| Message ID | 59ca3ae4ac03c43751ce4af5119ede548bb9e8e4.1581555616.git.ashish.kalra@amd.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | SEV Live Migration Patchset. | expand |
On Wed, Feb 12, 2020 at 5:15 PM Ashish Kalra <Ashish.Kalra@amd.com> wrote: > > From: Brijesh Singh <brijesh.singh@amd.com> > > The command is used to create an outgoing SEV guest encryption context. > > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@redhat.com> > Cc: "H. Peter Anvin" <hpa@zytor.com> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: "Radim Krčmář" <rkrcmar@redhat.com> > Cc: Joerg Roedel <joro@8bytes.org> > Cc: Borislav Petkov <bp@suse.de> > Cc: Tom Lendacky <thomas.lendacky@amd.com> > Cc: x86@kernel.org > Cc: kvm@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > Signed-off-by: Ashish Kalra <ashish.kalra@amd.com> > --- > .../virt/kvm/amd-memory-encryption.rst | 27 ++++ > arch/x86/kvm/svm.c | 125 ++++++++++++++++++ > include/linux/psp-sev.h | 8 +- > include/uapi/linux/kvm.h | 12 ++ > 4 files changed, 168 insertions(+), 4 deletions(-) > > diff --git a/Documentation/virt/kvm/amd-memory-encryption.rst b/Documentation/virt/kvm/amd-memory-encryption.rst > index d18c97b4e140..826911f41f3b 100644 > --- a/Documentation/virt/kvm/amd-memory-encryption.rst > +++ b/Documentation/virt/kvm/amd-memory-encryption.rst > @@ -238,6 +238,33 @@ Returns: 0 on success, -negative on error > __u32 trans_len; > }; > > +10. KVM_SEV_SEND_START > +---------------------- > + > +The KVM_SEV_SEND_START command can be used by the hypervisor to create an > +outgoing guest encryption context. > + > +Parameters (in): struct kvm_sev_send_start > + > +Returns: 0 on success, -negative on error > + > +:: > + struct kvm_sev_send_start { > + __u32 policy; /* guest policy */ > + > + __u64 pdh_cert_uaddr; /* platform Diffie-Hellman certificate */ > + __u32 pdh_cert_len; > + > + __u64 plat_certs_uadr; /* platform certificate chain */ > + __u32 plat_certs_len; > + > + __u64 amd_certs_uaddr; /* AMD certificate */ > + __u32 amd_cert_len; > + > + __u64 session_uaddr; /* Guest session information */ > + __u32 session_len; > + }; > + > References > ========== > > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > index a3e32d61d60c..3a7e2cac51de 100644 > --- a/arch/x86/kvm/svm.c > +++ b/arch/x86/kvm/svm.c > @@ -7140,6 +7140,128 @@ static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp) > return ret; > } > > +/* Userspace wants to query session length. */ > +static int > +__sev_send_start_query_session_length(struct kvm *kvm, struct kvm_sev_cmd *argp, > + struct kvm_sev_send_start *params) > +{ > + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > + struct sev_data_send_start *data; > + int ret; > + > + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); > + if (data == NULL) > + return -ENOMEM; > + > + data->handle = sev->handle; > + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); > + > + params->session_len = data->session_len; > + if (copy_to_user((void __user *)(uintptr_t)argp->data, params, > + sizeof(struct kvm_sev_send_start))) > + ret = -EFAULT; > + > + kfree(data); > + return ret; > +} > + > +static int sev_send_start(struct kvm *kvm, struct kvm_sev_cmd *argp) > +{ > + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > + struct sev_data_send_start *data; > + struct kvm_sev_send_start params; > + void *amd_certs, *session_data; > + void *pdh_cert, *plat_certs; > + int ret; > + > + if (!sev_guest(kvm)) > + return -ENOTTY; > + > + if (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, > + sizeof(struct kvm_sev_send_start))) > + return -EFAULT; > + > + /* if session_len is zero, userspace wants t query the session length */ /t/to/ > > + if (!params.session_len) > + return __sev_send_start_query_session_length(kvm, argp, > + ¶ms); Document this behavior with the command. > + > + /* some sanity checks */ > + if (!params.pdh_cert_uaddr || !params.pdh_cert_len || > + !params.session_uaddr || params.session_len > SEV_FW_BLOB_MAX_SIZE) > + return -EINVAL; > + > + /* allocate the memory to hold the session data blob */ > + session_data = kmalloc(params.session_len, GFP_KERNEL_ACCOUNT); > + if (!session_data) > + return -ENOMEM; > + > + /* copy the certificate blobs from userspace */ > + pdh_cert = psp_copy_user_blob(params.pdh_cert_uaddr, > + params.pdh_cert_len); > + if (IS_ERR(pdh_cert)) { > + ret = PTR_ERR(pdh_cert); > + goto e_free_session; > + } > + > + plat_certs = psp_copy_user_blob(params.plat_certs_uaddr, > + params.plat_certs_len); > + if (IS_ERR(plat_certs)) { > + ret = PTR_ERR(plat_certs); > + goto e_free_pdh; > + } > + > + amd_certs = psp_copy_user_blob(params.amd_certs_uaddr, > + params.amd_certs_len); > + if (IS_ERR(amd_certs)) { > + ret = PTR_ERR(amd_certs); > + goto e_free_plat_cert; > + } > + > + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); > + if (data == NULL) { > + ret = -ENOMEM; > + goto e_free_amd_cert; > + } > + > + /* populate the FW SEND_START field with system physical address */ > + data->pdh_cert_address = __psp_pa(pdh_cert); > + data->pdh_cert_len = params.pdh_cert_len; > + data->plat_certs_address = __psp_pa(plat_certs); > + data->plat_certs_len = params.plat_certs_len; > + data->amd_certs_address = __psp_pa(amd_certs); > + data->amd_certs_len = params.amd_certs_len; > + data->session_address = __psp_pa(session_data); > + data->session_len = params.session_len; > + data->handle = sev->handle; > + > + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); sev_issue_cmd can fail. I think you want to handle those errors here (e.g. it can return -ebadf or a number of others). Right now they could get clobbered by a later copy_to_user error. It's also worth documenting what the error argp->error is filled in with. I didn't see anything in the docs mentioning the status codes (may have missed it). > + > + if (copy_to_user((void __user *)(uintptr_t) params.session_uaddr, > + session_data, params.session_len)) { > + ret = -EFAULT; > + goto e_free; > + } > + > + params.policy = data->policy; > + params.session_len = data->session_len; > + if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, > + sizeof(struct kvm_sev_send_start))) > + ret = -EFAULT; > + > +e_free: > + kfree(data); > +e_free_amd_cert: > + kfree(amd_certs); > +e_free_plat_cert: > + kfree(plat_certs); > +e_free_pdh: > + kfree(pdh_cert); > +e_free_session: > + kfree(session_data); > + return ret; > +} > + > static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) > { > struct kvm_sev_cmd sev_cmd; > @@ -7181,6 +7303,9 @@ static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) > case KVM_SEV_LAUNCH_SECRET: > r = sev_launch_secret(kvm, &sev_cmd); > break; > + case KVM_SEV_SEND_START: > + r = sev_send_start(kvm, &sev_cmd); > + break; > default: > r = -EINVAL; > goto out; > diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h > index 5167bf2bfc75..9f63b9d48b63 100644 > --- a/include/linux/psp-sev.h > +++ b/include/linux/psp-sev.h > @@ -323,11 +323,11 @@ struct sev_data_send_start { > u64 pdh_cert_address; /* In */ > u32 pdh_cert_len; /* In */ > u32 reserved1; > - u64 plat_cert_address; /* In */ > - u32 plat_cert_len; /* In */ > + u64 plat_certs_address; /* In */ > + u32 plat_certs_len; /* In */ > u32 reserved2; > - u64 amd_cert_address; /* In */ > - u32 amd_cert_len; /* In */ > + u64 amd_certs_address; /* In */ > + u32 amd_certs_len; /* In */ > u32 reserved3; > u64 session_address; /* In */ > u32 session_len; /* In/Out */ > diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h > index 4b95f9a31a2f..17bef4c245e1 100644 > --- a/include/uapi/linux/kvm.h > +++ b/include/uapi/linux/kvm.h > @@ -1558,6 +1558,18 @@ struct kvm_sev_dbg { > __u32 len; > }; > > +struct kvm_sev_send_start { > + __u32 policy; > + __u64 pdh_cert_uaddr; > + __u32 pdh_cert_len; > + __u64 plat_certs_uaddr; > + __u32 plat_certs_len; > + __u64 amd_certs_uaddr; > + __u32 amd_certs_len; > + __u64 session_uaddr; > + __u32 session_len; > +}; > + > #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) > #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) > #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2) > -- > 2.17.1 > Looks pretty reasonable overall.
