Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AMD Secure Encrypted Virtualization (SEV) guest driver interface
4 *
5 * Copyright (C) 2021 Advanced Micro Devices, Inc.
6 *
7 * Author: Brijesh Singh <brijesh.singh@amd.com>
8 */
9
10#include <linux/module.h>
11#include <linux/kernel.h>
12#include <linux/types.h>
13#include <linux/mutex.h>
14#include <linux/io.h>
15#include <linux/platform_device.h>
16#include <linux/miscdevice.h>
17#include <linux/set_memory.h>
18#include <linux/fs.h>
19#include <linux/tsm.h>
20#include <crypto/aead.h>
21#include <linux/scatterlist.h>
22#include <linux/psp-sev.h>
23#include <linux/sockptr.h>
24#include <linux/cleanup.h>
25#include <linux/uuid.h>
26#include <uapi/linux/sev-guest.h>
27#include <uapi/linux/psp-sev.h>
28
29#include <asm/svm.h>
30#include <asm/sev.h>
31
32#include "sev-guest.h"
33
34#define DEVICE_NAME "sev-guest"
35#define AAD_LEN 48
36#define MSG_HDR_VER 1
37
38#define SNP_REQ_MAX_RETRY_DURATION (60*HZ)
39#define SNP_REQ_RETRY_DELAY (2*HZ)
40
41struct snp_guest_crypto {
42 struct crypto_aead *tfm;
43 u8 *iv, *authtag;
44 int iv_len, a_len;
45};
46
47struct snp_guest_dev {
48 struct device *dev;
49 struct miscdevice misc;
50
51 void *certs_data;
52 struct snp_guest_crypto *crypto;
53 /* request and response are in unencrypted memory */
54 struct snp_guest_msg *request, *response;
55
56 /*
57 * Avoid information leakage by double-buffering shared messages
58 * in fields that are in regular encrypted memory.
59 */
60 struct snp_guest_msg secret_request, secret_response;
61
62 struct snp_secrets_page_layout *layout;
63 struct snp_req_data input;
64 union {
65 struct snp_report_req report;
66 struct snp_derived_key_req derived_key;
67 struct snp_ext_report_req ext_report;
68 } req;
69 u32 *os_area_msg_seqno;
70 u8 *vmpck;
71};
72
73static u32 vmpck_id;
74module_param(vmpck_id, uint, 0444);
75MODULE_PARM_DESC(vmpck_id, "The VMPCK ID to use when communicating with the PSP.");
76
77/* Mutex to serialize the shared buffer access and command handling. */
78static DEFINE_MUTEX(snp_cmd_mutex);
79
80static bool is_vmpck_empty(struct snp_guest_dev *snp_dev)
81{
82 char zero_key[VMPCK_KEY_LEN] = {0};
83
84 if (snp_dev->vmpck)
85 return !memcmp(snp_dev->vmpck, zero_key, VMPCK_KEY_LEN);
86
87 return true;
88}
89
90/*
91 * If an error is received from the host or AMD Secure Processor (ASP) there
92 * are two options. Either retry the exact same encrypted request or discontinue
93 * using the VMPCK.
94 *
95 * This is because in the current encryption scheme GHCB v2 uses AES-GCM to
96 * encrypt the requests. The IV for this scheme is the sequence number. GCM
97 * cannot tolerate IV reuse.
98 *
99 * The ASP FW v1.51 only increments the sequence numbers on a successful
100 * guest<->ASP back and forth and only accepts messages at its exact sequence
101 * number.
102 *
103 * So if the sequence number were to be reused the encryption scheme is
104 * vulnerable. If the sequence number were incremented for a fresh IV the ASP
105 * will reject the request.
106 */
107static void snp_disable_vmpck(struct snp_guest_dev *snp_dev)
108{
109 dev_alert(snp_dev->dev, "Disabling vmpck_id %d to prevent IV reuse.\n",
110 vmpck_id);
111 memzero_explicit(snp_dev->vmpck, VMPCK_KEY_LEN);
112 snp_dev->vmpck = NULL;
113}
114
115static inline u64 __snp_get_msg_seqno(struct snp_guest_dev *snp_dev)
116{
117 u64 count;
118
119 lockdep_assert_held(&snp_cmd_mutex);
120
121 /* Read the current message sequence counter from secrets pages */
122 count = *snp_dev->os_area_msg_seqno;
123
124 return count + 1;
125}
126
127/* Return a non-zero on success */
128static u64 snp_get_msg_seqno(struct snp_guest_dev *snp_dev)
129{
130 u64 count = __snp_get_msg_seqno(snp_dev);
131
132 /*
133 * The message sequence counter for the SNP guest request is a 64-bit
134 * value but the version 2 of GHCB specification defines a 32-bit storage
135 * for it. If the counter exceeds the 32-bit value then return zero.
136 * The caller should check the return value, but if the caller happens to
137 * not check the value and use it, then the firmware treats zero as an
138 * invalid number and will fail the message request.
139 */
140 if (count >= UINT_MAX) {
141 dev_err(snp_dev->dev, "request message sequence counter overflow\n");
142 return 0;
143 }
144
145 return count;
146}
147
148static void snp_inc_msg_seqno(struct snp_guest_dev *snp_dev)
149{
150 /*
151 * The counter is also incremented by the PSP, so increment it by 2
152 * and save in secrets page.
153 */
154 *snp_dev->os_area_msg_seqno += 2;
155}
156
157static inline struct snp_guest_dev *to_snp_dev(struct file *file)
158{
159 struct miscdevice *dev = file->private_data;
160
161 return container_of(dev, struct snp_guest_dev, misc);
162}
163
164static struct snp_guest_crypto *init_crypto(struct snp_guest_dev *snp_dev, u8 *key, size_t keylen)
165{
166 struct snp_guest_crypto *crypto;
167
168 crypto = kzalloc(sizeof(*crypto), GFP_KERNEL_ACCOUNT);
169 if (!crypto)
170 return NULL;
171
172 crypto->tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
173 if (IS_ERR(crypto->tfm))
174 goto e_free;
175
176 if (crypto_aead_setkey(crypto->tfm, key, keylen))
177 goto e_free_crypto;
178
179 crypto->iv_len = crypto_aead_ivsize(crypto->tfm);
180 crypto->iv = kmalloc(crypto->iv_len, GFP_KERNEL_ACCOUNT);
181 if (!crypto->iv)
182 goto e_free_crypto;
183
184 if (crypto_aead_authsize(crypto->tfm) > MAX_AUTHTAG_LEN) {
185 if (crypto_aead_setauthsize(crypto->tfm, MAX_AUTHTAG_LEN)) {
186 dev_err(snp_dev->dev, "failed to set authsize to %d\n", MAX_AUTHTAG_LEN);
187 goto e_free_iv;
188 }
189 }
190
191 crypto->a_len = crypto_aead_authsize(crypto->tfm);
192 crypto->authtag = kmalloc(crypto->a_len, GFP_KERNEL_ACCOUNT);
193 if (!crypto->authtag)
194 goto e_free_iv;
195
196 return crypto;
197
198e_free_iv:
199 kfree(crypto->iv);
200e_free_crypto:
201 crypto_free_aead(crypto->tfm);
202e_free:
203 kfree(crypto);
204
205 return NULL;
206}
207
208static void deinit_crypto(struct snp_guest_crypto *crypto)
209{
210 crypto_free_aead(crypto->tfm);
211 kfree(crypto->iv);
212 kfree(crypto->authtag);
213 kfree(crypto);
214}
215
216static int enc_dec_message(struct snp_guest_crypto *crypto, struct snp_guest_msg *msg,
217 u8 *src_buf, u8 *dst_buf, size_t len, bool enc)
218{
219 struct snp_guest_msg_hdr *hdr = &msg->hdr;
220 struct scatterlist src[3], dst[3];
221 DECLARE_CRYPTO_WAIT(wait);
222 struct aead_request *req;
223 int ret;
224
225 req = aead_request_alloc(crypto->tfm, GFP_KERNEL);
226 if (!req)
227 return -ENOMEM;
228
229 /*
230 * AEAD memory operations:
231 * +------ AAD -------+------- DATA -----+---- AUTHTAG----+
232 * | msg header | plaintext | hdr->authtag |
233 * | bytes 30h - 5Fh | or | |
234 * | | cipher | |
235 * +------------------+------------------+----------------+
236 */
237 sg_init_table(src, 3);
238 sg_set_buf(&src[0], &hdr->algo, AAD_LEN);
239 sg_set_buf(&src[1], src_buf, hdr->msg_sz);
240 sg_set_buf(&src[2], hdr->authtag, crypto->a_len);
241
242 sg_init_table(dst, 3);
243 sg_set_buf(&dst[0], &hdr->algo, AAD_LEN);
244 sg_set_buf(&dst[1], dst_buf, hdr->msg_sz);
245 sg_set_buf(&dst[2], hdr->authtag, crypto->a_len);
246
247 aead_request_set_ad(req, AAD_LEN);
248 aead_request_set_tfm(req, crypto->tfm);
249 aead_request_set_callback(req, 0, crypto_req_done, &wait);
250
251 aead_request_set_crypt(req, src, dst, len, crypto->iv);
252 ret = crypto_wait_req(enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req), &wait);
253
254 aead_request_free(req);
255 return ret;
256}
257
258static int __enc_payload(struct snp_guest_dev *snp_dev, struct snp_guest_msg *msg,
259 void *plaintext, size_t len)
260{
261 struct snp_guest_crypto *crypto = snp_dev->crypto;
262 struct snp_guest_msg_hdr *hdr = &msg->hdr;
263
264 memset(crypto->iv, 0, crypto->iv_len);
265 memcpy(crypto->iv, &hdr->msg_seqno, sizeof(hdr->msg_seqno));
266
267 return enc_dec_message(crypto, msg, plaintext, msg->payload, len, true);
268}
269
270static int dec_payload(struct snp_guest_dev *snp_dev, struct snp_guest_msg *msg,
271 void *plaintext, size_t len)
272{
273 struct snp_guest_crypto *crypto = snp_dev->crypto;
274 struct snp_guest_msg_hdr *hdr = &msg->hdr;
275
276 /* Build IV with response buffer sequence number */
277 memset(crypto->iv, 0, crypto->iv_len);
278 memcpy(crypto->iv, &hdr->msg_seqno, sizeof(hdr->msg_seqno));
279
280 return enc_dec_message(crypto, msg, msg->payload, plaintext, len, false);
281}
282
283static int verify_and_dec_payload(struct snp_guest_dev *snp_dev, void *payload, u32 sz)
284{
285 struct snp_guest_crypto *crypto = snp_dev->crypto;
286 struct snp_guest_msg *resp = &snp_dev->secret_response;
287 struct snp_guest_msg *req = &snp_dev->secret_request;
288 struct snp_guest_msg_hdr *req_hdr = &req->hdr;
289 struct snp_guest_msg_hdr *resp_hdr = &resp->hdr;
290
291 dev_dbg(snp_dev->dev, "response [seqno %lld type %d version %d sz %d]\n",
292 resp_hdr->msg_seqno, resp_hdr->msg_type, resp_hdr->msg_version, resp_hdr->msg_sz);
293
294 /* Copy response from shared memory to encrypted memory. */
295 memcpy(resp, snp_dev->response, sizeof(*resp));
296
297 /* Verify that the sequence counter is incremented by 1 */
298 if (unlikely(resp_hdr->msg_seqno != (req_hdr->msg_seqno + 1)))
299 return -EBADMSG;
300
301 /* Verify response message type and version number. */
302 if (resp_hdr->msg_type != (req_hdr->msg_type + 1) ||
303 resp_hdr->msg_version != req_hdr->msg_version)
304 return -EBADMSG;
305
306 /*
307 * If the message size is greater than our buffer length then return
308 * an error.
