
[v1,26/26] crypto: ccp: Add the SNP_SET_CONFIG command

Message ID 20231230161954.569267-27-michael.roth@amd.com
State New
Series Add AMD Secure Nested Paging (SEV-SNP) Initialization Support

Commit Message

Michael Roth Dec. 30, 2023, 4:19 p.m. UTC
From: Brijesh Singh <brijesh.singh@amd.com>

The SEV-SNP firmware provides the SNP_CONFIG command used to set various
system-wide configuration values for SNP guests, such as the TCB version
to be reported in guest attestation reports. Add an interface to set
this via userspace.

Co-developed-by: Alexey Kardashevskiy <aik@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Co-developed-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
[mdr: squash in doc patch from Dionna, drop extended request/certificate
 handling and simplify this to a simple wrapper around SNP_CONFIG fw
 cmd]
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 Documentation/virt/coco/sev-guest.rst | 13 +++++++++++++
 drivers/crypto/ccp/sev-dev.c          | 20 ++++++++++++++++++++
 include/uapi/linux/psp-sev.h          |  1 +
 3 files changed, 34 insertions(+)
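
A user-space caller for the new command, added here as an example; it is not code from this patch or from the series. The uapi definitions it embeds (the command enum, struct sev_issue_cmd, SEV_ISSUE_CMD, and struct sev_user_data_snp_config with its field layout) are reproduced from my recollection of include/uapi/linux/psp-sev.h and are not shown on this page, so treat them as assumptions and build against the real header in practice; the TCB_VERSION byte layout used by snp_tcb_pack() is taken from the SEV-SNP firmware ABI specification. The only facts taken from the patch itself are the command name, that it takes struct sev_user_data_snp_config, and that the kernel refuses it on a read-only descriptor, which is why the example opens /dev/sev with O_RDWR and reports the firmware status the kernel stores in sev_issue_cmd.error.

```c
/* Added example (not from the patch): issue SNP_SET_CONFIG through /dev/sev.
 * The uapi definitions below are reproduced from memory of
 * include/uapi/linux/psp-sev.h and are assumptions; prefer
 * #include <linux/psp-sev.h> when building against real kernel headers. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum {
	SEV_FACTORY_RESET = 0, SEV_PLATFORM_STATUS, SEV_PEK_GEN, SEV_PEK_CSR,
	SEV_PDH_GEN, SEV_PDH_CERT_EXPORT, SEV_PEK_CERT_IMPORT, SEV_GET_ID,
	SEV_GET_ID2, SNP_PLATFORM_STATUS, SNP_COMMIT, SNP_SET_CONFIG, SEV_MAX,
};

struct sev_issue_cmd {
	uint32_t cmd;    /* one of the enum values above */
	uint64_t data;   /* user pointer to the command-specific buffer */
	uint32_t error;  /* firmware status, filled in by the kernel */
} __attribute__((packed));

#define SEV_IOC_TYPE  'S'
#define SEV_ISSUE_CMD _IOWR(SEV_IOC_TYPE, 0x0, struct sev_issue_cmd)

/* Assumed layout of the 64-byte SNP_CONFIG command buffer. */
struct sev_user_data_snp_config {
	uint64_t reported_tcb;   /* TCB_VERSION placed in attestation reports */
	uint32_t mask_chip_id:1;
	uint32_t mask_chip_key:1;
	uint32_t rsvd:30;
	uint8_t  rsvd1[52];
} __attribute__((packed));

/* TCB_VERSION per the SEV-SNP ABI: byte 0 boot loader, byte 1 TEE,
 * bytes 2..5 reserved, byte 6 SNP firmware, byte 7 microcode. */
uint64_t snp_tcb_pack(uint8_t boot_loader, uint8_t tee, uint8_t snp,
		      uint8_t microcode)
{
	return (uint64_t)boot_loader | ((uint64_t)tee << 8) |
	       ((uint64_t)snp << 48) | ((uint64_t)microcode << 56);
}

/* Compile-time layout check: the kernel copies exactly sizeof(config). */
bool snp_config_layout_ok(void)
{
	return sizeof(struct sev_user_data_snp_config) == 64 &&
	       sizeof(struct sev_issue_cmd) == 16;
}

/* Issue SNP_SET_CONFIG on an already-open /dev/sev descriptor.
 * Returns 0 or -errno; *fw_error receives sev_issue_cmd.error either way. */
int snp_set_config(int fd, uint64_t reported_tcb, bool mask_chip_id,
		   bool mask_chip_key, uint32_t *fw_error)
{
	struct sev_user_data_snp_config cfg;
	struct sev_issue_cmd arg;
	int ret;

	memset(&cfg, 0, sizeof(cfg));     /* keep reserved bytes zero */
	cfg.reported_tcb = reported_tcb;
	cfg.mask_chip_id = mask_chip_id;
	cfg.mask_chip_key = mask_chip_key;

	memset(&arg, 0, sizeof(arg));
	arg.cmd = SNP_SET_CONFIG;
	arg.data = (uint64_t)(uintptr_t)&cfg;

	ret = ioctl(fd, SEV_ISSUE_CMD, &arg);
	*fw_error = arg.error;
	return ret < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
	uint32_t fw_error = 0;
	uint64_t tcb;
	int fd, ret;

	if (argc != 5) {
		fprintf(stderr, "usage: %s <boot_loader> <tee> <snp> <microcode>\n",
			argv[0]);
		return 2;
	}
	tcb = snp_tcb_pack((uint8_t)strtoul(argv[1], NULL, 0),
			   (uint8_t)strtoul(argv[2], NULL, 0),
			   (uint8_t)strtoul(argv[3], NULL, 0),
			   (uint8_t)strtoul(argv[4], NULL, 0));

	/* O_RDWR is required: the kernel returns -EPERM on a read-only fd. */
	fd = open("/dev/sev", O_RDWR);
	if (fd < 0) {
		perror("open /dev/sev");
		return 1;
	}
	ret = snp_set_config(fd, tcb, false, false, &fw_error);
	close(fd);
	if (ret) {
		fprintf(stderr, "SNP_SET_CONFIG failed: %s (firmware error 0x%x)\n",
			strerror(-ret), fw_error);
		return 1;
	}
	printf("reported TCB set to 0x%016llx\n", (unsigned long long)tcb);
	return 0;
}
```

After a successful call, SNP_PLATFORM_STATUS (the query the documentation points to) is the place to read back the reported TCB and confirm the firmware accepted it; a non-zero fw_error with ret == 0 never occurs, since the kernel maps a firmware failure to an ioctl error, but the value is still reported for diagnosis.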

Comments

Borislav Petkov Jan. 21, 2024, 12:41 p.m. UTC | #1
On Sat, Dec 30, 2023 at 10:19:54AM -0600, Michael Roth wrote:
> +The SNP_SET_CONFIG is used to set the system-wide configuration such as
> +reported TCB version in the attestation report. The command is similar to
> +SNP_CONFIG command defined in the SEV-SNP spec. The current values of the
> +firmware parameters affected by this command can be queried via
> +SNP_PLATFORM_STATUS.

diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst
index 4f696aacc866..14c9de997b7d 100644
--- a/Documentation/virt/coco/sev-guest.rst
+++ b/Documentation/virt/coco/sev-guest.rst
@@ -169,10 +169,10 @@ that of the currently installed firmware.
 :Parameters (in): struct sev_user_data_snp_config
 :Returns (out): 0 on success, -negative on error
 
-The SNP_SET_CONFIG is used to set the system-wide configuration such as
-reported TCB version in the attestation report. The command is similar to
-SNP_CONFIG command defined in the SEV-SNP spec. The current values of the
-firmware parameters affected by this command can be queried via
+SNP_SET_CONFIG is used to set the system-wide configuration such as
+reported TCB version in the attestation report. The command is similar
+to SNP_CONFIG command defined in the SEV-SNP spec. The current values of
+the firmware parameters affected by this command can be queried via
 SNP_PLATFORM_STATUS.
 
 3. SEV-SNP CPUID Enforcement
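Review bot: the rewrap still leaves "similar to SNP_CONFIG command" without an article; "The command is similar to the SNP_CONFIG command defined in the SEV-SNP spec." reads better and matches "the attestation report" in the preceding sentence.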

---

Ok, you're all reviewed. Please send a new revision with *all* feedback
addressed so that I can queue it.

Thx.
Michael Roth Jan. 26, 2024, 1:30 p.m. UTC | #2
On Sun, Jan 21, 2024 at 01:41:02PM +0100, Borislav Petkov wrote:
> On Sat, Dec 30, 2023 at 10:19:54AM -0600, Michael Roth wrote:
> > +The SNP_SET_CONFIG is used to set the system-wide configuration such as
> > +reported TCB version in the attestation report. The command is similar to
> > +SNP_CONFIG command defined in the SEV-SNP spec. The current values of the
> > +firmware parameters affected by this command can be queried via
> > +SNP_PLATFORM_STATUS.
> 
> diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst
> index 4f696aacc866..14c9de997b7d 100644
> --- a/Documentation/virt/coco/sev-guest.rst
> +++ b/Documentation/virt/coco/sev-guest.rst
> @@ -169,10 +169,10 @@ that of the currently installed firmware.
>  :Parameters (in): struct sev_user_data_snp_config
>  :Returns (out): 0 on success, -negative on error
>  
> -The SNP_SET_CONFIG is used to set the system-wide configuration such as
> -reported TCB version in the attestation report. The command is similar to
> -SNP_CONFIG command defined in the SEV-SNP spec. The current values of the
> -firmware parameters affected by this command can be queried via
> +SNP_SET_CONFIG is used to set the system-wide configuration such as
> +reported TCB version in the attestation report. The command is similar
> +to SNP_CONFIG command defined in the SEV-SNP spec. The current values of
> +the firmware parameters affected by this command can be queried via
>  SNP_PLATFORM_STATUS.
>  
>  3. SEV-SNP CPUID Enforcement
> 
> ---
> 
> Ok, you're all reviewed. Please send a new revision with *all* feedback
> addressed so that I can queue it.

Thanks! Unless otherwise noted, I *think* I got everything this time. :)

-Mike

> 
> Thx.
> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette
>

Patch

diff --git a/Documentation/virt/coco/sev-guest.rst b/Documentation/virt/coco/sev-guest.rst
index 007ae828aa2a..4f696aacc866 100644
--- a/Documentation/virt/coco/sev-guest.rst
+++ b/Documentation/virt/coco/sev-guest.rst
@@ -162,6 +162,19 @@  SEV-SNP firmware SNP_COMMIT command. This prevents roll-back to a previously
 committed firmware version. This will also update the reported TCB to match
 that of the currently installed firmware.
 
+2.6 SNP_SET_CONFIG
+------------------
+:Technology: sev-snp
+:Type: hypervisor ioctl cmd
+:Parameters (in): struct sev_user_data_snp_config
+:Returns (out): 0 on success, -negative on error
+
+The SNP_SET_CONFIG is used to set the system-wide configuration such as
+reported TCB version in the attestation report. The command is similar to
+SNP_CONFIG command defined in the SEV-SNP spec. The current values of the
+firmware parameters affected by this command can be queried via
+SNP_PLATFORM_STATUS.
+
 3. SEV-SNP CPUID Enforcement
 ============================
 
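Review bot: the new 2.6 section stops at ":Returns (out): 0 on success, -negative on error" and does not say which errors the caller can expect or that the device must be opened for writing, even though sev_ioctl_do_snp_set_config() returns -EPERM for a read-only descriptor and -EINVAL when SNP firmware initialization has not completed or no data pointer was supplied. Suggest adding after the SNP_PLATFORM_STATUS sentence: "SNP_SET_CONFIG requires /dev/sev to be opened with write access; it fails with -EPERM otherwise and with -EINVAL if SNP has not been initialized." Minor: drop the leading "The" in "The SNP_SET_CONFIG is used".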
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 9c051a9b43e2..c5b26b3fe7ff 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2018,6 +2018,23 @@  static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp)
 	return __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error);
 }
 
+static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable)
+{
+	struct sev_device *sev = psp_master->sev_data;
+	struct sev_user_data_snp_config config;
+
+	if (!sev->snp_initialized || !argp->data)
+		return -EINVAL;
+
+	if (!writable)
+		return -EPERM;
+
+	if (copy_from_user(&config, (void __user *)argp->data, sizeof(config)))
+		return -EFAULT;
+
+	return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error);
+}
+
 static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
 {
 	void __user *argp = (void __user *)arg;
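Review bot: config is copied from user space with copy_from_user() and handed to SEV_CMD_SNP_CONFIG without any field validation, so any reserved fields the structure carries and any out-of-range reported TCB value reach the firmware unchecked, and a rejection is only visible to the caller through argp->error. If the firmware is intended to be the sole validator, say so in the commit message; otherwise check that the reserved fields of struct sev_user_data_snp_config are zero and return -EINVAL before calling __sev_do_cmd_locked(). Minor: putting the "if (!writable) return -EPERM;" check first would give a read-only opener -EPERM regardless of whether SNP is initialized, which is the more natural ordering for a permission check.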
@@ -2075,6 +2092,9 @@  static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
 	case SNP_COMMIT:
 		ret = sev_ioctl_do_snp_commit(&input);
 		break;
+	case SNP_SET_CONFIG:
+		ret = sev_ioctl_do_snp_set_config(&input, writable);
+		break;
 	default:
 		ret = -EINVAL;
 		goto out;
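Review bot: SNP_SET_CONFIG is dispatched with the writable flag ("sev_ioctl_do_snp_set_config(&input, writable)") while the neighbouring SNP_COMMIT case calls "sev_ioctl_do_snp_commit(&input)" without it; SNP_COMMIT also changes platform state, so either pass writable there as well or note in the commit message why committing firmware is allowed on a read-only descriptor.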
diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h
index 01aab4b340f4..f28d4fb5bc21 100644
--- a/include/uapi/linux/psp-sev.h
+++ b/include/uapi/linux/psp-sev.h
@@ -30,6 +30,7 @@  enum {
 	SEV_GET_ID2,
 	SNP_PLATFORM_STATUS,
 	SNP_COMMIT,
+	SNP_SET_CONFIG,
 
 	SEV_MAX,
 };
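Review bot: appending SNP_SET_CONFIG directly before SEV_MAX keeps the existing command numbers stable, which is the right thing for a uapi enum. Since the diffstat shows this one line as the only change to psp-sev.h, struct sev_user_data_snp_config (named in the new documentation section) must be introduced by an earlier patch in the series; the commit message could say which patch defines it so the documentation and the header can be reviewed together.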