From patchwork Wed Oct 4 13:13:53 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Brijesh Singh X-Patchwork-Id: 9984675 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6CC106038E for ; Wed, 4 Oct 2017 13:22:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 56E4528AFE for ; Wed, 4 Oct 2017 13:22:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4B4E128961; Wed, 4 Oct 2017 13:22:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3A6728AE6 for ; Wed, 4 Oct 2017 13:22:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752529AbdJDNWf (ORCPT ); Wed, 4 Oct 2017 09:22:35 -0400 Received: from mail-cys01nam02on0084.outbound.protection.outlook.com ([104.47.37.84]:31550 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752330AbdJDNPM (ORCPT ); Wed, 4 Oct 2017 09:15:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector1-amd-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=4Yf/NEWjt7BptDPVS/t6CXqfzMXvqPtFIUVuy1lYn8c=; b=Yk1LV1sYwsvZx0YNjhvgbnGHawyHczHEVU/EI9M9ZDHWDLj9W8gxzig0QwoHLcrMkNR4LUtVGFjG+wzjdxY6l5NvzseHD9mLavnXWBHrG9JVzHbkNNDAEnDYuXjLsp8xj/5oA0nuIKdF+wA2+9s0tRKpiSfBf3oAgh/SXmGMByc= Received: from ubuntu-010236106000.amd.com (165.204.78.1) by SN1PR12MB0160.namprd12.prod.outlook.com (10.162.3.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Wed, 4 Oct 2017 13:14:59 +0000 From: Brijesh Singh To: x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Brijesh Singh , Paolo Bonzini , =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= , Borislav Petkov , Herbert Xu , Gary Hook , Tom Lendacky , linux-crypto@vger.kernel.org Subject: [Part2 PATCH v5 12/31] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support Date: Wed, 4 Oct 2017 08:13:53 -0500 Message-Id: <20171004131412.13038-13-brijesh.singh@amd.com> X-Mailer: git-send-email 2.9.5 In-Reply-To: <20171004131412.13038-1-brijesh.singh@amd.com> References: <20171004131412.13038-1-brijesh.singh@amd.com> MIME-Version: 1.0 X-Originating-IP: [165.204.78.1] X-ClientProxiedBy: MWHPR2201CA0056.namprd22.prod.outlook.com (10.172.59.30) To SN1PR12MB0160.namprd12.prod.outlook.com (10.162.3.147) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 02470343-921b-479f-4063-08d50b29eb20 X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254152)(48565401081)(2017052603199)(201703131423075)(201703031133081)(201702281549075); SRVR:SN1PR12MB0160; X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0160; 3:XojHbML0xtOSiR+thkkb8f0o0LA7PbJZqXYlZcZwzERqFNsZQs9XsQx4xgA85ctEytkGjj4tc2UXLxBMpnbrZYZSHqDSnKUdF0nkB0s2RYqKSKHYw5Go8qT/XxjF8DnqIoTdqLF4hRGXDRujK1gqJ4fhpEoFBrGatJAlUVdS+Essl44Bg6v64p+D/QJaXtwHwlia+GmR/U/bZzNvS5PY8hQagoO/O7velzG7uL9/OZF5WxNH7Q6S+u3AJQmz/0zt; 25:khsnRvTMn/5FNbWokfr+5KDfNifXOCN1Utm5xSlJvsKslH00Ov5o/LGcTHF0U0TTdoaklHhGPbwurvx38uTxtaZhyBW4AFMpkNOcr7tiysY/Jqv04LkPLI4ar+xzKrWQzxL3tQQtOYbRLLr2gy3u20quSvMvLfup8wGH0inygJQhWSwfQfHGGWFd2ztIde22mgxEuOMfa7nVNM0woAkpi5ctuLhSu3Acv43m7NOkgdZMXAt/CL6LiNtMvaBA9SrWlKKL2VSiVwH/29ktngksg8qfNQ37A33XqjsT4GcqkVl1k1ijIXmAFKU1fdfNlHkar3Ww47aZFP1L/ck+yLsSgg==; 31:2LshT83n3Ufrx5JywVPKi3m3tqHyxMl8tet7dBBO7P79pKT4OSexv98bUSZrIdeydFC8GVLhWwzt04sJRyoBq+2mDkrd6yq+2F6ylIgLQTUbffe9vUTMBatkyB8p2I3TG0Iq7Fxybqt9s/QDVW2kXcNZ6h6PoJC6ljod0k2ErwaRAUCDQrPNXU1Cuyb2gPYB6jb/lQ/41/xyTVNM1vY7f/K0A8EuH5J+tk9DivKu7wA= X-MS-TrafficTypeDiagnostic: SN1PR12MB0160: X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0160; 20:KtLPsJCa0HDcI2mThcXp9flRBB5UroyJW+q+8DHhOB9GUCmwa44UOheB2hGTwzxWDNkS15eXh9S4n+a+yoNWD8ViyyfSBzJUDuA1xo/GJIMJOxpjTrGaD7JfjV3OLkWmyL/oQP6VRIBjfKrHxymuCUWjTvz3wXuY1i6/69sq8xsY8Fn8l1Wiy1R6DRJtDpD/XYQ5+43bVQG5kyRUB4ZuwgifMcAra9y5/lUPP4L53j/cPBuJ57eHTodPwP9gr7Ruew8i/IDtzeWmCPhpW9dlEVjPsIud+ryL2HG8bC/+wrgsp/Yli/etebOaZXnzI0GQISzdkGYGvfiZquOazGzXyL0QaGKhmKKgQo4ocpQyQIjJOQkUDQp8pjPJ7QntVyBpr+COBodCWnUCeK7BDK2Sc9EX7TLeegb6/tTnWBlEn6G1Wy0ksZuTgT/nvDkXDEdVzWoguA504ReD2QlLXMuM+Lt/BN18VCwgrUFR82yhftbu8STTKBHDn/861j7NKqI3; 4:KloVIYHRfKIFHZro3qrmlZ8ISzI6ugIiaedh2jTMFxld8Vo++9OuXnar3ps6Rz8kD6oKz7ordZXWJ/92BHJTOS+YXclQlLhCLpmBN2ViAA3N77TvcavLCgqLJPmz4mycqX1xCppVjuL5A7tfw+/ez+0JljO6ssgXLGPLOrRH6ka5j4UZLnKABWZA+kRkppPeMERgIglpynOd+IKjsZ9WQlrn2CgtgBoX65ftRqqPjKdjwL1Wu7jzhZ3qaksj+doaAcPYw8GkPvN7RT1xP3JHi54wvsMNfh8OE3ROTup8307UP5TkCBn4WbqGHYbLitWr/oSmgts2tu7jLYzXhl2gvg== X-Exchange-Antispam-Report-Test: UriScan:(9452136761055)(767451399110); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(3002001)(93006095)(93001095)(10201501046)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:SN1PR12MB0160; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:SN1PR12MB0160; X-Forefront-PRVS: 0450A714CB X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(39860400002)(346002)(376002)(199003)(189002)(575784001)(97736004)(6306002)(86362001)(23676002)(76176999)(53936002)(50986999)(53946003)(1076002)(6116002)(3846002)(478600001)(36756003)(47776003)(101416001)(33646002)(6486002)(66066001)(189998001)(68736007)(105586002)(53416004)(50466002)(4326008)(54906003)(8936002)(305945005)(6666003)(2870700001)(81166006)(966005)(5660300001)(81156014)(25786009)(2906002)(8676002)(7736002)(2950100002)(50226002)(106356001)(316002)(16526018)(2004002)(134885004); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR12MB0160; H:ubuntu-010236106000.amd.