[PATCH] Ability to read the MKTME status from userspace (patch v2)

[Daniel Gutson]

The intent of this patch is to provide visibility of the
MKTME status to userspace. This is an important factor for
firmware security related applilcations.

Changes since v1:
* Documentation/ABI/stable/securityfs-mktme-status (new file)
* include/uapi/misc/mktme_status.h (new file)
* Fixed MAINTAINER title.
* cpu.h: added values to the enumerands
* Renamed the function from get_mktme_status to mktme_get_status
* Improved Kconfig help
* Removed unnecessary license-related lines since there is a SPDX line
* Moved pr_fmt macro before the includes
* Turned global variables (mktme_dir, mktme_file) as static
* Removed BUFFER_SIZE macro
* No longer returning -1 for error, but using the previously error.
* No more pr_info for the normal behavior.
* Renamed this from a kernel driver to a kernel module.

Signed-off-by: Daniel Gutson <daniel.gutson@xxxxxxxxxxxxx>
---
 .../ABI/stable/securityfs-mktme-status        | 12 ++++
 MAINTAINERS                                   |  5 ++
 arch/x86/include/asm/cpu.h                    |  8 +++
 arch/x86/kernel/cpu/intel.c                   | 12 ++--
 drivers/misc/Kconfig                          | 15 +++++
 drivers/misc/Makefile                         |  1 +
 drivers/misc/mktme_status.c                   | 67 +++++++++++++++++++
 include/uapi/misc/mktme_status.h              | 12 ++++
 8 files changed, 127 insertions(+), 5 deletions(-)
 create mode 100644 Documentation/ABI/stable/securityfs-mktme-status
 create mode 100644 drivers/misc/mktme_status.c
 create mode 100644 include/uapi/misc/mktme_status.h

diff --git a/Documentation/ABI/stable/securityfs-mktme-status b/Documentation/ABI/stable/securityfs-mktme-status
new file mode 100644
index 000000000000..a791c6ef2c15
--- /dev/null
+++ b/Documentation/ABI/stable/securityfs-mktme-status
@@ -0,0 +1,12 @@
+What: 		/securityfs/mktme/status
+Date:		24-Jun-2020
+KernelVersion:	v5.7
+Contact:	daniel.gutson@xxxxxxxxxxxxx
+Description: 	The mktme securityfs interface exports the BIOS status
+		of the MKTME.
+Values:         For possible values see arch/x86/include/asm/cpu.h.
+
+		Currently these values are:
+		0 Enabled by BIOS
+		1 Disabled by BIOS
+		2 Uninitialized
diff --git a/MAINTAINERS b/MAINTAINERS
index 7b5ffd646c6b..e034e8ab6fe1 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11477,6 +11477,11 @@ W:	https://linuxtv.org
 T:	git git://linuxtv.org/media_tree.git
 F:	drivers/media/radio/radio-miropcm20*
 
+MKTME STATUS READING SUPPORT
+M:	Daniel Gutson <daniel.gutson@xxxxxxxxxxxxx>
+S:	Supported
+F:	drivers/misc/mktme_status.c
+
 MMP SUPPORT
 R:	Lubomir Rintel <lkundrak@xxxxx>
 L:	linux-arm-kernel@xxxxxxxxxxxxxxxxxxx (moderated for non-subscribers)
diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h
index dd17c2da1af5..80d2896a3f43 100644
--- a/arch/x86/include/asm/cpu.h
+++ b/arch/x86/include/asm/cpu.h
@@ -26,6 +26,14 @@ struct x86_cpu {
 	struct cpu cpu;
 };
 
+enum mktme_status_type {
+	MKTME_ENABLED = 0,
+	MKTME_DISABLED = 1,
+	MKTME_UNINITIALIZED = 2
+};
+
+extern enum mktme_status_type mktme_get_status(void);
+
 #ifdef CONFIG_HOTPLUG_CPU
 extern int arch_register_cpu(int num);
 extern void arch_unregister_cpu(int);
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index c25a67a34bd3..134a88685bc3 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -495,11 +495,7 @@ static void srat_detect_node(struct cpuinfo_x86 *c)
 #define TME_ACTIVATE_CRYPTO_ALGS(x)	((x >> 48) & 0xffff)	/* Bits 63:48 */
 #define TME_ACTIVATE_CRYPTO_AES_XTS_128	1
 
-/* Values for mktme_status (SW only construct) */
-#define MKTME_ENABLED			0
-#define MKTME_DISABLED			1
-#define MKTME_UNINITIALIZED		2
-static int mktme_status = MKTME_UNINITIALIZED;
+static enum mktme_status_type mktme_status = MKTME_UNINITIALIZED;
 
 static void detect_tme(struct cpuinfo_x86 *c)
 {
@@ -1114,6 +1110,12 @@ bool handle_user_split_lock(struct pt_regs *regs, long error_code)
 	return true;
 }
 
+enum mktme_status_type mktme_get_status(void)
+{
+	return mktme_status;
+}
+EXPORT_SYMBOL_GPL(mktme_get_status);
+
 /*
  * This function is called only when switching between tasks with
  * different split-lock detection modes. It sets the MSR for the
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index e1b1ba5e2b92..c9715bbdd8e5 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -456,6 +456,21 @@ config PVPANIC
 	  a paravirtualized device provided by QEMU; it lets a virtual machine
 	  (guest) communicate panic events to the host.
 
