authorPratikkumar Prajapati <pratikkumar.v.prajapati@intel.com>2022-12-19 09:52:34 -0800
committerFelix Held <felix-coreboot@felixheld.de>2023-01-10 14:43:22 +0000
commitc262b44d7ccae234b21a1c57bc7706071306aeef (patch)
treea3b9f2b61b6c3887d03387dc3c5d64b970405188 /util
parent12367e0db1150cfb6c75af3e5a41a0e409f7a0c1 (diff)
utils/inteltool: Add support to print Key Locker status
Add command-line option "-k" to print status. Sample output: $ inteltool -k ============= Dumping INTEL Key Locker status ============= Key Locker supported : YES AESKL instructions enabled : NO =========================================================== Change-Id: Icb1b08619b1dbc535640127f7ab5f6b49d70a6fe Signed-off-by: Pratikkumar Prajapati <pratikkumar.v.prajapati@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/71657 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Diffstat (limited to 'util')
-rw-r--r--util/inteltool/cpu.c68
-rw-r--r--util/inteltool/inteltool.c13
-rw-r--r--util/inteltool/inteltool.h1
3 files changed, 70 insertions, 12 deletions
diff --git a/util/inteltool/cpu.c b/util/inteltool/cpu.c
index 74252293de69..5b1dbf3acf97 100644
--- a/util/inteltool/cpu.c
+++ b/util/inteltool/cpu.c
@@ -3,6 +3,7 @@
#include <fcntl.h>
#include <unistd.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -17,16 +18,20 @@
# define BREG "%%ebx"
#endif
-#define IA32_FEATURE_CONTROL 0x3a
-#define SGX_GLOBAL_ENABLED (1 << 18)
-#define FEATURE_CONTROL_LOCKED (1)
-#define MTRR_CAP_MSR 0xfe
-#define PRMRR_SUPPORTED (1 << 12)
-#define SGX_SUPPORTED (1 << 2)
-#define IA32_TME_ACTIVATE 0x982
-#define TME_SUPPORTED (1 << 13)
-#define TME_LOCKED (1)
-#define TME_ENABLED (1 << 1)
+#define CPUID_STRUCT_EXTENDED_FEATURE_FLAGS 0x7
+#define IA32_FEATURE_CONTROL 0x3a
+#define SGX_GLOBAL_ENABLED (1 << 18)
+#define FEATURE_CONTROL_LOCKED (1)
+#define MTRR_CAP_MSR 0xfe
+#define PRMRR_SUPPORTED (1 << 12)
+#define SGX_SUPPORTED (1 << 2)
+#define IA32_TME_ACTIVATE 0x982
+#define TME_SUPPORTED (1 << 13)
+#define TME_LOCKED (1)
+#define TME_ENABLED (1 << 1)
+#define CPUID_KEYLOCKER_FEATURE_FLAGS 0x19
+#define KEYLOCKER_SUPPORTED (1<<23)
+#define KEYLOCKER_AESKL (1)
int fd_msr;
@@ -266,6 +271,49 @@ void print_tme(void)
#endif
}
+static bool is_keylocker_supported()
+{
+ cpuid_result_t cpuid_regs;
+ msr_t msr;
+
+ /*
+ * CPUID leaf 0x7 subleaf 0x0 to detect Intel Key Locker support.
+ * The specification of Key Locker can be found at: https://www.intel.com/
+ * content/www/us/en/develop/download/intel-key-locker-specification.html
+ * The spec can also be found via document #343965 on Intel's site.
+ */
+ cpuid_regs = cpuid_ext(CPUID_STRUCT_EXTENDED_FEATURE_FLAGS, 0x0);
+ msr = rdmsr_from_cpu(0, MTRR_CAP_MSR);
+ return ((cpuid_regs.ecx & KEYLOCKER_SUPPORTED) && (msr.lo & PRMRR_SUPPORTED));
+}
+
+static bool is_aeskl_enabled()
+{
+ cpuid_result_t cpuid_regs;
+
+ /* CPUID leaf 0x19 subleaf 0x0 to detect details of Intel Key Locker feature */
+ cpuid_regs = cpuid_ext(CPUID_KEYLOCKER_FEATURE_FLAGS, 0x0);
+ return (cpuid_regs.ebx & KEYLOCKER_AESKL);
+}
+
+void print_keylocker(void)
+{
+#ifndef __DARWIN__
+ int keylocker_supported = is_keylocker_supported();
+
+ printf("\n============= Dumping INTEL Key Locker status =============\n");
+
+ printf("Key Locker supported : %s\n", keylocker_supported ? "YES" : "NO");
+
+ if (keylocker_supported) {
+ printf("AESKL instructions enabled : %s\n", is_aeskl_enabled() ? "YES" : "NO");
+ }
+ printf("===========================================================\n");
+#else
+ printf("Not Implemented\n");
+#endif
+}
+
int print_intel_msrs(unsigned int range_start, unsigned int range_end)
{
unsigned int i, core, id;
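Review bot: `is_keylocker_supported()` also requires `PRMRR_SUPPORTED` in `MTRR_CAP_MSR`, but the comment above it only describes the CPUID leaf 0x7 check, so a "NO" in the output cannot be traced to either condition. I would extend the comment with something like `/* Also requires PRMRR support (MTRR_CAP bit 12); TODO: cite the spec section that ties Key Locker to PRMRR */`, or print the two conditions separately. In `is_aeskl_enabled()`, a comment noting that CPUID.19H:EBX[0] presumably reflects the running OS's enablement state as well as the firmware's would help anyone reading "AESKL instructions enabled : NO" as a firmware finding. Both helpers are declared with empty parentheses; `static bool is_keylocker_supported(void)` and `static bool is_aeskl_enabled(void)` would match `print_keylocker(void)`, and `keylocker_supported` can be `bool` rather than `int`.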
diff --git a/util/inteltool/inteltool.c b/util/inteltool/inteltool.c
index f4dbc1d94e9e..92a981a7b8a0 100644
--- a/util/inteltool/inteltool.c
+++ b/util/inteltool/inteltool.c
@@ -628,6 +628,7 @@ static void print_usage(const char *name)
" -A | --ambs: dump AMB registers\n"
" -x | --sgx: dump SGX status\n"
" -t | --tme: dump TME status\n"
+ " -k | --keylocker: dump Key Locker status\n"
" -a | --all: dump all known (safe) registers\n"
" --pcr=PORT_ID: dump all registers of a PCR port\n"
" (may be specified max %d times)\n"
@@ -689,7 +690,7 @@ int main(int argc, char *argv[])
int dump_pmbase = 0, dump_epbar = 0, dump_dmibar = 0;
int dump_pciexbar = 0, dump_coremsrs = 0, dump_ambs = 0;
int dump_spi = 0, dump_gfx = 0, dump_ahci = 0, dump_sgx = 0, dump_tme = 0;
- int dump_lpc = 0;
+ int dump_lpc = 0, dump_keylocker = 0;
int show_gpio_diffs = 0;
size_t pcr_count = 0;
uint8_t dump_pcr[MAX_PCR_PORTS];
@@ -719,10 +720,11 @@ int main(int argc, char *argv[])
{"sgx", 0, 0, 'x'},
{"pcr", required_argument, 0, LONG_OPT_PCR},
{"tme", 0, 0, 't'},
+ {"keylocker", 0, 0, 'k'},
{0, 0, 0, 0}
};
- while ((opt = getopt_long(argc, argv, "vh?gGrplmedPMaAsfRS:xt",
+ while ((opt = getopt_long(argc, argv, "vh?gGrplmedPMaAsfRS:xtk",
long_options, &option_index)) != EOF) {
switch (opt) {
case 'v':
@@ -803,6 +805,7 @@ int main(int argc, char *argv[])
dump_ahci = 1;
dump_sgx = 1;
dump_tme = 1;
+ dump_keylocker = 1;
break;
case 'A':
dump_ambs = 1;
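Review bot: Setting `dump_keylocker = 1` under `-a` makes every full dump call `print_keylocker()`, whose `__DARWIN__` branch prints a bare `Not Implemented` with no section header, so in combined output the reader cannot tell which feature the line refers to. Printing the header before the `#ifndef`, or using `printf("Key Locker status: Not Implemented\n");`, would keep the `-a` output self-describing. This case sits inside `main`, which starts and ends outside the hunk.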
@@ -816,6 +819,9 @@ int main(int argc, char *argv[])
case 't':
dump_tme = 1;
break;
+ case 'k':
+ dump_keylocker = 1;
+ break;
case LONG_OPT_PCR:
if (pcr_count < MAX_PCR_PORTS) {
errno = 0;
@@ -1011,6 +1017,9 @@ int main(int argc, char *argv[])
if (dump_tme)
print_tme();
+ if (dump_keylocker)
+ print_keylocker();
+
if (pcr_count)
print_pcr_ports(sb, dump_pcr, pcr_count);
diff --git a/util/inteltool/inteltool.h b/util/inteltool/inteltool.h
index 5b40721262f6..130e63ce88e9 100644
--- a/util/inteltool/inteltool.h
+++ b/util/inteltool/inteltool.h
@@ -498,6 +498,7 @@ int print_gfx(struct pci_dev *gfx);
int print_ahci(struct pci_dev *ahci);
int print_sgx(void);
void print_tme(void);
+void print_keylocker(void);
void ivybridge_dump_timings(const char *dump_spd_file);
#endif