From: Michael Roth <michael.roth@amd.com> To: <kvm@vger.kernel.org> Cc: <linux-coco@lists.linux.dev>, <linux-mm@kvack.org>, <linux-crypto@vger.kernel.org>, <x86@kernel.org>, <linux-kernel@vger.kernel.org>, <tglx@linutronix.de>, <mingo@redhat.com>, <jroedel@suse.de>, <thomas.lendacky@amd.com>, <hpa@zytor.com>, <ardb@kernel.org>, <pbonzini@redhat.com>, <seanjc@google.com>, <vkuznets@redhat.com>, <jmattson@google.com>, <luto@kernel.org>, <dave.hansen@linux.intel.com>, <slp@redhat.com>, <pgonda@google.com>, <peterz@infradead.org>, <srinivas.pandruvada@linux.intel.com>, <rientjes@google.com>, <dovmurik@linux.ibm.com>, <tobin@ibm.com>, <bp@alien8.de>, <vbabka@suse.cz>, <kirill@shutemov.name>, <ak@linux.intel.com>, <tony.luck@intel.com>, <sathyanarayanan.kuppuswamy@linux.intel.com>, <alpergun@google.com>, <jarkko@kernel.org>, <ashish.kalra@amd.com>, <nikunj.dadhania@amd.com>, <pankaj.gupta@amd.com>, <liam.merwick@oracle.com> Subject: [PATCH v12 27/29] crypto: ccp: Add the SNP_VLEK_LOAD command Date: Fri, 29 Mar 2024 17:58:33 -0500 [thread overview] Message-ID: <20240329225835.400662-28-michael.roth@amd.com> (raw) In-Reply-To: <20240329225835.400662-1-michael.roth@amd.com> When requesting an attestation report a guest is able to specify whether it wants SNP firmware to sign the report using either a Versioned Chip Endorsement Key (VCEK), which is derived from chip-unique secrets, or a Versioned Loaded Endorsement Key (VLEK) which is obtained from an AMD Key Derivation Service (KDS) and derived from seeds allocated to enrolled cloud service providers (CSPs). For VLEK keys, an SNP_VLEK_LOAD SNP firmware command is used to load them into the system after obtaining them from the KDS. Add a corresponding userspace interface so to allow the loading of VLEK keys into the system. See SEV-SNP Firmware ABI 1.54, SNP_VLEK_LOAD for more details. Signed-off-by: Michael Roth <michael.roth@amd.com> --- drivers/crypto/ccp/sev-dev.c | 36 ++++++++++++++++++++++++++++++++++++ include/uapi/linux/psp-sev.h | 27 +++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 2102377f727b..97a7959406ee 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -2027,6 +2027,39 @@ static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); } +static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable) +{ + struct sev_device *sev = psp_master->sev_data; + struct sev_user_data_snp_vlek_load input; + void *blob; + int ret; + + if (!sev->snp_initialized || !argp->data) + return -EINVAL; + + if (!writable) + return -EPERM; + + if (copy_from_user(&input, u64_to_user_ptr(argp->data), sizeof(input))) + return -EFAULT; + + if (input.len != sizeof(input) || input.vlek_wrapped_version != 0) + return -EINVAL; + + blob = psp_copy_user_blob(input.vlek_wrapped_address, + sizeof(struct sev_user_data_snp_wrapped_vlek_hashstick)); + if (IS_ERR(blob)) + return PTR_ERR(blob); + + input.vlek_wrapped_address = __psp_pa(blob); + + ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error); + + kfree(blob); + + return ret; +} + static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -2087,6 +2120,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SNP_SET_CONFIG: ret = sev_ioctl_do_snp_set_config(&input, writable); break; + case SNP_VLEK_LOAD: + ret = sev_ioctl_do_snp_vlek_load(&input, writable); + break; default: ret = -EINVAL; goto out; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index b7a2c2ee35b7..2289b7c76c59 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -31,6 +31,7 @@ enum { SNP_PLATFORM_STATUS, SNP_COMMIT, SNP_SET_CONFIG, + SNP_VLEK_LOAD, SEV_MAX, }; @@ -214,6 +215,32 @@ struct sev_user_data_snp_config { __u8 rsvd1[52]; } __packed; +/** + * struct sev_data_snp_vlek_load - SNP_VLEK_LOAD structure + * + * @len: length of the command buffer read by the PSP + * @vlek_wrapped_version: version of wrapped VLEK hashstick (Must be 0h) + * @rsvd: reserved + * @vlek_wrapped_address: address of a wrapped VLEK hashstick + * (struct sev_user_data_snp_wrapped_vlek_hashstick) + */ +struct sev_user_data_snp_vlek_load { + __u32 len; /* In */ + __u8 vlek_wrapped_version; /* In */ + __u8 rsvd[3]; /* In */ + __u64 vlek_wrapped_address; /* In */ +} __packed; + +/** + * struct sev_user_data_snp_vlek_wrapped_vlek_hashstick - Wrapped VLEK data + * + * @data: Opaque data provided by AMD KDS (as described in SEV-SNP Firmware ABI + * 1.54, SNP_VLEK_LOAD) + */ +struct sev_user_data_snp_wrapped_vlek_hashstick { + __u8 data[432]; /* In */ +} __packed; + /** * struct sev_issue_cmd - SEV ioctl parameters * -- 2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Michael Roth <michael.roth@amd.com> To: <kvm@vger.kernel.org> Cc: <linux-coco@lists.linux.dev>, <linux-mm@kvack.org>, <linux-crypto@vger.kernel.org>, <x86@kernel.org>, <linux-kernel@vger.kernel.org>, <tglx@linutronix.de>, <mingo@redhat.com>, <jroedel@suse.de>, <thomas.lendacky@amd.com>, <hpa@zytor.com>, <ardb@kernel.org>, <pbonzini@redhat.com>, <seanjc@google.com>, <vkuznets@redhat.com>, <jmattson@google.com>, <luto@kernel.org>, <dave.hansen@linux.intel.com>, <slp@redhat.com>, <pgonda@google.com>, <peterz@infradead.org>, <srinivas.pandruvada@linux.intel.com>, <rientjes@google.com>, <dovmurik@linux.ibm.com>, <tobin@ibm.com>, <bp@alien8.de>, <vbabka@suse.cz>, <kirill@shutemov.name>, <ak@linux.intel.com>, <tony.luck@intel.com>, <sathyanarayanan.kuppuswamy@linux.intel.com>, <alpergun@google.com>, <jarkko@kernel.org>, <ashish.kalra@amd.com>, <nikunj.dadhania@amd.com>, <pankaj.gupta@amd.com>, <liam.merwick@oracle.com> Subject: [PATCH v12 27/29] crypto: ccp: Add the SNP_VLEK_LOAD command Date: Fri, 29 Mar 2024 17:58:33 -0500 [thread overview] Message-ID: <20240329225835.400662-28-michael.roth@amd.com> (raw) Message-ID: <20240329225833.iB2yPRP7_u0zFHaQbLIPp16wh-a4bNDNxUmfFZN89Ng@z> (raw) In-Reply-To: <20240329225835.400662-1-michael.roth@amd.com> When requesting an attestation report a guest is able to specify whether it wants SNP firmware to sign the report using either a Versioned Chip Endorsement Key (VCEK), which is derived from chip-unique secrets, or a Versioned Loaded Endorsement Key (VLEK) which is obtained from an AMD Key Derivation Service (KDS) and derived from seeds allocated to enrolled cloud service providers (CSPs). For VLEK keys, an SNP_VLEK_LOAD SNP firmware command is used to load them into the system after obtaining them from the KDS. Add a corresponding userspace