From patchwork Tue Dec 10 14:34:21 2024
X-Patchwork-Submitter: Stefano Garzarella
X-Patchwork-Id: 13901532
From: Stefano Garzarella
To: linux-coco@lists.linux.dev
Cc: Borislav Petkov, Dave Hansen, Peter Huewe, "H. Peter Anvin", linux-integrity@vger.kernel.org, James Bottomley, x86@kernel.org, Joerg Roedel, Jason Gunthorpe, Jarkko Sakkinen, linux-kernel@vger.kernel.org, Ingo Molnar, Thomas Gleixner, Claudio Carvalho, Dov Murik, Tom Lendacky, Stefano Garzarella
Subject: [PATCH 1/3] tpm: add generic platform device
Date: Tue, 10 Dec 2024 15:34:21 +0100
Message-ID: <20241210143423.101774-2-sgarzare@redhat.com>
In-Reply-To: <20241210143423.101774-1-sgarzare@redhat.com>
References: <20241210143423.101774-1-sgarzare@redhat.com>
X-Mailing-List: linux-integrity@vger.kernel.org
From: James Bottomley

This is primarily designed to support an enlightened driver for the AMD svsm based vTPM, but it could be used by any platform which communicates with a TPM device. The platform must fill in struct tpm_platform_ops as the platform_data and set the device name to "tpm" to have the binding by name work correctly.

The sole sendrcv function is designed to do a single buffer request/response conforming to the MSSIM protocol. For the svsm vTPM case, this protocol is transmitted directly to the SVSM, but it could be massaged for other function type platform interfaces.

Signed-off-by: James Bottomley
Signed-off-by: Claudio Carvalho
[SG] changed references/links to TCG TPM repo
Signed-off-by: Stefano Garzarella
---
 include/linux/tpm_platform.h    |  90 ++++++++++++++++++++
 drivers/char/tpm/tpm_platform.c | 141 ++++++++++++++++++++++++++++++++
 drivers/char/tpm/Kconfig        |   7 ++
 drivers/char/tpm/Makefile       |   1 +
 4 files changed, 239 insertions(+)
 create mode 100644 include/linux/tpm_platform.h
 create mode 100644 drivers/char/tpm/tpm_platform.c

diff --git a/include/linux/tpm_platform.h b/include/linux/tpm_platform.h
new file mode 100644
index 000000000000..95c17a75d59d
--- /dev/null
+++ b/include/linux/tpm_platform.h
@@ -0,0 +1,90 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2023 James.Bottomley@HansenPartnership.com + * + * Interface specification for platforms wishing to activate the + * platform tpm device. The device must be a platform device created + * with the name "tpm" and it must populate platform_data with struct + * tpm_platform_ops + */ + +/* + * The current MSSIM TPM commands we support. The complete list is + * in the TcpTpmProtocol header: + * + * https://github.com/TrustedComputingGroup/TPM/blob/main/TPMCmd/Simulator/include/TpmTcpProtocol.h + */ + +#define TPM_SEND_COMMAND 8 +#define TPM_SIGNAL_CANCEL_ON 9 +#define TPM_SIGNAL_CANCEL_OFF 10 +/* + * Any platform specific commands should be placed here and should start + * at 0x8000 to avoid clashes with the MSSIM protocol. They should follow + * the same self describing buffer format below + */ + +#define TPM_PLATFORM_MAX_BUFFER 4096 /* max req/resp buffer size */ + +/** + * struct tpm_platform_ops - the share platform operations + * + * @sendrcv: Send a TPM command using the MSSIM protocol. + * + * The MSSIM protocol is designed for a network, so the buffers are + * self describing. The minimum buffer size is sizeof(u32). Every + * MSSIM command defines its own transport buffer and the command is + * sent in the first u32 array. The only modification we make is that + * the MSSIM uses network order and we use the endianness of the + * architecture. The response to every command (in the same buffer) + * is a u32 size preceded array. Most of the MSSIM commands simply + * return zero here because they have no defined response. 
+ * + * The only command with a defined request/response size is TPM_SEND_COMMAND + * The definition is in the structures below + */ +struct tpm_platform_ops { + int (*sendrcv)(u8 *buffer); +}; + +/** + * struct tpm_send_cmd_req - Structure for a TPM_SEND_COMMAND + * + * @cmd: The command (must be TPM_SEND_COMMAND) + * @locality: The locality + * @inbuf_size: The size of the input buffer following + * @inbuf: A buffer of size inbuf_size + * + * Note that MSSIM expects @inbuf_size to be equal to the size of the + * specific TPM command, otherwise an TPM_RC_COMMAND_SIZE error is + * returned. + */ +struct tpm_send_cmd_req { + u32 cmd; + u8 locality; + u32 inbuf_size; + u8 inbuf[]; +} __packed; + +/** + * struct tpm_req - generic request header for single word command + * + * @cmd: The command to send + */ +struct tpm_req { + u32 cmd; +} __packed; + +/** + * struct tpm_resp - generic response header + * + * @size: The response size (zero if nothing follows) + * + * Note: most MSSIM commands simply return zero here with no indication + * of success or failure. + */ + +struct tpm_resp { + s32 size; +} __packed; + diff --git a/drivers/char/tpm/tpm_platform.c b/drivers/char/tpm/tpm_platform.c new file mode 100644 index 000000000000..b53d74344d61 --- /dev/null +++ b/drivers/char/tpm/tpm_platform.c 
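Review bot: the @sendrcv kerneldoc in struct tpm_platform_ops describes the callback only as "Send a TPM command using the MSSIM protocol", but the callback gets a bare `u8 *buffer` with no length, so the actual contract (the buffer is always TPM_PLATFORM_MAX_BUFFER bytes and the platform must never write a response past it) needs to be stated there; the driver side can only reject an oversized size word after the platform has already written it. In the same hunk, "the share platform operations" should read "the shared platform operations", "an TPM_RC_COMMAND_SIZE error" should be "a TPM_RC_COMMAND_SIZE error", and the struct tpm_resp comment says @size is "zero if nothing follows" without mentioning that a negative value is passed back to the caller as an error, which is how tpm_platform_recv() treats it.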
@@ -0,0 +1,141 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Platform based TPM emulator + * + * Copyright (C) 2023 James.Bottomley@HansenPartnership.com + * + * Designed to handle a simple function request/response single buffer + * TPM or vTPM rooted in the platform. This device driver uses the + * MSSIM protocol from the official TCG reference implementation + * + * https://github.com/TrustedComputingGroup/TPM + * + * to communicate between the driver and the platform. This is rich + * enough to allow platform operations like cancellation The platform + * should not act on platform commands like power on/off and reset + * which can disrupt the TPM guarantees. + * + * This driver is designed to be single threaded (one call in to the + * platform TPM at any one time). The threading guarantees are + * provided by the chip mutex. + */ + +#include +#include +#include +#include + +#include "tpm.h" + +static struct tpm_platform_ops *pops; + +static u8 *buffer; +/* + * FIXME: before implementing locality we need to agree what it means + * to the platform + */ +static u8 locality; + +static int tpm_platform_send(struct tpm_chip *chip, u8 *buf, size_t len) +{ + int ret; + struct tpm_send_cmd_req *req = (struct tpm_send_cmd_req *)buffer; + + if (len > TPM_PLATFORM_MAX_BUFFER - sizeof(*req)) + return -EINVAL; + req->cmd = TPM_SEND_COMMAND; + req->locality = locality; + req->inbuf_size = len; + memcpy(req->inbuf, buf, len); + + ret = pops->sendrcv(buffer); + if (ret) + return ret; + + return 0; +} + +static int tpm_platform_recv(struct tpm_chip *chip, u8 *buf, size_t len) +{ + struct tpm_resp *resp = (struct tpm_resp *)buffer; + + if (resp->size < 0) + return resp->size; + + if (len < resp->size) + return -E2BIG; + + if (resp->size > TPM_PLATFORM_MAX_BUFFER - sizeof(*resp)) + return -EINVAL; // Invalid response from the platform TPM + + memcpy(buf, buffer + sizeof(*resp), resp->size); + + return resp->size; +} + +static struct tpm_class_ops tpm_chip_ops = { + .flags = 
TPM_OPS_AUTO_STARTUP, + .send = tpm_platform_send, + .recv = tpm_platform_recv, +}; + +static struct platform_driver tpm_platform_driver = { + .driver = { + .name = "tpm", + }, +}; + +static int __init tpm_platform_probe(struct platform_device *pdev) +{ + struct device *dev = &pdev->dev; + struct tpm_chip *chip; + int err; + + if (!dev->platform_data) + return -ENODEV; + + /* + * in theory platform matching should mean this is always + * true, but just in case anyone tries force binding + */ + if (strcmp(pdev->name, tpm_platform_driver.driver.name) != 0) + return -ENODEV; + + if (!buffer) + buffer = kmalloc(TPM_PLATFORM_MAX_BUFFER, GFP_KERNEL); + + if (!buffer) + return -ENOMEM; + + pops = dev->platform_data; + + chip = tpmm_chip_alloc(dev, &tpm_chip_ops); + if (IS_ERR(chip)) + return PTR_ERR(chip); + + /* + * Setting TPM_CHIP_FLAG_IRQ guarantees that ->recv will be + * called straight after ->send and means we don't need to + * implement any other chip ops. + */ + chip->flags |= TPM_CHIP_FLAG_IRQ; + err = tpm2_probe(chip); + if (err) + return err; + + err = tpm_chip_register(chip); + if (err) + return err; + + dev_info(dev, "TPM %s platform device\n", + (chip->flags & TPM_CHIP_FLAG_TPM2) ? "2.0" : "1.2"); + + return 0; +} + +module_platform_driver_probe(tpm_platform_driver, tpm_platform_probe); + +MODULE_AUTHOR("James Bottomley "); +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("Platform TPM Driver"); +MODULE_ALIAS("platform:tpm"); diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 0fc9a510e059..b162f59305ef 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -225,5 +225,12 @@ config TCG_FTPM_TEE help This driver proxies for firmware TPM running in TEE. +config TCG_PLATFORM + tristate "Platform TPM Device" + help + This driver requires a platform implementation to provide the + TPM function. It will not bind if the implementation is not + present. + source "drivers/char/tpm/st33zp24/Kconfig" endif # TCG_TPM 
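Review bot: in tpm_platform_probe() the command buffer comes from `buffer = kmalloc(TPM_PLATFORM_MAX_BUFFER, GFP_KERNEL)` behind an `if (!buffer)` guard, is never freed, and the driver has no remove callback, so the allocation leaks on module unload; `devm_kzalloc(dev, TPM_PLATFORM_MAX_BUFFER, GFP_KERNEL)` without the guard ties it to the device the same way tpmm_chip_alloc() already does for the chip, and zeroing means the platform never sees stale bytes beyond inbuf_size. Two smaller points: in tpm_platform_recv() the `len < resp->size` test runs before the `resp->size > TPM_PLATFORM_MAX_BUFFER - sizeof(*resp)` sanity check, so a corrupt size word from the platform is reported as -E2BIG rather than -EINVAL (swap the two so a misbehaving platform is distinguishable from a short caller buffer); and `ret = pops->sendrcv(buffer); if (ret) return ret; return 0;` in tpm_platform_send() can simply be `return pops->sendrcv(buffer);`.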
diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 9bb142c75243..4b2c04e23bd3 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile 
@@ -44,3 +44,4 @@ obj-$(CONFIG_TCG_XEN) += xen-tpmfront.o obj-$(CONFIG_TCG_CRB) += tpm_crb.o obj-$(CONFIG_TCG_VTPM_PROXY) += tpm_vtpm_proxy.o obj-$(CONFIG_TCG_FTPM_TEE) += tpm_ftpm_tee.o +obj-$(CONFIG_TCG_PLATFORM) += tpm_platform.o

From patchwork Tue Dec 10 14:34:22 2024
X-Patchwork-Submitter: Stefano Garzarella
X-Patchwork-Id: 13901533
From: Stefano Garzarella
To: linux-coco@lists.linux.dev
Cc: Borislav Petkov, Dave Hansen, Peter Huewe, "H. Peter Anvin", linux-integrity@vger.kernel.org, James Bottomley, x86@kernel.org, Joerg Roedel, Jason Gunthorpe, Jarkko Sakkinen, linux-kernel@vger.kernel.org, Ingo Molnar, Thomas Gleixner, Claudio Carvalho, Dov Murik, Tom Lendacky, Stefano Garzarella
Subject: [PATCH 2/3] x86/sev: add SVSM call macros for the vTPM protocol
Date: Tue, 10 Dec 2024 15:34:22 +0100
Message-ID: <20241210143423.101774-3-sgarzare@redhat.com>
In-Reply-To: <20241210143423.101774-1-sgarzare@redhat.com>
References: <20241210143423.101774-1-sgarzare@redhat.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add macros for SVSM_VTPM_QUERY and SVSM_VTPM_CMD calls as defined in the "Secure VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00

Link: https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
Signed-off-by: Stefano Garzarella
---
 arch/x86/include/asm/sev.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h
index 91f08af31078..97dcc8d938a6 100644
--- a/arch/x86/include/asm/sev.h
+++ b/arch/x86/include/asm/sev.h
@@ -365,6 +365,10 @@ struct svsm_call { #define SVSM_ATTEST_SERVICES 0 #define SVSM_ATTEST_SINGLE_SERVICE 1 +#define SVSM_VTPM_CALL(x) ((2ULL << 32) | (x)) +#define SVSM_VTPM_QUERY 0 +#define SVSM_VTPM_CMD 1 + #ifdef CONFIG_AMD_MEM_ENCRYPT extern u8 snp_vmpl;

From patchwork Tue Dec 10 14:34:23 2024
X-Patchwork-Submitter: Stefano Garzarella
X-Patchwork-Id: 13901534
From: Stefano Garzarella
To: linux-coco@lists.linux.dev
Cc: Borislav Petkov, Dave Hansen, Peter Huewe, "H. Peter Anvin", linux-integrity@vger.kernel.org, James Bottomley, x86@kernel.org, Joerg Roedel, Jason Gunthorpe, Jarkko Sakkinen, linux-kernel@vger.kernel.org, Ingo Molnar, Thomas Gleixner, Claudio Carvalho, Dov Murik, Tom Lendacky, Stefano Garzarella
Subject: [PATCH 3/3] x86/sev: add a SVSM vTPM platform device
Date: Tue, 10 Dec 2024 15:34:23 +0100
Message-ID: <20241210143423.101774-4-sgarzare@redhat.com>
In-Reply-To: <20241210143423.101774-1-sgarzare@redhat.com>
References: <20241210143423.101774-1-sgarzare@redhat.com>
X-Mailing-List: linux-integrity@vger.kernel.org

From: James Bottomley

If the SNP boot has a SVSM, probe for the vTPM device by sending a SVSM_VTPM_QUERY call (function 8). The SVSM will return a bitmap with the TPM_SEND_COMMAND bit set only if the vTPM is present and it is able to handle TPM commands at runtime.

If a vTPM is found, register a platform device as "platform:tpm" so it can be attached to the tpm_platform.c driver.

Signed-off-by: James Bottomley
[CC] Used SVSM_VTPM_QUERY to probe the TPM
Signed-off-by: Claudio Carvalho
[SG] Code adjusted with some changes introduced in 6.11
[SG] Used macro for SVSM_VTPM_CALL
Signed-off-by: Stefano Garzarella
---
 arch/x86/coco/sev/core.c | 64 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c
index c5b0148b8c0a..ec0153fddc9e 100644
--- a/arch/x86/coco/sev/core.c
+++ b/arch/x86/coco/sev/core.c
@@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include
@@ -2578,6 +2579,51 @@ static struct platform_device sev_guest_device = { .id = -1, }; +static struct platform_device tpm_device = { + .name = "tpm", + .id = -1, +}; + +static int snp_issue_svsm_vtpm_send_command(u8 *buffer) +{ + struct svsm_call call = {}; + + call.caa = svsm_get_caa(); + call.rax = SVSM_VTPM_CALL(SVSM_VTPM_CMD); + call.rcx = __pa(buffer); + + return svsm_perform_call_protocol(&call); +} + +static bool is_svsm_vtpm_send_command_supported(void) +{ + struct svsm_call call = {}; + u64 send_cmd_mask = 0; + u64 platform_cmds; + u64 features; + int ret; + + call.caa = svsm_get_caa(); + call.rax = SVSM_VTPM_CALL(SVSM_VTPM_QUERY); + + ret = svsm_perform_call_protocol(&call); + + if (ret != SVSM_SUCCESS) + return false; + + features = call.rdx_out; + platform_cmds = call.rcx_out; + + /* No feature supported, it must be zero */ + if (features) + return false; + + /* TPM_SEND_COMMAND - platform command 8 */ + send_cmd_mask = 1 << 8; + + return (platform_cmds & send_cmd_mask) == send_cmd_mask; +} + static int __init snp_init_platform_device(void) { struct sev_guest_platform_data data; @@ -2593,6 +2639,24 @@ static int __init snp_init_platform_device(void) return -ENODEV; pr_info("SNP guest platform device initialized.\n"); + + /* + * The VTPM device is available only if we have a SVSM and + * its VTPM supports the TPM_SEND_COMMAND platform command + */ + if (IS_ENABLED(CONFIG_TCG_PLATFORM) && snp_vmpl && + is_svsm_vtpm_send_command_supported()) { + struct tpm_platform_ops pops = { + .sendrcv = snp_issue_svsm_vtpm_send_command, + }; + + if (platform_device_add_data(&tpm_device, &pops, sizeof(pops))) + return -ENODEV; + if (platform_device_register(&tpm_device)) + return -ENODEV; + pr_info("SNP SVSM VTPM platform device initialized\n"); + } + return 0; } device_initcall(snp_init_platform_device);
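Review bot: in is_svsm_vtpm_send_command_supported(), `send_cmd_mask = 1 << 8;` hard-codes the bit with a plain int shift directly under the comment "/* TPM_SEND_COMMAND - platform command 8 */"; `BIT_ULL(TPM_SEND_COMMAND)`, with the constant patch 1 defines in linux/tpm_platform.h, keeps the query bit and the command number from drifting apart and makes the `u64 send_cmd_mask = 0;` initialiser unnecessary. The `if (features) return false;` test also deserves a sentence in the commit message: it rejects any SVSM that advertises a feature bit, so a future SVSM adding an optional vTPM feature would silently lose the device; if that is the intended conservative default, say so where the comment currently reads "No feature supported, it must be zero".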
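Review bot: the vTPM block added to snp_init_platform_device() returns -ENODEV when platform_device_add_data() or platform_device_register() fails, but it runs after the "SNP guest platform device initialized." message, i.e. once the sev-guest device is already set up, so a failure in the optional vTPM path fails the whole initcall while leaving that first device registered. The block already treats the vTPM as optional (it is skipped when CONFIG_TCG_PLATFORM is off, snp_vmpl is zero or the query says no), so pr_err() plus `return 0` is the consistent choice; if a hard failure is really wanted, unregister sev_guest_device on the way out. A one-line comment that `struct tpm_platform_ops pops` may live on the stack because platform_device_add_data() copies it would also spare the next reader a lookup.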
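The probe-then-transact flow that patches 1 and 3 describe, as an added example that is not the series' code: a userspace C model of the guest side (patch 3's SVSM_VTPM_QUERY check, then patch 1's TPM_SEND_COMMAND framing and bounds checks) exercised against a mock SVSM vTPM. It assumes the struct layouts and the SVSM_VTPM_CALL encoding shown in the hunks; the svsm_call subset, the mock's behaviour and the TPM2_GetRandom bytes are constructed here for illustration.

```c
/* Model of the series' guest data path, written for this note (not kernel code): patch 3's
 * SVSM_VTPM_QUERY probe and patch 1's MSSIM framing and bounds checks, driven against a mock. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define TPM_SEND_COMMAND 8
#define TPM_PLATFORM_MAX_BUFFER 4096
#define SVSM_VTPM_CALL(x) ((2ULL << 32) | (x))
#define SVSM_VTPM_QUERY 0
#define SVSM_VTPM_CMD 1
struct __attribute__((packed)) tpm_send_cmd_req {
	uint32_t cmd; uint8_t locality; uint32_t inbuf_size; uint8_t inbuf[];
};
struct __attribute__((packed)) tpm_resp { int32_t size; };
struct svsm_call { uint64_t rax, rcx, rcx_out, rdx_out; }; /* subset of the kernel struct */
static uint8_t shared_buf[TPM_PLATFORM_MAX_BUFFER]; /* the driver's single buffer */
static uint8_t resp_out[32];                        /* scratch for replies */

/* Mock SVSM vTPM (constructed). QUERY advertises only TPM_SEND_COMMAND. CMD answers a TPM2
 * header with rc 0, or TPM_RC_COMMAND_SIZE (0x142) if inbuf_size != the command's size field. */
static int mock_svsm_call(struct svsm_call *c)
{
	struct tpm_send_cmd_req *req = (void *)(uintptr_t)c->rcx;
	uint8_t *buf = (uint8_t *)req, reply[10] = { 0x80, 0x01, 0, 0, 0, 10 };
	uint32_t hdr_size;
	if (c->rax == SVSM_VTPM_CALL(SVSM_VTPM_QUERY)) {
		c->rcx_out = 1ULL << TPM_SEND_COMMAND; /* platform command bitmap */
		c->rdx_out = 0;                        /* feature bitmap: none */
		return 0;
	}
	if (c->rax != SVSM_VTPM_CALL(SVSM_VTPM_CMD) || req->cmd != TPM_SEND_COMMAND)
		return -1; /* constructed: SVSM rejects the call */
	hdr_size = (uint32_t)req->inbuf[2] << 24 | (uint32_t)req->inbuf[3] << 16 |
		   (uint32_t)req->inbuf[4] << 8 | req->inbuf[5];
	if (req->inbuf_size < 10 || hdr_size != req->inbuf_size)
		memcpy(reply + 8, "\x01\x42", 2); /* big-endian TPM_RC_COMMAND_SIZE */
	memcpy(buf + sizeof(struct tpm_resp), reply, sizeof reply); /* reply overwrites request */
	((struct tpm_resp *)buf)->size = sizeof reply;
	return 0;
}

/* Mirrors is_svsm_vtpm_send_command_supported(): unknown features are refused. */
static int vtpm_send_command_supported(void)
{
	struct svsm_call call = { .rax = SVSM_VTPM_CALL(SVSM_VTPM_QUERY) };
	if (mock_svsm_call(&call) != 0 || call.rdx_out != 0)
		return 0;
	return (call.rcx_out >> TPM_SEND_COMMAND) & 1;
}

/* Mirrors tpm_platform_send(): bound the length, frame, hand off the buffer. */
static int platform_send(const uint8_t *cmd, size_t len)
{
	struct tpm_send_cmd_req *req = (void *)shared_buf;
	struct svsm_call call = { .rax = SVSM_VTPM_CALL(SVSM_VTPM_CMD),
				  .rcx = (uintptr_t)shared_buf };
	if (len > TPM_PLATFORM_MAX_BUFFER - sizeof(*req))
		return -EINVAL;
	req->cmd = TPM_SEND_COMMAND;
	req->locality = 0; /* the driver hard-codes locality 0 for now */
	req->inbuf_size = (uint32_t)len;
	memcpy(req->inbuf, cmd, len);
	return mock_svsm_call(&call) ? -EIO : 0;
}

/* Mirrors tpm_platform_recv(): the platform's size word is bounded before it is used. */
static int platform_recv(uint8_t *out, size_t len)
{
	const struct tpm_resp *resp = (const void *)shared_buf;
	if (resp->size < 0)
		return resp->size; /* platform-reported error, passed through */
	if ((size_t)resp->size > TPM_PLATFORM_MAX_BUFFER - sizeof(*resp))
		return -EINVAL; /* claims more than the buffer can hold */
	if (len < (size_t)resp->size)
		return -E2BIG;
	memcpy(out, shared_buf + sizeof(*resp), resp->size);
	return resp->size;
}

/* Misbehaving-platform case: forge the size word, then receive. */
static int recv_with_forged_size(int32_t forged)
{
	((struct tpm_resp *)shared_buf)->size = forged;
	return platform_recv(resp_out, sizeof resp_out);
}

/* TPM2_GetRandom(8 bytes): a 12-byte command followed by 2 constructed junk bytes. */
static const uint8_t getrandom_cmd[14] = { 0x80, 0x01, 0, 0, 0, 12, 0, 0, 0x01, 0x7b, 0, 8 };
```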