309 */
310 if (unlikely((resp_hdr->msg_sz + crypto->a_len) > sz))
311 return -EBADMSG;
312
313 /* Decrypt the payload */
314 return dec_payload(snp_dev, resp, payload, resp_hdr->msg_sz + crypto->a_len);
315}
316
317static int enc_payload(struct snp_guest_dev *snp_dev, u64 seqno, int version, u8 type,
318 void *payload, size_t sz)
319{
320 struct snp_guest_msg *req = &snp_dev->secret_request;
321 struct snp_guest_msg_hdr *hdr = &req->hdr;
322
323 memset(req, 0, sizeof(*req));
324
325 hdr->algo = SNP_AEAD_AES_256_GCM;
326 hdr->hdr_version = MSG_HDR_VER;
327 hdr->hdr_sz = sizeof(*hdr);
328 hdr->msg_type = type;
329 hdr->msg_version = version;
330 hdr->msg_seqno = seqno;
331 hdr->msg_vmpck = vmpck_id;
332 hdr->msg_sz = sz;
333
334 /* Verify the sequence number is non-zero */
335 if (!hdr->msg_seqno)
336 return -ENOSR;
337
338 dev_dbg(snp_dev->dev, "request [seqno %lld type %d version %d sz %d]\n",
339 hdr->msg_seqno, hdr->msg_type, hdr->msg_version, hdr->msg_sz);
340
341 return __enc_payload(snp_dev, req, payload, sz);
342}
343
344static int __handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code,
345 struct snp_guest_request_ioctl *rio)
346{
347 unsigned long req_start = jiffies;
348 unsigned int override_npages = 0;
349 u64 override_err = 0;
350 int rc;
351
352retry_request:
353 /*
354 * Call firmware to process the request. In this function the encrypted
355 * message enters shared memory with the host. So after this call the
356 * sequence number must be incremented or the VMPCK must be deleted to
357 * prevent reuse of the IV.
358 */
359 rc = snp_issue_guest_request(exit_code, &snp_dev->input, rio);
360 switch (rc) {
361 case -ENOSPC:
362 /*
363 * If the extended guest request fails due to having too
364 * small of a certificate data buffer, retry the same
365 * guest request without the extended data request in
366 * order to increment the sequence number and thus avoid
367 * IV reuse.
368 */
369 override_npages = snp_dev->input.data_npages;
370 exit_code = SVM_VMGEXIT_GUEST_REQUEST;
371
372 /*
373 * Override the error to inform callers the given extended
374 * request buffer size was too small and give the caller the
375 * required buffer size.
376 */
377 override_err = SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN);
378
379 /*
380 * If this call to the firmware succeeds, the sequence number can
381 * be incremented allowing for continued use of the VMPCK. If
382 * there is an error reflected in the return value, this value
383 * is checked further down and the result will be the deletion
384 * of the VMPCK and the error code being propagated back to the
385 * user as an ioctl() return code.
386 */
387 goto retry_request;
388
389 /*
390 * The host may return SNP_GUEST_VMM_ERR_BUSY if the request has been
391 * throttled. Retry in the driver to avoid returning and reusing the
392 * message sequence number on a different message.
393 */
394 case -EAGAIN:
395 if (jiffies - req_start > SNP_REQ_MAX_RETRY_DURATION) {
396 rc = -ETIMEDOUT;
397 break;
398 }
399 schedule_timeout_killable(SNP_REQ_RETRY_DELAY);
400 goto retry_request;
401 }
402
403 /*
404 * Increment the message sequence number. There is no harm in doing
405 * this now because decryption uses the value stored in the response
406 * structure and any failure will wipe the VMPCK, preventing further
407 * use anyway.
408 */
409 snp_inc_msg_seqno(snp_dev);
410
411 if (override_err) {
412 rio->exitinfo2 = override_err;
413
414 /*
415 * If an extended guest request was issued and the supplied certificate
416 * buffer was not large enough, a standard guest request was issued to
417 * prevent IV reuse. If the standard request was successful, return -EIO
418 * back to the caller as would have originally been returned.
419 */
420 if (!rc && override_err == SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN))
421 rc = -EIO;
422 }
423
424 if (override_npages)
425 snp_dev->input.data_npages = override_npages;
426
427 return rc;
428}
429
430static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code,
431 struct snp_guest_request_ioctl *rio, u8 type,
432 void *req_buf, size_t req_sz, void *resp_buf,
433 u32 resp_sz)
434{
435 u64 seqno;
436 int rc;
437
438 /* Get message sequence and verify that its a non-zero */
439 seqno = snp_get_msg_seqno(snp_dev);
440 if (!seqno)
441 return -EIO;
442
443 /* Clear shared memory's response for the host to populate. */
444 memset(snp_dev->response, 0, sizeof(struct snp_guest_msg));
445
446 /* Encrypt the userspace provided payload in snp_dev->secret_request. */
447 rc = enc_payload(snp_dev, seqno, rio->msg_version, type, req_buf, req_sz);
448 if (rc)
449 return rc;
450
451 /*
452 * Write the fully encrypted request to the shared unencrypted
453 * request page.
454 */
455 memcpy(snp_dev->request, &snp_dev->secret_request,
456 sizeof(snp_dev->secret_request));
457
458 rc = __handle_guest_request(snp_dev, exit_code, rio);
459 if (rc) {
460 if (rc == -EIO &&
461 rio->exitinfo2 == SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN))
462 return rc;
463
464 dev_alert(snp_dev->dev,
465 "Detected error from ASP request. rc: %d, exitinfo2: 0x%llx\n",
466 rc, rio->exitinfo2);
467
468 snp_disable_vmpck(snp_dev);
469 return rc;
470 }
471
472 rc = verify_and_dec_payload(snp_dev, resp_buf, resp_sz);
473 if (rc) {
474 dev_alert(snp_dev->dev, "Detected unexpected decode failure from ASP. rc: %d\n", rc);
475 snp_disable_vmpck(snp_dev);
476 return rc;
477 }
478
479 return 0;
480}
481
482struct snp_req_resp {
483 sockptr_t req_data;
484 sockptr_t resp_data;
485};
486
487static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
488{
489 struct snp_guest_crypto *crypto = snp_dev->crypto;
490 struct snp_report_req *req = &snp_dev->req.report;
491 struct snp_report_resp *resp;
492 int rc, resp_len;
493
494 lockdep_assert_held(&snp_cmd_mutex);
495
496 if (!arg->req_data || !arg->resp_data)
497 return -EINVAL;
498
499 if (copy_from_user(req, (void __user *)arg->req_data, sizeof(*req)))
500 return -EFAULT;
501
502 /*
503 * The intermediate response buffer is used while decrypting the
504 * response payload. Make sure that it has enough space to cover the
505 * authtag.
506 */
507 resp_len = sizeof(resp->data) + crypto->a_len;
508 resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
509 if (!resp)
510 return -ENOMEM;
511
512 rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
513 SNP_MSG_REPORT_REQ, req, sizeof(*req), resp->data,
514 resp_len);
515 if (rc)
516 goto e_free;
517
518 if (copy_to_user((void __user *)arg->resp_data, resp, sizeof(*resp)))
519 rc = -EFAULT;
520
521e_free:
522 kfree(resp);
523 return rc;
524}
525
526static int get_derived_key(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
527{
528 struct snp_derived_key_req *req = &snp_dev->req.derived_key;
529 struct snp_guest_crypto *crypto = snp_dev->crypto;
530 struct snp_derived_key_resp resp = {0};
531 int rc, resp_len;
532 /* Response data is 64 bytes and max authsize for GCM is 16 bytes. */
533 u8 buf[64 + 16];
534
535 lockdep_assert_held(&snp_cmd_mutex);
536
537 if (!arg->req_data || !arg->resp_data)
538 return -EINVAL;
539
540 /*
541 * The intermediate response buffer is used while decrypting the
542 * response payload. Make sure that it has enough space to cover the
543 * authtag.