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=brijesh.singh@amd.com; X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtTTjFQUjEyTUIwMTYwOzIzOktFbUV4c2lIaDA4UTloUHBDbkdSRVVKRFVh?= =?utf-8?B?WnAyY09Hc3RzMWdwTmM0cHBhdVBHK1ZQRkR1L2YvbEx5TG9XZ1h2QTNoZ1dw?= =?utf-8?B?MHB6MFMxd1NVSHp5d1VNVHF5Q2w1TnA3QUlOVUdMMFQvRmQ2anRSRGdvckNa?= =?utf-8?B?ZHNNU1ZkaW55WDdVM1lHR0x4bGtZd21BWmZIWmlVWnB4Q0lnVVFYbCtudCtV?= =?utf-8?B?WGJCbFltemJPK2pkamVidWF5czZsc3phTlJzcTZGTEhuWVc4aXNLWXBlR3g1?= =?utf-8?B?L2tWdE1VUzVmVWs0RjVyM09xdHYveW5tV3NCMjFFSERiRGNZRkFwWXN5RlhT?= =?utf-8?B?NW5ZNnhNUlorbjBrVUtBR3JaN3U5dm52aGtRRUo2VFlPMUM3bUd1WTlTM28v?= =?utf-8?B?RFJJT3dZcEJYNStzeHJOekdXK2JIK3JXNXhmclFweTlKYVVWN29TRmowbG9E?= =?utf-8?B?UUVWUENHY1lXdG1OM0ZBeVBZclVpY1grSm5hdzdVS0tLemRPSVlEWEdtbTBi?= =?utf-8?B?STZ4OHBhSmJVR25NRkxwSjUxNnFRRXZpZHlkdTBlUmRFR3hGVlBVYiswWHpp?= =?utf-8?B?ZGR4MHZXOWFXWDJtdkdBVmhYOWc2YnJueHgvenIzQm5HeGpycUQ1NmxWOVNS?= =?utf-8?B?TlJpc3JtNXdzNzJuODEvK25PSTNndzE3Tm9ybERwaDNMZ3BHZUtYY0tvdTZu?= =?utf-8?B?WEFYaGZJaXgvenBSU1BqV0dYZDBKd1VCL3ZKVkVhMUdYNXU1WUNHWVowY0xL?= =?utf-8?B?c0ExVXdqWFMrU1M1aFBHMytSTkljTXlWMHdDakhISUF2a3ZESkUxM2l6ZTZB?= =?utf-8?B?WVVEcllrV3Vsd0gxNjVtTjhCRkx4TTF0MWFTYWdIU0JQaElYRXg5OFpRODFU?= =?utf-8?B?WUcraDY3TjJaTXdTdHZJZ2JrWDNVWStndG9mL0VvSXVWN1JZRUQ1ak5jZWpT?= =?utf-8?B?WVRKaC9HVURESnNZeEJFcUduOTNrTVJ5d1NFK3l0U29zcmtBN0NyeUpFTmln?= =?utf-8?B?dFAyMnU1VWhaMDNMRVF5YWJCazFabkRkY1BDaDV1b3NyQzJuZHlZNkFqejVr?= =?utf-8?B?ZjcxTlpIK092Zm4wSituUzNDbE9GdFRlZjFPS0dNUGdHaDBqN3ZVaVN6YjNZ?= =?utf-8?B?UHNvYmQwNWZVeE1mb2piOFh5bzZMdlU4MVVkSFJRK1UwN2NIdFpFZjBDNDI1?= =?utf-8?B?SnNYQ2dOQjE0c0VJK0RjUWQ0K1ZpSXdibHlxZUt6bjZ6dWM0VFJLRFNFVERt?= =?utf-8?B?a1h3azhHWjhDRkhHSGpzMENoSThnOURZUVg0dWhzRllHb2hHdXFscU5qOWtC?= =?utf-8?B?eExDV25XZ1BWVEdMbjRPc04zUVFHR3pyR1ZaK1NZbkR6VGpmREg4eS9BRjd3?= =?utf-8?B?YWZHUnZHOUFJd1JVcEhTRHc3NndJbDI3QlZYTGt6STRmcUdDbERkcjBmMFFR?= =?utf-8?B?cHBpdWZMRTNRWEloZERWN0tNaENYMmJycktkTkZjUUlnc0NGaDFlL0VWQW82?= =?utf-8?B?N2Q5QTRxeUQ0Nzg1RDh2bElEQWpHRldGdHNCb3Y3RXplR0ZlNmk0MWxNcFhE?= =?utf-8?Q?//fPty1X1IJyHeXUX9xQsYejC7jsoxnXbLp1jdAwTX90=3D?= X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0160; 6:S8t2glfGZQzDGUkJ3XvHbINbydIyIUoFGjwBLImgHGtzdSvx+nAN8YPzEKpJGxyctphM314912W5kM349tiz9RLhQQEP0IKKuYCwdU30jhw3zXqEVQjK19u3wzz98WqLZSqhjkX+uCJVH5oKBYe/dwbL44YwXystZ6d4EqYRH4lMq8kvkCFODetPomPs9FkAfdoFATnbWlmRdistEipPZplZJbkKPJs/raizGQMhamWsBOJI7POVwQlRD2DR7Z/JlKh2BwaeZDs0CYpVzLQu4OdiL09uTpaSDC1GBPUtsUvsXK6OevZg/CsQrkDiaHUw7CqJcg7KWS4c2ElfeL6TFg==; 5:KAKbeJ6O1YVshZ0YS7npeG5D8neCl1rVDHEQWSRrmq1duGW+gwDOGKAavy5dirlxP6J6tM/hGNT+gHylQ5c0cz12To31dk81Jes2/WHI1TWcnCeHnb3CCsP8mtEwcI04JM8OddD7jOJpY/5dJCQxPA==; 24:M0D/GERSPEMjivhvdbIukSAOC7tZfrYDqsaI0WmghM47vYAzdFqaeLCKwMGs3gjil8ZC6YvlZcsL75MvSFWHXyGEH3AokB+Im+OhPwRPYsw=; 7:Byw0hdU95iQtA0K1cCXfkWCS4h0k8XaUVV+Q3mHYW66LvXv38o0MhNjyDMjxd6vu+iamSGh8GOmWPFCzgeiCGKIye6kXsZbm022XDUgbXT/kv1biYxSsq01Apn0Tbt495bC3Ft3mH3YyH6IlduSxym18Z0k031ZQK9RtaRxbB7RDlMu2kUF8T+j24LhKDSV2tUQBLjJpJFQ8NUgKXCfOI0VCPZsMJLKODq/5I9IIg1Y= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0160; 20:PFKTbqQy6EswWe5YchDrxeIQd6luqJsv+01we6x+WFqaO2dVukTHpsD9+YrKzmmMthT0aBojf3R4Oho+sb370Hwhy+JBgl7QAM4VFR4DVBY7IfXt1VAJ4LmQOWF0TS1aKwKgIfMl6aPlQQgq2OnnODemVjCBVbc4eH5/jRXW5RVzR8uxu5U0bOiGDJHaCp6Gj8xHsS9GaXFiZspFP6sWBVDERXdamBLV75ce2ME39Z0AUIpHAEOhREW/oJikJRIk X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2017 13:14:59.4430 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB0160 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP AMDs new Secure Encrypted Virtualization (SEV) feature allows the memory contents of a virtual machines to be transparently encrypted with a key unique to the guest VM. The programming and management of the encryption keys are handled by the AMD Secure Processor (AMD-SP), which exposes the commands for these tasks. The complete spec is available at: http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Extend the AMD-SP driver to provide the following support: - an in-kernel APIs to communicate with a SEV firmware. The APIs can be used by the hypervisor to create encryption context for the SEV guests. - a userspace IOCTL to manage the platform certificates Cc: Paolo Bonzini Cc: "Radim Krčmář" Cc: Borislav Petkov Cc: Herbert Xu Cc: Gary Hook Cc: Tom Lendacky Cc: linux-crypto@vger.kernel.org Cc: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Brijesh