mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-18 03:06:43 +00:00
3a755ebcc2
This is the Intel version of a confidential computing solution called Trust Domain Extensions (TDX). This series adds support to run the kernel as part of a TDX guest. It provides similar guest protections to AMD's SEV-SNP like guest memory and register state encryption, memory integrity protection and a lot more. Design-wise, it differs from AMD's solution considerably: it uses a software module which runs in a special CPU mode called (Secure Arbitration Mode) SEAM. As the name suggests, this module serves as sort of an arbiter which the confidential guest calls for services it needs during its lifetime. Just like AMD's SNP set, this series reworks and streamlines certain parts of x86 arch code so that this feature can be properly accomodated. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmKLbisACgkQEsHwGGHe VUqZLg/7B55iygCwzz0W/KLcXL2cISatUpzGbFs1XTbE9DMz06BPkOsEjF2k8ckv kfZjgqhSx3GvUI80gK0Tn2M2DfIj3nKuNSXd1pfextP7AxEf68FFJsQz1Ju7bHpT pZaG+g8IK4+mnEHEKTCO9ANg/Zw8yqJLdtsCaCNE9SUGUfQ6m/ujTEfsambXDHNm khyCAgpIGSOt51/4apoR9ebyrNCaeVbDawpIPjTy+iyFRc/WyaLFV9CQ8klw4gbw r/90x2JYxvAf0/z/ifT9Wa+TnYiQ0d4VjFbfr0iJ4GcPn5L3EIoIKPE8vPGMpoSX fLSzoNmAOT3ja57ytUUQ3o0edoRUIPEdixOebf9qWvE/aj7W37YRzrlJ8Ej/x9Jy HcI4WZF6Dr1bh6FnI/xX2eVZRzLOL4j9gNyPCwIbvgr1NjDqQnxU7nhxVMmQhJrs IdiEcP5WYerLKfka/uF//QfWUg5mDBgFa1/3xK57Z3j0iKWmgjaPpR0SWlOKjj8G tr0gGN9ejikZTqXKGsHn8fv/R3bjXvbVD8z0IEcx+MIrRmZPnX2QBlg7UA1AXV5n HoVwPFdH1QAtjZq1MRcL4hTOjz3FkS68rg7ZH0f2GWJAzWmEGytBIhECRnN/PFFq VwRB4dCCt0bzqRxkiH5lzdgR+xqRe61juQQsMzg+Flv/trpXDqM= =ac9K -----END PGP SIGNATURE----- Merge tag 'x86_tdx_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull Intel TDX support from Borislav Petkov: "Intel Trust Domain Extensions (TDX) support. This is the Intel version of a confidential computing solution called Trust Domain Extensions (TDX). This series adds support to run the kernel as part of a TDX guest. It provides similar guest protections to AMD's SEV-SNP like guest memory and register state encryption, memory integrity protection and a lot more. Design-wise, it differs from AMD's solution considerably: it uses a software module which runs in a special CPU mode called (Secure Arbitration Mode) SEAM. As the name suggests, this module serves as sort of an arbiter which the confidential guest calls for services it needs during its lifetime. Just like AMD's SNP set, this series reworks and streamlines certain parts of x86 arch code so that this feature can be properly accomodated" * tag 'x86_tdx_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (34 commits) x86/tdx: Fix RETs in TDX asm x86/tdx: Annotate a noreturn function x86/mm: Fix spacing within memory encryption features message x86/kaslr: Fix build warning in KASLR code in boot stub Documentation/x86: Document TDX kernel architecture ACPICA: Avoid cache flush inside virtual machines x86/tdx/ioapic: Add shared bit for IOAPIC base address x86/mm: Make DMA memory shared for TD guest x86/mm/cpa: Add support for TDX shared memory x86/tdx: Make pages shared in ioremap() x86/topology: Disable CPU online/offline control for TDX guests x86/boot: Avoid #VE during boot for TDX platforms x86/boot: Set CR0.NE early and keep it set during the boot x86/acpi/x86/boot: Add multiprocessor wake-up support x86/boot: Add a trampoline for booting APs via firmware handoff x86/tdx: Wire up KVM hypercalls x86/tdx: Port I/O: Add early boot support x86/tdx: Port I/O: Add runtime hypercalls x86/boot: Port I/O: Add decompression-time support for TDX x86/boot: Port I/O: Allow to hook up alternative helpers ...
