available_attr.attr,
+ &nr_sev_es_asid_attr.attr,
+ NULL,
+};
+static const struct attribute_group sev_es_host_attr_group = {
+ .attrs = sev_es_host_attrs,
+};
+
+static struct attribute *sev_es_guest_attrs[] = {
+ &status_attr.attr,
+ NULL,
+};
+static const struct attribute_group sev_es_guest_attr_group = {
+ .attrs = sev_es_guest_attrs,
+};
+
/* List of features to be exposed when running as hypervisor host */
static struct amd_cc_feature host_cc_feat_list[] = {
AMD_CC_FEATURE("sme", sme_attr_group, NULL),
AMD_CC_FEATURE("sev", sev_host_attr_group, NULL),
+ AMD_CC_FEATURE("sev_es", sev_es_host_attr_group, NULL),
{},
};
/* List of features to be exposed when running as guest */
static struct amd_cc_feature guest_cc_feat_list[] = {
AMD_CC_FEATURE("sev", sev_guest_attr_group, NULL),
+ AMD_CC_FEATURE("sev_es", sev_es_guest_attr_group, NULL),
{},
};
--
2.34.1
next prev parent reply other threads:[~2022-03-09 22:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-09 22:06 [RFC 0/3] Expose Confidential Computing capabilities on sysfs Alejandro Jimenez
2022-03-09 22:06 ` [RFC 1/3] x86: Expose Secure Memory Encryption capabilities in sysfs Alejandro Jimenez
2022-03-09 22:06 ` [RFC 2/3] x86: Expose SEV " Alejandro Jimenez
2022-03-09 22:06 ` Alejandro Jimenez [this message]
2022-03-09 22:40 ` [RFC 0/3] Expose Confidential Computing capabilities on sysfs Dave Hansen
2022-03-10 18:07 ` Alejandro Jimenez
2022-03-14 22:43 ` Isaku Yamahata
2022-03-15 1:17 ` Kai Huang
2022-03-15 13:30 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220309220608.16844-4-alejandro.j.jimenez@oracle.com \
--to=alejandro.j.jimenez@oracle.com \
--cc=ashish.kalra@amd.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=darren.kenny@oracle.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=seanjc@google.com \
--cc=srutherford@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=venu.busireddy@oracle.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).