tools/arch/x86: intel_sdsi: Add support for reading state certificates
authorDavid E. Box <david.e.box@linux.intel.com>
Sat, 19 Nov 2022 00:23:39 +0000 (16:23 -0800)
committerHans de Goede <hdegoede@redhat.com>
Mon, 21 Nov 2022 09:55:51 +0000 (10:55 +0100)
Add option to read and decode On Demand state certificates.

Link: https://github.com/intel/intel-sdsi/blob/master/state-certificate-encoding.rst
Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20221119002343.1281885-6-david.e.box@linux.intel.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
tools/arch/x86/intel_sdsi/intel_sdsi.c

index c0e2f23..9dd9401 100644 (file)
 
 #include <sys/types.h>
 
+#ifndef __packed
+#define __packed __attribute__((packed))
+#endif
+
+#define min(x, y) ({                            \
+       typeof(x) _min1 = (x);                  \
+       typeof(y) _min2 = (y);                  \
+       (void) (&_min1 == &_min2);              \
+       _min1 < _min2 ? _min1 : _min2; })
+
 #define SDSI_DEV               "intel_vsec.sdsi"
 #define AUX_DEV_PATH           "/sys/bus/auxiliary/devices/"
 #define SDSI_PATH              (AUX_DEV_DIR SDSI_DEV)
 #define GUID                   0x6dd191
 #define REGISTERS_MIN_SIZE     72
+#define STATE_CERT_MAX_SIZE    4096
+#define STATE_MAX_NUM_LICENSES 16
+#define STATE_MAX_NUM_IN_BUNDLE        (uint32_t)8
 
 #define __round_mask(x, y) ((__typeof__(x))((y) - 1))
 #define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1)
@@ -49,6 +62,7 @@ struct availability {
        uint64_t reserved:48;
        uint64_t available:3;
        uint64_t threshold:3;
+       uint64_t reserved2:10;
 };
 
 struct sdsi_regs {
@@ -63,17 +77,55 @@ struct sdsi_regs {
        uint64_t socket_id;
 };
 
+#define CONTENT_TYPE_LK_ENC            0xD
+#define CONTENT_TYPE_LK_BLOB_ENC       0xE
+
+struct state_certificate {
+       uint32_t content_type;
+       uint32_t region_rev_id;
+       uint32_t header_size;
+       uint32_t total_size;
+       uint32_t key_size;
+       uint32_t num_licenses;
+};
+
+struct license_key_info {
+       uint32_t key_rev_id;
+       uint64_t key_image_content[6];
+} __packed;
+
+#define LICENSE_BLOB_SIZE(l)   (((l) & 0x7fffffff) * 4)
+#define LICENSE_VALID(l)       (!!((l) & 0x80000000))
+
+// License Group Types
+#define LBT_ONE_TIME_UPGRADE   1
+#define LBT_METERED_UPGRADE    2
+
+struct license_blob_content {
+       uint32_t type;
+       uint64_t id;
+       uint64_t ppin;
+       uint64_t previous_ppin;
+       uint32_t rev_id;
+       uint32_t num_bundles;
+} __packed;
+
+struct bundle_encoding {
+       uint32_t encoding;
+       uint32_t encoding_rsvd[7];
+};
+
 struct sdsi_dev {
        struct sdsi_regs regs;
+       struct state_certificate sc;
        char *dev_name;
        char *dev_path;
        int guid;
 };
 
 enum command {
-       CMD_NONE,
        CMD_SOCKET_INFO,
-       CMD_DUMP_CERT,
+       CMD_STATE_CERT,
        CMD_PROV_AKC,
        CMD_PROV_CAP,
 };
@@ -168,20 +220,56 @@ static int sdsi_read_reg(struct sdsi_dev *s)
        return 0;
 }
 