544 */
545 resp_len = sizeof(resp.data) + crypto->a_len;
546 if (sizeof(buf) < resp_len)
547 return -ENOMEM;
548
549 if (copy_from_user(req, (void __user *)arg->req_data, sizeof(*req)))
550 return -EFAULT;
551
552 rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
553 SNP_MSG_KEY_REQ, req, sizeof(*req), buf, resp_len);
554 if (rc)
555 return rc;
556
557 memcpy(resp.data, buf, sizeof(resp.data));
558 if (copy_to_user((void __user *)arg->resp_data, &resp, sizeof(resp)))
559 rc = -EFAULT;
560
561 /* The response buffer contains the sensitive data, explicitly clear it. */
562 memzero_explicit(buf, sizeof(buf));
563 memzero_explicit(&resp, sizeof(resp));
564 return rc;
565}
566
567static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg,
568 struct snp_req_resp *io)
569
570{
571 struct snp_ext_report_req *req = &snp_dev->req.ext_report;
572 struct snp_guest_crypto *crypto = snp_dev->crypto;
573 struct snp_report_resp *resp;
574 int ret, npages = 0, resp_len;
575 sockptr_t certs_address;
576
577 lockdep_assert_held(&snp_cmd_mutex);
578
579 if (sockptr_is_null(io->req_data) || sockptr_is_null(io->resp_data))
580 return -EINVAL;
581
582 if (copy_from_sockptr(req, io->req_data, sizeof(*req)))
583 return -EFAULT;
584
585 /* caller does not want certificate data */
586 if (!req->certs_len || !req->certs_address)
587 goto cmd;
588
589 if (req->certs_len > SEV_FW_BLOB_MAX_SIZE ||
590 !IS_ALIGNED(req->certs_len, PAGE_SIZE))
591 return -EINVAL;
592
593 if (sockptr_is_kernel(io->resp_data)) {
594 certs_address = KERNEL_SOCKPTR((void *)req->certs_address);
595 } else {
596 certs_address = USER_SOCKPTR((void __user *)req->certs_address);
597 if (!access_ok(certs_address.user, req->certs_len))
598 return -EFAULT;
599 }
600
601 /*
602 * Initialize the intermediate buffer with all zeros. This buffer
603 * is used in the guest request message to get the certs blob from
604 * the host. If host does not supply any certs in it, then copy
605 * zeros to indicate that certificate data was not provided.
606 */
607 memset(snp_dev->certs_data, 0, req->certs_len);
608 npages = req->certs_len >> PAGE_SHIFT;
609cmd:
610 /*
611 * The intermediate response buffer is used while decrypting the
612 * response payload. Make sure that it has enough space to cover the
613 * authtag.
614 */
615 resp_len = sizeof(resp->data) + crypto->a_len;
616 resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
617 if (!resp)
618 return -ENOMEM;
619
620 snp_dev->input.data_npages = npages;
621 ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg,
622 SNP_MSG_REPORT_REQ, &req->data,
623 sizeof(req->data), resp->data, resp_len);
624
625 /* If certs length is invalid then copy the returned length */
626 if (arg->vmm_error == SNP_GUEST_VMM_ERR_INVALID_LEN) {
627 req->certs_len = snp_dev->input.data_npages << PAGE_SHIFT;
628
629 if (copy_to_sockptr(io->req_data, req, sizeof(*req)))
630 ret = -EFAULT;
631 }
632
633 if (ret)
634 goto e_free;
635
636 if (npages && copy_to_sockptr(certs_address, snp_dev->certs_data, req->certs_len)) {
637 ret = -EFAULT;
638 goto e_free;
639 }
640
641 if (copy_to_sockptr(io->resp_data, resp, sizeof(*resp)))
642 ret = -EFAULT;
643
644e_free:
645 kfree(resp);
646 return ret;
647}
648
649static long snp_guest_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
650{
651 struct snp_guest_dev *snp_dev = to_snp_dev(file);
652 void __user *argp = (void __user *)arg;
653 struct snp_guest_request_ioctl input;
654 struct snp_req_resp io;
655 int ret = -ENOTTY;
656
657 if (copy_from_user(&input, argp, sizeof(input)))
658 return -EFAULT;
659
660 input.exitinfo2 = 0xff;
661
662 /* Message version must be non-zero */
663 if (!input.msg_version)
664 return -EINVAL;
665
666 mutex_lock(&snp_cmd_mutex);
667
668 /* Check if the VMPCK is not empty */
669 if (is_vmpck_empty(snp_dev)) {
670 dev_err_ratelimited(snp_dev->dev, "VMPCK is disabled\n");
671 mutex_unlock(&snp_cmd_mutex);
672 return -ENOTTY;
673 }
674
675 switch (ioctl) {
676 case SNP_GET_REPORT:
677 ret = get_report(snp_dev, &input);
678 break;
679 case SNP_GET_DERIVED_KEY:
680 ret = get_derived_key(snp_dev, &input);
681 break;
682 case SNP_GET_EXT_REPORT:
683 /*
684 * As get_ext_report() may be called from the ioctl() path and a
685 * kernel internal path (configfs-tsm), decorate the passed
686 * buffers as user pointers.
687 */
688 io.req_data = USER_SOCKPTR((void __user *)input.req_data);
689 io.resp_data = USER_SOCKPTR((void __user *)input.resp_data);
690 ret = get_ext_report(snp_dev, &input, &io);
691 break;
692 default:
693 break;
694 }
695
696 mutex_unlock(&snp_cmd_mutex);
697
698 if (input.exitinfo2 && copy_to_user(argp, &input, sizeof(input)))
699 return -EFAULT;
700
701 return ret;
702}
703
704static void free_shared_pages(void *buf, size_t sz)
705{
706 unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
707 int ret;
708
709 if (!buf)
710 return;
711
712 ret = set_memory_encrypted((unsigned long)buf, npages);
713 if (ret) {
714 WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
715 return;
716 }
717
718 __free_pages(virt_to_page(buf), get_order(sz));
719}
720
721static void *alloc_shared_pages(struct device *dev, size_t sz)
722{
723 unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
724 struct page *page;
725 int ret;
726
727 page = alloc_pages(GFP_KERNEL_ACCOUNT, get_order(sz));
728 if (!page)
729 return NULL;
730
731 ret = set_memory_decrypted((unsigned long)page_address(page), npages);
732 if (ret) {
733 dev_err(dev, "failed to mark page shared, ret=%d\n", ret);
734 __free_pages(page, get_order(sz));
735 return NULL;
736 }
737
738 return page_address(page);
739}
740
741static const struct file_operations snp_guest_fops = {
742 .owner = THIS_MODULE,
743 .unlocked_ioctl = snp_guest_ioctl,
744};
745
746static u8 *get_vmpck(int id, struct snp_secrets_page_layout *layout, u32 **seqno)
747{
748 u8 *key = NULL;
749
750 switch (id) {
751 case 0:
752 *seqno = &layout->os_area.msg_seqno_0;
753 key = layout->vmpck0;
754 break;
755 case 1:
756 *seqno = &layout->os_area.msg_seqno_1;
757 key = layout->vmpck1;
758 break;
759 case 2:
760 *seqno = &layout->os_area.msg_seqno_2;
761 key = layout->vmpck2;
762 break;
763 case 3:
764 *seqno = &layout->os_area.msg_seqno_3;
765 key = layout->vmpck3;
766 break;
767 default:
768 break;
769 }
770
771 return key;
772}
773
774struct snp_msg_report_resp_hdr {
775 u32 status;
776 u32 report_size;
777 u8 rsvd[24];
778};
779
780struct snp_msg_cert_entry {
781 guid_t guid;
782 u32 offset;
783 u32 length;
784};
785
786static int sev_report_new(struct tsm_report *report, void *data)
787{
788 struct snp_msg_cert_entry *cert_table;
789 struct tsm_desc *desc = &report->desc;
790 struct snp_guest_dev *snp_dev = data;
791 struct snp_msg_report_resp_hdr hdr;
792 const u32 report_size = SZ_4K;
793 const u32 ext_size = SEV_FW_BLOB_MAX_SIZE;
794 u32 certs_size, i, size = report_size + ext_size;
795 int ret;
796
797 if (desc->inblob_len != SNP_REPORT_USER_DATA_SIZE)
798 return -EINVAL;
799
800 void *buf __free(kvfree) = kvzalloc(size, GFP_KERNEL);
801 if (!buf)
802 return -ENOMEM;
803
804 guard(mutex)(&snp_cmd_mutex);
805
806 /* Check if the VMPCK is not empty */
807 if (is_vmpck_empty(snp_dev)) {
808 dev_err_ratelimited(snp_dev->dev, "VMPCK is disabled\n");
809 return -ENOTTY;
810 }
811
812 cert_table = buf + report_size;
813 struct snp_ext_report_req ext_req = {
814 .data = { .vmpl = desc->privlevel },
815 .certs_address = (__u64)cert_table,
816 .certs_len = ext_size,
817 };
818 memcpy(&ext_req.data.user_data, desc->inblob, desc->inblob_len);
819
820 struct snp_guest_request_ioctl input = {
821 .msg_version = 1,
822 .req_data = (__u64)&ext_req,
823 .resp_data = (__u64)buf,
824 .exitinfo2 = 0xff,
825 };
826 struct snp_req_resp io = {
827 .req_data = KERNEL_SOCKPTR(&ext_req),
828 .resp_data = KERNEL_SOCKPTR(buf),
829 };
830
831 ret = get_ext_report(snp_dev, &input, &io);
832 if (ret)
833 return ret;
834
835 memcpy(&hdr, buf, sizeof(hdr));
