From patchwork Tue Dec 5 01:04:19 2017
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 10091909
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Brijesh Singh
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org
Cc: bp@alien8.de, Brijesh Singh, Paolo Bonzini, Radim Krčmář, Borislav Petkov, Herbert Xu, Gary Hook, Tom Lendacky, linux-crypto@vger.kernel.org
Subject: [Part2 PATCH v9 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT ioctl command
Date: Mon, 4 Dec 2017 19:04:19 -0600
Message-Id: <20171205010438.5773-20-brijesh.singh@amd.com>
In-Reply-To: <20171205010438.5773-1-brijesh.singh@amd.com>
References: <20171205010438.5773-1-brijesh.singh@amd.com>
X-Mailing-List: linux-crypto@vger.kernel.org

The SEV_PEK_CERT_IMPORT command can be used to import the signed PEK certificate. The command is defined in SEV spec section 5.8.
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Borislav Petkov
Cc: Herbert Xu
Cc: Gary Hook
Cc: Tom Lendacky
Cc: linux-crypto@vger.kernel.org
Cc: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Improvements-by: Borislav Petkov
Signed-off-by: Brijesh Singh
Acked-by: Gary R Hook
Reviewed-by: Borislav Petkov
---
 drivers/crypto/ccp/psp-dev.c | 81 ++++++++++++++++++++++++++++++++++++++++++++
 include/linux/psp-sev.h      |  4 +++
 2 files changed, 85 insertions(+)

diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index c3906bbdb69b..9d1c4600db19 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -365,6 +365,84 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp) return ret; } +void *psp_copy_user_blob(u64 __user uaddr, u32 len) +{ + void *data; + + if (!uaddr || !len) + return ERR_PTR(-EINVAL); + + /* verify that blob length does not exceed our limit */ + if (len > SEV_FW_BLOB_MAX_SIZE) + return ERR_PTR(-EINVAL); + + data = kmalloc(len, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(data, (void __user *)(uintptr_t)uaddr, len)) + goto e_free; + + return data; + +e_free: + kfree(data); + return ERR_PTR(-EFAULT); +} +EXPORT_SYMBOL_GPL(psp_copy_user_blob); + +static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pek_cert_import input; + struct sev_data_pek_cert_import *data; + void *pek_blob, *oca_blob; + int ret; + + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* copy PEK certificate blobs from userspace */ + pek_blob = psp_copy_user_blob(input.pek_cert_address, input.pek_cert_len); + if (IS_ERR(pek_blob)) { + ret = PTR_ERR(pek_blob); + goto e_free; + } + + data->pek_cert_address = __psp_pa(pek_blob); + data->pek_cert_len = input.pek_cert_len; + + /* copy PEK certificate blobs from userspace */ + oca_blob = psp_copy_user_blob(input.oca_cert_address, input.oca_cert_len); + if (IS_ERR(oca_blob)) { + ret = PTR_ERR(oca_blob); + goto e_free_pek; + } + + data->oca_cert_address = __psp_pa(oca_blob); + data->oca_cert_len = input.oca_cert_len; + + /* If platform is not in INIT state then transition it to INIT */ + if (psp_master->sev_state != SEV_STATE_INIT) { + ret = __sev_platform_init_locked(&argp->error); + if (ret) + goto e_free_oca; + } + + ret = __sev_do_cmd_locked(SEV_CMD_PEK_CERT_IMPORT, data, &argp->error); + +e_free_oca: + kfree(oca_blob); +e_free_pek: + kfree(pek_blob); +e_free: + kfree(data); + return ret; +} + static long sev_ioctl(struct file *file, 
unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -402,6 +480,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SEV_PEK_CSR: ret = sev_ioctl_do_pek_csr(&input); break; + case SEV_PEK_CERT_IMPORT: + ret = sev_ioctl_do_pek_import(&input); + break; default: ret = -EINVAL; goto out; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 0b6dd306d88b..93addfa34061 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h @@ -576,6 +576,8 @@ int sev_guest_df_flush(int *error); */ int sev_guest_decommission(struct sev_data_decommission *data, int *error); +void *psp_copy_user_blob(u64 __user uaddr, u32 len); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int @@ -597,6 +599,8 @@ static inline int sev_guest_df_flush(int *error) { return -ENODEV; } static inline int sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } +static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_SEV_H__ */
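Review bot: in sev_ioctl_do_pek_import() the comment above the second psp_copy_user_blob() call is a copy-paste of the first one: `/* copy PEK certificate blobs from userspace */` sits over the copy of input.oca_cert_address / input.oca_cert_len and should read `/* copy OCA certificate blob from userspace */`. Two smaller points in the same hunk: psp_copy_user_blob() is EXPORT_SYMBOL_GPL'd but has no kernel-doc, and because it returns either a kmalloc'd buffer or an ERR_PTR, a short comment should state that callers must check IS_ERR() and kfree() the result; and the `__user` in `u64 __user uaddr` means nothing to sparse, which tracks address spaces on pointer types only, so it can be dropped from the prototype since the annotation already lives on the cast `(void __user *)(uintptr_t)uaddr` where it belongs.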
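Review bot: in the second psp-sev.h hunk the !CONFIG_CRYPTO_DEV_SP_PSP stub `static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); }` breaks the convention of the neighbouring stubs, which all `return -ENODEV;` (sev_guest_df_flush(), sev_issue_cmd_external_user()). Returning ERR_PTR(-ENODEV) would keep that convention and let a caller tell a missing PSP driver apart from a bad address or length, which is what -EINVAL signals in the real implementation in psp-dev.c.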