From patchwork Mon Nov 6 18:11:11 2017
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 10044093
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Brijesh Singh
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: bp@alien8.de, Brijesh Singh, Paolo Bonzini, Radim Krčmář, Borislav Petkov, Herbert Xu, Gary Hook, Tom Lendacky, linux-crypto@vger.kernel.org
Subject: [Part2 PATCH v8 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT ioctl command
Date: Mon, 6 Nov 2017 12:11:11 -0600
Message-Id: <20171106181130.68491-20-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.9.5
In-Reply-To: <20171106181130.68491-1-brijesh.singh@amd.com>
References: <20171106181130.68491-1-brijesh.singh@amd.com>
Sender: linux-crypto-owner@vger.kernel.org
X-Mailing-List: linux-crypto@vger.kernel.org

The SEV_PEK_CERT_IMPORT command can be used to import the signed PEK certificate. The command is defined in SEV spec section 5.8.
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Borislav Petkov
Cc: Herbert Xu
Cc: Gary Hook
Cc: Tom Lendacky
Cc: linux-crypto@vger.kernel.org
Cc: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Improvements-by: Borislav Petkov
Signed-off-by: Brijesh Singh
Acked-by: Gary R Hook
Reviewed-by: Borislav Petkov
---
 drivers/crypto/ccp/psp-dev.c | 81 ++++++++++++++++++++++++++++++++++++++++++++
 include/linux/psp-sev.h | 4 +++
 2 files changed, 85 insertions(+)

diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index c3906bbdb69b..9d1c4600db19 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -365,6 +365,84 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp) return ret; } +void *psp_copy_user_blob(u64 __user uaddr, u32 len) +{ + void *data; + + if (!uaddr || !len) + return ERR_PTR(-EINVAL); + + /* verify that blob length does not exceed our limit */ + if (len > SEV_FW_BLOB_MAX_SIZE) + return ERR_PTR(-EINVAL); + + data = kmalloc(len, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(data, (void __user *)(uintptr_t)uaddr, len)) + goto e_free; + + return data; + +e_free: + kfree(data); + return ERR_PTR(-EFAULT); +} +EXPORT_SYMBOL_GPL(psp_copy_user_blob); + +static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pek_cert_import input; + struct sev_data_pek_cert_import *data; + void *pek_blob, *oca_blob; + int ret; + + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* copy PEK certificate blobs from userspace */ + pek_blob = psp_copy_user_blob(input.pek_cert_address, input.pek_cert_len); + if (IS_ERR(pek_blob)) { + ret = PTR_ERR(pek_blob); + goto e_free; + } + + data->pek_cert_address = __psp_pa(pek_blob); + data->pek_cert_len = input.pek_cert_len; + + /* copy PEK certificate blobs from userspace */ + oca_blob = psp_copy_user_blob(input.oca_cert_address, input.oca_cert_len); + if (IS_ERR(oca_blob)) { + ret = PTR_ERR(oca_blob); + goto e_free_pek; + } + + data->oca_cert_address = __psp_pa(oca_blob); + data->oca_cert_len = input.oca_cert_len; + + /* If platform is not in INIT state then transition it to INIT */ + if (psp_master->sev_state != SEV_STATE_INIT) { + ret = __sev_platform_init_locked(&argp->error); + if (ret) + goto e_free_oca; + } + + ret = __sev_do_cmd_locked(SEV_CMD_PEK_CERT_IMPORT, data, &argp->error); + +e_free_oca: + kfree(oca_blob); +e_free_pek: + kfree(pek_blob); +e_free: + kfree(data); + return ret; +} + static long sev_ioctl(struct file *file, 
unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -402,6 +480,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SEV_PEK_CSR: ret = sev_ioctl_do_pek_csr(&input); break; + case SEV_PEK_CERT_IMPORT: + ret = sev_ioctl_do_pek_import(&input); + break; default: ret = -EINVAL; goto out; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 0b6dd306d88b..93addfa34061 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h @@ -576,6 +576,8 @@ int sev_guest_df_flush(int *error); */ int sev_guest_decommission(struct sev_data_decommission *data, int *error); +void *psp_copy_user_blob(u64 __user uaddr, u32 len); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int @@ -597,6 +599,8 @@ static inline int sev_guest_df_flush(int *error) { return -ENODEV; } static inline int sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } +static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_SEV_H__ */
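Review bot: in the `@@ -365,6 +365,84 @@` hunk of drivers/crypto/ccp/psp-dev.c, the comment above the `oca_blob` copy in `sev_ioctl_do_pek_import()` is a copy-paste of the one above the `pek_blob` copy (`/* copy PEK certificate blobs from userspace */` appears twice); the second should read `/* copy OCA certificate blob from userspace */`. Two smaller points in the same hunk: the `__user` annotation on `u64 __user uaddr` in `psp_copy_user_blob()` has no meaning on a non-pointer type for sparse, so either drop it or take a `void __user *` and let the caller do the `(uintptr_t)` cast; and `sev_ioctl_do_pek_import()` calls the `_locked` helpers (`__sev_platform_init_locked()`, `__sev_do_cmd_locked()`), which presumes the caller already holds the command lock, but the acquisition is outside this hunk, so confirm the `sev_ioctl()` path takes it (a `lockdep_assert_held()` at the top of the helper would make the contract checkable). The `len > SEV_FW_BLOB_MAX_SIZE` bound before `kmalloc()` is the right place to cap a user-controlled allocation size; `SEV_FW_BLOB_MAX_SIZE` is not defined in this patch, so its value should be checked in the header it comes from.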
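Review bot: in the `@@ -576,6 +576,8 @@` hunk of include/linux/psp-sev.h, the new `psp_copy_user_blob()` prototype is added without a kernel-doc comment, while the neighbouring `sev_guest_decommission()` declaration sits under a `*/`-terminated doc block; since the function is `EXPORT_SYMBOL_GPL` for use by other modules, document the ownership contract the implementation establishes: the returned buffer is allocated with `kmalloc()` and the caller must `kfree()` it, `ERR_PTR(-EINVAL)` is returned for a NULL address, a zero length or a length above `SEV_FW_BLOB_MAX_SIZE`, and `ERR_PTR(-EFAULT)` when the copy from userspace fails.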
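Review bot: in the `@@ -597,6 +599,8 @@` hunk of include/linux/psp-sev.h, the `!CONFIG_CRYPTO_DEV_SP_PSP` stub `static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); }` returns `-EINVAL`, whereas the adjacent stubs (`sev_guest_df_flush()`, `sev_issue_cmd_external_user()`) return `-ENODEV`; `-EINVAL` tells a caller its arguments were bad rather than that the PSP driver is not built, so `ERR_PTR(-ENODEV)` would be consistent with the rest of the header and less misleading to callers that propagate the error to userspace.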