-static int sdsi_certificate_dump(struct sdsi_dev *s)
+static char *license_blob_type(uint32_t type)
+{
+       switch (type) {
+       case LBT_ONE_TIME_UPGRADE:
+               return "One time upgrade";
+       case LBT_METERED_UPGRADE:
+               return "Metered upgrade";
+       default:
+               return "Unknown license blob type";
+       }
+}
+
+static char *content_type(uint32_t type)
+{
+       switch (type) {
+       case  CONTENT_TYPE_LK_ENC:
+               return "Licencse key encoding";
+       case CONTENT_TYPE_LK_BLOB_ENC:
+               return "License key + Blob encoding";
+       default:
+               return "Unknown content type";
+       }
+}
+
+static void get_feature(uint32_t encoding, char *feature)
+{
+       char *name = (char *)&encoding;
+
+       feature[3] = name[0];
+       feature[2] = name[1];
+       feature[1] = name[2];
+       feature[0] = name[3];
+}
+
+static int sdsi_state_cert_show(struct sdsi_dev *s)
 {
-       uint64_t state_certificate[512] = {0};
-       bool first_instance;
-       uint64_t previous;
+       char buf[STATE_CERT_MAX_SIZE] = {0};
+       struct state_certificate *sc;
+       struct license_key_info *lki;
+       uint32_t offset = 0;
+       uint32_t count = 0;
        FILE *cert_ptr;
-       int i, ret, size;
+       int ret, size;
 
        ret = sdsi_update_registers(s);
        if (ret)
                return ret;
 
        if (!s->regs.en_features.sdsi) {
-               fprintf(stderr, "SDSi feature is present but not enabled.");
+               fprintf(stderr, "On Demand feature is present but not enabled.");
                fprintf(stderr, " Unable to read state certificate");
                return -1;
        }
@@ -198,32 +286,74 @@ static int sdsi_certificate_dump(struct sdsi_dev *s)
                return -1;
        }
 
-       size = fread(state_certificate, 1, sizeof(state_certificate), cert_ptr);
+       size = fread(buf, 1, sizeof(buf), cert_ptr);
        if (!size) {
                fprintf(stderr, "Could not read 'state_certificate' file\n");
                fclose(cert_ptr);
                return -1;
        }
+       fclose(cert_ptr);
 
-       printf("%3d: 0x%lx\n", 0, state_certificate[0]);
-       previous = state_certificate[0];
-       first_instance = true;
+       sc = (struct state_certificate *)buf;
 
-       for (i = 1; i < (int)(round_up(size, sizeof(uint64_t))/sizeof(uint64_t)); i++) {
-               if (state_certificate[i] == previous) {
-                       if (first_instance) {
-                               puts("*");
-                               first_instance = false;
-                       }
-                       continue;
+       /* Print register info for this guid */
+       printf("\n");
+       printf("State certificate for device %s\n", s->dev_name);
+       printf("\n");
+       printf("Content Type:          %s\n", content_type(sc->content_type));
+       printf("Region Revision ID:    %d\n", sc->region_rev_id);
+       printf("Header Size:           %d\n", sc->header_size * 4);
+       printf("Total Size:            %d\n", sc->total_size);
+       printf("OEM Key Size:          %d\n", sc->key_size * 4);
+       printf("Number of Licenses:    %d\n", sc->num_licenses);
+
+       /* Skip over the license sizes 4 bytes per license) to get the license key info */
+       lki = (void *)sc + sizeof(*sc) + (4 * sc->num_licenses);
+
+       printf("License blob Info:\n");
+       printf("    License Key Revision ID:    0x%x\n", lki->key_rev_id);
+       printf("    License Key Image Content:  0x%lx%lx%lx%lx%lx%lx\n",
+              lki->key_image_content[5], lki->key_image_content[4],
+              lki->key_image_content[3], lki->key_image_content[2],
+              lki->key_image_content[1], lki->key_image_content[0]);
+
+       while (count++ < sc->num_licenses) {
+               uint32_t blob_size_field = *(uint32_t *)(buf + 0x14 + count * 4);
+               uint32_t blob_size = LICENSE_BLOB_SIZE(blob_size_field);
+               bool license_valid = LICENSE_VALID(blob_size_field);
+               struct license_blob_content *lbc =
+                       (void *)(sc) +                  // start of the state certificate
+                       sizeof(*sc) +                   // size of the state certificate
+                       (4 * sc->num_licenses) +        // total size of the blob size blocks
+                       sizeof(*lki) +                  // size of the license key info
+                       offset;                         // offset to this blob content
+               struct bundle_encoding *bundle = (void *)(lbc) + sizeof(*lbc);
+               char feature[5];
+               uint32_t i;
+
+               printf("     Blob %d:\n", count - 1);
+               printf("        License blob size:          %u\n", blob_size);
+               printf("        License is valid:           %s\n", license_valid ? "Yes" : "No");
+               printf("        License blob type:          %s\n", license_blob_type(lbc->type));
+               printf("        License blob ID:            0x%lx\n", lbc->id);
+               printf("        PPIN:                       0x%lx\n", lbc->ppin);
+               printf("        Previous PPIN:              0x%lx\n", lbc->previous_ppin);
+               printf("        Blob revision ID:           %u\n", lbc->rev_id);
+               printf("        Number of Features:         %u\n", lbc->num_bundles);
+
+               feature[4] = '\0';
+
+               for (i = 0; i < min(lbc->num_bundles, STATE_MAX_NUM_IN_BUNDLE); i++) {
+                       get_feature(bundle[i].encoding, feature);
+                       printf("                 Feature %d:         %s\n", i, feature);
                }
-               printf("%3d: 0x%lx\n", i, state_certificate[i]);
-               previous = state_certificate[i];
-               first_instance = true;
-       }
-       printf("%3d\n", i);
 