interface so to allow the loading of VLEK keys into the system. See SEV-SNP Firmware ABI 1.54, SNP_VLEK_LOAD for more details. Signed-off-by: Michael Roth <michael.roth@amd.com> --- drivers/crypto/ccp/sev-dev.c | 36 ++++++++++++++++++++++++++++++++++++ include/uapi/linux/psp-sev.h | 27 +++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 2102377f727b..97a7959406ee 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -2027,6 +2027,39 @@ static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); } +static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable) +{ + struct sev_device *sev = psp_master->sev_data; + struct sev_user_data_snp_vlek_load input; + void *blob; + int ret; + + if (!sev->snp_initialized || !argp->data) + return -EINVAL; + + if (!writable) + return -EPERM; + + if (copy_from_user(&input, u64_to_user_ptr(argp->data), sizeof(input))) + return -EFAULT; + + if (input.len != sizeof(input) || input.vlek_wrapped_version != 0) + return -EINVAL; + + blob = psp_copy_user_blob(input.vlek_wrapped_address, + sizeof(struct sev_user_data_snp_wrapped_vlek_hashstick)); + if (IS_ERR(blob)) + return PTR_ERR(blob); + + input.vlek_wrapped_address = __psp_pa(blob); + + ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error); + + kfree(blob); + + return ret; +} + static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -2087,6 +2120,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SNP_SET_CONFIG: ret = sev_ioctl_do_snp_set_config(&input, writable); break; + case SNP_VLEK_LOAD: + ret = sev_ioctl_do_snp_vlek_load(&input, writable); + break; default: ret = -EINVAL; goto out; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index b7a2c2ee35b7..2289b7c76c59 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -31,6 +31,7 @@ enum { SNP_PLATFORM_STATUS, SNP_COMMIT, SNP_SET_CONFIG, + SNP_VLEK_LOAD, SEV_MAX, }; @@ -214,6 +215,32 @@ struct sev_user_data_snp_config { __u8 rsvd1[52]; } __packed; +/** + * struct sev_data_snp_vlek_load - SNP_VLEK_LOAD structure + * + * @len: length of the command buffer read by the PSP + * @vlek_wrapped_version: version of wrapped VLEK hashstick (Must be 0h) + * @rsvd: reserved + * @vlek_wrapped_address: address of a wrapped VLEK hashstick + * (struct sev_user_data_snp_wrapped_vlek_hashstick) + */ +struct sev_user_data_snp_vlek_load { + __u32 len; /* In */ + __u8 vlek_wrapped_version; /* In */ + __u8 rsvd[3]; /* In */ + __u64 vlek_wrapped_address; /* In */ +} __packed; + +/** + * struct sev_user_data_snp_vlek_wrapped_vlek_hashstick - Wrapped VLEK data + * + * @data: Opaque data provided by AMD KDS (as described in SEV-SNP Firmware ABI + * 1.54, SNP_VLEK_LOAD) + */ +struct sev_user_data_snp_wrapped_vlek_hashstick { + __u8 data[432]; /* In */ +} __packed; + /** * struct sev_issue_cmd - SEV ioctl parameters * -- 2.25.1 X-sender: <linux-kernel+bounces-125510-steffen.klassert=secunet.com@vger.kernel.org> X-Receiver: <steffen.klassert@secunet.com> ORCPT=rfc822;steffen.klassert@secunet.com