Loading...
Note: File does not exist in v3.1.
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Copyright IBM Corp. 2022
4 * Author(s): Steffen Eiden <seiden@linux.ibm.com>
5 *
6 * This file provides a Linux misc device to give userspace access to some
7 * Ultravisor (UV) functions. The device only accepts IOCTLs and will only
8 * be present if the Ultravisor facility (158) is present.
9 *
10 * When userspace sends a valid IOCTL uvdevice will copy the input data to
11 * kernel space, do some basic validity checks to avoid kernel/system
12 * corruption. Any other check that the Ultravisor does will not be done by
13 * the uvdevice to keep changes minimal when adding new functionalities
14 * to existing UV-calls.
15 * After the checks uvdevice builds a corresponding
16 * Ultravisor Call Control Block, and sends the request to the Ultravisor.
17 * Then, it copies the response, including the return codes, back to userspace.
18 * It is the responsibility of the userspace to check for any error issued
19 * by UV and to interpret the UV response. The uvdevice acts as a communication
20 * channel for userspace to the Ultravisor.
21 */
22
23#include <linux/module.h>
24#include <linux/kernel.h>
25#include <linux/miscdevice.h>
26#include <linux/types.h>
27#include <linux/stddef.h>
28#include <linux/vmalloc.h>
29#include <linux/slab.h>
30#include <linux/cpufeature.h>
31
32#include <asm/uvdevice.h>
33#include <asm/uv.h>
34
35#define BIT_UVIO_INTERNAL U32_MAX
36/* Mapping from IOCTL-nr to UVC-bit */
37static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
38 [UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
39 [UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
40 [UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
41 [UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
42 [UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
43};
44
45static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
46
47static struct uvio_uvdev_info uvdev_info = {
48 .supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
49};
50
51static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
52{
53 int i;
54
55 for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
56 if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
57 continue;
58 if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
59 continue;
60 __set_bit(i, supp_uv_cmds);
61 }
62}
63
64/**
65 * uvio_uvdev_info() - get information about the uvdevice
66 *
67 * @uv_ioctl: ioctl control block
68 *
69 * Lists all IOCTLs that are supported by this uvdevice
70 */
71static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
72{
73 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
74
75 if (uv_ioctl->argument_len < sizeof(uvdev_info))
76 return -EINVAL;
77 if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
78 return -EFAULT;
79
80 uv_ioctl->uv_rc = UVC_RC_EXECUTED;
81 return 0;
82}
83
84static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
85 u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
86{
87 void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;
88
89 if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
90 return -EFAULT;
91
92 uvcb_attest->header.len = sizeof(*uvcb_attest);
93 uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
94 uvcb_attest->arcb_addr = (u64)arcb;
95 uvcb_attest->cont_token = 0;
96 uvcb_attest->user_data_len = uvio_attest->user_data_len;
97 memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
98 uvcb_attest->meas_len = uvio_attest->meas_len;
99 uvcb_attest->meas_addr = (u64)meas;
100 uvcb_attest->add_data_len = uvio_attest->add_data_len;
101 uvcb_attest->add_data_addr = (u64)add_data;
102
103 return 0;
104}
105
106static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
107 struct uvio_ioctl_cb *uv_ioctl,
108 u8 *measurement, u8 *add_data,
109 struct uvio_attest *uvio_attest)
110{
111 struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
112 u32 __user *user_buf_add_len = (u32 __user *)&user_uvio_attest->add_data_len;
113 void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
114 void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
115 void __user *user_buf_uid = &user_uvio_attest->config_uid;
116
117 if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
118 return -EFAULT;
119 if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
120 return -EFAULT;
121 if (put_user(uvio_attest->add_data_len, user_buf_add_len))
122 return -EFAULT;
123 if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
124 return -EFAULT;
125 return 0;
126}
127
128static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
129{
130 u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;
131
132 if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
133 return -EFAULT;
134
135 if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
136 return -EINVAL;
137 if (uvio_attest->arcb_len == 0)
138 return -EINVAL;
139 if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
140 return -EINVAL;
141 if (uvio_attest->meas_len == 0)
142 return -EINVAL;
143 if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
144 return -EINVAL;
145 if (uvio_attest->reserved136)
146 return -EINVAL;
147 return 0;
148}
149
150/**
151 * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
152 *
153 * @uv_ioctl: ioctl control block
154 *
155 * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
156 * It verifies that the given userspace addresses are valid and request sizes
157 * are sane. Every other check is made by the Ultravisor (UV) and won't result
158 * in a negative return value. It copies the input to kernelspace, builds the
159 * request, sends the UV-call, and copies the result to userspace.
160 *
161 * The Attestation Request has two input and two outputs.
162 * ARCB and User Data are inputs for the UV generated by userspace.
163 * Measurement and Additional Data are outputs for userspace generated by UV.