Singh --- drivers/crypto/ccp/psp-dev.c | 734 +++++++++++++++++++++++++++++++++++++++++++ drivers/crypto/ccp/psp-dev.h | 17 + include/linux/psp-sev.h | 159 ++++++++++ include/uapi/linux/psp-sev.h | 116 +++++++ 4 files changed, 1026 insertions(+) create mode 100644 include/uapi/linux/psp-sev.h diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c index 7480d4316239..1b87a699bd3f 100644 --- a/drivers/crypto/ccp/psp-dev.c +++ b/drivers/crypto/ccp/psp-dev.c @@ -23,9 +23,20 @@ #include #include +#include + #include "sp-dev.h" #include "psp-dev.h" +#define DEVICE_NAME "sev" + +static unsigned int sev_poll; +module_param(sev_poll, uint, 0444); +MODULE_PARM_DESC(sev_poll, "Poll for sev command completion - any non-zero value"); + +DEFINE_MUTEX(sev_cmd_mutex); +static bool sev_fops_registered; + const struct psp_vdata psp_entry = { .offset = 0x10500, }; @@ -49,9 +60,725 @@ static struct psp_device *psp_alloc_struct(struct sp_device *sp) static irqreturn_t psp_irq_handler(int irq, void *data) { + struct psp_device *psp = data; + unsigned int status; + + /* read the interrupt status */ + status = ioread32(psp->io_regs + PSP_P2CMSG_INTSTS); + + /* check if its command completion */ + if (status & (1 << PSP_CMD_COMPLETE_REG)) { + int reg; + + /* check if its SEV command completion */ + reg = ioread32(psp->io_regs + PSP_CMDRESP); + if (reg & PSP_CMDRESP_RESP) { + psp->sev_int_rcvd = 1; + wake_up(&psp->sev_int_queue); + } + } + + /* clear the interrupt status by writing 1 */ + iowrite32(status, psp->io_regs + PSP_P2CMSG_INTSTS); + return IRQ_HANDLED; } +static int sev_wait_cmd_poll(struct psp_device *psp, unsigned int timeout, + unsigned int *reg) +{ + int wait = timeout * 10; /* 100ms sleep => timeout * 10 */ + + while (--wait) { + msleep(100); + + *reg = ioread32(psp->io_regs + PSP_CMDRESP); + if (*reg & PSP_CMDRESP_RESP) + break; + } + + if (!wait) { + dev_err(psp->dev, "sev command timed out\n"); + return -ETIMEDOUT; + } + + return 0; +} + +static int sev_wait_cmd_ioc(struct psp_device *psp, unsigned int *reg) +{ + psp->sev_int_rcvd = 0; + + wait_event(psp->sev_int_queue, psp->sev_int_rcvd); + *reg = ioread32(psp->io_regs + PSP_CMDRESP); + + return 0; +} + +static int sev_wait_cmd(struct psp_device *psp, unsigned int *reg) +{ + return (*reg & PSP_CMDRESP_IOC) ? sev_wait_cmd_ioc(psp, reg) + : sev_wait_cmd_poll(psp, 10, reg); +} + +static int sev_cmd_buffer_len(int cmd) +{ + switch (cmd) { + case SEV_CMD_INIT: return sizeof(struct sev_data_init); + case SEV_CMD_PLATFORM_STATUS: return sizeof(struct sev_data_status); + case SEV_CMD_PEK_CSR: return sizeof(struct sev_data_pek_csr); + case SEV_CMD_PEK_CERT_IMPORT: return sizeof(struct sev_data_pek_cert_import); + case SEV_CMD_PDH_CERT_EXPORT: return sizeof(struct sev_data_pdh_cert_export); + case SEV_CMD_LAUNCH_START: return sizeof(struct sev_data_launch_start); + case SEV_CMD_LAUNCH_UPDATE_DATA: return sizeof(struct sev_data_launch_update_data); + case SEV_CMD_LAUNCH_UPDATE_VMSA: return sizeof(struct sev_data_launch_update_vmsa); + case SEV_CMD_LAUNCH_FINISH: return sizeof(struct sev_data_launch_finish); + case SEV_CMD_LAUNCH_MEASURE: return sizeof(struct sev_data_launch_measure); + case SEV_CMD_ACTIVATE: return sizeof(struct sev_data_activate); + case SEV_CMD_DEACTIVATE: return sizeof(struct sev_data_deactivate); + case SEV_CMD_DECOMMISSION: return sizeof(struct sev_data_decommission); + case SEV_CMD_GUEST_STATUS: return sizeof(struct sev_data_guest_status); + case SEV_CMD_DBG_DECRYPT: return sizeof(struct sev_data_dbg); + case SEV_CMD_DBG_ENCRYPT: return sizeof(struct sev_data_dbg); + case SEV_CMD_SEND_START: return sizeof(struct sev_data_send_start); + case SEV_CMD_SEND_UPDATE_DATA: return sizeof(struct sev_data_send_update_data); + case SEV_CMD_SEND_UPDATE_VMSA: return sizeof(struct sev_data_send_update_vmsa); + case SEV_CMD_SEND_FINISH: return sizeof(struct sev_data_send_finish); + case SEV_CMD_RECEIVE_START: return sizeof(struct sev_data_receive_start); + case SEV_CMD_RECEIVE_FINISH: return sizeof(struct sev_data_receive_finish); + case SEV_CMD_RECEIVE_UPDATE_DATA: return sizeof(struct sev_data_receive_update_data); + case SEV_CMD_RECEIVE_UPDATE_VMSA: return sizeof(struct sev_data_receive_update_vmsa); + case SEV_CMD_LAUNCH_UPDATE_SECRET: return sizeof(struct sev_data_launch_secret); + default: return 0; + } + + return 0; +} + +static int sev_handle_cmd(int cmd, void *data, int *psp_ret) +{ + struct sp_device *sp = sp_get_psp_master_device(); + unsigned int phys_lsb, phys_msb; + struct psp_device *psp = sp->psp_data; + unsigned int reg, ret; + + if (!psp) + return -ENODEV; + + /* Get the physical address of the command buffer */ + phys_lsb = data ? lower_32_bits(__psp_pa(data)) : 0; + phys_msb = data ? upper_32_bits(__psp_pa(data)) : 0; + + dev_dbg(psp->dev, "sev command id %#x buffer 0x%08x%08x\n", + cmd, phys_msb, phys_lsb); + print_hex_dump_debug("(in): ", DUMP_PREFIX_OFFSET, 16, 2, data, + sev_cmd_buffer_len(cmd), false); + + /* Only one command at a time... */ + mutex_lock(&sev_cmd_mutex); + + iowrite32(phys_lsb, psp->io_regs + PSP_CMDBUFF_ADDR_LO); + iowrite32(phys_msb, psp->io_regs + PSP_CMDBUFF_ADDR_HI); + + reg = cmd; + reg <<= PSP_CMDRESP_CMD_SHIFT; + reg |= sev_poll ? 