-       fclose(cert_ptr);
+               if (lbc->num_bundles > STATE_MAX_NUM_IN_BUNDLE)
+                       fprintf(stderr, "        Warning: %d > %d licenses in bundle reported.\n",
+                               lbc->num_bundles, STATE_MAX_NUM_IN_BUNDLE);
+
+               offset += blob_size;
+       };
 
        return 0;
 }
@@ -231,7 +361,7 @@ static int sdsi_certificate_dump(struct sdsi_dev *s)
 static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command command)
 {
        int bin_fd, prov_fd, size, ret;
-       char buf[4096] = { 0 };
+       char buf[STATE_CERT_MAX_SIZE] = { 0 };
        char cap[] = "provision_cap";
        char akc[] = "provision_akc";
        char *prov_file;
@@ -266,7 +396,7 @@ static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command comma
        }
 
        /* Read the binary file into the buffer */
-       size = read(bin_fd, buf, 4096);
+       size = read(bin_fd, buf, STATE_CERT_MAX_SIZE);
        if (size == -1) {
                close(bin_fd);
                close(prov_fd);
@@ -443,25 +573,26 @@ static void sdsi_free_dev(struct sdsi_dev *s)
 
 static void usage(char *prog)
 {
-       printf("Usage: %s [-l] [-d DEVNO [-iD] [-a FILE] [-c FILE]]\n", prog);
+       printf("Usage: %s [-l] [-d DEVNO [-i] [-s] [-a FILE] [-c FILE]]\n", prog);
 }
 
 static void show_help(void)
 {
        printf("Commands:\n");
-       printf("  %-18s\t%s\n", "-l, --list",           "list available sdsi devices");
-       printf("  %-18s\t%s\n", "-d, --devno DEVNO",    "sdsi device number");
-       printf("  %-18s\t%s\n", "-i --info",            "show socket information");
-       printf("  %-18s\t%s\n", "-D --dump",            "dump state certificate data");
-       printf("  %-18s\t%s\n", "-a --akc FILE",        "provision socket with AKC FILE");
-       printf("  %-18s\t%s\n", "-c --cap FILE>",       "provision socket with CAP FILE");
+       printf("  %-18s\t%s\n", "-l, --list",           "list available On Demand devices");
+       printf("  %-18s\t%s\n", "-d, --devno DEVNO",    "On Demand device number");
+       printf("  %-18s\t%s\n", "-i, --info",           "show socket information");
+       printf("  %-18s\t%s\n", "-s, --state",          "show state certificate");
+       printf("  %-18s\t%s\n", "-a, --akc FILE",       "provision socket with AKC FILE");
+       printf("  %-18s\t%s\n", "-c, --cap FILE>",      "provision socket with CAP FILE");
 }
 
