Message ID | 20231230161954.569267-27-michael.roth@amd.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Add AMD Secure Nested Paging (SEV-SNP) Initialization Support | expand |
On Sat, Dec 30, 2023 at 10:19:54AM -0600, Michael Roth wrote: > +The SNP_SET_CONFIG is used to set the system-wide configuration such as > +reported TCB version in the attestation report. The command is similar to > +SNP_CONFIG command defined in the SEV-SNP spec. The current values of the > +firmware parameters affected by this command can be queried via > +SNP_PLATFORM_STATUS. diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst index 4f696aacc866..14c9de997b7d 100644 --- a/Documentation/virt/coco/sev-guest.rst +++ b/Documentation/virt/coco/sev-guest.rst @@ -169,10 +169,10 @@ that of the currently installed firmware. :Parameters (in): struct sev_user_data_snp_config :Returns (out): 0 on success, -negative on error -The SNP_SET_CONFIG is used to set the system-wide configuration such as -reported TCB version in the attestation report. The command is similar to -SNP_CONFIG command defined in the SEV-SNP spec. The current values of the -firmware parameters affected by this command can be queried via +SNP_SET_CONFIG is used to set the system-wide configuration such as +reported TCB version in the attestation report. The command is similar +to SNP_CONFIG command defined in the SEV-SNP spec. The current values of +the firmware parameters affected by this command can be queried via SNP_PLATFORM_STATUS. 3. SEV-SNP CPUID Enforcement --- Ok, you're all reviewed. Please send a new revision with *all* feedback addressed so that I can queue it. Thx.
On Sun, Jan 21, 2024 at 01:41:02PM +0100, Borislav Petkov wrote: > On Sat, Dec 30, 2023 at 10:19:54AM -0600, Michael Roth wrote: > > +The SNP_SET_CONFIG is used to set the system-wide configuration such as > > +reported TCB version in the attestation report. The command is similar to > > +SNP_CONFIG command defined in the SEV-SNP spec. The current values of the > > +firmware parameters affected by this command can be queried via > > +SNP_PLATFORM_STATUS. > > diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst > index 4f696aacc866..14c9de997b7d 100644 > --- a/Documentation/virt/coco/sev-guest.rst > +++ b/Documentation/virt/coco/sev-guest.rst > @@ -169,10 +169,10 @@ that of the currently installed firmware. > :Parameters (in): struct sev_user_data_snp_config > :Returns (out): 0 on success, -negative on error > > -The SNP_SET_CONFIG is used to set the system-wide configuration such as > -reported TCB version in the attestation report. The command is similar to > -SNP_CONFIG command defined in the SEV-SNP spec. The current values of the > -firmware parameters affected by this command can be queried via > +SNP_SET_CONFIG is used to set the system-wide configuration such as > +reported TCB version in the attestation report. The command is similar > +to SNP_CONFIG command defined in the SEV-SNP spec. The current values of > +the firmware parameters affected by this command can be queried via > SNP_PLATFORM_STATUS. > > 3. SEV-SNP CPUID Enforcement > > --- > > Ok, you're all reviewed. Please send a new revision with *all* feedback > addressed so that I can queue it. Thanks! Unless otherwise noted, I *think* I got everything this time. :) -Mike > > Thx. > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette >
diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst index 007ae828aa2a..4f696aacc866 100644 --- a/Documentation/virt/coco/sev-guest.rst +++ b/Documentation/virt/coco/sev-guest.rst @@ -162,6 +162,19 @@ SEV-SNP firmware SNP_COMMIT command. This prevents roll-back to a previously committed firmware version. This will also update the reported TCB to match that of the currently installed firmware. +2.6 SNP_SET_CONFIG +------------------ +:Technology: sev-snp +:Type: hypervisor ioctl cmd +:Parameters (in): struct sev_user_data_snp_config +:Returns (out): 0 on success, -negative on error + +The SNP_SET_CONFIG is used to set the system-wide configuration such as +reported TCB version in the attestation report. The command is similar to +SNP_CONFIG command defined in the SEV-SNP spec. The current values of the +firmware parameters affected by this command can be queried via +SNP_PLATFORM_STATUS. + 3. SEV-SNP CPUID Enforcement ============================ diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 9c051a9b43e2..c5b26b3fe7ff 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -2018,6 +2018,23 @@ static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp) return __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error); } +static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable) +{ + struct sev_device *sev = psp_master->sev_data; + struct sev_user_data_snp_config config; + + if (!sev->snp_initialized || !argp->data) + return -EINVAL; + + if (!writable) + return -EPERM; + + if (copy_from_user(&config, (void __user *)argp->data, sizeof(config))) + return -EFAULT; + + return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); +} + static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; 
@@ -2075,6 +2092,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SNP_COMMIT: ret = sev_ioctl_do_snp_commit(&input); break; + case SNP_SET_CONFIG: + ret = sev_ioctl_do_snp_set_config(&input, writable); + break; default: ret = -EINVAL; goto out; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index 01aab4b340f4..f28d4fb5bc21 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -30,6 +30,7 @@ enum { SEV_GET_ID2, SNP_PLATFORM_STATUS, SNP_COMMIT, + SNP_SET_CONFIG, SEV_MAX, };
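Review bot: the new 2.6 SNP_SET_CONFIG section in Documentation/virt/coco/sev-guest.rst only says "0 on success, -negative on error" and leaves out the preconditions the handler in drivers/crypto/ccp/sev-dev.c enforces: SNP must already be initialized and the sev device file must be opened for writing. Suggest adding a sentence such as "The command requires SNP to be initialized and the device to be opened for writing; -EINVAL and -EPERM are returned otherwise." It is also worth stating that the full struct sev_user_data_snp_config is handed to firmware unmodified, so a firmware rejection of the supplied configuration is reported through the error field of struct sev_issue_cmd rather than as a distinct errno.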
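Review bot: in sev_ioctl_do_snp_set_config() the writable check comes after the snp_initialized/argp->data check, so a read-only fd that passes no data is told -EINVAL rather than -EPERM; moving `if (!writable) return -EPERM;` to the top makes the permission failure take precedence and avoids touching psp_master->sev_data for callers that may not use the command anyway. Separately, the struct is copied with copy_from_user() and passed straight to SEV_CMD_SNP_CONFIG with no check of its reserved fields, so any constraints on them are left entirely to firmware; if that is intentional, a one-line comment above the copy would save the next reader from wondering whether validation was forgotten.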