| Message ID | 20231016132819.1002933-20-michael.roth@amd.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to | Herbert Xu |
| Series | Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support |
On Mon, Oct 16, 2023 at 08:27:48AM -0500, Michael Roth wrote: > From: Brijesh Singh <brijesh.singh@amd.com> > > The command can be used by the userspace to query the SNP platform status s/by the userspace // > report. See the SEV-SNP spec for more details. > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > Signed-off-by: Ashish Kalra <ashish.kalra@amd.com> Mike, this doesn't have your SOB at the end. The whole set should have it if you're sending it. Please go through the whole thing. > --- > Documentation/virt/coco/sev-guest.rst | 27 ++++++++++++++++ > drivers/crypto/ccp/sev-dev.c | 45 +++++++++++++++++++++++++++ > include/uapi/linux/psp-sev.h | 1 + > 3 files changed, 73 insertions(+) > > diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst > index 68b0d2363af8..e828c5326936 100644 > --- a/Documentation/virt/coco/sev-guest.rst > +++ b/Documentation/virt/coco/sev-guest.rst > @@ -67,6 +67,22 @@ counter (e.g. counter overflow), then -EIO will be returned. > }; > }; > > +The host ioctl should be called to /dev/sev device. The ioctl accepts commanda "... should be sent to the... " > +id and command input structure. > + > +:: > + struct sev_issue_cmd { > + /* Command ID */ > + __u32 cmd; > + > + /* Command request structure */ > + __u64 data; > + > + /* firmware error code on failure (see psp-sev.h) */ > + __u32 error; > + }; > + > + > 2.1 SNP_GET_REPORT > ------------------ 
> > @@ -124,6 +140,17 @@ be updated with the expected value. > > See GHCB specification for further detail on how to parse the certificate blob. > > +2.4 SNP_PLATFORM_STATUS > +----------------------- > +:Technology: sev-snp > +:Type: hypervisor ioctl cmd > +:Parameters (in): struct sev_data_snp_platform_status > +:Returns (out): 0 on success, -negative on error > + > +The SNP_PLATFORM_STATUS command is used to query the SNP platform status. The > +status includes API major, minor version and more. See the SEV-SNP > +specification for further details. > + > 3. SEV-SNP CPUID Enforcement > ============================ > > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c > index b574b0ef2b1f..679b8d6fc09a 100644 > --- a/drivers/crypto/ccp/sev-dev.c > +++ b/drivers/crypto/ccp/sev-dev.c > @@ -1772,6 +1772,48 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) > return ret; > } > > +static int sev_ioctl_snp_platform_status(struct sev_issue_cmd *argp) sev_ioctl_do_snp_platform_status like the others. > +{ > + struct sev_device *sev = psp_master->sev_data; > + struct sev_data_snp_addr buf; > + struct page *status_page; > + void *data; > + int ret; > + > + if (!sev->snp_initialized || !argp->data) > + return -EINVAL; > + > + status_page = alloc_page(GFP_KERNEL_ACCOUNT); > + if (!status_page) > + return -ENOMEM; > + > + data = page_address(status_page); > + if (rmp_mark_pages_firmware(__pa(data), 1, true)) { > + __free_pages(status_page, 0); > + return -EFAULT; ret = -EFAULT; goto cleanup; instead. ...
diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst index 68b0d2363af8..e828c5326936 100644 --- a/Documentation/virt/coco/sev-guest.rst +++ b/Documentation/virt/coco/sev-guest.rst @@ -67,6 +67,22 @@ counter (e.g. counter overflow), then -EIO will be returned. }; }; +The host ioctl should be called to /dev/sev device. The ioctl accepts command +id and command input structure. + +:: + struct sev_issue_cmd { + /* Command ID */ + __u32 cmd; + + /* Command request structure */ + __u64 data; + + /* firmware error code on failure (see psp-sev.h) */ + __u32 error; + }; + + 2.1 SNP_GET_REPORT ------------------ @@ -124,6 +140,17 @@ be updated with the expected value. See GHCB specification for further detail on how to parse the certificate blob. +2.4 SNP_PLATFORM_STATUS +----------------------- +:Technology: sev-snp +:Type: hypervisor ioctl cmd +:Parameters (in): struct sev_data_snp_platform_status +:Returns (out): 0 on success, -negative on error + +The SNP_PLATFORM_STATUS command is used to query the SNP platform status. The +status includes API major, minor version and more. See the SEV-SNP +specification for further details. + 3. SEV-SNP CPUID Enforcement ============================ diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index b574b0ef2b1f..679b8d6fc09a 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c 
@@ -1772,6 +1772,48 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) return ret; } +static int sev_ioctl_snp_platform_status(struct sev_issue_cmd *argp) +{ + struct sev_device *sev = psp_master->sev_data; + struct sev_data_snp_addr buf; + struct page *status_page; + void *data; + int ret; + + if (!sev->snp_initialized || !argp->data) + return -EINVAL; + + status_page = alloc_page(GFP_KERNEL_ACCOUNT); + if (!status_page) + return -ENOMEM; + + data = page_address(status_page); + if (rmp_mark_pages_firmware(__pa(data), 1, true)) { + __free_pages(status_page, 0); + return -EFAULT; + } + + buf.gctx_paddr = __psp_pa(data); + ret = __sev_do_cmd_locked(SEV_CMD_SNP_PLATFORM_STATUS, &buf, &argp->error); + + /* Change the page state before accessing it */ + if (snp_reclaim_pages(__pa(data), 1, true)) { + snp_leak_pages(__pa(data) >> PAGE_SHIFT, 1); + return -EFAULT; + } + + if (ret) + goto cleanup; + + if (copy_to_user((void __user *)argp->data, data, + sizeof(struct sev_user_data_snp_status))) + ret = -EFAULT; + +cleanup: + __free_pages(status_page, 0); + return ret; +} + static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -1823,6 +1865,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SEV_GET_ID2: ret = sev_ioctl_do_get_id2(&input); break; + case SNP_PLATFORM_STATUS: + ret = sev_ioctl_snp_platform_status(&input); + break; default: ret = -EINVAL; goto out; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index 48e3ef91559c..b94b3687edbb 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -28,6 +28,7 @@ enum { SEV_PEK_CERT_IMPORT, SEV_GET_ID, /* This command is deprecated, use SEV_GET_ID2 */ SEV_GET_ID2, + SNP_PLATFORM_STATUS, SEV_MAX, };
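Review bot: the new paragraph in the first sev-guest.rst hunk drops its articles and misuses "called to"; "The host ioctl should be issued on the /dev/sev device. The ioctl accepts a command id and a command input structure." reads correctly. Since the handler below treats `data` as a user pointer to the command-specific structure and `error` as an output that receives the firmware error code, say so in the text rather than only in the struct comments, so a reader of the documentation knows which members they fill in and which they read back.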
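Review bot: in the second sev-guest.rst hunk, ":Parameters (in): struct sev_data_snp_platform_status" does not match the implementation, which takes no input beyond the buffer pointer and copies a struct sev_user_data_snp_status back to userspace; document the buffer as the output structure, e.g. ":Parameters (out): struct sev_user_data_snp_status". ":Returns (out): 0 on success, -negative on error" also reads oddly; "0 on success, negative errno on error" states what the caller actually receives.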
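Review bot: in the sev_ioctl_snp_platform_status() hunk, the snp_reclaim_pages() failure path returns -EFAULT without calling __free_pages() and discards whatever ret held; that is correct, because a page the firmware still owns must never go back to the allocator and snp_leak_pages() records exactly that, but without a comment the missing free looks like a bug, so add one line saying the page is intentionally leaked. The earlier rmp_mark_pages_firmware() failure path duplicates the cleanup instead of using the label the rest of the function relies on; `ret = -EFAULT; goto cleanup;` keeps a single exit. The helper should also follow the neighbouring sev_ioctl_do_* naming, and reusing the gctx_paddr member of struct sev_data_snp_addr for the status buffer deserves a short comment, since the name suggests a guest context page rather than a status page.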
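Review bot: in the psp-sev.h hunk the SNP_PLATFORM_STATUS enumerator is appended just before SEV_MAX, which keeps the existing command numbers stable, but the handler copies a struct sev_user_data_snp_status to userspace and this hunk adds only the enum value; confirm that structure is already exported from the same uapi header earlier in the series, and give the enumerator a trailing comment naming the structure it returns, in the style of the existing SEV_GET_ID deprecation note, so userspace readers can find it.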