crypto: ccp - Add an API to return the supported SEV-SNP policy bits
authorTom Lendacky <thomas.lendacky@amd.com>
Mon, 27 Oct 2025 19:33:50 +0000 (14:33 -0500)
committerSean Christopherson <seanjc@google.com>
Fri, 14 Nov 2025 18:30:10 +0000 (10:30 -0800)
Supported policy bits are dependent on the level of SEV firmware that is
currently running. Create an API to return the supported policy bits for
the current level of firmware.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Link: https://patch.msgid.link/e3f711366ddc22e3dd215c987fd2e28dc1c07f54.1761593632.git.thomas.lendacky@amd.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
drivers/crypto/ccp/sev-dev.c
include/linux/psp-sev.h

index 0d13d47c164bb766a3093353cfe607f74177d103..db7c7c50cebc5d9e57da55c3e748f9e326dae109 100644 (file)
@@ -2777,6 +2777,43 @@ void sev_platform_shutdown(void)
 }
 EXPORT_SYMBOL_GPL(sev_platform_shutdown);
 
+u64 sev_get_snp_policy_bits(void)
+{
+       struct psp_device *psp = psp_master;
+       struct sev_device *sev;
+       u64 policy_bits;
+
+       if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP))
+               return 0;
+
+       if (!psp || !psp->sev_data)
+               return 0;
+
+       sev = psp->sev_data;
+
+       policy_bits = SNP_POLICY_MASK_BASE;
+
+       if (sev->snp_plat_status.feature_info) {
+               if (sev->snp_feat_info_0.ecx & SNP_RAPL_DISABLE_SUPPORTED)
+                       policy_bits |= SNP_POLICY_MASK_RAPL_DIS;
+
+               if (sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED)
+                       policy_bits |= SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM;
+
+               if (sev->snp_feat_info_0.ecx & SNP_AES_256_XTS_POLICY_SUPPORTED)
+                       policy_bits |= SNP_POLICY_MASK_MEM_AES_256_XTS;
+
+               if (sev->snp_feat_info_0.ecx & SNP_CXL_ALLOW_POLICY_SUPPORTED)
+                       policy_bits |= SNP_POLICY_MASK_CXL_ALLOW;
+
+               if (sev_version_greater_or_equal(1, 58))
+                       policy_bits |= SNP_POLICY_MASK_PAGE_SWAP_DISABLE;
+       }
+
+       return policy_bits;
+}
+EXPORT_SYMBOL_GPL(sev_get_snp_policy_bits);
+
 void sev_dev_destroy(struct psp_device *psp)
 {
        struct sev_device *sev = psp->sev_data;
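Review bot: `sev_get_snp_policy_bits()` is exported with no kernel-doc, and its 0 return folds together three cases (host lacks `CC_ATTR_HOST_SEV_SNP`, no `psp_master`, no `sev_data`), so a caller cannot tell "no bits supported" from "driver not ready". A header comment such as `/* Return the SNP guest policy bits the running firmware accepts, or 0 if SNP or the PSP is unavailable; callers must reject any policy bit outside this mask. */` would pin the contract. The `sev_version_greater_or_equal(1, 58)` test sits inside the `feature_info` branch although it reads nothing from `snp_feat_info_0`; if the nesting is intentional, a one-line comment saying why would stop a later cleanup from moving it and changing which firmware levels advertise `SNP_POLICY_MASK_PAGE_SWAP_DISABLE`. The function reads `psp_master` and the cached `snp_plat_status`/`snp_feat_info_0` with no locking or refresh visible in this hunk, so it presumably relies on those fields being repopulated whenever the firmware level changes; that is worth confirming, since a stale mask would accept or reject the wrong policy bits. The new function is complete within the hunk; the trailing `sev_dev_destroy()` context continues outside it.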
index 27c92543bf389b7b569c5c9dc07c214ed5952acb..abcdee256c65503a3cde80d681d364c9024ddbb2 100644 (file)
 #define SNP_POLICY_MASK_MIGRATE_MA             BIT_ULL(18)
 #define SNP_POLICY_MASK_DEBUG                  BIT_ULL(19)
 #define SNP_POLICY_MASK_SINGLE_SOCKET          BIT_ULL(20)
+#define SNP_POLICY_MASK_CXL_ALLOW              BIT_ULL(21)
+#define SNP_POLICY_MASK_MEM_AES_256_XTS                BIT_ULL(22)
+#define SNP_POLICY_MASK_RAPL_DIS               BIT_ULL(23)
+#define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM BIT_ULL(24)
+#define SNP_POLICY_MASK_PAGE_SWAP_DISABLE      BIT_ULL(25)
+
+/* Base SEV-SNP policy bitmask for minimum supported SEV firmware version */
+#define SNP_POLICY_MASK_BASE   (SNP_POLICY_MASK_API_MINOR              | \
+                                SNP_POLICY_MASK_API_MAJOR              | \
+                                SNP_POLICY_MASK_SMT                    | \
+                                SNP_POLICY_MASK_RSVD_MBO               | \
+                                SNP_POLICY_MASK_MIGRATE_MA             | \
+                                SNP_POLICY_MASK_DEBUG                  | \
+                                SNP_POLICY_MASK_SINGLE_SOCKET)
 
 #define SEV_FW_BLOB_MAX_SIZE   0x4000  /* 16KB */
 
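Review bot: The comment on `SNP_POLICY_MASK_BASE` does not say that this is a mask of bits a policy is allowed to carry rather than a default policy, which matters because it includes `SNP_POLICY_MASK_DEBUG` and `SNP_POLICY_MASK_MIGRATE_MA`. A reader could take "base policy" to mean those are set by default. Rewording it to something like `/* Policy bits accepted by the minimum supported SEV firmware; bits 21-25 are firmware-dependent and added at runtime by sev_get_snp_policy_bits() */` would make the split between the static mask and the new bits 21-25 explicit. The new `BIT_ULL(21)`..`BIT_ULL(25)` defines would also benefit from a short per-bit comment, since their names alone do not say whether setting the bit enables or restricts the feature for the guest. This hunk's `@@` header is missing from the page, so its position in the header file is inferred from the surrounding context lines.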
@@ -868,7 +882,10 @@ struct snp_feature_info {
        u32 edx;
 } __packed;
 
+#define SNP_RAPL_DISABLE_SUPPORTED             BIT(2)
 #define SNP_CIPHER_TEXT_HIDING_SUPPORTED       BIT(3)
+#define SNP_AES_256_XTS_POLICY_SUPPORTED       BIT(4)
+#define SNP_CXL_ALLOW_POLICY_SUPPORTED         BIT(5)
 
 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
 
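Review bot: The `SNP_*_SUPPORTED` bits are tested only against `snp_feat_info_0.ecx` in sev-dev.c, but nothing at the definitions says which register of `struct snp_feature_info` they belong to. The struct has at least one other field, `edx`, visible at the top of this hunk, so a later user could test the wrong field and silently compute a wrong policy mask. A comment above the group, e.g. `/* Bits in snp_feature_info.ecx */`, would tie them to the right field. The struct definition starts outside the hunk, so its other fields are not visible here.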
@@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask);
 void snp_free_firmware_page(void *addr);
 void sev_platform_shutdown(void);
 bool sev_is_snp_ciphertext_hiding_supported(void);
+u64 sev_get_snp_policy_bits(void);
 
 #else  /* !CONFIG_CRYPTO_DEV_SP_PSP */