NOTIFY=NEVER; X-ExtendedProps=DwA1AAAATWljcm9zb2Z0LkV4Y2hhbmdlLlRyYW5zcG9ydC5EaXJlY3RvcnlEYXRhLklzUmVzb3VyY2UCAAAFABUAFgACAAAABQAUABEA8MUJLbkECUOS0gjaDTZ+uAUAagAJAAEAAAAAAAAABQAWAAIAAAUAQwACAAAFAEYABwADAAAABQBHAAIAAAUAEgAPAGIAAAAvbz1zZWN1bmV0L291PUV4Y2hhbmdlIEFkbWluaXN0cmF0aXZlIEdyb3VwIChGWURJQk9IRjIzU1BETFQpL2NuPVJlY2lwaWVudHMvY249U3RlZmZlbiBLbGFzc2VydDY4YwUACwAXAL4AAACheZxkHSGBRqAcAp3ukbifQ049REI2LENOPURhdGFiYXNlcyxDTj1FeGNoYW5nZSBBZG1pbmlzdHJhdGl2ZSBHcm91cCAoRllESUJPSEYyM1NQRExUKSxDTj1BZG1pbmlzdHJhdGl2ZSBHcm91cHMsQ049c2VjdW5ldCxDTj1NaWNyb3NvZnQgRXhjaGFuZ2UsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zZWN1bmV0LERDPWRlBQAOABEABiAS9uuMOkqzwmEZDvWNNQUAHQAPAAwAAABtYngtZXNzZW4tMDIFADwAAgAADwA2AAAATWljcm9zb2Z0LkV4Y2hhbmdlLlRyYW5zcG9ydC5NYWlsUmVjaXBpZW50LkRpc3BsYXlOYW1lDwARAAAAS2xhc3NlcnQsIFN0ZWZmZW4FAGwAAgAABQBYABcASgAAAPDFCS25BAlDktII2g02frhDTj1LbGFzc2VydCBTdGVmZmVuLE9VPVVzZXJzLE9VPU1pZ3JhdGlvbixEQz1zZWN1bmV0LERDPWRlBQAMAAIAAAUAJgACAAEFACIADwAxAAAAQXV0b1Jlc3BvbnNlU3VwcHJlc3M6IDANClRyYW5zbWl0SGlzdG9yeTogRmFsc2UNCg8ALwAAAE1pY3Jvc29mdC5FeGNoYW5nZS5UcmFuc3BvcnQuRXhwYW5zaW9uR3JvdXBUeXBlDwAVAAAATWVtYmVyc0dyb3VwRXhwYW5zaW9uBQAjAAIAAQ== X-CreatedBy: MSExchange15 X-HeloDomain: b.mx.secunet.com X-ExtendedProps: BQBjAAoA6kmmlidQ3AgFAGEACAABAAAABQA3AAIAAA8APAAAAE1pY3Jvc29mdC5FeGNoYW5nZS5UcmFuc3BvcnQuTWFpbFJlY2lwaWVudC5Pcmdhbml6YXRpb25TY29wZREAAAAAAAAAAAAAAAAAAAAAAAUASQACAAEFAAQAFCABAAAAHAAAAHN0ZWZmZW4ua2xhc3NlcnRAc2VjdW5ldC5jb20FAAYAAgABDwAqAAAATWljcm9zb2Z0LkV4Y2hhbmdlLlRyYW5zcG9ydC5SZXN1Ym1pdENvdW50BwACAAAADwAJAAAAQ0lBdWRpdGVkAgABBQACAAcAAQAAAAUAAwAHAAAAAAAFAAUAAgABBQBiAAoATwAAAM6KAAAFAGQADwADAAAASHViBQApAAIAAQ8APwAAAE1pY3Jvc29mdC5FeGNoYW5nZS5UcmFuc3BvcnQuRGlyZWN0b3J5RGF0YS5NYWlsRGVsaXZlcnlQcmlvcml0eQ8AAwAAAExvdw== X-Source: SMTP:Default MBX-ESSEN-02 X-SourceIPAddress: 62.96.220.37 X-EndOfInjectedXHeaders: 22661 Received: from cas-essen-01.secunet.de (10.53.40.201) by mbx-essen-02.secunet.de (10.53.40.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.37; Sat, 30 Mar 2024 00:06:39 +0100 Received: from b.mx.secunet.com (62.96.220.37) by cas-essen-01.secunet.de (10.53.40.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend Transport; Sat, 30 Mar 2024 00:06:39 +0100 Received: from localhost (localhost [127.0.0.1]) by b.mx.secunet.com (Postfix) with ESMTP id 9C3452032C for <steffen.klassert@secunet.com>; Sat, 30 Mar 2024 00:06:39 +0100 (CET) X-Virus-Scanned: by secunet X-Spam-Flag: NO X-Spam-Score: -5.15 X-Spam-Level: X-Spam-Status: No, score=-5.15 tagged_above=-999 required=2.1 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.099, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no Authentication-Results: a.mx.secunet.com (amavisd-new); dkim=pass (1024-bit key) header.d=amd.com Received: from b.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4pwceeobCkH for <steffen.klassert@secunet.com>; Sat, 30 Mar 2024 00:06:39 +0100 (CET) Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=147.75.199.223; helo=ny.mirrors.kernel.org; envelope-from=linux-kernel+bounces-125510-steffen.klassert=secunet.com@vger.kernel.org; receiver=steffen.klassert@secunet.com DKIM-Filter: OpenDKIM Filter v2.11.0 b.mx.secunet.com CF6F6200BB Authentication-Results: b.mx.secunet.