836 if (hdr.status == SEV_RET_INVALID_PARAM)
837 return -EINVAL;
838 if (hdr.status == SEV_RET_INVALID_KEY)
839 return -EINVAL;
840 if (hdr.status)
841 return -ENXIO;
842 if ((hdr.report_size + sizeof(hdr)) > report_size)
843 return -ENOMEM;
844
845 void *rbuf __free(kvfree) = kvzalloc(hdr.report_size, GFP_KERNEL);
846 if (!rbuf)
847 return -ENOMEM;
848
849 memcpy(rbuf, buf + sizeof(hdr), hdr.report_size);
850 report->outblob = no_free_ptr(rbuf);
851 report->outblob_len = hdr.report_size;
852
853 certs_size = 0;
854 for (i = 0; i < ext_size / sizeof(struct snp_msg_cert_entry); i++) {
855 struct snp_msg_cert_entry *ent = &cert_table[i];
856
857 if (guid_is_null(&ent->guid) && !ent->offset && !ent->length)
858 break;
859 certs_size = max(certs_size, ent->offset + ent->length);
860 }
861
862 /* Suspicious that the response populated entries without populating size */
863 if (!certs_size && i)
864 dev_warn_ratelimited(snp_dev->dev, "certificate slots conveyed without size\n");
865
866 /* No certs to report */
867 if (!certs_size)
868 return 0;
869
870 /* Suspicious that the certificate blob size contract was violated
871 */
872 if (certs_size > ext_size) {
873 dev_warn_ratelimited(snp_dev->dev, "certificate data truncated\n");
874 certs_size = ext_size;
875 }
876
877 void *cbuf __free(kvfree) = kvzalloc(certs_size, GFP_KERNEL);
878 if (!cbuf)
879 return -ENOMEM;
880
881 memcpy(cbuf, cert_table, certs_size);
882 report->auxblob = no_free_ptr(cbuf);
883 report->auxblob_len = certs_size;
884
885 return 0;
886}
887
888static const struct tsm_ops sev_tsm_ops = {
889 .name = KBUILD_MODNAME,
890 .report_new = sev_report_new,
891};
892
893static void unregister_sev_tsm(void *data)
894{
895 tsm_unregister(&sev_tsm_ops);
896}
897
898static int __init sev_guest_probe(struct platform_device *pdev)
899{
900 struct snp_secrets_page_layout *layout;
901 struct sev_guest_platform_data *data;
902 struct device *dev = &pdev->dev;
903 struct snp_guest_dev *snp_dev;
904 struct miscdevice *misc;
905 void __iomem *mapping;
906 int ret;
907
908 if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP))
909 return -ENODEV;
910
911 if (!dev->platform_data)
912 return -ENODEV;
913
914 data = (struct sev_guest_platform_data *)dev->platform_data;
915 mapping = ioremap_encrypted(data->secrets_gpa, PAGE_SIZE);
916 if (!mapping)
917 return -ENODEV;
918
919 layout = (__force void *)mapping;
920
921 ret = -ENOMEM;
922 snp_dev = devm_kzalloc(&pdev->dev, sizeof(struct snp_guest_dev), GFP_KERNEL);
923 if (!snp_dev)
924 goto e_unmap;
925
926 ret = -EINVAL;
927 snp_dev->vmpck = get_vmpck(vmpck_id, layout, &snp_dev->os_area_msg_seqno);
928 if (!snp_dev->vmpck) {
929 dev_err(dev, "invalid vmpck id %d\n", vmpck_id);
930 goto e_unmap;
931 }
932
933 /* Verify that VMPCK is not zero. */
934 if (is_vmpck_empty(snp_dev)) {
935 dev_err(dev, "vmpck id %d is null\n", vmpck_id);
936 goto e_unmap;
937 }
938
939 platform_set_drvdata(pdev, snp_dev);
940 snp_dev->dev = dev;
941 snp_dev->layout = layout;
942
943 /* Allocate the shared page used for the request and response message. */
944 snp_dev->request = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
945 if (!snp_dev->request)
946 goto e_unmap;
947
948 snp_dev->response = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
949 if (!snp_dev->response)
950 goto e_free_request;
951
952 snp_dev->certs_data = alloc_shared_pages(dev, SEV_FW_BLOB_MAX_SIZE);
953 if (!snp_dev->certs_data)
954 goto e_free_response;
955
956 ret = -EIO;
957 snp_dev->crypto = init_crypto(snp_dev, snp_dev->vmpck, VMPCK_KEY_LEN);
958 if (!snp_dev->crypto)
959 goto e_free_cert_data;
960
961 misc = &snp_dev->misc;
962 misc->minor = MISC_DYNAMIC_MINOR;
963 misc->name = DEVICE_NAME;
964 misc->fops = &snp_guest_fops;
965
966 /* initial the input address for guest request */
967 snp_dev->input.req_gpa = __pa(snp_dev->request);
968 snp_dev->input.resp_gpa = __pa(snp_dev->response);
969 snp_dev->input.data_gpa = __pa(snp_dev->certs_data);
970
971 ret = tsm_register(&sev_tsm_ops, snp_dev, &tsm_report_extra_type);
972 if (ret)
973 goto e_free_cert_data;
974
975 ret = devm_add_action_or_reset(&pdev->dev, unregister_sev_tsm, NULL);
976 if (ret)
977 goto e_free_cert_data;
978
979 ret = misc_register(misc);
980 if (ret)
981 goto e_free_cert_data;
982
983 dev_info(dev, "Initialized SEV guest driver (using vmpck_id %d)\n", vmpck_id);
984 return 0;
985
986e_free_cert_data:
987 free_shared_pages(snp_dev->certs_data, SEV_FW_BLOB_MAX_SIZE);
988e_free_response:
989 free_shared_pages(snp_dev->response, sizeof(struct snp_guest_msg));
990e_free_request:
991 free_shared_pages(snp_dev->request, sizeof(struct snp_guest_msg));
992e_unmap:
993 iounmap(mapping);
994 return ret;
995}
996
997static void __exit sev_guest_remove(struct platform_device *pdev)
998{
999 struct snp_guest_dev *snp_dev = platform_get_drvdata(pdev);
1000
1001 free_shared_pages(snp_dev->certs_data, SEV_FW_BLOB_MAX_SIZE);
1002 free_shared_pages(snp_dev->response, sizeof(struct snp_guest_msg));
1003 free_shared_pages(snp_dev->request, sizeof(struct snp_guest_msg));
1004 deinit_crypto(snp_dev->crypto);
1005 misc_deregister(&snp_dev->misc);
1006}
1007
1008/*
1009 * This driver is meant to be a common SEV guest interface driver and to
1010 * support any SEV guest API. As such, even though it has been introduced
1011 * with the SEV-SNP support, it is named "sev-guest".
1012 */
1013static struct platform_driver sev_guest_driver = {
1014 .remove_new = __exit_p(sev_guest_remove),
1015 .driver = {
1016 .name = "sev-guest",
1017 },
1018};
1019
1020module_platform_driver_probe(sev_guest_driver, sev_guest_probe);
1021
1022MODULE_AUTHOR("Brijesh Singh <brijesh.singh@amd.com>");
1023MODULE_LICENSE("GPL");
1024MODULE_VERSION("1.0.0");
1025MODULE_DESCRIPTION("AMD SEV Guest Driver");
1026MODULE_ALIAS("platform:sev-guest");
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AMD Secure Encrypted Virtualization (SEV) guest driver interface
4 *
5 * Copyright (C) 2021-2024 Advanced Micro Devices, Inc.
6 *
7 * Author: Brijesh Singh <brijesh.singh@amd.com>
8 */
9
10#include <linux/module.h>
11#include <linux/kernel.h>
12#include <linux/types.h>
13#include <linux/mutex.h>
14#include <linux/io.h>
15#include <linux/platform_device.h>
16#include <linux/miscdevice.h>
17#include <linux/set_memory.h>
18#include <linux/fs.h>
19#include <linux/tsm.h>
20#include <crypto/gcm.h>
21#include <linux/psp-sev.h>
22#include <linux/sockptr.h>
23#include <linux/cleanup.h>
24#include <linux/uuid.h>
25#include <linux/configfs.h>
26#include <uapi/linux/sev-guest.h>
27#include <uapi/linux/psp-sev.h>
28
29#include <asm/svm.h>
30#include <asm/sev.h>
31
32#define DEVICE_NAME "sev-guest"
33
34#define SNP_REQ_MAX_RETRY_DURATION (60*HZ)
35#define SNP_REQ_RETRY_DELAY (2*HZ)
36
37#define SVSM_MAX_RETRIES 3
38
39struct snp_guest_dev {
40 struct device *dev;
41 struct miscdevice misc;
42
43 struct snp_msg_desc *msg_desc;
44};
45
46/*
47 * The VMPCK ID represents the key used by the SNP guest to communicate with the
48 * SEV firmware in the AMD Secure Processor (ASP, aka PSP). By default, the key
49 * used will be the key associated with the VMPL at which the guest is running.
50 * Should the default key be wiped (see snp_disable_vmpck()), this parameter
51 * allows for using one of the remaining VMPCKs.
52 */
53static int vmpck_id = -1;
54module_param(vmpck_id, int, 0444);
55MODULE_PARM_DESC(vmpck_id, "The VMPCK ID to use when communicating with the PSP.");
56
57/* Mutex to serialize the shared buffer access and command handling. */
58static DEFINE_MUTEX(snp_cmd_mutex);
59
60static bool is_vmpck_empty(struct snp_msg_desc *mdesc)
61{
62 char zero_key[VMPCK_KEY_LEN] = {0};
63
64 if (mdesc->vmpck)
65 return !memcmp(mdesc->vmpck, zero_key, VMPCK_KEY_LEN);
66
67 return true;
68}
69
70/*
71 * If an error is received from the host or AMD Secure Processor (ASP) there
72 * are two options. Either retry the exact same encrypted request or discontinue
73 * using the VMPCK.