 int main(int argc, char *argv[])
 {
        char bin_file[PATH_MAX], *dev_no = NULL;
+       bool device_selected = false;
        char *progname;
-       enum command command = CMD_NONE;
+       enum command command = -1;
        struct sdsi_dev *s;
        int ret = 0, opt;
        int option_index = 0;
@@ -470,21 +601,22 @@ int main(int argc, char *argv[])
                {"akc",         required_argument,      0, 'a'},
                {"cap",         required_argument,      0, 'c'},
                {"devno",       required_argument,      0, 'd'},
-               {"dump",        no_argument,            0, 'D'},
                {"help",        no_argument,            0, 'h'},
                {"info",        no_argument,            0, 'i'},
                {"list",        no_argument,            0, 'l'},
+               {"state",       no_argument,            0, 's'},
                {0,             0,                      0, 0 }
        };
 
 
        progname = argv[0];
 
-       while ((opt = getopt_long_only(argc, argv, "+a:c:d:Da:c:h", long_options,
+       while ((opt = getopt_long_only(argc, argv, "+a:c:d:hils", long_options,
                        &option_index)) != -1) {
                switch (opt) {
                case 'd':
                        dev_no = optarg;
+                       device_selected = true;
                        break;
                case 'l':
                        sdsi_list_devices();
@@ -492,8 +624,8 @@ int main(int argc, char *argv[])
                case 'i':
                        command = CMD_SOCKET_INFO;
                        break;
-               case 'D':
-                       command = CMD_DUMP_CERT;
+               case 's':
+                       command = CMD_STATE_CERT;
                        break;
                case 'a':
                case 'c':
@@ -520,39 +652,35 @@ int main(int argc, char *argv[])
                }
        }
 
-       if (!dev_no) {
-               if (command != CMD_NONE)
-                       fprintf(stderr, "Missing device number, DEVNO, for this command\n");
-               usage(progname);
-               return -1;
-       }
+       if (device_selected) {
+               s = sdsi_create_dev(dev_no);
+               if (!s)
+                       return -1;
 
-       s = sdsi_create_dev(dev_no);
-       if (!s)
-               return -1;
+               switch (command) {
+               case CMD_SOCKET_INFO:
+                       ret = sdsi_read_reg(s);
+                       break;
+               case CMD_STATE_CERT:
+                       ret = sdsi_state_cert_show(s);
+                       break;
+               case CMD_PROV_AKC:
+                       ret = sdsi_provision_akc(s, bin_file);
+                       break;
+               case CMD_PROV_CAP:
+                       ret = sdsi_provision_cap(s, bin_file);
+                       break;
+               default:
+                       fprintf(stderr, "No command specified\n");
+                       return -1;
+               }
+
+               sdsi_free_dev(s);
 
-       /* Run the command */
-       switch (command) {
-       case CMD_NONE:
-               fprintf(stderr, "Missing command for device %s\n", dev_no);
-               usage(progname);
-               break;
-       case CMD_SOCKET_INFO:
-               ret = sdsi_read_reg(s);
-               break;
-       case CMD_DUMP_CERT:
-               ret = sdsi_certificate_dump(s);
-               break;
-       case CMD_PROV_AKC:
-               ret = sdsi_provision_akc(s, bin_file);
-               break;
-       case CMD_PROV_CAP:
-               ret = sdsi_provision_cap(s, bin_file);
-               break;
-       }
-
-
-       sdsi_free_dev(s);
+       } else {
+               fprintf(stderr, "No device specified\n");
+               return -1;
+       }
 
        return ret;
 }