From b15b15fe10855677513f7bdaabde2622f6b550f8 Mon Sep 17 00:00:00 2001 From: niuyongwen Date: Tue, 25 Feb 2025 20:37:00 +0800 Subject: [PATCH 1/3] [bugfix]: crypto: ccp: Fix the issue of TDM support detection failure on Hygon platforms without psp firmware support Before using the TDM feature, a probe command is sent to the PSP to confirm its support status. However, when the psp firmware is not loaded, the probe command cannot be supported, so it should be set to an unsupported state. Signed-off-by: niuyongwen Signed-off-by: chench --- drivers/crypto/ccp/hygon/tdm-dev.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/ccp/hygon/tdm-dev.c b/drivers/crypto/ccp/hygon/tdm-dev.c index ab1559494b12..d30d2d8e1423 100644 --- a/drivers/crypto/ccp/hygon/tdm-dev.c +++ b/drivers/crypto/ccp/hygon/tdm-dev.c @@ -23,6 +23,7 @@ #include #include #include "tdm-dev.h" +#include "psp-dev.h" #ifdef pr_fmt #undef pr_fmt @@ -532,8 +533,12 @@ int psp_check_tdm_support(void) { int ret = 0; struct tdm_version version; + struct psp_device *psp = psp_master; - if (boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { + if (!psp) + goto end; + + if (is_vendor_hygon() && (psp->capability & PSP_CAPABILITY_SEV)) { if (tdm_support) goto end; -- Gitee From 02ba54b495440d28cd286b960b5b9257e51e41b1 Mon Sep 17 00:00:00 2001 From: niuyongwen Date: Wed, 2 Apr 2025 16:05:44 +0800 Subject: [PATCH 2/3] [optimization]: crypto: ccp: add "tdm_guard" as kernel and module parameter The parameter 'tdm_guard' has been implemented to provide runtime control over the TDM guard feature. As kernel boot parameter: While CONFIG_TDM_KERNEL_GUARD=y enables the feature by default, specifying: 1. 'tdm_guard=on' maintains the protection 2. 'tdm_guard=off' disables the guard mechanism" As module parameter: 1. 'modprobe tdm-kernel-guard tdm_guard=on' open the protection 2. 'modprobe tdm-kernel-guard tdm_guard=off' close the guard mechanism" Signed-off-by: niuyongwen 
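Review bot: In psp_check_tdm_support(), the new gate `psp->capability & PSP_CAPABILITY_SEV` apparently stands in for "PSP firmware is loaded", but nothing in the hunk says so, and it ties TDM detection to the SEV capability bit. If that is the reasoning, a comment such as `/* no SEV capability bit means no PSP firmware, so the TDM probe command cannot be answered */` would record the assumption. `psp_master` is read as a bare global with no reference or lock visible here, so the later `psp->capability` dereference is unprotected if the PSP device can go away concurrently; going through the driver's accessor (`psp_get_master_device()` in the upstream ccp code, if this tree has it) would keep that access in one place. On the `!psp` path the result depends on what `end:` returns, which lies outside the hunk; it should report unsupported rather than a previously cached `tdm_support`.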
Signed-off-by: chench --- drivers/crypto/ccp/hygon/tdm-kernel-guard.c | 40 ++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/ccp/hygon/tdm-kernel-guard.c b/drivers/crypto/ccp/hygon/tdm-kernel-guard.c index c3afe888ea04..0e52d5d385e4 100644 --- a/drivers/crypto/ccp/hygon/tdm-kernel-guard.c +++ b/drivers/crypto/ccp/hygon/tdm-kernel-guard.c @@ -23,8 +23,33 @@ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt static int eh_obj = -1; +static char *tdm_guard; module_param(eh_obj, int, 0644); -MODULE_PARM_DESC(eh_obj, "security enhance object for TDM"); +MODULE_PARM_DESC(eh_obj, + "Bitmap of kernel targets protected by Hygon TDM(bit0: SCT, bit1: IDT, default: both)"); +module_param(tdm_guard, charp, 0644); +MODULE_PARM_DESC(tdm_guard, + "Enable TDM protection for selected targets(on=enable, off=disable, default:off)"); + +static bool tdm_guard_enabled; + +static int __init __maybe_unused parse_tdm_guard(char *str) +{ + if (!str) + return 0; + + if (!strncmp(str, "off", 3)) { + tdm_guard_enabled = false; + pr_info("Hygon TDM Guard: Disabled(cmdline)\n"); + } else if (!strncmp(str, "on", 2)) { + tdm_guard_enabled = true; + pr_info("Hygon TDM Guard: Enabled(cmdline)\n"); + } + + return 0; +} + +__setup("tdm_guard=", parse_tdm_guard); /* Objects are protected by TDM now * SCT: 0 @@ -292,6 +317,16 @@ static int __init kernel_security_enhance_init(void) goto end; } + if (tdm_guard) { + if (!strncmp(tdm_guard, "off", 3)) + tdm_guard_enabled = false; + else if (!strncmp(tdm_guard, "on", 2)) + tdm_guard_enabled = true; + } + + if (tdm_guard_enabled == false) + goto end; + asm("sidt %0":"=m"(idtr)); if (!psp_check_tdm_support()) @@ -327,6 +362,9 @@ static void __exit kernel_security_enhance_exit(void) { int i = 0; + if (tdm_guard_enabled == false) + return; + if (!psp_check_tdm_support()) return; -- Gitee From d04de0aa0dff9cc3e50befa0f338396f2e04cfff Mon Sep 17 00:00:00 2001 
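Review bot: `static bool tdm_guard_enabled;` starts out false, so after this patch the guard is installed only when `tdm_guard=on` is given, while the description says CONFIG_TDM_KERNEL_GUARD=y keeps the feature enabled by default. A system upgraded without touching its command line would lose the protection with no message. If default-on for the built-in case is intended, initialise it that way, e.g. `static bool tdm_guard_enabled = IS_BUILTIN(CONFIG_TDM_KERNEL_GUARD);`, and make the `default:off` text in MODULE_PARM_DESC agree. The `strncmp(str, "off", 3)` / `strncmp(str, "on", 2)` tests here and again in kernel_security_enhance_init() are prefix matches, so a value such as `only` enables the guard and an unrecognised value is ignored silently; an exact compare (`!strcmp(str, "on")`) plus a `pr_warn` for anything else is safer for a security switch. parse_tdm_guard() should also `return 1;` so the handled option is not passed on to init.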
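Review bot: `tdm_guard` is registered with mode 0644, but its value is interpreted only here, once, in kernel_security_enhance_init(). A later write to the parameter under /sys/module changes what is reported without changing `tdm_guard_enabled`, so someone auditing the host can read `on` while no protection is installed. Registering it read-only, `module_param(tdm_guard, charp, 0444);` in the first hunk, keeps the reported value truthful. The `goto end` taken when the guard is disabled logs nothing on the module-parameter path; a `pr_info("Hygon TDM Guard: Disabled\n");` there would make the state visible in the kernel log. The function continues outside the hunk, so what `end:` returns in this case is not visible.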
From: chench Date: Tue, 24 Jun 2025 13:41:41 +0800 Subject: [PATCH 3/3] [optimization][tdm]: optimize TDM driver code logic to avoid warning Signed-off-by: chench --- drivers/crypto/ccp/hygon/tdm-dev.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/crypto/ccp/hygon/tdm-dev.c b/drivers/crypto/ccp/hygon/tdm-dev.c index d30d2d8e1423..3396437ce36a 100644 --- a/drivers/crypto/ccp/hygon/tdm-dev.c +++ b/drivers/crypto/ccp/hygon/tdm-dev.c @@ -675,8 +675,7 @@ int psp_create_measure_task(struct addr_range_info *range, struct measure_data * } paddr_range_info->count = info_index; - addr_range_info_len = paddr_range_info->count * sizeof(struct addr_info) + - sizeof(struct addr_range_info); + addr_range_info_len = paddr_range_info->count * sizeof(struct addr_info); } else { /*check if physics address valid*/ ret = tdm_verify_phy_addr_valid(range); @@ -684,8 +683,7 @@ int psp_create_measure_task(struct addr_range_info *range, struct measure_data * pr_err("range address is abnormal!\n"); goto end; } - addr_range_info_len = range->count * sizeof(struct addr_info) + - sizeof(struct addr_range_info); + addr_range_info_len = range->count * sizeof(struct addr_info); } tdm_cmdresp_data = kzalloc(TDM_C2P_CMD_SIZE, GFP_KERNEL); @@ -708,10 +706,14 @@ int psp_create_measure_task(struct addr_range_info *range, struct measure_data * goto free_cmdresp; } - if (flag & TASK_CREATE_VADDR) - memcpy(&create_cmd->range_info, paddr_range_info, addr_range_info_len); - else - memcpy(&create_cmd->range_info, range, addr_range_info_len); + if (flag & TASK_CREATE_VADDR) { + create_cmd->range_info.count = paddr_range_info->count; + memcpy(&create_cmd->range_info.addr[0], &paddr_range_info->addr[0], + addr_range_info_len); + } else { + create_cmd->range_info.count = range->count; + memcpy(&create_cmd->range_info.addr[0], &range->addr[0], addr_range_info_len); + } ret = tdm_do_cmd(0, (void *)create_cmd, &error); if (ret && ret != -EIO) { 
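Review bot: `addr_range_info_len` keeps its name but now counts only the `addr[]` entries, not the whole range structure, in this branch and in the `else` branch of the next hunk. Any other use of it between these assignments and the copy lies outside the hunks and now sees a value smaller by `sizeof(struct addr_range_info)`; a size check against TDM_C2P_CMD_SIZE or a length written into the command are the likely candidates to recheck. A comment at the assignment, `/* bytes of addr[] only; count is copied separately */`, or renaming the variable would stop it being read as the full structure size. Since `range->count` comes from the caller, it is also worth confirming that the multiplication cannot wrap for the type of `addr_range_info_len`, whose declaration is not shown.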
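Review bot: Nothing visible in this hunk bounds `addr_range_info_len` against the space left in the TDM_C2P_CMD_SIZE allocation before the `memcpy` into `create_cmd->range_info.addr[0]`. The check that ends in `goto free_cmdresp` just above is cut off by the hunk. Please confirm it still rejects an oversized `count` now that the header is no longer part of the length, for example `if (addr_range_info_len > TDM_C2P_CMD_SIZE - sizeof(*create_cmd))`, assuming `addr[]` is a trailing flexible array. Copying `count` and `addr[]` separately is the right shape for a fortified `memcpy`; a one-line comment saying so would explain why the single-struct copy was split.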
@@ -1310,7 +1312,7 @@ int tdm_get_report(uint32_t task_id, struct task_selection_2b *selection, *length = needed_length; ret = -DYN_ERR_SIZE_SMALL; } else { - memcpy(report_buffer, report_resp, needed_length); + memcpy(report_buffer, (uint8_t *)report_resp, needed_length); } free_cmdresp: -- Gitee
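Review bot: The `(uint8_t *)report_resp` cast in tdm_get_report() does not change what is copied, so if it was added to quiet a warning about reading past `*report_resp`, the question that warning raised is still open. The visible branch only checks that the caller's buffer can hold `needed_length`, not that `needed_length` stays inside the response buffer it is read from. If that bound is enforced earlier in the function (outside the hunk), a comment such as `/* report payload follows the fixed header; needed_length was checked against the response buffer above */` would justify the cast. If it is not, an explicit check before the `memcpy` is the real fix.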