74 *
75 * This is because in the current encryption scheme GHCB v2 uses AES-GCM to
76 * encrypt the requests. The IV for this scheme is the sequence number. GCM
77 * cannot tolerate IV reuse.
78 *
79 * The ASP FW v1.51 only increments the sequence numbers on a successful
80 * guest<->ASP back and forth and only accepts messages at its exact sequence
81 * number.
82 *
83 * So if the sequence number were to be reused the encryption scheme is
84 * vulnerable. If the sequence number were incremented for a fresh IV the ASP
85 * will reject the request.
86 */
87static void snp_disable_vmpck(struct snp_msg_desc *mdesc)
88{
89 pr_alert("Disabling VMPCK%d communication key to prevent IV reuse.\n",
90 vmpck_id);
91 memzero_explicit(mdesc->vmpck, VMPCK_KEY_LEN);
92 mdesc->vmpck = NULL;
93}
94
95static inline u64 __snp_get_msg_seqno(struct snp_msg_desc *mdesc)
96{
97 u64 count;
98
99 lockdep_assert_held(&snp_cmd_mutex);
100
101 /* Read the current message sequence counter from secrets pages */
102 count = *mdesc->os_area_msg_seqno;
103
104 return count + 1;
105}
106
107/* Return a non-zero on success */
108static u64 snp_get_msg_seqno(struct snp_msg_desc *mdesc)
109{
110 u64 count = __snp_get_msg_seqno(mdesc);
111
112 /*
113 * The message sequence counter for the SNP guest request is a 64-bit
114 * value but the version 2 of GHCB specification defines a 32-bit storage
115 * for it. If the counter exceeds the 32-bit value then return zero.
116 * The caller should check the return value, but if the caller happens to
117 * not check the value and use it, then the firmware treats zero as an
118 * invalid number and will fail the message request.
119 */
120 if (count >= UINT_MAX) {
121 pr_err("request message sequence counter overflow\n");
122 return 0;
123 }
124
125 return count;
126}
127
128static void snp_inc_msg_seqno(struct snp_msg_desc *mdesc)
129{
130 /*
131 * The counter is also incremented by the PSP, so increment it by 2
132 * and save in secrets page.
133 */
134 *mdesc->os_area_msg_seqno += 2;
135}
136
137static inline struct snp_guest_dev *to_snp_dev(struct file *file)
138{
139 struct miscdevice *dev = file->private_data;
140
141 return container_of(dev, struct snp_guest_dev, misc);
142}
143
144static struct aesgcm_ctx *snp_init_crypto(u8 *key, size_t keylen)
145{
146 struct aesgcm_ctx *ctx;
147
148 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL_ACCOUNT);
149 if (!ctx)
150 return NULL;
151
152 if (aesgcm_expandkey(ctx, key, keylen, AUTHTAG_LEN)) {
153 pr_err("Crypto context initialization failed\n");
154 kfree(ctx);
155 return NULL;
156 }
157
158 return ctx;
159}
160
161static int verify_and_dec_payload(struct snp_msg_desc *mdesc, struct snp_guest_req *req)
162{
163 struct snp_guest_msg *resp_msg = &mdesc->secret_response;
164 struct snp_guest_msg *req_msg = &mdesc->secret_request;
165 struct snp_guest_msg_hdr *req_msg_hdr = &req_msg->hdr;
166 struct snp_guest_msg_hdr *resp_msg_hdr = &resp_msg->hdr;
167 struct aesgcm_ctx *ctx = mdesc->ctx;
168 u8 iv[GCM_AES_IV_SIZE] = {};
169
170 pr_debug("response [seqno %lld type %d version %d sz %d]\n",
171 resp_msg_hdr->msg_seqno, resp_msg_hdr->msg_type, resp_msg_hdr->msg_version,
172 resp_msg_hdr->msg_sz);
173
174 /* Copy response from shared memory to encrypted memory. */
175 memcpy(resp_msg, mdesc->response, sizeof(*resp_msg));
176
177 /* Verify that the sequence counter is incremented by 1 */
178 if (unlikely(resp_msg_hdr->msg_seqno != (req_msg_hdr->msg_seqno + 1)))
179 return -EBADMSG;
180
181 /* Verify response message type and version number. */
182 if (resp_msg_hdr->msg_type != (req_msg_hdr->msg_type + 1) ||
183 resp_msg_hdr->msg_version != req_msg_hdr->msg_version)
184 return -EBADMSG;
185
186 /*
187 * If the message size is greater than our buffer length then return
188 * an error.
189 */
190 if (unlikely((resp_msg_hdr->msg_sz + ctx->authsize) > req->resp_sz))
191 return -EBADMSG;
192
193 /* Decrypt the payload */
194 memcpy(iv, &resp_msg_hdr->msg_seqno, min(sizeof(iv), sizeof(resp_msg_hdr->msg_seqno)));
195 if (!aesgcm_decrypt(ctx, req->resp_buf, resp_msg->payload, resp_msg_hdr->msg_sz,
196 &resp_msg_hdr->algo, AAD_LEN, iv, resp_msg_hdr->authtag))
197 return -EBADMSG;
198
199 return 0;
200}
201
202static int enc_payload(struct snp_msg_desc *mdesc, u64 seqno, struct snp_guest_req *req)
203{
204 struct snp_guest_msg *msg = &mdesc->secret_request;
205 struct snp_guest_msg_hdr *hdr = &msg->hdr;
206 struct aesgcm_ctx *ctx = mdesc->ctx;
207 u8 iv[GCM_AES_IV_SIZE] = {};
208
209 memset(msg, 0, sizeof(*msg));
210
211 hdr->algo = SNP_AEAD_AES_256_GCM;
212 hdr->hdr_version = MSG_HDR_VER;
213 hdr->hdr_sz = sizeof(*hdr);
214 hdr->msg_type = req->msg_type;
215 hdr->msg_version = req->msg_version;
216 hdr->msg_seqno = seqno;
217 hdr->msg_vmpck = req->vmpck_id;
218 hdr->msg_sz = req->req_sz;
219
220 /* Verify the sequence number is non-zero */
221 if (!hdr->msg_seqno)
222 return -ENOSR;
223
224 pr_debug("request [seqno %lld type %d version %d sz %d]\n",
225 hdr->msg_seqno, hdr->msg_type, hdr->msg_version, hdr->msg_sz);
226
227 if (WARN_ON((req->req_sz + ctx->authsize) > sizeof(msg->payload)))
228 return -EBADMSG;
229
230 memcpy(iv, &hdr->msg_seqno, min(sizeof(iv), sizeof(hdr->msg_seqno)));
231 aesgcm_encrypt(ctx, msg->payload, req->req_buf, req->req_sz, &hdr->algo,
232 AAD_LEN, iv, hdr->authtag);
233
234 return 0;
235}
236
237static int __handle_guest_request(struct snp_msg_desc *mdesc, struct snp_guest_req *req,
238 struct snp_guest_request_ioctl *rio)
239{
240 unsigned long req_start = jiffies;
241 unsigned int override_npages = 0;
242 u64 override_err = 0;
243 int rc;
244
245retry_request:
246 /*
247 * Call firmware to process the request. In this function the encrypted
248 * message enters shared memory with the host. So after this call the
249 * sequence number must be incremented or the VMPCK must be deleted to
250 * prevent reuse of the IV.
251 */
252 rc = snp_issue_guest_request(req, &mdesc->input, rio);
253 switch (rc) {
254 case -ENOSPC:
255 /*
256 * If the extended guest request fails due to having too
257 * small of a certificate data buffer, retry the same
258 * guest request without the extended data request in
259 * order to increment the sequence number and thus avoid
260 * IV reuse.
261 */
262 override_npages = mdesc->input.data_npages;
263 req->exit_code = SVM_VMGEXIT_GUEST_REQUEST;
264
265 /*
266 * Override the error to inform callers the given extended
267 * request buffer size was too small and give the caller the
268 * required buffer size.
269 */
270 override_err = SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN);
271
272 /*
273 * If this call to the firmware succeeds, the sequence number can
274 * be incremented allowing for continued use of the VMPCK. If
275 * there is an error reflected in the return value, this value
276 * is checked further down and the result will be the deletion
277 * of the VMPCK and the error code being propagated back to the
278 * user as an ioctl() return code.
279 */
280 goto retry_request;
281
282 /*
283 * The host may return SNP_GUEST_VMM_ERR_BUSY if the request has been
284 * throttled. Retry in the driver to avoid returning and reusing the
285 * message sequence number on a different message.
286 */
287 case -EAGAIN:
288 if (jiffies - req_start > SNP_REQ_MAX_RETRY_DURATION) {
289 rc = -ETIMEDOUT;
290 break;
291 }
292 schedule_timeout_killable(SNP_REQ_RETRY_DELAY);
293 goto retry_request;
294 }
295
296 /*
297 * Increment the message sequence number. There is no harm in doing
298 * this now because decryption uses the value stored in the response
299 * structure and any failure will wipe the VMPCK, preventing further
300 * use anyway.
301 */
302 snp_inc_msg_seqno(mdesc);
303
304 if (override_err) {
305 rio->exitinfo2 = override_err;
306
307 /*
308 * If an extended guest request was issued and the supplied certificate
309 * buffer was not large enough, a standard guest request was issued to
310 * prevent IV reuse. If the standard request was successful, return -EIO
311 * back to the caller as would have originally been returned.