On Mon, Mar 9, 2020 at 2:28 PM Steve Rutherford <srutherford@google.com> wrote: > > On Wed, Feb 12, 2020 at 5:15 PM Ashish Kalra <Ashish.Kalra@amd.com> wrote: > > > > From: Brijesh Singh <brijesh.singh@amd.com> > > > > The command is used to create an outgoing SEV guest encryption context. > > > > Cc: Thomas Gleixner <tglx@linutronix.de> > > Cc: Ingo Molnar <mingo@redhat.com> > > Cc: "H. Peter Anvin" <hpa@zytor.com> > > Cc: Paolo Bonzini <pbonzini@redhat.com> > > Cc: "Radim Krčmář" <rkrcmar@redhat.com> > > Cc: Joerg Roedel <joro@8bytes.org> > > Cc: Borislav Petkov <bp@suse.de> > > Cc: Tom Lendacky <thomas.lendacky@amd.com> > > Cc: x86@kernel.org > > Cc: kvm@vger.kernel.org > > Cc: linux-kernel@vger.kernel.org > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > > Signed-off-by: Ashish Kalra <ashish.kalra@amd.com> > > --- > > .../virt/kvm/amd-memory-encryption.rst | 27 ++++ > > arch/x86/kvm/svm.c | 125 ++++++++++++++++++ > > include/linux/psp-sev.h | 8 +- > > include/uapi/linux/kvm.h | 12 ++ > > 4 files changed, 168 insertions(+), 4 deletions(-) > > > > diff --git a/Documentation/virt/kvm/amd-memory-encryption.rst b/Documentation/virt/kvm/amd-memory-encryption.rst > > index d18c97b4e140..826911f41f3b 100644 > > --- a/Documentation/virt/kvm/amd-memory-encryption.rst > > +++ b/Documentation/virt/kvm/amd-memory-encryption.rst > > @@ -238,6 +238,33 @@ Returns: 0 on success, -negative on error > > __u32 trans_len; > > }; > > > > +10. KVM_SEV_SEND_START > > +---------------------- > > + > > +The KVM_SEV_SEND_START command can be used by the hypervisor to create an > > +outgoing guest encryption context. > > + > > +Parameters (in): struct kvm_sev_send_start > > + > > +Returns: 0 on success, -negative on error > > + > > +:: > > + struct kvm_sev_send_start { > > + __u32 policy; /* guest policy */ > > + > > + __u64 pdh_cert_uaddr; /* platform Diffie-Hellman certificate */ > > + __u32 pdh_cert_len; > > + > > + __u64 plat_certs_uadr; /* platform certificate chain */ > > + __u32 plat_certs_len; > > + > > + __u64 amd_certs_uaddr; /* AMD certificate */ > > + __u32 amd_cert_len; > > + > > + __u64 session_uaddr; /* Guest session information */ > > + __u32 session_len; > > + }; > > + > > References > > ========== > > > > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > > index a3e32d61d60c..3a7e2cac51de 100644 > > --- a/arch/x86/kvm/svm.c > > +++ b/arch/x86/kvm/svm.c > > @@ -7140,6 +7140,128 @@ static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp) > > return ret; > > } > > > > +/* Userspace wants to query session length. */ > > +static int > > +__sev_send_start_query_session_length(struct kvm *kvm, struct kvm_sev_cmd *argp, > > + struct kvm_sev_send_start *params) > > +{ > > + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > > + struct sev_data_send_start *data; > > + int ret; > > + > > + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); > > + if (data == NULL) > > + return -ENOMEM; > > + > > + data->handle = sev->handle; > > + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); > > + > > + params->session_len = data->session_len; > > + if (copy_to_user((void __user *)(uintptr_t)argp->data, params, > > + sizeof(struct kvm_sev_send_start))) > > + ret = -EFAULT; > > + > > + kfree(data); > > + return ret; > > +} > > + > > +static int sev_send_start(struct kvm *kvm, struct kvm_sev_cmd *argp) > > +{ > > + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > > + struct sev_data_send_start *data; > > + struct kvm_sev_send_start params; > > + void *amd_certs, *session_data; > > + void *pdh_cert, *plat_certs; > > + int ret; > > + > > + if (!sev_guest(kvm)) > > + return -ENOTTY; > > + > > + if (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, > > + sizeof(struct