Re: [PATCH Part2 v6 18/49] crypto: ccp: Provide APIs to query extended attestation report
From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2022-08-02 12:40:05
Also in:
kvm, linux-crypto, linux-mm, lkml
I'd rephrase "Provide in-kernel API..." (e.g. not uapi).

On Mon, Jun 20, 2022 at 11:06:06PM +0000, Ashish Kalra wrote:
From: Brijesh Singh <redacted> Version 2 of the GHCB specification defines VMGEXIT that is used to get the extended attestation report. The extended attestation report includes the certificate blobs provided through the SNP_SET_EXT_CONFIG. The snp_guest_ext_guest_request() will be used by the hypervisor to get the extended attestation report. See the GHCB specification for more details.
What is "the hypervisor"? Could it be replaced with e.g. KVM for clarity?
Signed-off-by: Brijesh Singh <redacted> --- drivers/crypto/ccp/sev-dev.c | 43 ++++++++++++++++++++++++++++++++++++ include/linux/psp-sev.h | 24 ++++++++++++++++++++ 2 files changed, 67 insertions(+)diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 97b479d5aa86..f6306b820b86 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c@@ -25,6 +25,7 @@ #include <linux/fs.h> #include <asm/smp.h> +#include <asm/sev.h> #include "psp-dev.h" #include "sev-dev.h"@@ -1857,6 +1858,48 @@ int snp_guest_dbg_decrypt(struct sev_data_snp_dbg *data, int *error) } EXPORT_SYMBOL_GPL(snp_guest_dbg_decrypt); +int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data, + unsigned long vaddr, unsigned long *npages, unsigned long *fw_err) +{ + unsigned long expected_npages; + struct sev_device *sev; + int rc; + + if (!psp_master || !psp_master->sev_data) + return -ENODEV; + + sev = psp_master->sev_data; + + if (!sev->snp_inited) + return -EINVAL; + + /* + * Check if there is enough space to copy the certificate chain. Otherwise + * return ERROR code defined in the GHCB specification. + */ + expected_npages = sev->snp_certs_len >> PAGE_SHIFT; + if (*npages < expected_npages) { + *npages = expected_npages; + *fw_err = SNP_GUEST_REQ_INVALID_LEN; + return -EINVAL; + } + + rc = sev_do_cmd(SEV_CMD_SNP_GUEST_REQUEST, data, (int *)&fw_err); + if (rc) + return rc; + + /* Copy the certificate blob */ + if (sev->snp_certs_data) { + *npages = expected_npages; + memcpy((void *)vaddr, sev->snp_certs_data, *npages << PAGE_SHIFT); + } else { + *npages = 0; + } + + return rc; +} +EXPORT_SYMBOL_GPL(snp_guest_ext_guest_request);
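Review bot: the call `sev_do_cmd(SEV_CMD_SNP_GUEST_REQUEST, data, (int *)&fw_err)` passes the address of the local `fw_err` pointer variable rather than the caller's storage; `fw_err` is already an `unsigned long *`, so the firmware error code is written over the local pointer and `*fw_err` is never updated for the caller. It should pass `(int *)fw_err`, or better, a local `int` that is then assigned to `*fw_err`, since the two types differ in size. Separately, `expected_npages = sev->snp_certs_len >> PAGE_SHIFT` rounds down, so a certificate blob whose length is not a multiple of PAGE_SIZE has its final partial page neither counted in the `*npages < expected_npages` check nor copied by the `memcpy()`; consider `PAGE_ALIGN(sev->snp_certs_len) >> PAGE_SHIFT` so the caller is asked for enough pages and receives the whole blob.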
Undocumented export.
+ static void sev_exit(struct kref *ref) { misc_deregister(&misc_dev->misc);diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index a3bb792bb842..cd37ccd1fa1f 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h@@ -945,6 +945,23 @@ void *psp_copy_user_blob(u64 uaddr, u32 len); void *snp_alloc_firmware_page(gfp_t mask); void snp_free_firmware_page(void *addr); +/** + * snp_guest_ext_guest_request - perform the SNP extended guest request command + * defined in the GHCB specification. + * + * @data: the input guest request structure + * @vaddr: address where the certificate blob need to be copied. + * @npages: number of pages for the certificate blob. + * If the specified page count is less than the certificate blob size, then the + * required page count is returned with error code defined in the GHCB spec. + * If the specified page count is more than the certificate blob size, then + * page count is updated to reflect the amount of valid data copied in the + * vaddr. + */
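Review bot: the kernel-doc block documents @data, @vaddr and @npages but not the fourth parameter of the prototype (`error` in the header, `fw_err` in the implementation), which is the channel through which the GHCB error code such as SNP_GUEST_REQ_INVALID_LEN is reported to the caller; add an `@error:` line describing that, and a `Return:` section stating the negative errno values the function can return.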
This kdoc is misplaced: it should be in sev-dev.c, right before the implementation. Also it does not say anything about return value, and still the return type is "int".
+int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data, + unsigned long vaddr, unsigned long *npages, + unsigned long *error); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int@@ -992,6 +1009,13 @@ static inline void *snp_alloc_firmware_page(gfp_t mask) static inline void snp_free_firmware_page(void *addr) { } +static inline int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data, + unsigned long vaddr, unsigned long *n, + unsigned long *error) +{ + return -ENODEV; +} + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_SEV_H__ */-- 2.25.1
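Review bot: the header prototype names the last parameter `error` and the `!CONFIG_CRYPTO_DEV_SP_PSP` stub names the page-count parameter `n`, while the sev-dev.c implementation uses `fw_err` and `npages`; use the same parameter names in the prototype, the stub and the implementation so that the kernel-doc parameter list can match the function it documents.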
BR, Jarkko