
Re: [PATCH Part2 v5 16/45] crypto: ccp: Add the SNP_PLATFORM_STATUS command

From: Marc Orr <hidden>
Date: 2021-09-10 03:18:17
Also in: kvm, linux-coco, linux-mm, lkml

On Fri, Aug 20, 2021 at 9:00 AM Brijesh Singh [off-list ref] wrote:
The command can be used by userspace to query the SNP platform status
report. See the SEV-SNP specification for more details.

Signed-off-by: Brijesh Singh <redacted>
---
 Documentation/virt/coco/sevguest.rst | 27 +++++++++++++++++
 drivers/crypto/ccp/sev-dev.c         | 45 ++++++++++++++++++++++++++++
 include/uapi/linux/psp-sev.h         |  1 +
 3 files changed, 73 insertions(+)
diff --git a/Documentation/virt/coco/sevguest.rst b/Documentation/virt/coco/sevguest.rst
index 7acb8696fca4..7c51da010039 100644
--- a/Documentation/virt/coco/sevguest.rst
+++ b/Documentation/virt/coco/sevguest.rst
@@ -52,6 +52,22 @@ to execute due to the firmware error, then fw_err code will be set.
                 __u64 fw_err;
         };

+The host ioctl should be called to /dev/sev device. The ioctl accepts command
+id and command input structure.
+
+::
+        struct sev_issue_cmd {
+                /* Command ID */
+                __u32 cmd;
+
+                /* Command request structure */
+                __u64 data;
+
+                /* firmware error code on failure (see psp-sev.h) */
+                __u32 error;
+        };
+
+
 2.1 SNP_GET_REPORT
 ------------------
@@ -107,3 +123,14 @@ length of the blob is lesser than expected then snp_ext_report_req.certs_len wil
 be updated with the expected value.

 See GHCB specification for further detail on how to parse the certificate blob.
+
+2.3 SNP_PLATFORM_STATUS
+-----------------------
+:Technology: sev-snp
+:Type: hypervisor ioctl cmd
+:Parameters (in): struct sev_data_snp_platform_status
+:Returns (out): 0 on success, -negative on error
+
+The SNP_PLATFORM_STATUS command is used to query the SNP platform status. The
+status includes API major, minor version and more. See the SEV-SNP
+specification for further details.
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 4cd7d803a624..16c6df5d412c 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1394,6 +1394,48 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
        return ret;
 }

+static int sev_ioctl_snp_platform_status(struct sev_issue_cmd *argp)
+{
+       struct sev_device *sev = psp_master->sev_data;
+       struct sev_data_snp_platform_status_buf buf;
+       struct page *status_page;
+       void *data;
+       int ret;
+
+       if (!sev->snp_inited || !argp->data)
+               return -EINVAL;
+
+       status_page = alloc_page(GFP_KERNEL_ACCOUNT);
+       if (!status_page)
+               return -ENOMEM;
+
+       data = page_address(status_page);
+       if (snp_set_rmp_state(__pa(data), 1, true, true, false)) {
+               __free_pages(status_page, 0);
+               return -EFAULT;
+       }
+
+       buf.status_paddr = __psp_pa(data);
+       ret = __sev_do_cmd_locked(SEV_CMD_SNP_PLATFORM_STATUS, &buf, &argp->error);
+
+       /* Change the page state before accessing it */
+       if (snp_set_rmp_state(__pa(data), 1, false, true, true)) {
+               snp_leak_pages(__pa(data) >> PAGE_SHIFT, 1);
Calling `snp_leak_pages()` here seems wrong, because
`snp_set_rmp_state()` calls `snp_leak_pages()` when it returns an
error.
+               return -EFAULT;
+       }
+
+       if (ret)
+               goto cleanup;
+
+       if (copy_to_user((void __user *)argp->data, data,
+                        sizeof(struct sev_user_data_snp_status)))
+               ret = -EFAULT;
+
+cleanup:
+       __free_pages(status_page, 0);
+       return ret;
+}
+
 static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
 {
        void __user *argp = (void __user *)arg;
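Review bot: The page that `copy_to_user()` copies `sizeof(struct sev_user_data_snp_status)` bytes from is allocated without `__GFP_ZERO`, so if the firmware fills fewer bytes than that struct (an older firmware revision, or a firmware status layout shorter than the userspace one) the rest of the copy is stale page contents handed to userspace. Allocating with `alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO)` closes that for a page that is used exactly once. The same applies to `buf`, which goes to the firmware with only `status_paddr` set: `struct sev_data_snp_platform_status_buf buf = {0};` keeps any padding or reserved fields from being passed uninitialized, if that struct has any. Separately, the sevguest.rst hunk documents the parameter as `struct sev_data_snp_platform_status` while this function copies out a `struct sev_user_data_snp_status`; one of the two names looks stale and the documentation should name the structure userspace actually receives.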
@@ -1445,6 +1487,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
        case SEV_GET_ID2:
                ret = sev_ioctl_do_get_id2(&input);
                break;
+       case SNP_PLATFORM_STATUS:
+               ret = sev_ioctl_snp_platform_status(&input);
+               break;
        default:
                ret = -EINVAL;
                goto out;
diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h
index bed65a891223..ffd60e8b0a31 100644
--- a/include/uapi/linux/psp-sev.h
+++ b/include/uapi/linux/psp-sev.h
@@ -28,6 +28,7 @@ enum {
        SEV_PEK_CERT_IMPORT,
        SEV_GET_ID,     /* This command is deprecated, use SEV_GET_ID2 */
        SEV_GET_ID2,
+       SNP_PLATFORM_STATUS,

        SEV_MAX,
 };
--
2.17.1