From 3088258ea762eba3bc4e9377f8d49229d6ee094c Mon Sep 17 00:00:00 2001 From: "David E. Box" Date: Fri, 18 Nov 2022 16:23:39 -0800 Subject: tools/arch/x86: intel_sdsi: Add support for reading state certificates Add option to read and decode On Demand state certificates. Link: https://github.com/intel/intel-sdsi/blob/master/state-certificate-encoding.rst Signed-off-by: David E. Box Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20221119002343.1281885-6-david.e.box@linux.intel.com Signed-off-by: Hans de Goede --- tools/arch/x86/intel_sdsi/intel_sdsi.c | 268 ++++++++++++++++++++++++--------- 1 file changed, 198 insertions(+), 70 deletions(-) (limited to 'tools/arch') diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c index c0e2f2349db4..9dd94014a672 100644 --- a/tools/arch/x86/intel_sdsi/intel_sdsi.c +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c @@ -22,11 +22,24 @@ #include +#ifndef __packed +#define __packed __attribute__((packed)) +#endif + +#define min(x, y) ({ \ + typeof(x) _min1 = (x); \ + typeof(y) _min2 = (y); \ + (void) (&_min1 == &_min2); \ + _min1 < _min2 ? _min1 : _min2; }) + #define SDSI_DEV "intel_vsec.sdsi" #define AUX_DEV_PATH "/sys/bus/auxiliary/devices/" #define SDSI_PATH (AUX_DEV_DIR SDSI_DEV) #define GUID 0x6dd191 #define REGISTERS_MIN_SIZE 72 +#define STATE_CERT_MAX_SIZE 4096 +#define STATE_MAX_NUM_LICENSES 16 +#define STATE_MAX_NUM_IN_BUNDLE (uint32_t)8 #define __round_mask(x, y) ((__typeof__(x))((y) - 1)) #define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1) @@ -49,6 +62,7 @@ struct availability { uint64_t reserved:48; uint64_t available:3; uint64_t threshold:3; + uint64_t reserved2:10; }; struct sdsi_regs { 
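Review bot: The new `min()` macro uses bare `typeof`, while the existing `__round_mask()` further down in the same hunk uses `__typeof__`, so the file now depends on the GNU keyword being enabled. Writing `__typeof__(x) _min1 = (x);` and `__typeof__(y) _min2 = (y);` keeps both macros building under a strict `-std=` mode. `STATE_MAX_NUM_IN_BUNDLE` expands to an unparenthesized cast; `#define STATE_MAX_NUM_IN_BUNDLE ((uint32_t)8)` is safer inside larger expressions. `STATE_MAX_NUM_LICENSES` is defined here, but none of the visible hunks of this commit compares `num_licenses` against it.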
@@ -63,17 +77,55 @@ struct sdsi_regs { uint64_t socket_id; }; +#define CONTENT_TYPE_LK_ENC 0xD +#define CONTENT_TYPE_LK_BLOB_ENC 0xE + +struct state_certificate { + uint32_t content_type; + uint32_t region_rev_id; + uint32_t header_size; + uint32_t total_size; + uint32_t key_size; + uint32_t num_licenses; +}; + +struct license_key_info { + uint32_t key_rev_id; + uint64_t key_image_content[6]; +} __packed; + +#define LICENSE_BLOB_SIZE(l) (((l) & 0x7fffffff) * 4) +#define LICENSE_VALID(l) (!!((l) & 0x80000000)) + +// License Group Types +#define LBT_ONE_TIME_UPGRADE 1 +#define LBT_METERED_UPGRADE 2 + +struct license_blob_content { + uint32_t type; + uint64_t id; + uint64_t ppin; + uint64_t previous_ppin; + uint32_t rev_id; + uint32_t num_bundles; +} __packed; + +struct bundle_encoding { + uint32_t encoding; + uint32_t encoding_rsvd[7]; +}; + struct sdsi_dev { struct sdsi_regs regs; + struct state_certificate sc; char *dev_name; char *dev_path; int guid; }; enum command { - CMD_NONE, CMD_SOCKET_INFO, - CMD_DUMP_CERT, + CMD_STATE_CERT, CMD_PROV_AKC, CMD_PROV_CAP, }; 
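Review bot: The size-field encoding behind `LICENSE_BLOB_SIZE()` and `LICENSE_VALID()` is not documented; a comment such as `/* License size field: bit 31 = valid flag, bits 30:0 = blob size in 4-byte units */` above the two macros would spell it out. For a 32-bit argument the multiplication by 4 can wrap, so whatever consumes the result has to bound it against the number of bytes actually read. The comment `// License Group Types` sits above constants prefixed `LBT_` that a later hunk's `license_blob_type()` reports as blob types; using one term for both would be clearer.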
@@ -168,20 +220,56 @@ static int sdsi_read_reg(struct sdsi_dev *s) return 0; } -static int sdsi_certificate_dump(struct sdsi_dev *s) +static char *license_blob_type(uint32_t type) +{ + switch (type) { + case LBT_ONE_TIME_UPGRADE: + return "One time upgrade"; + case LBT_METERED_UPGRADE: + return "Metered upgrade"; + default: + return "Unknown license blob type"; + } +} + +static char *content_type(uint32_t type) +{ + switch (type) { + case CONTENT_TYPE_LK_ENC: + return "Licencse key encoding"; + case CONTENT_TYPE_LK_BLOB_ENC: + return "License key + Blob encoding"; + default: + return "Unknown content type"; + } +} + +static void get_feature(uint32_t encoding, char *feature) +{ + char *name = (char *)&encoding; + + feature[3] = name[0]; + feature[2] = name[1]; + feature[1] = name[2]; + feature[0] = name[3]; +} + +static int sdsi_state_cert_show(struct sdsi_dev *s) { - uint64_t state_certificate[512] = {0}; - bool first_instance; - uint64_t previous; + char buf[STATE_CERT_MAX_SIZE] = {0}; + struct state_certificate *sc; + struct license_key_info *lki; + uint32_t offset = 0; + uint32_t count = 0; FILE *cert_ptr; - int i, ret, size; + int ret, size; ret = sdsi_update_registers(s); if (ret) return ret; if (!s->regs.en_features.sdsi) { - fprintf(stderr, "SDSi feature is present but not enabled."); + fprintf(stderr, "On Demand feature is present but not enabled."); fprintf(stderr, " Unable to read state certificate"); return -1; } 
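Review bot: `content_type()` returns the misspelled, user-visible string `"Licencse key encoding"`; it should read `"License key encoding"`. Both `license_blob_type()` and `content_type()` hand out string literals through a plain `char *`; declaring them `static const char *license_blob_type(uint32_t type)` and `static const char *content_type(uint32_t type)` stops a caller from writing through the result. The two `fprintf(stderr, ...)` calls in the not-enabled branch of `sdsi_state_cert_show()` never emit a newline, so the message runs into the shell prompt; ending the second with `" Unable to read state certificate\n"` fixes that. `get_feature()` stores exactly four bytes and leaves termination to the caller, which deserves a one-line comment above it.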
@@ -198,32 +286,74 @@ static int sdsi_certificate_dump(struct sdsi_dev *s) return -1; } - size = fread(state_certificate, 1, sizeof(state_certificate), cert_ptr); + size = fread(buf, 1, sizeof(buf), cert_ptr); if (!size) { fprintf(stderr, "Could not read 'state_certificate' file\n"); fclose(cert_ptr); return -1; } + fclose(cert_ptr); - printf("%3d: 0x%lx\n", 0, state_certificate[0]); - previous = state_certificate[0]; - first_instance = true; + sc = (struct state_certificate *)buf; - for (i = 1; i < (int)(round_up(size, sizeof(uint64_t))/sizeof(uint64_t)); i++) { - if (state_certificate[i] == previous) { - if (first_instance) { - puts("*"); - first_instance = false; - } - continue; + /* Print register info for this guid */ + printf("\n"); + printf("State certificate for device %s\n", s->dev_name); + printf("\n"); + printf("Content Type: %s\n", content_type(sc->content_type)); + printf("Region Revision ID: %d\n", sc->region_rev_id); + printf("Header Size: %d\n", sc->header_size * 4); + printf("Total Size: %d\n", sc->total_size); + printf("OEM Key Size: %d\n", sc->key_size * 4); + printf("Number of Licenses: %d\n", sc->num_licenses); + + /* Skip over the license sizes 4 bytes per license) to get the license key info */ + lki = (void *)sc + sizeof(*sc) + (4 * sc->num_licenses); + + printf("License blob Info:\n"); + printf(" License Key Revision ID: 0x%x\n", lki->key_rev_id); + printf(" License Key Image Content: 0x%lx%lx%lx%lx%lx%lx\n", + lki->key_image_content[5], lki->key_image_content[4], + lki->key_image_content[3], lki->key_image_content[2], + lki->key_image_content[1], lki->key_image_content[0]); + + while (count++ < sc->num_licenses) { + uint32_t blob_size_field = *(uint32_t *)(buf + 0x14 + count * 4); + uint32_t blob_size = LICENSE_BLOB_SIZE(blob_size_field); + bool license_valid = LICENSE_VALID(blob_size_field); + struct license_blob_content *lbc = + (void *)(sc) + // start of the state certificate + sizeof(*sc) + // size of the state certificate + (4 * 
sc->num_licenses) + // total size of the blob size blocks + sizeof(*lki) + // size of the license key info + offset; // offset to this blob content + struct bundle_encoding *bundle = (void *)(lbc) + sizeof(*lbc); + char feature[5]; + uint32_t i; + + printf(" Blob %d:\n", count - 1); + printf(" License blob size: %u\n", blob_size); + printf(" License is valid: %s\n", license_valid ? "Yes" : "No"); + printf(" License blob type: %s\n", license_blob_type(lbc->type)); + printf(" License blob ID: 0x%lx\n", lbc->id); + printf(" PPIN: 0x%lx\n", lbc->ppin); + printf(" Previous PPIN: 0x%lx\n", lbc->previous_ppin); + printf(" Blob revision ID: %u\n", lbc->rev_id); + printf(" Number of Features: %u\n", lbc->num_bundles); + + feature[4] = '\0'; + + for (i = 0; i < min(lbc->num_bundles, STATE_MAX_NUM_IN_BUNDLE); i++) { + get_feature(bundle[i].encoding, feature); + printf(" Feature %d: %s\n", i, feature); } - printf("%3d: 0x%lx\n", i, state_certificate[i]); - previous = state_certificate[i]; - first_instance = true; - } - printf("%3d\n", i); - fclose(cert_ptr); + if (lbc->num_bundles > STATE_MAX_NUM_IN_BUNDLE) + fprintf(stderr, " Warning: %d > %d licenses in bundle reported.\n", + lbc->num_bundles, STATE_MAX_NUM_IN_BUNDLE); + + offset += blob_size; + }; return 0; } @@ -231,7 +361,7 @@ static int sdsi_certificate_dump(struct sdsi_dev *s) static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command command) { int bin_fd, prov_fd, size, ret; - char buf[4096] = { 0 }; + char buf[STATE_CERT_MAX_SIZE] = { 0 }; char cap[] = "provision_cap"; char akc[] = "provision_akc"; char *prov_file; @@ -266,7 +396,7 @@ static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command comma } /* Read the binary file into the buffer */ - size = read(bin_fd, buf, 4096); + size = read(bin_fd, buf, STATE_CERT_MAX_SIZE); if (size == -1) { close(bin_fd); close(prov_fd); 
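Review bot: `sc->num_licenses` and every blob size are taken from the file contents and used to index `buf` without being checked against `size` or against `STATE_MAX_NUM_LICENSES`, so a malformed certificate makes `lki`, `blob_size_field`, `lbc` and `bundle` point outside the 4096-byte stack buffer. The function should reject the certificate as soon as the header, the size table or a blob no longer fits in the bytes `fread()` returned, as sketched below. The key image is printed with six bare `%lx` conversions, which drops leading zeros in each word; `%016lx` keeps the 384-bit value unambiguous. `sdsi_state_cert_show()` starts in the previous hunk.

```c
	sc = (struct state_certificate *)buf;

	/* Header and size table come from the device: bound them before use */
	if ((size_t)size < sizeof(*sc) ||
	    sc->num_licenses > STATE_MAX_NUM_LICENSES ||
	    (size_t)size < sizeof(*sc) + 4 * sc->num_licenses + sizeof(*lki)) {
		fprintf(stderr, "Malformed state certificate\n");
		return -1;
	}

	/* … unchanged: header and license key info printing … */

	while (count++ < sc->num_licenses) {
		/* … unchanged: blob_size_field, blob_size, license_valid … */
		size_t blob_off = sizeof(*sc) + 4 * sc->num_licenses +
				  sizeof(*lki) + offset;
		struct license_blob_content *lbc;
		struct bundle_encoding *bundle;
		size_t bundle_room;

		/* The fixed part of the blob must lie inside the bytes read */
		if (blob_off > (size_t)size ||
		    (size_t)size - blob_off < sizeof(*lbc)) {
			fprintf(stderr, "License blob %u lies outside the certificate\n",
				count - 1);
			return -1;
		}
		lbc = (void *)(sc) + blob_off;
		bundle = (void *)(lbc) + sizeof(*lbc);
		bundle_room = ((size_t)size - blob_off - sizeof(*lbc)) / sizeof(*bundle);

		/* … unchanged: per-blob printing … */

		for (i = 0; i < min(lbc->num_bundles, STATE_MAX_NUM_IN_BUNDLE); i++) {
			if (i >= bundle_room)
				break;
			/* … unchanged: get_feature, printf … */
		}
```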
@@ -443,25 +573,26 @@ static void sdsi_free_dev(struct sdsi_dev *s) static void usage(char *prog) { - printf("Usage: %s [-l] [-d DEVNO [-iD] [-a FILE] [-c FILE]]\n", prog); + printf("Usage: %s [-l] [-d DEVNO [-i] [-s] [-a FILE] [-c FILE]]\n", prog); } static void show_help(void) { printf("Commands:\n"); - printf(" %-18s\t%s\n", "-l, --list", "list available sdsi devices"); - printf(" %-18s\t%s\n", "-d, --devno DEVNO", "sdsi device number"); - printf(" %-18s\t%s\n", "-i --info", "show socket information"); - printf(" %-18s\t%s\n", "-D --dump", "dump state certificate data"); - printf(" %-18s\t%s\n", "-a --akc FILE", "provision socket with AKC FILE"); - printf(" %-18s\t%s\n", "-c --cap FILE>", "provision socket with CAP FILE"); + printf(" %-18s\t%s\n", "-l, --list", "list available On Demand devices"); + printf(" %-18s\t%s\n", "-d, --devno DEVNO", "On Demand device number"); + printf(" %-18s\t%s\n", "-i, --info", "show socket information"); + printf(" %-18s\t%s\n", "-s, --state", "show state certificate"); + printf(" %-18s\t%s\n", "-a, --akc FILE", "provision socket with AKC FILE"); + printf(" %-18s\t%s\n", "-c, --cap FILE>", "provision socket with CAP FILE"); } int main(int argc, char *argv[]) { char bin_file[PATH_MAX], *dev_no = NULL; + bool device_selected = false; char *progname; - enum command command = CMD_NONE; + enum command command = -1; struct sdsi_dev *s; int ret = 0, opt; int option_index = 0; 
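Review bot: `enum command command = -1;` in `main()` stores a value that is not an enumerator, and whether `enum command` is signed is up to the compiler, so the "nothing selected" state only works because a later `switch` has a `default:` arm. Keeping a named sentinel, for example `CMD_NONE = -1` as the first enumerator and `enum command command = CMD_NONE;`, makes that state explicit. In `show_help()` the option text `"-c, --cap FILE>"` carries a stray `>`; it should be `"-c, --cap FILE"`. `main()` continues outside this hunk.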
@@ -470,21 +601,22 @@ int main(int argc, char *argv[]) {"akc", required_argument, 0, 'a'}, {"cap", required_argument, 0, 'c'}, {"devno", required_argument, 0, 'd'}, - {"dump", no_argument, 0, 'D'}, {"help", no_argument, 0, 'h'}, {"info", no_argument, 0, 'i'}, {"list", no_argument, 0, 'l'}, + {"state", no_argument, 0, 's'}, {0, 0, 0, 0 } }; progname = argv[0]; - while ((opt = getopt_long_only(argc, argv, "+a:c:d:Da:c:h", long_options, + while ((opt = getopt_long_only(argc, argv, "+a:c:d:hils", long_options, &option_index)) != -1) { switch (opt) { case 'd': dev_no = optarg; + device_selected = true; break; case 'l': sdsi_list_devices(); @@ -492,8 +624,8 @@ int main(int argc, char *argv[]) case 'i': command = CMD_SOCKET_INFO; break; - case 'D': - command = CMD_DUMP_CERT; + case 's': + command = CMD_STATE_CERT; break; case 'a': case 'c': 
@@ -520,39 +652,35 @@ int main(int argc, char *argv[]) } } - if (!dev_no) { - if (command != CMD_NONE) - fprintf(stderr, "Missing device number, DEVNO, for this command\n"); - usage(progname); - return -1; - } + if (device_selected) { + s = sdsi_create_dev(dev_no); + if (!s) + return -1; - s = sdsi_create_dev(dev_no); - if (!s) - return -1; + switch (command) { + case CMD_SOCKET_INFO: + ret = sdsi_read_reg(s); + break; + case CMD_STATE_CERT: + ret = sdsi_state_cert_show(s); + break; + case CMD_PROV_AKC: + ret = sdsi_provision_akc(s, bin_file); + break; + case CMD_PROV_CAP: + ret = sdsi_provision_cap(s, bin_file); + break; + default: + fprintf(stderr, "No command specified\n"); + return -1; + } + + sdsi_free_dev(s); - /* Run the command */ - switch (command) { - case CMD_NONE: - fprintf(stderr, "Missing command for device %s\n", dev_no); - usage(progname); - break; - case CMD_SOCKET_INFO: - ret = sdsi_read_reg(s); - break; - case CMD_DUMP_CERT: - ret = sdsi_certificate_dump(s); - break; - case CMD_PROV_AKC: - ret = sdsi_provision_akc(s, bin_file); - break; - case CMD_PROV_CAP: - ret = sdsi_provision_cap(s, bin_file); - break; - } - - - sdsi_free_dev(s); + } else { + fprintf(stderr, "No device specified\n"); + return -1; + } return ret; } -- cgit v1.2.3 From 334599bccbf2ad638498e4576e29db77ebf09f04 Mon Sep 17 00:00:00 2001 From: "David E. Box" Date: Fri, 18 Nov 2022 16:23:40 -0800 Subject: tools/arch/x86: intel_sdsi: Add Intel On Demand text Intel Software Defined Silicon (SDSi) is now officially known as Intel On Demand. Change text in tool to indicate this. Signed-off-by: David E. Box Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20221119002343.1281885-7-david.e.box@linux.intel.com Signed-off-by: Hans de Goede --- tools/arch/x86/intel_sdsi/intel_sdsi.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'tools/arch') 
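Review bot: The new `default:` arm in `main()` returns straight out of the `switch`, skipping the `sdsi_free_dev(s)` call that every other arm reaches; setting `ret = -1;` and using `break;` keeps a single cleanup path. The old code also printed `usage(progname)` when the device or the command was missing, and both new error paths dropped that hint. `progname` is still assigned earlier in `main()`, so `usage(progname);` can be restored next to each `fprintf(stderr, ...)`.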
diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c index 9dd94014a672..3718bd0c05cb 100644 --- a/tools/arch/x86/intel_sdsi/intel_sdsi.c +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 /* - * sdsi: Intel Software Defined Silicon tool for provisioning certificates - * and activation payloads on supported cpus. + * sdsi: Intel On Demand (formerly Software Defined Silicon) tool for + * provisioning certificates and activation payloads on supported cpus. * * See https://github.com/intel/intel-sdsi/blob/master/os-interface.rst * for register descriptions. @@ -150,7 +150,7 @@ static void sdsi_list_devices(void) } if (!found) - fprintf(stderr, "No sdsi devices found.\n"); + fprintf(stderr, "No On Demand devices found.\n"); } static int sdsi_update_registers(struct sdsi_dev *s) @@ -206,7 +206,7 @@ static int sdsi_read_reg(struct sdsi_dev *s) printf("\n"); printf("PPIN: 0x%lx\n", s->regs.ppin); printf("Enabled Features\n"); - printf(" SDSi: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled"); + printf(" On Demand: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled"); printf("Authorization Failure Count\n"); printf(" AKC Failure Count: %d\n", s->regs.auth_fail_count.key_failure_count); printf(" AKC Failure Threshold: %d\n", s->regs.auth_fail_count.key_failure_threshold); @@ -428,7 +428,7 @@ static int sdsi_provision_akc(struct sdsi_dev *s, char *bin_file) return ret; if (!s->regs.en_features.sdsi) { - fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision"); + fprintf(stderr, "On Demand feature is present but not enabled. Unable to provision"); return -1; } 
@@ -458,7 +458,7 @@ static int sdsi_provision_cap(struct sdsi_dev *s, char *bin_file) return ret; if (!s->regs.en_features.sdsi) { - fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision"); + fprintf(stderr, "On Demand feature is present but not enabled. Unable to provision"); return -1; } -- cgit v1.2.3 From a8041a89b7a4ae13db28f02402996a0c6edffe25 Mon Sep 17 00:00:00 2001 From: "David E. Box" Date: Fri, 18 Nov 2022 16:23:41 -0800 Subject: tools/arch/x86: intel_sdsi: Read more On Demand registers Add decoding of the following On Demand register fields: 1. NVRAM content authorization error status 2. Enabled features: telemetry and attestation 3. Key provisioning status 4. NVRAM update limit 5. PCU_CR3_CAPID_CFG Link: https://github.com/intel/intel-sdsi/blob/master/state-certificate-encoding.rst Signed-off-by: David E. Box Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20221119002343.1281885-8-david.e.box@linux.intel.com Signed-off-by: Hans de Goede --- tools/arch/x86/intel_sdsi/intel_sdsi.c | 50 ++++++++++++++++++++++++++++++---- 1 file changed, 45 insertions(+), 5 deletions(-) (limited to 'tools/arch') diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c index 3718bd0c05cb..01b5f9994e11 100644 --- a/tools/arch/x86/intel_sdsi/intel_sdsi.c +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c 
@@ -44,10 +44,28 @@ #define __round_mask(x, y) ((__typeof__(x))((y) - 1)) #define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1) +struct nvram_content_auth_err_sts { + uint64_t reserved:3; + uint64_t sdsi_content_auth_err:1; + uint64_t reserved1:1; + uint64_t sdsi_metering_auth_err:1; + uint64_t reserved2:58; +}; + struct enabled_features { uint64_t reserved:3; uint64_t sdsi:1; - uint64_t reserved1:60; + uint64_t reserved1:8; + uint64_t attestation:1; + uint64_t reserved2:13; + uint64_t metering:1; + uint64_t reserved3:37; +}; + +struct key_provision_status { + uint64_t reserved:1; + uint64_t license_key_provisioned:1; + uint64_t reserved2:62; }; struct auth_fail_count { @@ -65,15 +83,23 @@ struct availability { uint64_t reserved2:10; }; +struct nvram_update_limit { + uint64_t reserved:12; + uint64_t sdsi_50_pct:1; + uint64_t sdsi_75_pct:1; + uint64_t sdsi_90_pct:1; + uint64_t reserved2:49; +}; + struct sdsi_regs { uint64_t ppin; - uint64_t reserved; + struct nvram_content_auth_err_sts auth_err_sts; struct enabled_features en_features; - uint64_t reserved1; + struct key_provision_status key_prov_sts; struct auth_fail_count auth_fail_count; struct availability prov_avail; - uint64_t reserved2; - uint64_t reserved3; + struct nvram_update_limit limits; + uint64_t pcu_cr3_capid_cfg; uint64_t socket_id; }; 
@@ -205,8 +231,18 @@ static int sdsi_read_reg(struct sdsi_dev *s) printf("Socket information for device %s\n", s->dev_name); printf("\n"); printf("PPIN: 0x%lx\n", s->regs.ppin); + printf("NVRAM Content Authorization Error Status\n"); + printf(" SDSi Auth Err Sts: %s\n", !!s->regs.auth_err_sts.sdsi_content_auth_err ? "Error" : "Okay"); + + if (!!s->regs.en_features.metering) + printf(" Metering Auth Err Sts: %s\n", !!s->regs.auth_err_sts.sdsi_metering_auth_err ? "Error" : "Okay"); + printf("Enabled Features\n"); printf(" On Demand: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled"); + printf(" Attestation: %s\n", !!s->regs.en_features.attestation ? "Enabled" : "Disabled"); + printf(" On Demand: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled"); + printf(" Metering: %s\n", !!s->regs.en_features.metering ? "Enabled" : "Disabled"); + printf("License Key (AKC) Provisioned: %s\n", !!s->regs.key_prov_sts.license_key_provisioned ? "Yes" : "No"); printf("Authorization Failure Count\n"); printf(" AKC Failure Count: %d\n", s->regs.auth_fail_count.key_failure_count); printf(" AKC Failure Threshold: %d\n", s->regs.auth_fail_count.key_failure_threshold); @@ -215,6 +251,10 @@ static int sdsi_read_reg(struct sdsi_dev *s) printf("Provisioning Availability\n"); printf(" Updates Available: %d\n", s->regs.prov_avail.available); printf(" Updates Threshold: %d\n", s->regs.prov_avail.threshold); + printf("NVRAM Udate Limit\n"); + printf(" 50%% Limit Reached: %s\n", !!s->regs.limits.sdsi_50_pct ? "Yes" : "No"); + printf(" 75%% Limit Reached: %s\n", !!s->regs.limits.sdsi_75_pct ? "Yes" : "No"); + printf(" 90%% Limit Reached: %s\n", !!s->regs.limits.sdsi_90_pct ? "Yes" : "No"); printf("Socket ID: %ld\n", s->regs.socket_id & 0xF); return 0; -- cgit v1.2.3 From 429e789c67b8b5dc84ab5d5c83725f6e295a0adc Mon Sep 17 00:00:00 2001 
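Review bot: Under "Enabled Features" the `On Demand` line is now printed twice, because the existing `printf(" On Demand: %s\n", ...)` is kept as context and the same line is added again after `Attestation`. One of the two should be dropped. The new label `" SDSi Auth Err Sts: %s\n"` also keeps the SDSi name that the previous commit in this series replaced with On Demand in the tool's output. `sdsi_read_reg()` starts and ends outside this hunk.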
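Review bot: The heading added in the second hunk is misspelled as `"NVRAM Udate Limit\n"`; it should be `"NVRAM Update Limit\n"`. Scripts that parse this output will otherwise have to match the typo.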
From: "David E. Box" Date: Fri, 18 Nov 2022 16:23:42 -0800 Subject: tools/arch/x86: intel_sdsi: Add support for new GUID The structure and content of the On Demand registers is based on the GUID which is read from hardware through sysfs. Add support for decoding the registers of a new GUID 0xF210D9EF. Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20221119002343.1281885-9-david.e.box@linux.intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede --- tools/arch/x86/intel_sdsi/intel_sdsi.c | 36 +++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) (limited to 'tools/arch') diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c index 01b5f9994e11..b42e1b6a6a1b 100644 --- a/tools/arch/x86/intel_sdsi/intel_sdsi.c +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c @@ -35,8 +35,10 @@ #define SDSI_DEV "intel_vsec.sdsi" #define AUX_DEV_PATH "/sys/bus/auxiliary/devices/" #define SDSI_PATH (AUX_DEV_DIR SDSI_DEV) -#define GUID 0x6dd191 -#define REGISTERS_MIN_SIZE 72 +#define GUID_V1 0x6dd191 +#define REGS_SIZE_GUID_V1 72 +#define GUID_V2 0xF210D9EF +#define REGS_SIZE_GUID_V2 80 #define STATE_CERT_MAX_SIZE 4096 #define STATE_MAX_NUM_LICENSES 16 #define STATE_MAX_NUM_IN_BUNDLE (uint32_t)8 @@ -100,9 +102,17 @@ struct sdsi_regs { struct availability prov_avail; struct nvram_update_limit limits; uint64_t pcu_cr3_capid_cfg; - uint64_t socket_id; + union { + struct { + uint64_t socket_id; + } v1; + struct { + uint64_t reserved; + uint64_t socket_id; + uint64_t reserved2; + } v2; + } extra; }; - #define CONTENT_TYPE_LK_ENC 0xD #define CONTENT_TYPE_LK_BLOB_ENC 0xE @@ -146,7 +156,7 @@ struct sdsi_dev { struct state_certificate sc; char *dev_name; char *dev_path; - int guid; + uint32_t guid; }; enum command { 
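Review bot: The `extra` union in `struct sdsi_regs` gives no hint which member belongs to which GUID or how it relates to `REGS_SIZE_GUID_V1` and `REGS_SIZE_GUID_V2`. Assuming each register struct is 64 bits wide, as the visible ones are, the common part is 64 bytes, so `v1` ends at 72 bytes and matches `REGS_SIZE_GUID_V1`, but `v2` ends at 88 bytes while `REGS_SIZE_GUID_V2` is 80; the trailing `reserved2` is therefore never filled by an 80-byte read. Either drop that member or add a comment such as `/* GUID_V2: 80 bytes are read; reserved2 pads the union and stays unset */`. The hunk also removes the blank line between the closing `};` and `#define CONTENT_TYPE_LK_ENC`, which looks unintended.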
@@ -199,7 +209,7 @@ static int sdsi_update_registers(struct sdsi_dev *s) return -1; } - if (s->guid != GUID) { + if (s->guid != GUID_V1 && s->guid != GUID_V2) { fprintf(stderr, "Unrecognized guid, 0x%x\n", s->guid); fclose(regs_ptr); return -1; @@ -207,7 +217,8 @@ static int sdsi_update_registers(struct sdsi_dev *s) /* Update register info for this guid */ ret = fread(&s->regs, sizeof(uint8_t), sizeof(s->regs), regs_ptr); - if (ret != sizeof(s->regs)) { + if ((s->guid == GUID_V1 && ret != REGS_SIZE_GUID_V1) || + (s->guid == GUID_V2 && ret != REGS_SIZE_GUID_V2)) { fprintf(stderr, "Could not read 'registers' file\n"); fclose(regs_ptr); return -1; @@ -252,10 +263,13 @@ static int sdsi_read_reg(struct sdsi_dev *s) printf(" Updates Available: %d\n", s->regs.prov_avail.available); printf(" Updates Threshold: %d\n", s->regs.prov_avail.threshold); printf("NVRAM Udate Limit\n"); - printf(" 50%% Limit Reached: %s\n", !!s->regs.limits.sdsi_50_pct ? "Yes" : "No"); - printf(" 75%% Limit Reached: %s\n", !!s->regs.limits.sdsi_75_pct ? "Yes" : "No"); - printf(" 90%% Limit Reached: %s\n", !!s->regs.limits.sdsi_90_pct ? "Yes" : "No"); - printf("Socket ID: %ld\n", s->regs.socket_id & 0xF); + printf(" 50%% Limit Reached: %s\n", !!s->regs.limits.sdsi_50_pct ? "Yes" : "No"); + printf(" 75%% Limit Reached: %s\n", !!s->regs.limits.sdsi_75_pct ? "Yes" : "No"); + printf(" 90%% Limit Reached: %s\n", !!s->regs.limits.sdsi_90_pct ? "Yes" : "No"); + if (s->guid == GUID_V1) + printf("Socket ID: %ld\n", s->regs.extra.v1.socket_id & 0xF); + else + printf("Socket ID: %ld\n", s->regs.extra.v2.socket_id & 0xF); return 0; } -- cgit v1.2.3 From 7fdc03a7370fb64d12d5e93359464f9f72af5adc Mon Sep 17 00:00:00 2001 From: "David E. Box" Date: Fri, 18 Nov 2022 16:23:43 -0800 Subject: tools/arch/x86: intel_sdsi: Add support for reading meter certificates Add option to read and decode On Demand meter certificates. Link: https://github.com/intel/intel-sdsi/blob/master/meter-certificate.rst 
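Review bot: The size check in `sdsi_update_registers()` repeats the GUID-to-size mapping inline, so every further GUID has to be added both to the "Unrecognized guid" test and to this condition. Deriving the expected size once, `int want = s->guid == GUID_V1 ? REGS_SIZE_GUID_V1 : REGS_SIZE_GUID_V2;`, and testing `if (ret != want)` keeps the two in step. Printing `ret` and `want` in the error message would also help tell a short read from an unexpected register layout. The function body starts and ends outside these hunks.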
Signed-off-by: David E. Box Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20221119002343.1281885-10-david.e.box@linux.intel.com Signed-off-by: Hans de Goede --- tools/arch/x86/intel_sdsi/intel_sdsi.c | 110 ++++++++++++++++++++++++++++++++- 1 file changed, 108 insertions(+), 2 deletions(-) (limited to 'tools/arch') diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c index b42e1b6a6a1b..2cd92761f171 100644 --- a/tools/arch/x86/intel_sdsi/intel_sdsi.c +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c @@ -40,8 +40,10 @@ #define GUID_V2 0xF210D9EF #define REGS_SIZE_GUID_V2 80 #define STATE_CERT_MAX_SIZE 4096 +#define METER_CERT_MAX_SIZE 4096 #define STATE_MAX_NUM_LICENSES 16 #define STATE_MAX_NUM_IN_BUNDLE (uint32_t)8 +#define METER_MAX_NUM_BUNDLES 8 #define __round_mask(x, y) ((__typeof__(x))((y) - 1)) #define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1) @@ -151,6 +153,21 @@ struct bundle_encoding { uint32_t encoding_rsvd[7]; }; +struct meter_certificate { + uint32_t block_signature; + uint32_t counter_unit; + uint64_t ppin; + uint32_t bundle_length; + uint32_t reserved; + uint32_t mmrc_encoding; + uint32_t mmrc_counter; +}; + +struct bundle_encoding_counter { + uint32_t encoding; + uint32_t counter; +}; + struct sdsi_dev { struct sdsi_regs regs; struct state_certificate sc; @@ -161,6 +178,7 @@ struct sdsi_dev { enum command { CMD_SOCKET_INFO, + CMD_METER_CERT, CMD_STATE_CERT, CMD_PROV_AKC, CMD_PROV_CAP, 
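Review bot: `struct meter_certificate` does not say what unit `bundle_length` is in, and the name suggests a count. The decoder added later in this commit divides it by 8 and rejects values that are not a multiple of 8, so it appears to be a byte length of the `struct bundle_encoding_counter` array. A comment on the member, `/* bytes of bundle_encoding_counter entries that follow (8 bytes each) */`, would make that explicit. `METER_MAX_NUM_BUNDLES` could likewise note that it limits entries, not bytes.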
@@ -308,6 +326,86 @@ static void get_feature(uint32_t encoding, char *feature) feature[0] = name[3]; } +static int sdsi_meter_cert_show(struct sdsi_dev *s) +{ + char buf[METER_CERT_MAX_SIZE] = {0}; + struct bundle_encoding_counter *bec; + struct meter_certificate *mc; + uint32_t count = 0; + FILE *cert_ptr; + int ret, size; + + ret = sdsi_update_registers(s); + if (ret) + return ret; + + if (!s->regs.en_features.sdsi) { + fprintf(stderr, "SDSi feature is present but not enabled.\n"); + fprintf(stderr, " Unable to read meter certificate\n"); + return -1; + } + + if (!s->regs.en_features.metering) { + fprintf(stderr, "Metering not supporting on this socket.\n"); + return -1; + } + + ret = chdir(s->dev_path); + if (ret == -1) { + perror("chdir"); + return ret; + } + + cert_ptr = fopen("meter_certificate", "r"); + if (!cert_ptr) { + perror("Could not open 'meter_certificate' file"); + return -1; + } + + size = fread(buf, 1, sizeof(buf), cert_ptr); + if (!size) { + fprintf(stderr, "Could not read 'meter_certificate' file\n"); + fclose(cert_ptr); + return -1; + } + fclose(cert_ptr); + + mc = (struct meter_certificate *)buf; + + printf("\n"); + printf("Meter certificate for device %s\n", s->dev_name); + printf("\n"); + printf("Block Signature: 0x%x\n", mc->block_signature); + printf("Count Unit: %dms\n", mc->counter_unit); + printf("PPIN: 0x%lx\n", mc->ppin); + printf("Feature Bundle Length: %d\n", mc->bundle_length); + printf("MMRC encoding: %d\n", mc->mmrc_encoding); + printf("MMRC counter: %d\n", mc->mmrc_counter); + if (mc->bundle_length % 8) { + fprintf(stderr, "Invalid bundle length\n"); + return -1; + } + + if (mc->bundle_length > METER_MAX_NUM_BUNDLES * 8) { + fprintf(stderr, "More than %d bundles: %d\n", + METER_MAX_NUM_BUNDLES, mc->bundle_length / 8); + return -1; + } + + bec = (void *)(mc) + sizeof(mc); + + printf("Number of Feature Counters: %d\n", mc->bundle_length / 8); + while (count++ < mc->bundle_length / 8) { + char feature[5]; + + feature[4] = '\0'; + 
get_feature(bec[count].encoding, feature); + printf(" %s: %d\n", feature, bec[count].counter); + } + + return 0; +} + static int sdsi_state_cert_show(struct sdsi_dev *s) { char buf[STATE_CERT_MAX_SIZE] = {0}; @@ -627,7 +725,7 @@ static void sdsi_free_dev(struct sdsi_dev *s) static void usage(char *prog) { - printf("Usage: %s [-l] [-d DEVNO [-i] [-s] [-a FILE] [-c FILE]]\n", prog); + printf("Usage: %s [-l] [-d DEVNO [-i] [-s] [-m] [-a FILE] [-c FILE]]\n", prog); } static void show_help(void) @@ -637,6 +735,7 @@ static void show_help(void) printf(" %-18s\t%s\n", "-d, --devno DEVNO", "On Demand device number"); printf(" %-18s\t%s\n", "-i, --info", "show socket information"); printf(" %-18s\t%s\n", "-s, --state", "show state certificate"); + printf(" %-18s\t%s\n", "-m, --meter", "show meter certificate"); printf(" %-18s\t%s\n", "-a, --akc FILE", "provision socket with AKC FILE"); printf(" %-18s\t%s\n", "-c, --cap FILE>", "provision socket with CAP FILE"); } @@ -658,6 +757,7 @@ int main(int argc, char *argv[]) {"help", no_argument, 0, 'h'}, {"info", no_argument, 0, 'i'}, {"list", no_argument, 0, 'l'}, + {"meter", no_argument, 0, 'm'}, {"state", no_argument, 0, 's'}, {0, 0, 0, 0 } }; @@ -665,7 +765,7 @@ int main(int argc, char *argv[]) progname = argv[0]; - while ((opt = getopt_long_only(argc, argv, "+a:c:d:hils", long_options, + while ((opt = getopt_long_only(argc, argv, "+a:c:d:hilms", long_options, &option_index)) != -1) { switch (opt) { case 'd': @@ -678,6 +778,9 @@ int main(int argc, char *argv[]) case 'i': command = CMD_SOCKET_INFO; break; + case 'm': + command = CMD_METER_CERT; + break; case 's': command = CMD_STATE_CERT; break; @@ -715,6 +818,9 @@ int main(int argc, char *argv[]) case CMD_SOCKET_INFO: ret = sdsi_read_reg(s); break; + case CMD_METER_CERT: + ret = sdsi_meter_cert_show(s); + break; case CMD_STATE_CERT: ret = sdsi_state_cert_show(s); break; -- cgit v1.2.3
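Review bot: In `sdsi_meter_cert_show()` the counter array is located with `bec = (void *)(mc) + sizeof(mc);`, which adds the size of the pointer rather than of `struct meter_certificate`, so `bec` points into the middle of the header instead of just past it. The loop `while (count++ < mc->bundle_length / 8)` then indexes `bec[count]` with values 1..n, skipping entry 0 and reading one entry past the last. The reads stay inside the zero-filled 4096-byte `buf` because `bundle_length` is capped at 64, but the values printed are not the counters, and nothing checks that `size` covers the header plus `bundle_length`. The not-enabled message still says "SDSi feature", and `"Metering not supporting on this socket.\n"` should read "not supported".

```c
	/* … unchanged: fread, empty-read check, fclose … */

	/* A certificate shorter than its fixed header cannot be decoded */
	if ((size_t)size < sizeof(*mc)) {
		fprintf(stderr, "Meter certificate is too short\n");
		return -1;
	}

	mc = (struct meter_certificate *)buf;

	/* … unchanged: header printing, bundle_length % 8 and maximum checks … */

	/* The counters must lie inside the bytes that were actually read */
	if (mc->bundle_length > (size_t)size - sizeof(*mc)) {
		fprintf(stderr, "Bundle length exceeds certificate size\n");
		return -1;
	}

	/* Counters start right after the fixed header */
	bec = (void *)(mc) + sizeof(*mc);

	printf("Number of Feature Counters: %d\n", mc->bundle_length / 8);
	for (count = 0; count < mc->bundle_length / 8; count++) {
		/* … unchanged: feature buffer, get_feature, printf … */
	}
```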