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b="pVQbPIWb" Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [147.75.199.223]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by b.mx.secunet.com (Postfix) with ESMTPS id CF6F6200BB for <steffen.klassert@secunet.com>; Sat, 30 Mar 2024 00:06:38 +0100 (CET) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id D67FB1C2146E for <steffen.klassert@secunet.com>; Fri, 29 Mar 2024 23:06:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F404B13F435; Fri, 29 Mar 2024 23:06:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b="pVQbPIWb" Received: from NAM04-MW2-obe.outbound.protection.outlook.com (mail-mw2nam04on2048.outbound.protection.outlook.com [40.107.101.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 807FB4B5DA; Fri, 29 Mar 2024 23:06:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.101.48 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711753565; cv=fail; b=nySl60dntVQyPamC5zHokQ59i8eUA14VcdmUSIxZVrv4o47wSi2elTNxC+0KAI+xBvRR1sZ2v8HUEYX4B2acaXAd+qH0TnIR7Q7+sZsumOQ9ZNju1Fx6OSRxJjn4j0p84rj90JPzlqxNnU9GHhvHZNXZWDRlF+W/GuH+aAiTJug= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711753565; c=relaxed/simple; bh=1mt+dPqGVGgxhVCKEG3pXqMiUa4XApuT0BM0owhsWto=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=MiA9QHfN5QPr81nmkTuaS5BtC7vny4OCpm2fNYUYj783qUCLSPRTm9S1SoUx3OCOiP2TV1katS6TRLP7s1Hn+O7vKGjZzdlBAc0uDl496/6oAq8XFpbE1NnIimM/kIBiMn52lb2Ivs1No1ZN9z6NUmFXuH98rYfvzDBSIsRaAAQ= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com; spf=fail smtp.mailfrom=amd.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b=pVQbPIWb; arc=fail smtp.client-ip=40.107.101.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=amd.com ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=imaqi7zO++Pueh1kiczxyzbdLQbAvufU75qRWyu2zj1Gky5hCoS3w+yInJ0L3dUXfuaFx9DN08KYjvM03AxEFOUF1M700WDoWkkppUeah6369frkyhubt9gmIPSzEJupYZDwODCSA7DU2A/QdTKWtIvajcJYH+UfhcoaOwL8rbBfvy2IZTm7BukJIUrD6yjpky4ro99oL7ugAgDAIYnTLgywKVhVkw3JZA2jDJmw3s1UPHwouImDX6DyfV8MusvmSstKSkVyQDunHM7KEzBPEyneL7ih4zbEvEb1YRSzyQce/Swsfc3YtoduzRQ9kO36itueeu7Kz2yuT97MVHXOXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CFi7FUdlAWZbxIeQZPeXjgozeEMcnuRszCmTYDdmjJw=; b=jr3CpJ2B9ia9wR1FHBCqA3R/rAM6kID2KydtbDP63g9WFvHXi453xc7V7PwiJhBUZYCUj89Xzes5WQvlV0sh/cFMXbKXRy3Ym5LJIngzSC3Vqj55baspbaJHUWtMWx1OUZraxO/2tnABuT/ZhXYqfWXp3U/8WNP/DhkXylSlqMqcIGJ1rp2fZI7/9h6kK6I3pO9kIh3sw/VP9XIA4Q9tdF4fcH+MxqkCVJkBSj7eWj6ZKV9UQ8CPArPPbdh1+nqisbzHp5SyIalfBZnmAv2U/QkEVLAntvMg8ecAQE9lvv9LUqwM6UbuPL2wpiGXvA/uDycwDsIEV1wxijg+TN3tMA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CFi7FUdlAWZbxIeQZPeXjgozeEMcnuRszCmTYDdmjJw=; b=pVQbPIWbese89EZLyabCbuNSndnvJlEBLQ0FbXJsU/BU5bRdWBMXFlEV5gp+Ry0aZm+Qr6tDyl90OpotfnuRujcOYxMvAlkxrHJvJLYBQCU7ctGa6tenr4X0tdWCCVzDbi7ndk8u5ZUER2aAQ944jHEIlPJOWvsMJVItu6bqIwY= Received: from DM5PR08CA0040.namprd08.prod.outlook.com (2603:10b6:4:60::29) by DS0PR12MB6389.namprd12.prod.outlook.com (2603:10b6:8:cf::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.32; Fri, 29 Mar 2024 23:06:01 +0000 Received: from DS1PEPF00017094.namprd03.prod.outlook.com (2603:10b6:4:60:cafe::4f) by DM5PR08CA0040.outlook.office365.com (2603:10b6:4:60::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.41 via Frontend Transport; Fri, 29 Mar 2024 23:06:01 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C Received: from SATLEXMB04.amd.com (165.204.84.17) by DS1PEPF00017094.mail.protection.outlook.com (10.167.17.