0 : PSP_CMDRESP_IOC; + iowrite32(reg, psp->io_regs + PSP_CMDRESP); + + ret = sev_wait_cmd(psp, ®); + if (ret) + goto unlock; + + if (psp_ret) + *psp_ret = reg & PSP_CMDRESP_ERR_MASK; + + if (reg & PSP_CMDRESP_ERR_MASK) { + dev_dbg(psp->dev, "sev command %#x failed (%#010x)\n", + cmd, reg & PSP_CMDRESP_ERR_MASK); + ret = -EIO; + } + +unlock: + mutex_unlock(&sev_cmd_mutex); + print_hex_dump_debug("(out): ", DUMP_PREFIX_OFFSET, 16, 2, data, + sev_cmd_buffer_len(cmd), false); + return ret; +} + +static int sev_platform_get_state(int *state, int *error) +{ + struct sev_data_status *data; + int ret; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + ret = sev_handle_cmd(SEV_CMD_PLATFORM_STATUS, data, error); + if (!ret) + *state = data->state; + + kfree(data); + return ret; +} + +static int sev_firmware_init(int *error) +{ + struct sev_data_init *data; + int rc; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + rc = sev_handle_cmd(SEV_CMD_INIT, data, error); + + kfree(data); + return rc; +} + +static inline int sev_ioctl_factory_reset(struct sev_issue_cmd *argp) +{ + return sev_handle_cmd(SEV_CMD_FACTORY_RESET, 0, &argp->error); +} + +static int sev_ioctl_platform_status(struct sev_issue_cmd *argp) +{ + struct sev_user_data_status out; + struct sev_data_status *data; + int ret; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + ret = sev_handle_cmd(SEV_CMD_PLATFORM_STATUS, data, &argp->error); + if (ret) + goto e_free; + + out.api_major = data->api_major; + out.api_minor = data->api_minor; + out.state = data->state; + out.owner = data->owner; + out.config = data->config; + out.build = data->build; + out.guest_count = data->guest_count; + if (copy_to_user((void __user *)(uintptr_t) argp->data, + &out, sizeof(struct sev_user_data_status))) { + ret = -EFAULT; + goto e_free; + } + +e_free: + kfree(data); + return ret; +} + +static void *copy_user_blob(u64 __user uaddr, u32 len) +{ + void *data; + + if (!uaddr || !len) + return ERR_PTR(-EINVAL); + + /* verify that blob length does not exceed our limit */ + if (len > SEV_FW_BLOB_MAX_SIZE) + return ERR_PTR(-EINVAL); + + data = kmalloc(len, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(data, (void __user *)(uintptr_t)uaddr, len)) + goto e_free; + + return data; + +e_free: + kfree(data); + return ERR_PTR(-EFAULT); +} + +static int sev_ioctl_pek_csr(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pek_csr input; + struct sev_data_pek_csr *data; + int do_shutdown = 0; + int ret, state; + void *blob; + + if (copy_from_user(&input, (void __user *)(uintptr_t)argp->data, + sizeof(struct sev_user_data_pek_csr))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + + /* copy the PEK certificate blob from userspace */ + blob = NULL; + if (input.address) { + blob = copy_user_blob(input.address, input.length); + if (IS_ERR(blob)) { + ret = PTR_ERR(blob); + goto e_free; + } + + data->address = __psp_pa(blob); + data->len = input.length; + } + + ret = sev_platform_get_state(&state, &argp->error); + if (ret) + goto e_free_blob; + + /* + * PEK_CERT command can be issued only when we are in INIT state. + * if current state is WORKING then reject it, if state is UNINIT + * then transition the platform to INIT state before issuing the + * command. + */ + if (state == SEV_STATE_WORKING) { + ret = -EBUSY; + goto e_free_blob; + } else if (state == SEV_STATE_UNINIT) { + ret = sev_firmware_init(&argp->error); + if (ret) + goto e_free_blob; + do_shutdown = 1; + } + + ret = sev_handle_cmd(SEV_CMD_PEK_CSR, data, &argp->error); + + input.length = data->len; + + if (copy_to_user((void __user *)(uintptr_t)argp->data, &input, + sizeof(struct sev_user_data_pek_csr))) + ret = -EFAULT; + + /* transition the plaform into INIT state */ + if (do_shutdown) + sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL); + +e_free_blob: + kfree(blob); +e_free: + kfree(data); + return ret; +} + +static int sev_ioctl_pdh_gen(struct sev_issue_cmd *argp) +{ + int ret, state, do_shutdown = 0; + + /* + * PDH_GEN command can be issued when platform is in INIT or WORKING + * state. If we are in UNINIT state then transition into INIT state + * before issuing the command. + */ + ret = sev_platform_get_state(&state, &argp->error); + if (ret) + return ret; + + if (state == SEV_STATE_UNINIT) { + /* transition the plaform into INIT state */ + ret = sev_firmware_init(&argp->error); + if (ret) + return ret; + do_shutdown = 1; + } + + ret = sev_handle_cmd(SEV_CMD_PDH_GEN, 0, &argp->error); + + if (do_shutdown) + sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL); + + return ret; +} + +static int sev_ioctl_pek_gen(struct sev_issue_cmd *argp) +{ + int do_shutdown = 0; + int ret, state; + + /* + * PEK_GEN command can be issued only when firmware is in INIT state. + * If firmware is in UNINIT state then we transition it into INIT state + * and issue the command. + */ + ret = sev_platform_get_state(&state, &argp->error); + if (ret) + return ret; + + if (state == SEV_STATE_WORKING) { + return -EBUSY; + } else if (state == SEV_STATE_UNINIT) { + /* transition the plaform into INIT state */ + ret = sev_firmware_init(&argp->error); + if (ret) + return ret; + + do_shutdown = 1; + } + + ret = sev_handle_cmd(SEV_CMD_PEK_GEN, 0, &argp->error); + + if (do_shutdown) + sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL); + + return ret; +} + +static int sev_ioctl_pek_cert_import(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pek_cert_import input; + struct sev_data_pek_cert_import *data; + int ret, state, do_shutdown = 0; + void *pek_blob, *oca_blob; + + if (copy_from_user(&input, (void __user *)(uintptr_t) argp->data, + sizeof(struct sev_user_data_pek_cert_import))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* copy PEK certificate blobs from userspace */ + pek_blob = copy_user_blob(input.pek_cert_address, input.pek_cert_len); + if (IS_ERR(pek_blob)) { + ret = PTR_ERR(pek_blob); + goto e_free; + } + + data->pek_cert_address = __psp_pa(pek_blob); + data->pek_cert_len = input.pek_cert_len; + + /* copy PEK certificate blobs from userspace */ + oca_blob = copy_user_blob(input.oca_cert_address, input.oca_cert_len); + if (IS_ERR(oca_blob)) { + ret = PTR_ERR(oca_blob); + goto e_free_pek; + } + + data->oca_cert_address = __psp_pa(oca_blob); + data->oca_cert_len = input.oca_cert_len; + + ret = sev_platform_get_state(&state, &argp->error); + if (ret) + goto e_free_oca; + + /* + * PEK_CERT_IMPORT command can be issued only when platform is in INIT + * state. If we are in UNINIT state then transition into INIT state + * before issuing the command. + */ + if (state == SEV_STATE_WORKING) { + ret = -EBUSY; + goto e_free_oca; + } else if (state == SEV_STATE_UNINIT) { + /* transition platform init INIT state */ + ret = sev_firmware_init(&argp->error); + if (ret) + goto e_free_oca; + do_shutdown = 1; + } + + ret = sev_handle_cmd(SEV_CMD_PEK_CERT_IMPORT, data, &argp->error); + + if (do_shutdown) + sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL); + +e_free_oca: + kfree(oca_blob); +e_free_pek: + kfree(pek_blob); +e_free: + kfree(data); + return ret; +} + +static int sev_ioctl_pdh_cert_export(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pdh_cert_export input; + struct sev_data_pdh_cert_export *data; + int ret, state, need_shutdown = 0; + void *pdh_blob, *cert_blob; + + if (copy_from_user(&input, (void __user *)(uintptr_t)argp->data, + sizeof(struct sev_user_data_pdh_cert_export))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + pdh_blob = NULL; + if (input.pdh_cert_address) { + if (!access_ok(VERIFY_WRITE, input.pdh_cert_address, + input.pdh_cert_len)) { + ret = -EFAULT; + goto e_free; + } + + if (input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE) { + ret = -EINVAL; + goto e_free; + } + + pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL); + if (!pdh_blob) { + ret = -ENOMEM; + goto e_free; + } + + data->pdh_cert_address = __psp_pa(pdh_blob); + data->pdh_cert_len = input.pdh_cert_len; + } + + cert_blob = NULL; + if (input.cert_chain_address) { + if (!access_ok(VERIFY_WRITE, input.cert_chain_address, + input.cert_chain_len)) { + ret = -EFAULT; + goto e_free_pdh; + } + + if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) { + ret = -EINVAL; + goto e_free_pdh; + } + + cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL); + if (!cert_blob) { + ret = -ENOMEM; + goto e_free_pdh; + } + + data->cert_chain_address = __psp_pa(cert_blob); + data->cert_chain_len = input.cert_chain_len; + } + + ret = sev_platform_get_state(&state, &argp->error); + if (ret) + goto e_free_cert; + + /* + * CERT_EXPORT command can be issued in INIT or WORKING state. + * If we are in UNINIT state then transition into INIT state and + * shutdown before exiting. But if platform is in WORKING state + * then EXPORT the certificate but do not shutdown the platform. + */ + if (state == SEV_STATE_UNINIT) { + ret = sev_firmware_init(&argp->error); + if (ret) + goto e_free_cert; + + need_shutdown = 1; + } + + ret = sev_handle_cmd(SEV_CMD_PDH_CERT_EXPORT, data, &argp->error); + + input.cert_chain_len = data->cert_chain_len; + input.pdh_cert_len = data->pdh_cert_len; + + /* copy certificate length to userspace */ + if (copy_to_user((void __user *)(uintptr_t)argp->data, &input, + sizeof(struct sev_user_data_pdh_cert_export))) + ret = -EFAULT; + + if (ret) + goto e_shutdown; + + /* copy PDH certificate to userspace */ + if (pdh_blob && + copy_to_user((void __user *)(uintptr_t)input.pdh_cert_address, + pdh_blob, input.pdh_cert_len)) { + ret = -EFAULT; + goto e_shutdown; + } + + /* copy certificate chain to userspace */ + if (cert_blob && + copy_to_user((void __user *)(uintptr_t)input.cert_chain_address, + cert_blob, input.cert_chain_len)) { + ret = -EFAULT; + goto e_shutdown; + } + +e_shutdown: + if (need_shutdown) + sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL); +e_free_cert: + kfree(cert_blob); +e_free_pdh: + kfree(pdh_blob); +e_free: + kfree(data); + return ret; +} + +static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) +{ + void __user *argp = (void __user *)arg; + struct sev_issue_cmd input; + int ret = -EFAULT; + + if (ioctl != SEV_ISSUE_CMD) + return -EINVAL; + + if (copy_from_user(&input, argp, sizeof(struct sev_issue_cmd))) + return -EFAULT; + + if (input.cmd > SEV_CMD_MAX) + return -EINVAL; + + switch (input.cmd) { + + case SEV_USER_CMD_FACTORY_RESET: { + ret = sev_ioctl_factory_reset(&input); + break; + } + case SEV_USER_CMD_PLATFORM_STATUS: { + ret = sev_ioctl_platform_status(&input); + break; + } + case SEV_USER_CMD_PEK_GEN: { + ret = sev_ioctl_pek_gen(&input); + break; + } + case SEV_USER_CMD_PDH_GEN: { + ret = sev_ioctl_pdh_gen(&input); + break; + } + case SEV_USER_CMD_PEK_CSR: { + ret = sev_ioctl_pek_csr(&input); + break; + } + case SEV_USER_CMD_PEK_CERT_IMPORT: { + ret = sev_ioctl_pek_cert_import(&input); + break; + } + case SEV_USER_CMD_PDH_CERT_EXPORT: { + ret = sev_ioctl_pdh_cert_export(&input); + break; + } + default: + ret = -EINVAL; + break; + } + + if (copy_to_user(argp, &input, sizeof(struct sev_issue_cmd))) + ret = -EFAULT; + + return ret; +} + + +const struct file_operations sev_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = sev_ioctl, +}; + +int sev_platform_init(struct sev_data_init *data, int *error) +{ + return sev_handle_cmd(SEV_CMD_INIT, data, error); +} +EXPORT_SYMBOL_GPL(sev_platform_init); + +int sev_platform_shutdown(int *error) +{ + return sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, error); +} +EXPORT_SYMBOL_GPL(sev_platform_shutdown); + +int sev_platform_status(struct sev_data_status *data, int *error) +{ + return sev_handle_cmd(SEV_CMD_PLATFORM_STATUS, data, error); +} +EXPORT_SYMBOL_GPL(sev_platform_status); + +int sev_issue_cmd_external_user(struct file *filep, unsigned int cmd, + void *data, int *error) +{ + if (!filep || filep->f_op != &sev_fops) + return -EBADF; + + return sev_handle_cmd(cmd, data, error); +} +EXPORT_SYMBOL_GPL(sev_issue_cmd_external_user); + +int sev_guest_deactivate(struct sev_data_deactivate *data, int *error) +{ + return sev_handle_cmd(SEV_CMD_DEACTIVATE, data, error); +} +EXPORT_SYMBOL_GPL(sev_guest_deactivate); + +int sev_guest_activate(struct sev_data_activate *data, int *error) +{ + return sev_handle_cmd(SEV_CMD_ACTIVATE, data, error); +} +EXPORT_SYMBOL_GPL(sev_guest_activate); + +int sev_guest_decommission(struct sev_data_decommission *data, int *error) +{ + return sev_handle_cmd(SEV_CMD_DECOMMISSION, data, error); +} +EXPORT_SYMBOL_GPL(sev_guest_decommission); + +int sev_guest_df_flush(int *error) +{ + return sev_handle_cmd(SEV_CMD_DF_FLUSH, 0, error); +} +EXPORT_SYMBOL_GPL(sev_guest_df_flush); + +static int sev_ops_init(struct psp_device *psp) +{ + struct miscdevice *misc = &psp->sev_misc; + int ret = 0; + + /* + * SEV feature support can be detected on the multiple devices but the + * SEV FW commands must be issued on the master. During probe time we + * do not know the master hence we create /dev/sev on the first device + * probe. sev_handle_cmd() finds the right master device to when issuing + * the command to the firmware. + */ + if (!sev_fops_registered) { + misc->minor = MISC_DYNAMIC_MINOR; + misc->name = DEVICE_NAME; + misc->fops = &sev_fops; + + ret = misc_register(misc); + if (!ret) { + sev_fops_registered = true; + psp->has_sev_fops = true; + init_waitqueue_head(&psp->sev_int_queue); + dev_info(psp->dev, "registered SEV device\n"); + } + } + + return ret; +} + +static int sev_init(struct psp_device *psp) +{ + /* Check if device supports SEV feature */ + if (!