312 */
313 if (!rc && override_err == SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN))
314 rc = -EIO;
315 }
316
317 if (override_npages)
318 mdesc->input.data_npages = override_npages;
319
320 return rc;
321}
322
323static int snp_send_guest_request(struct snp_msg_desc *mdesc, struct snp_guest_req *req,
324 struct snp_guest_request_ioctl *rio)
325{
326 u64 seqno;
327 int rc;
328
329 guard(mutex)(&snp_cmd_mutex);
330
331 /* Check if the VMPCK is not empty */
332 if (is_vmpck_empty(mdesc)) {
333 pr_err_ratelimited("VMPCK is disabled\n");
334 return -ENOTTY;
335 }
336
337 /* Get message sequence and verify that its a non-zero */
338 seqno = snp_get_msg_seqno(mdesc);
339 if (!seqno)
340 return -EIO;
341
342 /* Clear shared memory's response for the host to populate. */
343 memset(mdesc->response, 0, sizeof(struct snp_guest_msg));
344
345 /* Encrypt the userspace provided payload in mdesc->secret_request. */
346 rc = enc_payload(mdesc, seqno, req);
347 if (rc)
348 return rc;
349
350 /*
351 * Write the fully encrypted request to the shared unencrypted
352 * request page.
353 */
354 memcpy(mdesc->request, &mdesc->secret_request,
355 sizeof(mdesc->secret_request));
356
357 rc = __handle_guest_request(mdesc, req, rio);
358 if (rc) {
359 if (rc == -EIO &&
360 rio->exitinfo2 == SNP_GUEST_VMM_ERR(SNP_GUEST_VMM_ERR_INVALID_LEN))
361 return rc;
362
363 pr_alert("Detected error from ASP request. rc: %d, exitinfo2: 0x%llx\n",
364 rc, rio->exitinfo2);
365
366 snp_disable_vmpck(mdesc);
367 return rc;
368 }
369
370 rc = verify_and_dec_payload(mdesc, req);
371 if (rc) {
372 pr_alert("Detected unexpected decode failure from ASP. rc: %d\n", rc);
373 snp_disable_vmpck(mdesc);
374 return rc;
375 }
376
377 return 0;
378}
379
380struct snp_req_resp {
381 sockptr_t req_data;
382 sockptr_t resp_data;
383};
384
385static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
386{
387 struct snp_report_req *report_req __free(kfree) = NULL;
388 struct snp_msg_desc *mdesc = snp_dev->msg_desc;
389 struct snp_report_resp *report_resp;
390 struct snp_guest_req req = {};
391 int rc, resp_len;
392
393 if (!arg->req_data || !arg->resp_data)
394 return -EINVAL;
395
396 report_req = kzalloc(sizeof(*report_req), GFP_KERNEL_ACCOUNT);
397 if (!report_req)
398 return -ENOMEM;
399
400 if (copy_from_user(report_req, (void __user *)arg->req_data, sizeof(*report_req)))
401 return -EFAULT;
402
403 /*
404 * The intermediate response buffer is used while decrypting the
405 * response payload. Make sure that it has enough space to cover the
406 * authtag.
407 */
408 resp_len = sizeof(report_resp->data) + mdesc->ctx->authsize;
409 report_resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
410 if (!report_resp)
411 return -ENOMEM;
412
413 req.msg_version = arg->msg_version;
414 req.msg_type = SNP_MSG_REPORT_REQ;
415 req.vmpck_id = vmpck_id;
416 req.req_buf = report_req;
417 req.req_sz = sizeof(*report_req);
418 req.resp_buf = report_resp->data;
419 req.resp_sz = resp_len;
420 req.exit_code = SVM_VMGEXIT_GUEST_REQUEST;
421
422 rc = snp_send_guest_request(mdesc, &req, arg);
423 if (rc)
424 goto e_free;
425
426 if (copy_to_user((void __user *)arg->resp_data, report_resp, sizeof(*report_resp)))
427 rc = -EFAULT;
428
429e_free:
430 kfree(report_resp);
431 return rc;
432}
433
434static int get_derived_key(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
435{
436 struct snp_derived_key_req *derived_key_req __free(kfree) = NULL;
437 struct snp_derived_key_resp derived_key_resp = {0};
438 struct snp_msg_desc *mdesc = snp_dev->msg_desc;
439 struct snp_guest_req req = {};
440 int rc, resp_len;
441 /* Response data is 64 bytes and max authsize for GCM is 16 bytes. */
442 u8 buf[64 + 16];
443
444 if (!arg->req_data || !arg->resp_data)
445 return -EINVAL;
446
447 /*
448 * The intermediate response buffer is used while decrypting the
449 * response payload. Make sure that it has enough space to cover the
450 * authtag.
451 */
452 resp_len = sizeof(derived_key_resp.data) + mdesc->ctx->authsize;
453 if (sizeof(buf) < resp_len)
454 return -ENOMEM;
455
456 derived_key_req = kzalloc(sizeof(*derived_key_req), GFP_KERNEL_ACCOUNT);
457 if (!derived_key_req)
458 return -ENOMEM;
459
460 if (copy_from_user(derived_key_req, (void __user *)arg->req_data,
461 sizeof(*derived_key_req)))
462 return -EFAULT;
463
464 req.msg_version = arg->msg_version;
465 req.msg_type = SNP_MSG_KEY_REQ;
466 req.vmpck_id = vmpck_id;
467 req.req_buf = derived_key_req;
468 req.req_sz = sizeof(*derived_key_req);
469 req.resp_buf = buf;
470 req.resp_sz = resp_len;
471 req.exit_code = SVM_VMGEXIT_GUEST_REQUEST;
472
473 rc = snp_send_guest_request(mdesc, &req, arg);
474 if (rc)
475 return rc;
476
477 memcpy(derived_key_resp.data, buf, sizeof(derived_key_resp.data));
478 if (copy_to_user((void __user *)arg->resp_data, &derived_key_resp,
479 sizeof(derived_key_resp)))
480 rc = -EFAULT;
481
482 /* The response buffer contains the sensitive data, explicitly clear it. */
483 memzero_explicit(buf, sizeof(buf));
484 memzero_explicit(&derived_key_resp, sizeof(derived_key_resp));
485 return rc;
486}
487
488static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg,
489 struct snp_req_resp *io)
490
491{
492 struct snp_ext_report_req *report_req __free(kfree) = NULL;
493 struct snp_msg_desc *mdesc = snp_dev->msg_desc;
494 struct snp_report_resp *report_resp;
495 struct snp_guest_req req = {};
496 int ret, npages = 0, resp_len;
497 sockptr_t certs_address;
498
499 if (sockptr_is_null(io->req_data) || sockptr_is_null(io->resp_data))
500 return -EINVAL;
501
502 report_req = kzalloc(sizeof(*report_req), GFP_KERNEL_ACCOUNT);
503 if (!report_req)
504 return -ENOMEM;
505
506 if (copy_from_sockptr(report_req, io->req_data, sizeof(*report_req)))
507 return -EFAULT;
508
509 /* caller does not want certificate data */
510 if (!report_req->certs_len || !report_req->certs_address)
511 goto cmd;
512
513 if (report_req->certs_len > SEV_FW_BLOB_MAX_SIZE ||
514 !IS_ALIGNED(report_req->certs_len, PAGE_SIZE))
515 return -EINVAL;
516
517 if (sockptr_is_kernel(io->resp_data)) {
518 certs_address = KERNEL_SOCKPTR((void *)report_req->certs_address);
519 } else {
520 certs_address = USER_SOCKPTR((void __user *)report_req->certs_address);
521 if (!access_ok(certs_address.user, report_req->certs_len))
522 return -EFAULT;
523 }
524
525 /*
526 * Initialize the intermediate buffer with all zeros. This buffer
527 * is used in the guest request message to get the certs blob from
528 * the host. If host does not supply any certs in it, then copy
529 * zeros to indicate that certificate data was not provided.
530 */
531 memset(mdesc->certs_data, 0, report_req->certs_len);
532 npages = report_req->certs_len >> PAGE_SHIFT;
533cmd:
534 /*
535 * The intermediate response buffer is used while decrypting the
536 * response payload. Make sure that it has enough space to cover the
537 * authtag.
538 */
539 resp_len = sizeof(report_resp->data) + mdesc->ctx->authsize;
540 report_resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
541 if (!report_resp)
542 return -ENOMEM;
543
544 mdesc->input.data_npages = npages;
545
546 req.msg_version = arg->msg_version;
547 req.msg_type = SNP_MSG_REPORT_REQ;
548 req.vmpck_id = vmpck_id;
549 req.req_buf = &report_req->data;
550 req.req_sz = sizeof(report_req->data);
551 req.resp_buf = report_resp->data;
552 req.resp_sz = resp_len;
553 req.exit_code = SVM_VMGEXIT_EXT_GUEST_REQUEST;
554
555 ret = snp_send_guest_request(mdesc, &req, arg);
556
557 /* If certs length is invalid then copy the returned length */
558 if (arg->vmm_error == SNP_GUEST_VMM_ERR_INVALID_LEN) {
559 report_req->certs_len = mdesc->input.data_npages << PAGE_SHIFT;
560
561 if (copy_to_sockptr(io->req_data, report_req, sizeof(*report_req)))
562 ret = -EFAULT;
563 }
564
565 if (ret)
566 goto e_free;
567
568 if (npages && copy_to_sockptr(certs_address, mdesc->certs_data, report_req->certs_len)) {
569 ret = -EFAULT;
570 goto e_free;
571 }
572
573 if (copy_to_sockptr(io->resp_data, report_resp, sizeof(*report_resp)))
574 ret = -EFAULT;
575
576e_free:
577 kfree(report_resp);
578 return ret;
579}
580
581static long snp_guest_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
582{
583 struct snp_guest_dev *snp_dev = to_snp_dev(file);
584 void __user *argp = (void __user *)arg;
585 struct snp_guest_request_ioctl input;
586 struct snp_req_resp io;
587 int ret = -ENOTTY;
588
589 if (copy_from_user(&input, argp, sizeof(input)))
590 return -EFAULT;
591
592 input.exitinfo2 = 0xff;
593
594 /* Message version must be non-zero */
595 if (!input.msg_version)
596 return -EINVAL;
597
598 switch (ioctl) {
599 case SNP_GET_REPORT:
600 ret = get_report(snp_dev, &input);
601 break;
602 case SNP_GET_DERIVED_KEY:
603 ret = get_derived_key(snp_dev, &input);
604 break;
605 case SNP_GET_EXT_REPORT:
606 /*
607 * As get_ext_report() may be called from the ioctl() path and a
608 * kernel internal path (configfs-tsm), decorate the passed
609 * buffers as user pointers.