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.7409.10 via Frontend Transport; Fri, 29 Mar 2024 23:06:00 +0000 Received: from localhost (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 29 Mar 2024 18:06:00 -0500 From: Michael Roth <michael.roth@amd.com> To: <kvm@vger.kernel.org> CC: <linux-coco@lists.linux.dev>, <linux-mm@kvack.org>, <linux-crypto@vger.kernel.org>, <x86@kernel.org>, <linux-kernel@vger.kernel.org>, <tglx@linutronix.de>, <mingo@redhat.com>, <jroedel@suse.de>, <thomas.lendacky@amd.com>, <hpa@zytor.com>, <ardb@kernel.org>, <pbonzini@redhat.com>, <seanjc@google.com>, <vkuznets@redhat.com>, <jmattson@google.com>, <luto@kernel.org>, <dave.hansen@linux.intel.com>, <slp@redhat.com>, <pgonda@google.com>, <peterz@infradead.org>, <srinivas.pandruvada@linux.intel.com>, <rientjes@google.com>, <dovmurik@linux.ibm.com>, <tobin@ibm.com>, <bp@alien8.de>, <vbabka@suse.cz>, <kirill@shutemov.name>, <ak@linux.intel.com>, <tony.luck@intel.com>, <sathyanarayanan.kuppuswamy@linux.intel.com>, <alpergun@google.com>, <jarkko@kernel.org>, <ashish.kalra@amd.com>, <nikunj.dadhania@amd.com>, <pankaj.gupta@amd.com>, <liam.merwick@oracle.com> Subject: [PATCH v12 27/29] crypto: ccp: Add the SNP_VLEK_LOAD command Date: Fri, 29 Mar 2024 17:58:33 -0500 Message-ID: <20240329225835.400662-28-michael.roth@amd.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240329225835.400662-1-michael.roth@amd.com> References: <20240329225835.400662-1-michael.roth@amd.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: <linux-kernel.vger.kernel.org> List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS1PEPF00017094:EE_|DS0PR12MB6389:EE_ X-MS-Office365-Filtering-Correlation-Id: 9c5ce47d-5076-4cef-2387-08dc5044cd0d X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: M108XjrRq0MG2qHrQcGm9f5QoZTpFMpGESUVMEAwEi0Jg/7J8Sx0JfHp3iC8H9S89d26XnzK5RVaR+N6ZfBRD7fWFThxq8QMDl68ulJk2Mf74+t6uO5YrRyhRhGmhr4yV/FrtLRjhb0oVT9g6eoMg4qUNl56tP7p0Krb8gQXsV1NVbL38MQrAiRhb3Y3OZ2XOQiASoe36x+FrWtjv17hp2luILOtcD49WV56UuLNfoTkyMu2hja3vxe8rGXeY6Sf8VqdOWqCz2lXkkVeVDW3NsxzZthoO860rK1TI9ukxS7YiyieJ7TFE7mWV02s5//sfWqDQEzl2784/fSh1eGv3Hp9Yt24EmhxIkqfkxCrV1JpR91l5nCDMwm/MxcL9VqtfoZowhaf9TiT2WXqATZoAMuxhmdA2nHqXz/7pIKpcA2ZYz80Cj0NrJ7fxQIiOGV/WYLsdspbT0crbgqWrSC947+aQzX3g192HkGgthx9y0Vt/xC26IOIGJq4DAI5cBLoAfwrUI5I87osChI5eKSPC9yb9tdrG3NBWVv5rihbacgKtUF9N3oe6SpKfBllelkVPDKY9NAZedjB9+W5QTua9kkbKUWCihKwymTqhwX21WuOjeGGRkq0V8uvQu6vITHwXdcMeuhXZn7ECZfLVvq7zLSf2T5+QxW0AocGlILVlcHt9omD7TQJLkhluUkwsSy+zCjBpvKY+PNuAyzevoWp7/aDmFS5H30wB41TKsS3LdL66ZIodV4x0jQ2fT+hIy4G X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(36860700004)(1800799015)(376005)(82310400014)(7416005);DIR:OUT;SFP:1101; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Mar 2024 23:06:00.7175 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 9c5ce47d-5076-4cef-2387-08dc5044cd0d X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF00017094.