164 *
165 * The Attestation Request Control Block (ARCB) is a cryptographically verified
166 * and secured request to UV and User Data is some plaintext data which is
167 * going to be included in the Attestation Measurement calculation.
168 *
169 * Measurement is a cryptographic measurement of the callers properties,
170 * optional data configured by the ARCB and the user data. If specified by the
171 * ARCB, UV will add some Additional Data to the measurement calculation.
172 * This Additional Data is then returned as well.
173 *
174 * If the Retrieve Attestation Measurement UV facility is not present,
175 * UV will return invalid command rc. This won't be fenced in the driver
176 * and does not result in a negative return value.
177 *
178 * Context: might sleep
179 *
180 * Return: 0 on success or a negative error code on error.
181 */
182static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
183{
184 struct uv_cb_attest *uvcb_attest = NULL;
185 struct uvio_attest *uvio_attest = NULL;
186 u8 *measurement = NULL;
187 u8 *add_data = NULL;
188 u8 *arcb = NULL;
189 int ret;
190
191 ret = -EINVAL;
192 if (uv_ioctl->argument_len != sizeof(*uvio_attest))
193 goto out;
194
195 ret = -ENOMEM;
196 uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
197 if (!uvio_attest)
198 goto out;
199
200 ret = get_uvio_attest(uv_ioctl, uvio_attest);
201 if (ret)
202 goto out;
203
204 ret = -ENOMEM;
205 arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
206 measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
207 if (!arcb || !measurement)
208 goto out;
209
210 if (uvio_attest->add_data_len) {
211 add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
212 if (!add_data)
213 goto out;
214 }
215
216 uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
217 if (!uvcb_attest)
218 goto out;
219
220 ret = uvio_build_uvcb_attest(uvcb_attest, arcb, measurement, add_data, uvio_attest);
221 if (ret)
222 goto out;
223
224 uv_call_sched(0, (u64)uvcb_attest);
225
226 uv_ioctl->uv_rc = uvcb_attest->header.rc;
227 uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
228
229 ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
230 uvio_attest);
231out:
232 kvfree(arcb);
233 kvfree(measurement);
234 kvfree(add_data);
235 kfree(uvio_attest);
236 kfree(uvcb_attest);
237 return ret;
238}
239
240/** uvio_add_secret() - perform an Add Secret UVC
241 *
242 * @uv_ioctl: ioctl control block
243 *
244 * uvio_add_secret() performs the Add Secret Ultravisor Call.
245 *
246 * The given userspace argument address and size are verified to be
247 * valid but every other check is made by the Ultravisor
248 * (UV). Therefore UV errors won't result in a negative return
249 * value. The request is then copied to kernelspace, the UV-call is
250 * performed and the results are copied back to userspace.
251 *
252 * The argument has to point to an Add Secret Request Control Block
253 * which is an encrypted and cryptographically verified request that
254 * inserts a protected guest's secrets into the Ultravisor for later
255 * use.
256 *
257 * If the Add Secret UV facility is not present, UV will return
258 * invalid command rc. This won't be fenced in the driver and does not
259 * result in a negative return value.
260 *
261 * Context: might sleep
262 *
263 * Return: 0 on success or a negative error code on error.
264 */
265static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
266{
267 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
268 struct uv_cb_guest_addr uvcb = {
269 .header.len = sizeof(uvcb),
270 .header.cmd = UVC_CMD_ADD_SECRET,
271 };
272 void *asrcb = NULL;
273 int ret;
274
275 if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
276 return -EINVAL;
277 if (uv_ioctl->argument_len == 0)
278 return -EINVAL;
279
280 asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
281 if (!asrcb)
282 return -ENOMEM;
283
284 ret = -EFAULT;
285 if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
286 goto out;
287
288 ret = 0;
289 uvcb.addr = (u64)asrcb;
290 uv_call_sched(0, (u64)&uvcb);
291 uv_ioctl->uv_rc = uvcb.header.rc;
292 uv_ioctl->uv_rrc = uvcb.header.rrc;
293
294out:
295 kvfree(asrcb);
296 return ret;
297}
298
299/** uvio_list_secrets() - perform a List Secret UVC
300 * @uv_ioctl: ioctl control block
301 *
302 * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
303 * that the given userspace argument address is valid and its size is sane.
304 * Every other check is made by the Ultravisor (UV) and won't result in a
305 * negative return value. It builds the request, performs the UV-call, and
306 * copies the result to userspace.
307 *
308 * The argument specifies the location for the result of the UV-Call.
309 *
310 * If the List Secrets UV facility is not present, UV will return invalid
311 * command rc. This won't be fenced in the driver and does not result in a
312 * negative return value.
313 *
314 * Context: might sleep
315 *
316 * Return: 0 on success or a negative error code on error.
