AMD To Expose More PSP Security Information Under Linux, Including State Of CPU Fuses
Right now under Linux it isn't quick and easy to figure out if the likes of (Transparent) Secure Memory Encryption are enabled and working but a new patch series will more easily expose the security attributes of the AMD Platform Security Processor (PSP) to users on Linux. Among the information to be exposed will also include whether the CPU is fused in the name of tampering prevention.
AMD Linux engineer Mario Limonciello has been working on a patch series for exporting various AMD PSP security attributes under Linux and exposing that information to user-space via sysfs.
Among the information to be exposed via sysfs includes whether the CPU/APU is a fused part to prevent tampering but limits the CPU to working in certain system vendor motherboards (Platform Secure Boot) with effectively vendor-locking that given part. The sysfs information also indicates whether the CPU/APU is unlocked for debugging purposes, the TSME state, whether the PSP is enforcing rollback protection, the status of the Replay Protected Monotonic Counter (RPMC), whether the HSP TPM is acxtivated, and whether RomArmor SPI protection is enforced. This work is only about reporting the state of these various PSP features and doesn't allow altering their value/behavior.
This current patch series allows the ability to detect Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (TSME) too and possibly expanding that in the future so both wouldn't be redundantly enabled at the same time, but now at least the user will know.
The AMD PSP information will be exported under /sys/bus/pci/devices/. This information reporting is being handled by AMD's CCP (Crypto Co-Processor) driver. This patch series thus also now allows the AMD CCP Linux driver to load even for CPUs without SEV/TEE. AMD's Platform Security Processor is the Arm core inserted onto the CPU die with on-chip firmware that is responsible for various security responsibilities on Ryzen and EPYC systems.
For now the patches are on the kernel mailing list while hopefully they will be readied in time for the v5.19 cycle this summer for this useful AMD PSP information reporting.