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR12MB6389 Return-Path: linux-kernel+bounces-125510-steffen.klassert=secunet.com@vger.kernel.org X-MS-Exchange-Organization-OriginalArrivalTime: 29 Mar 2024 23:06:39.6710 (UTC) X-MS-Exchange-Organization-Network-Message-Id: e96fe527-a006-49ca-5d2b-08dc5044e439 X-MS-Exchange-Organization-OriginalClientIPAddress: 62.96.220.37 X-MS-Exchange-Organization-OriginalServerIPAddress: 10.53.40.201 X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: cas-essen-01.secunet.de X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=mbx-essen-02.secunet.de:TOTAL-HUB=33145.636|SMR=0.142(SMRDE=0.003|SMRC=0.138(SMRCL=0.103|X-SMRCR=0.138))|CAT=0.076(CATOS=0.001 |CATRESL=0.028(CATRESLP2R=0.022)|CATORES=0.043(CATRS=0.043(CATRS-Transport Rule Agent=0.001 (X-ETREX=0.001)|CATRS-Index Routing Agent=0.041)))|QDM=13523.031|SMSC=0.582(X-SMSDR=0.020 )|SMS=5.485(SMSMBXD-INC=4.967)|QDM=19611.141|CAT=0.016(CATMS=0.003|CATRESL=0.010(CATRESLP2R=0.007 ))|UNK=0.001|QDM=5.237|CAT=0.176(CATRESL=0.175(CATRESLP2R=0.021));2024-03-30T08:19:05.324Z X-MS-Exchange-Forest-ArrivalHubServer: mbx-essen-02.secunet.de X-MS-Exchange-Organization-AuthSource: cas-essen-01.secunet.de X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Organization-FromEntityHeader: Internet X-MS-Exchange-Organization-OriginalSize: 15889 X-MS-Exchange-Organization-HygienePolicy: Standard X-MS-Exchange-Organization-MessageLatency: SRV=cas-essen-01.secunet.de:TOTAL-FE=0.015|SMR=0.010(SMRPI=0.007(SMRPI-FrontendProxyAgent=0.007))|SMS=0.005 X-MS-Exchange-Organization-Recipient-Limit-Verified: True X-MS-Exchange-Organization-TotalRecipientCount: 1 X-MS-Exchange-Organization-Rules-Execution-History: 0b0cf904-14ac-4724-8bdf-482ee6223cf2%%%fd34672d-751c-45ae-a963-ed177fcabe23%%%d8080257-b0c3-47b4-b0db-23bc0c8ddb3c%%%95e591a2-5d7d-4afa-b1d0-7573d6c0a5d9%%%f7d0f6bc-4dcc-4876-8c5d-b3d6ddbb3d55%%%16355082-c50b-4214-9c7d-d39575f9f79b X-MS-Exchange-Forest-RulesExecuted: mbx-essen-02 X-MS-Exchange-Organization-RulesExecuted: mbx-essen-02 X-MS-Exchange-Forest-IndexAgent-0: AQ0CZW4AAV4JAAAPAAADH4sIAAAAAAAEAK1Xe0/bWBa/zsMhhtBS+u 7+cbvSziY0CRAeKbBTlaV0hQoFEaazUjWyHPsGLBLbazswTNvvtB9x zznXdpxnO9JaItzHef7Oy/7vX3+9Eg73xX/6Ight55IbDjfCEDZGaL t447l+yA1+iQTcDrjR7goeujzwhGl37vjtlQivhF/S7JDfGk4Y8NbH M96x/d6t4UtK+9LhQBML6weoSNjIBpI/CT8AVcLiB1e2V9IOHcv1A9 ETTsg/iDte/nRw+KFSBUW2eYUWWMK3b4C847s9bgJPre/Y4AAPhOmL MKhyF+SWtIHgY9ew4N+45GOQPBDstkPDdmLJgMT+ybuShpTvUKVEpC X8G9sUvPzhXasCRNawPYEQFoDU7bqmEcJh6JY04fhutwsbs+v2LSCR EjzfvbGBOeDlg9ZZUKmXtJL2HmxHs/i1uANPwAiAU8cT/fh0/90wuK bb66EFYHs/IGW8C66WNIC2x20H9oh7cBeEsDc6IQAuncQIEBEZjUTg Tp3vWxYiZ7q+LwLPdSykA9F+4BlgMUgUfgdXgYvK0M1b4ka1SOt2Bt ZDSgxbQA62hOCtw081dOR97Mj+P4/4en1rszribQfQ6LlAYAmwuhtI CZBPwqq5nU6tfbfLTyB6hujycze84v/oyV3dh91bo2fVAaM3Ja1Wq5 U0bmGg/GDV9O+80F01TW81EDc1S9zUTf6Vb2zzVz/wgCDbMbt9S6z2 Dc9e7dpO//dVL/BqIKx+BYIazVmCgL8BMeyKALLXcC6FVeXbGyATcM YUC8qvKuinZXc6vFa7hMIyVmea3p55jXGwxO+8sb7W2Gg2O81Gs12v 7zSN5s7WzubaNgRkfW1te3OTYPqOrpIGHnxX4du3vNZYazSrgCj939 jhcEZdxcQ0giK40W3XDLu65eqB4+mBCHXTdTr2ZTkI/b4ZkQRBX+hm z+Irhn/pVXnbdbv81rdD7EOAZPRA3fd9h+s6MoFE4NChBK+FVYZk0w 9O3umYWQenH98f/avKf5KaYIFSa2+E77t+ZQ/kfUPkX80y9KYrrnXM 9x+3E8L56gv8Rcam+AAvbAUrsOY/c8ghvWdAqfi1N3RrhMbeRD6sSb oeNgks9vphiuXGtcGkdtdtpw7RLQAMT1KHHV5+iSF8gxKhQ4S20bX/ gK7y9St/KWFChZUBywj4tcOjj5/2jyeITeMwjffs8PxknNV0vTsdex R5XP6J/Kvy/vamHroSBS/0yynzqjBv/hBup0yklcosne/3fzm+GFdK