610 */
611 io.req_data = USER_SOCKPTR((void __user *)input.req_data);
612 io.resp_data = USER_SOCKPTR((void __user *)input.resp_data);
613 ret = get_ext_report(snp_dev, &input, &io);
614 break;
615 default:
616 break;
617 }
618
619 if (input.exitinfo2 && copy_to_user(argp, &input, sizeof(input)))
620 return -EFAULT;
621
622 return ret;
623}
624
625static void free_shared_pages(void *buf, size_t sz)
626{
627 unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
628 int ret;
629
630 if (!buf)
631 return;
632
633 ret = set_memory_encrypted((unsigned long)buf, npages);
634 if (ret) {
635 WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
636 return;
637 }
638
639 __free_pages(virt_to_page(buf), get_order(sz));
640}
641
642static void *alloc_shared_pages(struct device *dev, size_t sz)
643{
644 unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
645 struct page *page;
646 int ret;
647
648 page = alloc_pages(GFP_KERNEL_ACCOUNT, get_order(sz));
649 if (!page)
650 return NULL;
651
652 ret = set_memory_decrypted((unsigned long)page_address(page), npages);
653 if (ret) {
654 dev_err(dev, "failed to mark page shared, ret=%d\n", ret);
655 __free_pages(page, get_order(sz));
656 return NULL;
657 }
658
659 return page_address(page);
660}
661
662static const struct file_operations snp_guest_fops = {
663 .owner = THIS_MODULE,
664 .unlocked_ioctl = snp_guest_ioctl,
665};
666
667static u8 *get_vmpck(int id, struct snp_secrets_page *secrets, u32 **seqno)
668{
669 u8 *key = NULL;
670
671 switch (id) {
672 case 0:
673 *seqno = &secrets->os_area.msg_seqno_0;
674 key = secrets->vmpck0;
675 break;
676 case 1:
677 *seqno = &secrets->os_area.msg_seqno_1;
678 key = secrets->vmpck1;
679 break;
680 case 2:
681 *seqno = &secrets->os_area.msg_seqno_2;
682 key = secrets->vmpck2;
683 break;
684 case 3:
685 *seqno = &secrets->os_area.msg_seqno_3;
686 key = secrets->vmpck3;
687 break;
688 default:
689 break;
690 }
691
692 return key;
693}
694
695struct snp_msg_report_resp_hdr {
696 u32 status;
697 u32 report_size;
698 u8 rsvd[24];
699};
700
701struct snp_msg_cert_entry {
702 guid_t guid;
703 u32 offset;
704 u32 length;
705};
706
707static int sev_svsm_report_new(struct tsm_report *report, void *data)
708{
709 unsigned int rep_len, man_len, certs_len;
710 struct tsm_desc *desc = &report->desc;
711 struct svsm_attest_call ac = {};
712 unsigned int retry_count;
713 void *rep, *man, *certs;
714 struct svsm_call call;
715 unsigned int size;
716 bool try_again;
717 void *buffer;
718 u64 call_id;
719 int ret;
720
721 /*
722 * Allocate pages for the request:
723 * - Report blob (4K)
724 * - Manifest blob (4K)
725 * - Certificate blob (16K)
726 *
727 * Above addresses must be 4K aligned
728 */
729 rep_len = SZ_4K;
730 man_len = SZ_4K;
731 certs_len = SEV_FW_BLOB_MAX_SIZE;
732
733 if (guid_is_null(&desc->service_guid)) {
734 call_id = SVSM_ATTEST_CALL(SVSM_ATTEST_SERVICES);
735 } else {
736 export_guid(ac.service_guid, &desc->service_guid);
737 ac.service_manifest_ver = desc->service_manifest_version;
738
739 call_id = SVSM_ATTEST_CALL(SVSM_ATTEST_SINGLE_SERVICE);
740 }
741
742 retry_count = 0;
743
744retry:
745 memset(&call, 0, sizeof(call));
746
747 size = rep_len + man_len + certs_len;
748 buffer = alloc_pages_exact(size, __GFP_ZERO);
749 if (!buffer)
750 return -ENOMEM;
751
752 rep = buffer;
753 ac.report_buf.pa = __pa(rep);
754 ac.report_buf.len = rep_len;
755
756 man = rep + rep_len;
757 ac.manifest_buf.pa = __pa(man);
758 ac.manifest_buf.len = man_len;
759
760 certs = man + man_len;
761 ac.certificates_buf.pa = __pa(certs);
762 ac.certificates_buf.len = certs_len;
763
764 ac.nonce.pa = __pa(desc->inblob);
765 ac.nonce.len = desc->inblob_len;
766
767 ret = snp_issue_svsm_attest_req(call_id, &call, &ac);
768 if (ret) {
769 free_pages_exact(buffer, size);
770
771 switch (call.rax_out) {
772 case SVSM_ERR_INVALID_PARAMETER:
773 try_again = false;
774
775 if (ac.report_buf.len > rep_len) {
776 rep_len = PAGE_ALIGN(ac.report_buf.len);
777 try_again = true;
778 }
779
780 if (ac.manifest_buf.len > man_len) {
781 man_len = PAGE_ALIGN(ac.manifest_buf.len);
782 try_again = true;
783 }
784
785 if (ac.certificates_buf.len > certs_len) {
786 certs_len = PAGE_ALIGN(ac.certificates_buf.len);
787 try_again = true;
788 }
789
790 /* If one of the buffers wasn't large enough, retry the request */
791 if (try_again && retry_count < SVSM_MAX_RETRIES) {
792 retry_count++;
793 goto retry;
794 }
795
796 return -EINVAL;
797 default:
798 pr_err_ratelimited("SVSM attestation request failed (%d / 0x%llx)\n",
799 ret, call.rax_out);
800 return -EINVAL;
801 }
802 }
803
804 /*
805 * Allocate all the blob memory buffers at once so that the cleanup is
806 * done for errors that occur after the first allocation (i.e. before
807 * using no_free_ptr()).
808 */
809 rep_len = ac.report_buf.len;
810 void *rbuf __free(kvfree) = kvzalloc(rep_len, GFP_KERNEL);
811
812 man_len = ac.manifest_buf.len;
813 void *mbuf __free(kvfree) = kvzalloc(man_len, GFP_KERNEL);
814
815 certs_len = ac.certificates_buf.len;
816 void *cbuf __free(kvfree) = certs_len ? kvzalloc(certs_len, GFP_KERNEL) : NULL;
817
818 if (!rbuf || !mbuf || (certs_len && !cbuf)) {
819 free_pages_exact(buffer, size);
820 return -ENOMEM;
821 }
822
823 memcpy(rbuf, rep, rep_len);
824 report->outblob = no_free_ptr(rbuf);
825 report->outblob_len = rep_len;
826
827 memcpy(mbuf, man, man_len);
828 report->manifestblob = no_free_ptr(mbuf);
829 report->manifestblob_len = man_len;
830
831 if (certs_len) {
832 memcpy(cbuf, certs, certs_len);
833 report->auxblob = no_free_ptr(cbuf);
834 report->auxblob_len = certs_len;
835 }
836
837 free_pages_exact(buffer, size);
838
839 return 0;
840}
841
842static int sev_report_new(struct tsm_report *report, void *data)
843{
844 struct snp_msg_cert_entry *cert_table;
845 struct tsm_desc *desc = &report->desc;
846 struct snp_guest_dev *snp_dev = data;
847 struct snp_msg_report_resp_hdr hdr;
848 const u32 report_size = SZ_4K;
849 const u32 ext_size = SEV_FW_BLOB_MAX_SIZE;
850 u32 certs_size, i, size = report_size + ext_size;
851 int ret;
852
853 if (desc->inblob_len != SNP_REPORT_USER_DATA_SIZE)
854 return -EINVAL;
855
856 if (desc->service_provider) {
857 if (strcmp(desc->service_provider, "svsm"))
858 return -EINVAL;
859
860 return sev_svsm_report_new(report, data);
861 }
862
863 void *buf __free(kvfree) = kvzalloc(size, GFP_KERNEL);
864 if (!buf)
865 return -ENOMEM;
866
867 cert_table = buf + report_size;
868 struct snp_ext_report_req ext_req = {
869 .data = { .vmpl = desc->privlevel },
870 .certs_address = (__u64)cert_table,
871 .certs_len = ext_size,
872 };
873 memcpy(&ext_req.data.user_data, desc->inblob, desc->inblob_len);
874
875 struct snp_guest_request_ioctl input = {
876 .msg_version = 1,
877 .req_data = (__u64)&ext_req,
878 .resp_data = (__u64)buf,
879 .exitinfo2 = 0xff,
880 };
881 struct snp_req_resp io = {
882 .req_data = KERNEL_SOCKPTR(&ext_req),
883 .resp_data = KERNEL_SOCKPTR(buf),
884 };
885
886 ret = get_ext_report(snp_dev, &input, &io);
887 if (ret)
888 return ret;
889
890 memcpy(&hdr, buf, sizeof(hdr));
891 if (hdr.status == SEV_RET_INVALID_PARAM)
892 return -EINVAL;
893 if (hdr.status == SEV_RET_INVALID_KEY)
894 return -EINVAL;
895 if (hdr.status)
896 return -ENXIO;
897 if ((hdr.report_size + sizeof(hdr)) > report_size)