(ioread32(psp->io_regs + PSP_FEATURE_REG) & 1)) { + dev_dbg(psp->dev, "device does not support SEV\n"); + return 1; + } + + return sev_ops_init(psp); +} + +static void sev_exit(struct psp_device *psp) +{ + if (psp->has_sev_fops) + misc_deregister(&psp->sev_misc); +} + int psp_dev_init(struct sp_device *sp) { struct device *dev = sp->dev; @@ -88,11 +815,17 @@ int psp_dev_init(struct sp_device *sp) if (sp->set_psp_master_device) sp->set_psp_master_device(sp); + ret = sev_init(psp); + if (ret) + goto e_irq; + /* Enable interrupt */ iowrite32(-1, psp->io_regs + PSP_P2CMSG_INTEN); return 0; +e_irq: + sp_free_psp_irq(psp->sp, psp); e_err: sp->psp_data = NULL; @@ -105,5 +838,6 @@ void psp_dev_destroy(struct sp_device *sp) { struct psp_device *psp = sp->psp_data; + sev_exit(psp); sp_free_psp_irq(sp, psp); } diff --git a/drivers/crypto/ccp/psp-dev.h b/drivers/crypto/ccp/psp-dev.h index d53970ef5960..51d3cd966eed 100644 --- a/drivers/crypto/ccp/psp-dev.h +++ b/drivers/crypto/ccp/psp-dev.h @@ -25,9 +25,21 @@ #include #include #include +#include +#include #include "sp-dev.h" +#define PSP_C2PMSG(_num) ((_num) << 2) +#define PSP_CMDRESP PSP_C2PMSG(32) +#define PSP_CMDBUFF_ADDR_LO PSP_C2PMSG(56) +#define PSP_CMDBUFF_ADDR_HI PSP_C2PMSG(57) +#define PSP_FEATURE_REG PSP_C2PMSG(63) + +#define PSP_P2CMSG(_num) (_num << 2) +#define PSP_CMD_COMPLETE_REG 1 +#define PSP_CMD_COMPLETE PSP_P2CMSG(PSP_CMD_COMPLETE_REG) + #define PSP_P2CMSG_INTEN 0x0110 #define PSP_P2CMSG_INTSTS 0x0114 @@ -54,6 +66,11 @@ struct psp_device { struct sp_device *sp; void __iomem *io_regs; + + unsigned int sev_int_rcvd; + wait_queue_head_t sev_int_queue; + bool has_sev_fops; + struct miscdevice sev_misc; }; extern const struct psp_vdata psp_entry; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index f01d0e3b09b8..ad7708803821 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h @@ -512,4 +512,163 @@ struct __attribute__((__packed__)) sev_data_dbg { u32 len; /* In */ }; +#if defined(CONFIG_CRYPTO_DEV_SP_PSP) + +/** + * sev_platform_init - perform SEV INIT command + * + * @init: sev_data_init structure to be processed + * @error: SEV command return code + * + * Returns: + * 0 if the SEV successfully processed the command + * -%ENODEV if the SEV device is not available + * -%ENOTSUPP if the SEV does not support SEV + * -%ETIMEDOUT if the SEV command timed out + * -%EIO if the SEV returned a non-zero return code + */ +int sev_platform_init(struct sev_data_init *init, int *error); + +/** + * sev_platform_shutdown - perform SEV SHUTDOWN command + * + * @error: SEV command return code + * + * Returns: + * 0 if the SEV successfully processed the command + * -%ENODEV if the SEV device is not available + * -%ENOTSUPP if the SEV does not support SEV + * -%ETIMEDOUT if the SEV command timed out + * -%EIO if the SEV returned a non-zero return code + */ +int sev_platform_shutdown(int *error); + +/** + * sev_platform_status - perform SEV PLATFORM_STATUS command + * + * @init: sev_data_status structure to be processed + * @error: SEV command return code + * + * Returns: + * 0 if the SEV successfully processed the command + * -%ENODEV if the SEV device is not available + * -%ENOTSUPP if the SEV does not support SEV + * -%ETIMEDOUT if the SEV command timed out + * -%EIO if the SEV returned a non-zero return code + */ +int sev_platform_status(struct sev_data_status *status, int *error); + +/** + * sev_issue_cmd_external_user - issue SEV command by other driver with a file + * handle. + * + * The function can be used by other drivers to issue a SEV command on + * behalf by userspace. The caller must pass a valid SEV file descriptor + * so that we know that caller has access to SEV device. + * + * @filep - SEV device file pointer + * @cmd - command to issue + * @data - command buffer + * @error: SEV command return code + * + * Returns: + * 0 if the SEV successfully processed the command + * -%ENODEV if the SEV device is not available + * -%ENOTSUPP if the SEV does not support SEV + * -%ETIMEDOUT if the SEV command timed out + * -%EIO if the SEV returned a non-zero return code + * -%EINVAL if the SEV file descriptor is not valid + */ +int sev_issue_cmd_external_user(struct file *filep, unsigned int id, + void *data, int *error); + +/** + * sev_guest_deactivate - perform SEV DEACTIVATE command + * + * @deactivate: sev_data_deactivate structure to be processed + * @sev_ret: sev command return code + * + * Returns: + * 0 if the sev successfully processed the command + * -%ENODEV if the sev device is not available + * -%ENOTSUPP if the sev does not support SEV + * -%ETIMEDOUT if the sev command timed out + * -%EIO if the sev returned a non-zero return code + */ +int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); + +/** + * sev_guest_activate - perform SEV ACTIVATE command + * + * @activate: sev_data_activate structure to be processed + * @sev_ret: sev command return code + * + * Returns: + * 0 if the sev successfully processed the command + * -%ENODEV if the sev device is not available + * -%ENOTSUPP if the sev does not support SEV + * -%ETIMEDOUT if the sev command timed out + * -%EIO if the sev returned a