kvm_sev_send_start))) > > + return -EFAULT; > > + > > + /* if session_len is zero, userspace wants t query the session length */ > > /t/to/ > > > > + if (!params.session_len) > > + return __sev_send_start_query_session_length(kvm, argp, > > + ¶ms); > Document this behavior with the command. > > > + > > + /* some sanity checks */ > > + if (!params.pdh_cert_uaddr || !params.pdh_cert_len || > > + !params.session_uaddr || params.session_len > SEV_FW_BLOB_MAX_SIZE) > > + return -EINVAL; > > + > > + /* allocate the memory to hold the session data blob */ > > + session_data = kmalloc(params.session_len, GFP_KERNEL_ACCOUNT); > > + if (!session_data) > > + return -ENOMEM; > > + > > + /* copy the certificate blobs from userspace */ > > + pdh_cert = psp_copy_user_blob(params.pdh_cert_uaddr, > > + params.pdh_cert_len); > > + if (IS_ERR(pdh_cert)) { > > + ret = PTR_ERR(pdh_cert); > > + goto e_free_session; > > + } > > + > > + plat_certs = psp_copy_user_blob(params.plat_certs_uaddr, > > + params.plat_certs_len); > > + if (IS_ERR(plat_certs)) { > > + ret = PTR_ERR(plat_certs); > > + goto e_free_pdh; > > + } > > + > > + amd_certs = psp_copy_user_blob(params.amd_certs_uaddr, > > + params.amd_certs_len); > > + if (IS_ERR(amd_certs)) { > > + ret = PTR_ERR(amd_certs); > > + goto e_free_plat_cert; > > + } > > + > > + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); > > + if (data == NULL) { > > + ret = -ENOMEM; > > + goto e_free_amd_cert; > > + } > > + > > + /* populate the FW SEND_START field with system physical address */ > > + data->pdh_cert_address = __psp_pa(pdh_cert); > > + data->pdh_cert_len = params.pdh_cert_len; > > + data->plat_certs_address = __psp_pa(plat_certs); > > + data->plat_certs_len = params.plat_certs_len; > > + data->amd_certs_address = __psp_pa(amd_certs); > > + data->amd_certs_len = params.amd_certs_len; > > + data->session_address = __psp_pa(session_data); > > + data->session_len = params.session_len; > > + data->handle = sev->handle; > > + > > + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); > sev_issue_cmd can fail. I think you want to handle those errors here > (e.g. it can return -ebadf or a number of others). Right now they > could get clobbered by a later copy_to_user error. > > It's also worth documenting what the error argp->error is filled in > with. I didn't see anything in the docs mentioning the status codes > (may have missed it). > > > + > > + if (copy_to_user((void __user *)(uintptr_t) params.session_uaddr, > > + session_data, params.session_len)) { > > + ret = -EFAULT; > > + goto e_free; > > + } One additional aspect, which also comes up for other commands, is that it's not clear if the command succeeded if you get back -EFAULT. Any of the copy_to_users could have failed, on either side of the sev_issue_cmd call. If userspace filled in the error with a reserved value (e.g. 0xFFFF0000, which is larger than the largest possible error code), it could observe that that value was clobbered and infer that sev_issue_cmd succeeded/failed/etc. This is particularly error prone since the success code is zero, which is almost certainly what people will initialize the error field as, unless they go out of their way. I think the cleanest answer would be to write in a reserved value to the error at the start of sev_send_* and have sev_issue_command clobber that value with the expected value. This way, userspace can know which GSTATE the guest transitioned to, even if it sees -EFAULT. > > + > > + params.policy = data->policy; > > + params.session_len = data->session_len; > > + if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, > > + sizeof(struct kvm_sev_send_start))) > > + ret = -EFAULT; > > + > > +e_free: > > + kfree(data); > > +e_free_amd_cert: > > + kfree(amd_certs); > > +e_free_plat_cert: > > + kfree(plat_certs); > > +e_free_pdh: > > + kfree(pdh_cert); > > +e_free_session: > > + kfree(session_data); > > + return ret; > > +} > > + > > static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) > > { > > struct