898 return -ENOMEM;
899
900 void *rbuf __free(kvfree) = kvzalloc(hdr.report_size, GFP_KERNEL);
901 if (!rbuf)
902 return -ENOMEM;
903
904 memcpy(rbuf, buf + sizeof(hdr), hdr.report_size);
905 report->outblob = no_free_ptr(rbuf);
906 report->outblob_len = hdr.report_size;
907
908 certs_size = 0;
909 for (i = 0; i < ext_size / sizeof(struct snp_msg_cert_entry); i++) {
910 struct snp_msg_cert_entry *ent = &cert_table[i];
911
912 if (guid_is_null(&ent->guid) && !ent->offset && !ent->length)
913 break;
914 certs_size = max(certs_size, ent->offset + ent->length);
915 }
916
917 /* Suspicious that the response populated entries without populating size */
918 if (!certs_size && i)
919 dev_warn_ratelimited(snp_dev->dev, "certificate slots conveyed without size\n");
920
921 /* No certs to report */
922 if (!certs_size)
923 return 0;
924
925 /* Suspicious that the certificate blob size contract was violated
926 */
927 if (certs_size > ext_size) {
928 dev_warn_ratelimited(snp_dev->dev, "certificate data truncated\n");
929 certs_size = ext_size;
930 }
931
932 void *cbuf __free(kvfree) = kvzalloc(certs_size, GFP_KERNEL);
933 if (!cbuf)
934 return -ENOMEM;
935
936 memcpy(cbuf, cert_table, certs_size);
937 report->auxblob = no_free_ptr(cbuf);
938 report->auxblob_len = certs_size;
939
940 return 0;
941}
942
943static bool sev_report_attr_visible(int n)
944{
945 switch (n) {
946 case TSM_REPORT_GENERATION:
947 case TSM_REPORT_PROVIDER:
948 case TSM_REPORT_PRIVLEVEL:
949 case TSM_REPORT_PRIVLEVEL_FLOOR:
950 return true;
951 case TSM_REPORT_SERVICE_PROVIDER:
952 case TSM_REPORT_SERVICE_GUID:
953 case TSM_REPORT_SERVICE_MANIFEST_VER:
954 return snp_vmpl;
955 }
956
957 return false;
958}
959
960static bool sev_report_bin_attr_visible(int n)
961{
962 switch (n) {
963 case TSM_REPORT_INBLOB:
964 case TSM_REPORT_OUTBLOB:
965 case TSM_REPORT_AUXBLOB:
966 return true;
967 case TSM_REPORT_MANIFESTBLOB:
968 return snp_vmpl;
969 }
970
971 return false;
972}
973
974static struct tsm_ops sev_tsm_ops = {
975 .name = KBUILD_MODNAME,
976 .report_new = sev_report_new,
977 .report_attr_visible = sev_report_attr_visible,
978 .report_bin_attr_visible = sev_report_bin_attr_visible,
979};
980
981static void unregister_sev_tsm(void *data)
982{
983 tsm_unregister(&sev_tsm_ops);
984}
985
986static int __init sev_guest_probe(struct platform_device *pdev)
987{
988 struct sev_guest_platform_data *data;
989 struct snp_secrets_page *secrets;
990 struct device *dev = &pdev->dev;
991 struct snp_guest_dev *snp_dev;
992 struct snp_msg_desc *mdesc;
993 struct miscdevice *misc;
994 void __iomem *mapping;
995 int ret;
996
997 BUILD_BUG_ON(sizeof(struct snp_guest_msg) > PAGE_SIZE);
998
999 if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP))
1000 return -ENODEV;
1001
1002 if (!dev->platform_data)
1003 return -ENODEV;
1004
1005 data = (struct sev_guest_platform_data *)dev->platform_data;
1006 mapping = ioremap_encrypted(data->secrets_gpa, PAGE_SIZE);
1007 if (!mapping)
1008 return -ENODEV;
1009
1010 secrets = (__force void *)mapping;
1011
1012 ret = -ENOMEM;
1013 snp_dev = devm_kzalloc(&pdev->dev, sizeof(struct snp_guest_dev), GFP_KERNEL);
1014 if (!snp_dev)
1015 goto e_unmap;
1016
1017 mdesc = devm_kzalloc(&pdev->dev, sizeof(struct snp_msg_desc), GFP_KERNEL);
1018 if (!mdesc)
1019 goto e_unmap;
1020
1021 /* Adjust the default VMPCK key based on the executing VMPL level */
1022 if (vmpck_id == -1)
1023 vmpck_id = snp_vmpl;
1024
1025 ret = -EINVAL;
1026 mdesc->vmpck = get_vmpck(vmpck_id, secrets, &mdesc->os_area_msg_seqno);
1027 if (!mdesc->vmpck) {
1028 dev_err(dev, "Invalid VMPCK%d communication key\n", vmpck_id);
1029 goto e_unmap;
1030 }
1031
1032 /* Verify that VMPCK is not zero. */
1033 if (is_vmpck_empty(mdesc)) {
1034 dev_err(dev, "Empty VMPCK%d communication key\n", vmpck_id);
1035 goto e_unmap;
1036 }
1037
1038 platform_set_drvdata(pdev, snp_dev);
1039 snp_dev->dev = dev;
1040 mdesc->secrets = secrets;
1041
1042 /* Allocate the shared page used for the request and response message. */
1043 mdesc->request = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
1044 if (!mdesc->request)
1045 goto e_unmap;
1046
1047 mdesc->response = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
1048 if (!mdesc->response)
1049 goto e_free_request;
1050
1051 mdesc->certs_data = alloc_shared_pages(dev, SEV_FW_BLOB_MAX_SIZE);
1052 if (!mdesc->certs_data)
1053 goto e_free_response;
1054
1055 ret = -EIO;
1056 mdesc->ctx = snp_init_crypto(mdesc->vmpck, VMPCK_KEY_LEN);
1057 if (!mdesc->ctx)
1058 goto e_free_cert_data;
1059
1060 misc = &snp_dev->misc;
1061 misc->minor = MISC_DYNAMIC_MINOR;
1062 misc->name = DEVICE_NAME;
1063 misc->fops = &snp_guest_fops;
1064
1065 /* Initialize the input addresses for guest request */
1066 mdesc->input.req_gpa = __pa(mdesc->request);
1067 mdesc->input.resp_gpa = __pa(mdesc->response);
1068 mdesc->input.data_gpa = __pa(mdesc->certs_data);
1069
1070 /* Set the privlevel_floor attribute based on the vmpck_id */
1071 sev_tsm_ops.privlevel_floor = vmpck_id;
1072
1073 ret = tsm_register(&sev_tsm_ops, snp_dev);
1074 if (ret)
1075 goto e_free_cert_data;
1076
1077 ret = devm_add_action_or_reset(&pdev->dev, unregister_sev_tsm, NULL);
1078 if (ret)
1079 goto e_free_cert_data;
1080
1081 ret = misc_register(misc);
1082 if (ret)
1083 goto e_free_ctx;
1084
1085 snp_dev->msg_desc = mdesc;
1086 dev_info(dev, "Initialized SEV guest driver (using VMPCK%d communication key)\n", vmpck_id);
1087 return 0;
1088
1089e_free_ctx:
1090 kfree(mdesc->ctx);
1091e_free_cert_data:
1092 free_shared_pages(mdesc->certs_data, SEV_FW_BLOB_MAX_SIZE);
1093e_free_response:
1094 free_shared_pages(mdesc->response, sizeof(struct snp_guest_msg));
1095e_free_request:
1096 free_shared_pages(mdesc->request, sizeof(struct snp_guest_msg));
1097e_unmap:
1098 iounmap(mapping);
1099 return ret;
1100}
1101
1102static void __exit sev_guest_remove(struct platform_device *pdev)
1103{
1104 struct snp_guest_dev *snp_dev = platform_get_drvdata(pdev);
1105 struct snp_msg_desc *mdesc = snp_dev->msg_desc;
1106
1107 free_shared_pages(mdesc->certs_data, SEV_FW_BLOB_MAX_SIZE);
1108 free_shared_pages(mdesc->response, sizeof(struct snp_guest_msg));
1109 free_shared_pages(mdesc->request, sizeof(struct snp_guest_msg));
1110 kfree(mdesc->ctx);
1111 misc_deregister(&snp_dev->misc);
1112}
1113
1114/*
1115 * This driver is meant to be a common SEV guest interface driver and to
1116 * support any SEV guest API. As such, even though it has been introduced
1117 * with the SEV-SNP support, it is named "sev-guest".
1118 *
1119 * sev_guest_remove() lives in .exit.text. For drivers registered via
1120 * module_platform_driver_probe() this is ok because they cannot get unbound
1121 * at runtime. So mark the driver struct with __refdata to prevent modpost
1122 * triggering a section mismatch warning.
1123 */
1124static struct platform_driver sev_guest_driver __refdata = {
1125 .remove = __exit_p(sev_guest_remove),
1126 .driver = {
1127 .name = "sev-guest",
1128 },
1129};
1130
1131module_platform_driver_probe(sev_guest_driver, sev_guest_probe);
1132
1133MODULE_AUTHOR("Brijesh Singh <brijesh.singh@amd.com>");
1134MODULE_LICENSE("GPL");
1135MODULE_VERSION("1.0.0");
1136MODULE_DESCRIPTION("AMD SEV Guest Driver");
1137MODULE_ALIAS("platform:sev-guest");