317 */
318static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
319{
320 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
321 struct uv_cb_guest_addr uvcb = {
322 .header.len = sizeof(uvcb),
323 .header.cmd = UVC_CMD_LIST_SECRETS,
324 };
325 void *secrets = NULL;
326 int ret = 0;
327
328 if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN)
329 return -EINVAL;
330
331 secrets = kvzalloc(UVIO_LIST_SECRETS_LEN, GFP_KERNEL);
332 if (!secrets)
333 return -ENOMEM;
334
335 uvcb.addr = (u64)secrets;
336 uv_call_sched(0, (u64)&uvcb);
337 uv_ioctl->uv_rc = uvcb.header.rc;
338 uv_ioctl->uv_rrc = uvcb.header.rrc;
339
340 if (copy_to_user(user_buf_arg, secrets, UVIO_LIST_SECRETS_LEN))
341 ret = -EFAULT;
342
343 kvfree(secrets);
344 return ret;
345}
346
347/** uvio_lock_secrets() - perform a Lock Secret Store UVC
348 * @uv_ioctl: ioctl control block
349 *
350 * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
351 * performs the UV-call and copies the return codes to the ioctl control block.
352 * After this call was dispatched successfully every following Add Secret UVC
353 * and Lock Secrets UVC will fail with return code 0x102.
354 *
355 * The argument address and size must be 0.
356 *
357 * If the Lock Secrets UV facility is not present, UV will return invalid
358 * command rc. This won't be fenced in the driver and does not result in a
359 * negative return value.
360 *
361 * Context: might sleep
362 *
363 * Return: 0 on success or a negative error code on error.
364 */
365static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
366{
367 struct uv_cb_nodata uvcb = {
368 .header.len = sizeof(uvcb),
369 .header.cmd = UVC_CMD_LOCK_SECRETS,
370 };
371
372 if (ioctl->argument_addr || ioctl->argument_len)
373 return -EINVAL;
374
375 uv_call(0, (u64)&uvcb);
376 ioctl->uv_rc = uvcb.header.rc;
377 ioctl->uv_rrc = uvcb.header.rrc;
378
379 return 0;
380}
381
382static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
383 unsigned long cmd)
384{
385 u8 nr = _IOC_NR(cmd);
386
387 if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
388 return -ENOIOCTLCMD;
389 if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
390 return -ENOIOCTLCMD;
391 if (nr >= UVIO_IOCTL_NUM_IOCTLS)
392 return -ENOIOCTLCMD;
393 if (_IOC_SIZE(cmd) != sizeof(*ioctl))
394 return -ENOIOCTLCMD;
395 if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
396 return -EFAULT;
397 if (ioctl->flags != 0)
398 return -EINVAL;
399 if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
400 return -EINVAL;
401
402 return nr;
403}
404
405/*
406 * IOCTL entry point for the Ultravisor device.
407 */
408static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
409{
410 void __user *argp = (void __user *)arg;
411 struct uvio_ioctl_cb uv_ioctl = { };
412 long ret;
413 int nr;
414
415 nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
416 if (nr < 0)
417 return nr;
418
419 switch (nr) {
420 case UVIO_IOCTL_UVDEV_INFO_NR:
421 ret = uvio_uvdev_info(&uv_ioctl);
422 break;
423 case UVIO_IOCTL_ATT_NR:
424 ret = uvio_attestation(&uv_ioctl);
425 break;
426 case UVIO_IOCTL_ADD_SECRET_NR:
427 ret = uvio_add_secret(&uv_ioctl);
428 break;
429 case UVIO_IOCTL_LIST_SECRETS_NR:
430 ret = uvio_list_secrets(&uv_ioctl);
431 break;
432 case UVIO_IOCTL_LOCK_SECRETS_NR:
433 ret = uvio_lock_secrets(&uv_ioctl);
434 break;
435 default:
436 ret = -ENOIOCTLCMD;
437 break;
438 }
439 if (ret)
440 return ret;
441
442 if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
443 ret = -EFAULT;
444
445 return ret;
446}
447
448static const struct file_operations uvio_dev_fops = {
449 .owner = THIS_MODULE,
450 .unlocked_ioctl = uvio_ioctl,
451 .llseek = no_llseek,
452};
453
454static struct miscdevice uvio_dev_miscdev = {
455 .minor = MISC_DYNAMIC_MINOR,
456 .name = UVIO_DEVICE_NAME,
457 .fops = &uvio_dev_fops,
458};
459
460static void __exit uvio_dev_exit(void)
461{
462 misc_deregister(&uvio_dev_miscdev);
463}
464
465static int __init uvio_dev_init(void)
466{
467 set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
468 return misc_register(&uvio_dev_miscdev);
469}
470
471module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
472module_exit(uvio_dev_exit);
473
474MODULE_AUTHOR("IBM Corporation");
475MODULE_LICENSE("GPL");
476MODULE_DESCRIPTION("Ultravisor UAPI driver");