+config MKTME_STATUS
+	tristate "MKTME status reading support"
+	depends on X86_64 && SECURITYFS
+	help
+	  This module provides support for reading the MKTME status.
+	  Enable this configuration option to enable reading the MKTME status
+	  from the mktme virtual file in the securityfs filesystem,
+	  under the mktme directory.
+
+	  The MKTME (Multi-Key Total Memory Encryption) status can be
+	  0 (enabled), 1 (disabled), or 3 (uninitialized).
+
+	  To compile this driver as a module, choose M here: the module will
+	  be called mktme_status.
+
 source "drivers/misc/c2port/Kconfig"
 source "drivers/misc/eeprom/Kconfig"
 source "drivers/misc/cb710/Kconfig"
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index c7bd01ac6291..98c971c096a6 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -57,3 +57,4 @@ obj-$(CONFIG_PVPANIC)   	+= pvpanic.o
 obj-$(CONFIG_HABANA_AI)		+= habanalabs/
 obj-$(CONFIG_UACCE)		+= uacce/
 obj-$(CONFIG_XILINX_SDFEC)	+= xilinx_sdfec.o
+obj-$(CONFIG_MKTME_STATUS)	+= mktme_status.o
diff --git a/drivers/misc/mktme_status.c b/drivers/misc/mktme_status.c
new file mode 100644
index 000000000000..22c14966b4e9
--- /dev/null
+++ b/drivers/misc/mktme_status.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * MKTME Status driver
+ *
+ * Copyright 2020 (c) Daniel Gutson (daniel.gutson@xxxxxxxxxxxxx)
+ *
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/security.h>
+#include <asm/cpu.h>
+
+static struct dentry *mktme_dir;
+static struct dentry *mktme_file;
+
+static ssize_t mktme_status_read(struct file *filp, char __user *buf,
+				 size_t count, loff_t *ppos)
+{
+	/* Buffer size 3 because of the following chars:
+	 *     value \n \0
+	 */
+	char tmp[3];
+
+	sprintf(tmp, "%d\n", (int)mktme_get_status() & 1);
+	return simple_read_from_buffer(buf, count, ppos, tmp, sizeof(tmp));
+}
+
+static const struct file_operations mktme_status_ops = {
+	.read = mktme_status_read,
+};
+
+static int __init mod_init(void)
+{
+	mktme_dir = securityfs_create_dir("mktme", NULL);
+	if (IS_ERR(mktme_dir)) {
+		pr_err("Couldn't create mktme sysfs dir\n");
+		return PTR_ERR(mktme_dir);
+	}
+
+	mktme_file = securityfs_create_file("status", 0600, mktme_dir, NULL,
+					    &mktme_status_ops);
+	if (IS_ERR(mktme_file)) {
+		pr_err("Error creating securityfs file 'status'\n");
+		goto out_file;
+	}
+
+	return 0;
+
+out_file:
+	securityfs_remove(mktme_dir);
+	return PTR_ERR(mktme_file);
+}
+
+static void __exit mod_exit(void)
+{
+	securityfs_remove(mktme_file);
+	securityfs_remove(mktme_dir);
+}
+
+module_init(mod_init);
+module_exit(mod_exit);
+
+MODULE_DESCRIPTION("MKTME Status kernel module");
+MODULE_AUTHOR("Daniel Gutson <daniel.gutson@xxxxxxxxxxxxx>");
+MODULE_LICENSE("GPL");
diff --git a/include/uapi/misc/mktme_status.h b/include/uapi/misc/mktme_status.h
new file mode 100644
index 000000000000..04b992d2757f
--- /dev/null
+++ b/include/uapi/misc/mktme_status.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+
+#ifndef __MKTME_STATUS_H__
+#define __MKTME_STATUS_H__
+
+enum mktme_status_type {
+	MKTME_ENABLED = 0,
+	MKTME_DISABLED = 1,
+	MKTME_UNINITIALIZED = 2
+};
+
+#endif /* __MKTME_STATUS_H__ */
-- 
2.25.1