non-zero return code + */ +int sev_guest_activate(struct sev_data_activate *data, int *error); + +/** + * sev_guest_df_flush - perform SEV DF_FLUSH command + * + * @sev_ret: sev command return code + * + * Returns: + * 0 if the sev successfully processed the command + * -%ENODEV if the sev device is not available + * -%ENOTSUPP if the sev does not support SEV + * -%ETIMEDOUT if the sev command timed out + * -%EIO if the sev returned a non-zero return code + */ +int sev_guest_df_flush(int *error); + +/** + * sev_guest_decommission - perform SEV DECOMMISSION command + * + * @decommission: sev_data_decommission structure to be processed + * @sev_ret: sev command return code + * + * Returns: + * 0 if the sev successfully processed the command + * -%ENODEV if the sev device is not available + * -%ENOTSUPP if the sev does not support SEV + * -%ETIMEDOUT if the sev command timed out + * -%EIO if the sev returned a non-zero return code + */ +int sev_guest_decommission(struct sev_data_decommission *data, int *error); + +#else /* !CONFIG_CRYPTO_DEV_SP_PSP */ + +static inline int +sev_platform_status(struct sev_data_status *status, int *error) { return -ENODEV; } + +static inline int +sev_platform_init(struct sev_data_init *init, int *error) { return -ENODEV; } + +static inline int sev_platform_shutdown(int *error) { return -ENODEV; } + +static inline int +sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } + +static inline int +sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } + +static inline int +sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } + +static inline int sev_guest_df_flush(int *error) { return -ENODEV; } + +static inline int +sev_issue_cmd_external_user(struct file *filep, + unsigned int id, void *data, int *error) +{ + return -ENODEV; +} + +#endif /* CONFIG_CRYPTO_DEV_SP_PSP */ + #endif /* __PSP_SEV_H__ */ diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h new file mode 100644 index 000000000000..e41e4bed246a --- /dev/null +++ b/include/uapi/linux/psp-sev.h @@ -0,0 +1,116 @@ + +/* + * Userspace interface for AMD Secure Encrypted Virtualization (SEV) + * platform management commands. + * + * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. + * + * Author: Brijesh Singh + * + * SEV spec 0.14 is available at: + * http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#ifndef __PSP_SEV_USER_H__ +#define __PSP_SEV_USER_H__ + +#include + +/** + * SEV platform commands + */ +enum { + SEV_USER_CMD_FACTORY_RESET = 0, + SEV_USER_CMD_PLATFORM_STATUS, + SEV_USER_CMD_PEK_GEN, + SEV_USER_CMD_PEK_CSR, + SEV_USER_CMD_PDH_GEN, + SEV_USER_CMD_PDH_CERT_EXPORT, + SEV_USER_CMD_PEK_CERT_IMPORT, + + SEV_USER_CMD_MAX, +}; + +/** + * struct sev_user_data_status - PLATFORM_STATUS command parameters + * + * @major: major API version + * @minor: minor API version + * @state: platform state + * @owner: self-owned or externally owned + * @config: platform config flags + * @build: firmware build id for API version + * @guest_count: number of active guests + */ +struct sev_user_data_status { + __u8 api_major; /* Out */ + __u8 api_minor; /* Out */ + __u8 state; /* Out */ + __u8 owner; /* Out */ + __u32 config; /* Out */ + __u8 build; /* Out */ + __u32 guest_count; /* Out */ +}; + +/** + * struct sev_user_data_pek_csr - PEK_CSR command parameters + * + * @address: PEK certificate chain + * @length: length of certificate + */ +struct sev_user_data_pek_csr { + __u64 address; /* In */ + __u32 length; /* In/Out */ +}; + +/** + * struct sev_user_data_cert_import - PEK_CERT_IMPORT command parameters + * + * @pek_address: PEK certificate chain + * @pek_len: length of PEK certificate + * @oca_address: OCA certificate chain + * @oca_len: length of OCA certificate + */ +struct sev_user_data_pek_cert_import { + __u64 pek_cert_address; /* In */ + __u32 pek_cert_len; /* In */ + __u64 oca_cert_address; /* In */ + __u32 oca_cert_len; /* In */ +}; + +/** + * struct sev_user_data_pdh_cert_export - PDH_CERT_EXPORT command parameters + * + * @pdh_address: PDH certificate address + * @pdh_len: length of PDH certificate + * @cert_chain_address: PDH certificate chain + * @cert_chain_len: length of PDH certificate chain + */ +struct sev_user_data_pdh_cert_export { + __u64 pdh_cert_address; /* In */ + __u32 pdh_cert_len; /* In/Out */ + __u64 cert_chain_address; /* In */ + __u32 cert_chain_len; /* In/Out */ +}; + +/** + * struct sev_issue_cmd - SEV ioctl parameters + * + * @cmd: SEV commands to execute + * @opaque: pointer to the command structure + * @error: SEV FW return code on failure + */ +struct sev_issue_cmd { + __u32 cmd; /* In */ + __u64 data; /* In */ + __u32 error; /* Out */ +}; + +#define SEV_IOC_TYPE 'S' +#define SEV_ISSUE_CMD _IOWR(SEV_IOC_TYPE, 0x0, struct sev_issue_cmd) + +#endif /* __PSP_USER_SEV_H */