kvm_sev_cmd sev_cmd; > > @@ -7181,6 +7303,9 @@ static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) > > case KVM_SEV_LAUNCH_SECRET: > > r = sev_launch_secret(kvm, &sev_cmd); > > break; > > + case KVM_SEV_SEND_START: > > + r = sev_send_start(kvm, &sev_cmd); > > + break; > > default: > > r = -EINVAL; > > goto out; > > diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h > > index 5167bf2bfc75..9f63b9d48b63 100644 > > --- a/include/linux/psp-sev.h > > +++ b/include/linux/psp-sev.h > > @@ -323,11 +323,11 @@ struct sev_data_send_start { > > u64 pdh_cert_address; /* In */ > > u32 pdh_cert_len; /* In */ > > u32 reserved1; > > - u64 plat_cert_address; /* In */ > > - u32 plat_cert_len; /* In */ > > + u64 plat_certs_address; /* In */ > > + u32 plat_certs_len; /* In */ > > u32 reserved2; > > - u64 amd_cert_address; /* In */ > > - u32 amd_cert_len; /* In */ > > + u64 amd_certs_address; /* In */ > > + u32 amd_certs_len; /* In */ > > u32 reserved3; > > u64 session_address; /* In */ > > u32 session_len; /* In/Out */ > > diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h > > index 4b95f9a31a2f..17bef4c245e1 100644 > > --- a/include/uapi/linux/kvm.h > > +++ b/include/uapi/linux/kvm.h > > @@ -1558,6 +1558,18 @@ struct kvm_sev_dbg { > > __u32 len; > > }; > > > > +struct kvm_sev_send_start { > > + __u32 policy; > > + __u64 pdh_cert_uaddr; > > + __u32 pdh_cert_len; > > + __u64 plat_certs_uaddr; > > + __u32 plat_certs_len; > > + __u64 amd_certs_uaddr; > > + __u32 amd_certs_len; > > + __u64 session_uaddr; > > + __u32 session_len; > > +}; > > + > > #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) > > #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) > > #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2) > > -- > > 2.17.1 > > > > Looks pretty reasonable overall.
diff --git a/Documentation/virt/kvm/amd-memory-encryption.rst b/Documentation/virt/kvm/amd-memory-encryption.rst index d18c97b4e140..826911f41f3b 100644 --- a/Documentation/virt/kvm/amd-memory-encryption.rst +++ b/Documentation/virt/kvm/amd-memory-encryption.rst @@ -238,6 +238,33 @@ Returns: 0 on success, -negative on error __u32 trans_len; }; +10. KVM_SEV_SEND_START +---------------------- + +The KVM_SEV_SEND_START command can be used by the hypervisor to create an +outgoing guest encryption context. + +Parameters (in): struct kvm_sev_send_start + +Returns: 0 on success, -negative on error + +:: + struct kvm_sev_send_start { + __u32 policy; /* guest policy */ + + __u64 pdh_cert_uaddr; /* platform Diffie-Hellman certificate */ + __u32 pdh_cert_len; + + __u64 plat_certs_uadr; /* platform certificate chain */ + __u32 plat_certs_len; + + __u64 amd_certs_uaddr; /* AMD certificate */ + __u32 amd_cert_len; + + __u64 session_uaddr; /* Guest session information */ + __u32 session_len; + }; + References ========== diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index a3e32d61d60c..3a7e2cac51de 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -7140,6 +7140,128 @@ static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp) return ret; } +/* Userspace wants to query session length. */ +static int +__sev_send_start_query_session_length(struct kvm *kvm, struct kvm_sev_cmd *argp, + struct kvm_sev_send_start *params) +{ + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; + struct sev_data_send_start *data; + int ret; + + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); + if (data == NULL) + return -ENOMEM; + + data->handle = sev->handle; + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); + + params->session_len = data->session_len; + if (copy_to_user((void __user *)(uintptr_t)argp->data, params, + sizeof(struct kvm_sev_send_start))) + ret = -EFAULT; + + kfree(data); + return ret; +} + +static int sev_send_start(struct kvm *kvm, struct kvm_sev_cmd *argp) +{ + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; + struct sev_data_send_start *data; + struct kvm_sev_send_start params; + void *amd_certs, *session_data; + void *pdh_cert, *plat_certs; + int ret; + + if (!sev_guest(kvm)) + return -ENOTTY; + + if (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, + sizeof(struct kvm_sev_send_start))) + return -EFAULT; + + /* if session_len is zero, userspace wants t query the session length */ + if (!params.session_len) + return __sev_send_start_query_session_length(kvm, argp, + ¶ms); + + /* some sanity checks */ + if (!params.pdh_cert_uaddr || !params.pdh_cert_len || + !params.session_uaddr || params.session_len > SEV_FW_BLOB_MAX_SIZE) + return -EINVAL; + + /* allocate the memory to hold the session data blob */ + session_data = kmalloc(params.session_len, GFP_KERNEL_ACCOUNT); + if (!session_data) + return -ENOMEM; + + /* copy the certificate blobs from userspace */ + pdh_cert = psp_copy_user_blob(params.pdh_cert_uaddr, + params.pdh_cert_len); + if (IS_ERR(pdh_cert)) { + ret = PTR_ERR(pdh_cert); + goto e_free_session; + } + + plat_certs = psp_copy_user_blob(params.plat_certs_uaddr, + params.plat_certs_len); + if (IS_ERR(plat_certs)) { + ret = PTR_ERR(plat_certs); + goto e_free_pdh; + } + + amd_certs = psp_copy_user_blob(params.amd_certs_uaddr, + params.amd_certs_len); + if (IS_ERR(amd_certs)) { + ret = PTR_ERR(amd_certs); + goto e_free_plat_cert; + } + + data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT); + if (data == NULL) { + ret = -ENOMEM; + goto e_free_amd_cert; + } + + /* populate the FW SEND_START field with system physical address */ + data->pdh_cert_address = __psp_pa(pdh_cert); + data->pdh_cert_len = params.pdh_cert_len; + data->plat_certs_address = __psp_pa(plat_certs); + data->plat_certs_len = params.plat_certs_len; + data->amd_certs_address = __psp_pa(amd_certs); + data->amd_certs_len = params.amd_certs_len; + data->session_address = __psp_pa(session_data); + data->session_len = params.session_len; + data->handle = sev->handle; + + ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, data, &argp->error); + + if (copy_to_user((void __user *)(uintptr_t) params.session_uaddr, + session_data, params.session_len)) { + ret = -EFAULT; + goto e_free; + } + + params.policy = data->policy; + params.session_len = data->session_len; + if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, + sizeof(struct kvm_sev_send_start))) + ret = -EFAULT; + +e_free: + kfree(data); +e_free_amd_cert: + kfree(amd_certs); +e_free_plat_cert: + kfree(plat_certs); +e_free_pdh: + kfree(pdh_cert); +e_free_session: + kfree(session_data); + return ret; +} + static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) { struct kvm_sev_cmd sev_cmd; @@ -7181,6 +7303,9 @@ static int svm_mem_enc_op(struct kvm *kvm, void __user *argp) case KVM_SEV_LAUNCH_SECRET: r = sev_launch_secret(kvm, &sev_cmd); break; + case KVM_SEV_SEND_START: + r = sev_send_start(kvm, &sev_cmd); + break; default: r = -EINVAL; goto out; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 5167bf2bfc75..9f63b9d48b63 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h @@ -323,11 +323,11 @@ struct sev_data_send_start { u64 pdh_cert_address; /* In */ u32 pdh_cert_len; /* In */ u32 reserved1; - u64 plat_cert_address; /* In */ - u32 plat_cert_len; /* In */ + u64 plat_certs_address; /* In */ + u32 plat_certs_len; /* In */ u32 reserved2; - u64 amd_cert_address; /* In */ - u32 amd_cert_len; /* In */ + u64 amd_certs_address; /* In */ + u32 amd_certs_len; /* In */ u32 reserved3; u64 session_address; /* In */ u32 session_len; /* In/Out */ diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h index 4b95f9a31a2f..17bef4c245e1 100644 --- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -1558,6 +1558,18 @@ struct kvm_sev_dbg { __u32 len; }; +struct kvm_sev_send_start { + __u32 policy; + __u64 pdh_cert_uaddr; + __u32 pdh_cert_len; + __u64 plat_certs_uaddr; + __u32 plat_certs_len; + __u64 amd_certs_uaddr; + __u32 amd_certs_len; + __u64 session_uaddr; + __u32 session_len; +}; + #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2)