x86/sev: Provide guest VMPL level to userspace

Requesting an attestation report from userspace involves providing the VMPL
level for the report. Currently any value from 0-3 is valid because Linux
enforces running at VMPL0.

When an SVSM is present, though, Linux will not be running at VMPL0 and only
VMPL values starting at the VMPL level Linux is running at to 3 are valid. In
order to allow userspace to determine the minimum VMPL value that can be
supplied to an attestation report, create a sysfs entry that can be used to
retrieve the current VMPL level of the kernel.

  [ bp: Add CONFIG_SYSFS ifdeffery. ]

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/fff846da0d8d561f9fdaf297dcf8cd907545a25b.1717600736.git.thomas.lendacky@amd.com

diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index e7e160954e798e50ecd5bea999b03e31bf280d7f..8fd7ed9aee4edbf447e2fd2ac917b65c7bd2677e 100644 (file)
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -605,6 +605,18 @@ Description:       Umwait control
                          Note that a value of zero means there is no limit.
                          Low order two bits must be zero.
 
+What:          /sys/devices/system/cpu/sev
+               /sys/devices/system/cpu/sev/vmpl
+Date:          May 2024
+Contact:       Linux kernel mailing list <linux-kernel@vger.kernel.org>
+Description:   Secure Encrypted Virtualization (SEV) information
+
+               This directory is only present when running as an SEV-SNP guest.
+
+               vmpl: Reports the Virtual Machine Privilege Level (VMPL) at which
+                     the SEV-SNP guest is running.
+
+
 What:          /sys/devices/system/cpu/svm
 Date:          August 2019
 Contact:       Linux kernel mailing list <linux-kernel@vger.kernel.org>

diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index 84f3731556358459e1cf746f59dd99acdda512c1..4dc7ae33eac9ee2d3a92f9a086ca8526e633a42c 100644 (file)
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -2504,3 +2504,49 @@ void __init snp_update_svsm_ca(void)
        /* Update the CAA to a proper kernel address */
        boot_svsm_caa = &boot_svsm_ca_page;
 }
+
+#ifdef CONFIG_SYSFS
+static ssize_t vmpl_show(struct kobject *kobj,
+                        struct kobj_attribute *attr, char *buf)
+{
+       return sysfs_emit(buf, "%d\n", snp_vmpl);
+}
+
+static struct kobj_attribute vmpl_attr = __ATTR_RO(vmpl);
+
+static struct attribute *vmpl_attrs[] = {
+       &vmpl_attr.attr,
+       NULL
+};
+
+static struct attribute_group sev_attr_group = {
+       .attrs = vmpl_attrs,
+};
+
+static int __init sev_sysfs_init(void)
+{
+       struct kobject *sev_kobj;
+       struct device *dev_root;
+       int ret;
+
+       if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP))
+               return -ENODEV;
+
+       dev_root = bus_get_dev_root(&cpu_subsys);
+       if (!dev_root)
+               return -ENODEV;
+
+       sev_kobj = kobject_create_and_add("sev", &dev_root->kobj);
+       put_device(dev_root);
+
+       if (!sev_kobj)
+               return -ENOMEM;
+
+       ret = sysfs_create_group(sev_kobj, &sev_attr_group);
+       if (ret)
+               kobject_put(sev_kobj);
+
+       return ret;
+}
+arch_initcall(sev_sysfs_init);
+#endif // CONFIG_SYSFS