118 lines
3.1 KiB
C
118 lines
3.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* Confidential Computing Platform Capability checks
|
|
*
|
|
* Copyright (C) 2021 Advanced Micro Devices, Inc.
|
|
*
|
|
* Author: Tom Lendacky <thomas.lendacky@amd.com>
|
|
*/
|
|
|
|
#ifndef _LINUX_CC_PLATFORM_H
|
|
#define _LINUX_CC_PLATFORM_H
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/stddef.h>
|
|
|
|
/**
|
|
* enum cc_attr - Confidential computing attributes
|
|
*
|
|
* These attributes represent confidential computing features that are
|
|
* currently active.
|
|
*/
|
|
enum cc_attr {
|
|
/**
|
|
* @CC_ATTR_MEM_ENCRYPT: Memory encryption is active
|
|
*
|
|
* The platform/OS is running with active memory encryption. This
|
|
* includes running either as a bare-metal system or a hypervisor
|
|
* and actively using memory encryption or as a guest/virtual machine
|
|
* and actively using memory encryption.
|
|
*
|
|
* Examples include SME, SEV and SEV-ES.
|
|
*/
|
|
CC_ATTR_MEM_ENCRYPT,
|
|
|
|
/**
|
|
* @CC_ATTR_HOST_MEM_ENCRYPT: Host memory encryption is active
|
|
*
|
|
* The platform/OS is running as a bare-metal system or a hypervisor
|
|
* and actively using memory encryption.
|
|
*
|
|
* Examples include SME.
|
|
*/
|
|
CC_ATTR_HOST_MEM_ENCRYPT,
|
|
|
|
/**
|
|
* @CC_ATTR_GUEST_MEM_ENCRYPT: Guest memory encryption is active
|
|
*
|
|
* The platform/OS is running as a guest/virtual machine and actively
|
|
* using memory encryption.
|
|
*
|
|
* Examples include SEV and SEV-ES.
|
|
*/
|
|
CC_ATTR_GUEST_MEM_ENCRYPT,
|
|
|
|
/**
|
|
* @CC_ATTR_GUEST_STATE_ENCRYPT: Guest state encryption is active
|
|
*
|
|
* The platform/OS is running as a guest/virtual machine and actively
|
|
* using memory encryption and register state encryption.
|
|
*
|
|
* Examples include SEV-ES.
|
|
*/
|
|
CC_ATTR_GUEST_STATE_ENCRYPT,
|
|
|
|
/**
|
|
* @CC_ATTR_GUEST_UNROLL_STRING_IO: String I/O is implemented with
|
|
* IN/OUT instructions
|
|
*
|
|
* The platform/OS is running as a guest/virtual machine and uses
|
|
* IN/OUT instructions in place of string I/O.
|
|
*
|
|
* Examples include TDX guest & SEV.
|
|
*/
|
|
CC_ATTR_GUEST_UNROLL_STRING_IO,
|
|
|
|
/**
|
|
* @CC_ATTR_SEV_SNP: Guest SNP is active.
|
|
*
|
|
* The platform/OS is running as a guest/virtual machine and actively
|
|
* using AMD SEV-SNP features.
|
|
*/
|
|
CC_ATTR_GUEST_SEV_SNP,
|
|
|
|
/**
|
|
* @CC_ATTR_HOTPLUG_DISABLED: Hotplug is not supported or disabled.
|
|
*
|
|
* The platform/OS is running as a guest/virtual machine does not
|
|
* support CPU hotplug feature.
|
|
*
|
|
* Examples include TDX Guest.
|
|
*/
|
|
CC_ATTR_HOTPLUG_DISABLED,
|
|
};
|
|
|
|
#ifdef CONFIG_ARCH_HAS_CC_PLATFORM
|
|
|
|
/**
|
|
* cc_platform_has() - Checks if the specified cc_attr attribute is active
|
|
* @attr: Confidential computing attribute to check
|
|
*
|
|
* The cc_platform_has() function will return an indicator as to whether the
|
|
* specified Confidential Computing attribute is currently active.
|
|
*
|
|
* Context: Any context
|
|
* Return:
|
|
* * TRUE - Specified Confidential Computing attribute is active
|
|
* * FALSE - Specified Confidential Computing attribute is not active
|
|
*/
|
|
bool cc_platform_has(enum cc_attr attr);
|
|
|
|
#else /* !CONFIG_ARCH_HAS_CC_PLATFORM */
|
|
|
|
static inline bool cc_platform_has(enum cc_attr attr) { return false; }
|
|
|
|
#endif /* CONFIG_ARCH_HAS_CC_PLATFORM */
|
|
|
|
#endif /* _LINUX_CC_PLATFORM_H */
|