nPUuDMaXPw9LQyzkLUF+6xueJyz9Rk4aJF/7k/hgaKLIk6/kEh6WJ+ gxLAv6clAdVzH+RHZPzZnEdlRwZQRXMP/N60plbxiLo5Z+eH5eRotm QHl2cT4gGwF0qhvgtq6j454xiRFEE8Xsik5mBdRylByjNZ2Sed3xhZ iiDP2IquIb3cXtquvCYEvaQIwoNnC+gr+Qjk5AM4kqi6hSZ8QOJgF6 /MugY1Fl6hQU2TPA2fLQYQVO9+Je+lr20vXGWjXdSv+PtkWPaQSCpn Dr8CLql7uD21Tcwd5ZTTyORlL7e+NS2r4wrlMJl+hOoro7MeUmqR60 5UmaR4XEmuO9JTpGvxtO9XRQu6P3ly6847jUdIcG9sxXhPbM63hgt5 tGw2wIsbHVbtbrjcbrnXbTbG6bWzsjA3u2MDmwZ9Ngkm2sY4rBbxMT TDj9XjpfMSxnx/sX70/PT/TWxf7FL63q8O3B6cnJ0cXI4SCLUl1ruH Bx4iYsUNon+/9GId/i3F/flKm/Vd1oyNSf0tJk5qWNhlJ6zf3gxlr/ vNX4jeY79hwD28geTfrVlRW0a2VoKI/P1drIi6mk7vuCmKWEtzAxdj n8XMKLKLwI44tv/Ibe7nc6UNOQdbC+o6uz1lnEN2mW7PJ4qICk6E6+ Wie9mpdP+vBN1hZ87aoSiUJfd0ENfmMIa5L8qPnu8rgLg3xjigbJP+ X506OFpK3S29V332NSb0sQQ4g7wLo3zRL5rK7wI0cqSEd/Erh7P8SJ WH7e+G2W2omc25t8EuJ70ziHUvLVlJycANRkmCFVf00HE3nSSYr7XX 7qGfjFjJv4O5QSE7548UuQlw38zg5M327T6Jj4yTaUHhM+334g4lN8 +DISCqT/vLnRmBGMGYByApQPAzp4Y6+hc3I0cs/wjZ6AF/CAGLDBlr RGvbFVX8d2UdIYy7G8xuYzLDvPFlRWUFgmz1TYwjn8FthcgRVhAYdZ lpujNVzBGojhULIUmZZjKkjIsnyOziUvUOYUNs/yQCblKCwLxLCNiV VJDJKlxiwJB5OAXq6lHCADxgzZAGs4LLL5HNOAIEdykFdhpWibl9YC WeIL0CRX0ngyOzqRusC8EluEc9KVTRxP5EghJGEeuRRWQF7UlVVANe CpjpgBvwXAFg8LsM1EHqkA3ENyjbQvwKFKBIlMRQFilmErCQKjV8pL hTEZsoJSJOKsxpZyJAfOJ8gEpsnn6OkCW1xQSipjKluYQlaYfK5AHF leUdEeJSPXZI+aUL5gORlr8hdDgFeEFYEcYTvHHqhKYZllCKuspASy B8RF26KK2QIa7yfCn6eES+SnCH8izzWUM5clSKO1wuaQ954keDEcQc L/Pgm5R2YsZfAqD5T3WG4+ugLhgMzDDCp6Aes8W4ZwA2qLJIFsLkiW pI6IsUAJ+Txmz+UVVkSz5bkGLuQwW/JYj8o8Bf2hJM7F4OQiFfkhYl ZNcC6nPJIZVWSPQRckhBrh9lRSypjm2PKwXm0uDgpcZRV1PEaP4hjl oj4wRy4/RDlsmYK1CL85wq1IoaEt3KpYQXhSkK0gyx7koqs5WoD84n iOERT5H5a5KMkWo0R6JhNgLDPniOUvFPF8qpyfSPqxZFMT+gJ7TlF7 RurUdCWOlnBciWPnkytxjKww+VyBtIE+m5MoDdZo530gW6ZmpbKlOP OXUoAspZxdimQqi9jWlLwUKNeD0lbY01ReUfZm49qfV9kjSfOYaJLE SHfIInuUpQhKPGVviWcBWKWlkjnq53H2zkuyDE2fOXZvnDKBqMj+Pr 0KlqeU/AMy4G8ZLPZsSviz+IQwYS9hm6UyjwmeZnCYPpZia6OzQCpd iOYjtQ7pshyvchhlaFDKoZYaMffHRszidL+eSCMxB9DIgUlxV1SpOl RNeSSDSzMli+v/AbeVQTFLGQAAAQrwATw/eG1sIHZlcnNpb249IjEu MCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPEVtYWlsU2V0Pg0KICA8Vm Vyc2lvbj4xNS4wLjAuMDwvVmVyc2lvbj4NCiAgPEVtYWlscz4NCiAg ICA8RW1haWwgU3RhcnRJbmRleD0iNzIwIiBQb3NpdGlvbj0iU2lnbm F0dXJlIj4NCiAgICAgIDxFbWFpbFN0cmluZz5taWNoYWVsLnJvdGhA YW1kLmNvbTwvRW1haWxTdHJpbmc+DQogICAgPC9FbWFpbD4NCiAgPC 9FbWFpbHM+DQo8L0VtYWlsU2V0PgEMsAQ8P3htbCB2ZXJzaW9uPSIx LjAiIGVuY29kaW5nPSJ1dGYtMTYiPz4NCjxDb250YWN0U2V0Pg0KIC A8VmVyc2lvbj4xNS4wLjAuMDwvVmVyc2lvbj4NCiAgPENvbnRhY3Rz Pg0KICAgIDxDb250YWN0IFN0YXJ0SW5kZXg9IjcwNiIgUG9zaXRpb2 49IlNpZ25hdHVyZSI+DQogICAgICA8UGVyc29uIFN0YXJ0SW5kZXg9 IjcwNiIgUG9zaXRpb249IlNpZ25hdHVyZSI+DQogICAgICAgIDxQZX Jzb25TdHJpbmc+TWljaGFlbCBSb3RoPC9QZXJzb25TdHJpbmc+DQog ICAgICA8L1BlcnNvbj4NCiAgICAgIDxFbWFpbHM+DQogICAgICAgID xFbWFpbCBTdGFydEluZGV4PSI3MjAiIFBvc2l0aW9uPSJTaWduYXR1 cmUiPg0KICAgICAgICAgIDxFbWFpbFN0cmluZz5taWNoYWVsLnJvdG hAYW1kLmNvbTwvRW1haWxTdHJpbmc+DQogICAgICAgIDwvRW1haWw+ DQogICAgICA8L0VtYWlscz4NCiAgICAgIDxDb250YWN0U3RyaW5nPk 1pY2hhZWwgUm90aCAmbHQ7bWljaGFlbC5yb3RoQGFtZC5jb208L0Nv bnRhY3RTdHJpbmc+DQogICAgPC9Db250YWN0Pg0KICA8L0NvbnRhY3 RzPg0KPC9Db250YWN0U2V0PgEOzwFSZXRyaWV2ZXJPcGVyYXRvciwx MCwxO1JldHJpZXZlck9wZXJhdG9yLDExLDI7UG9zdERvY1BhcnNlck 9wZXJhdG9yLDEwLDE7UG9zdERvY1BhcnNlck9wZXJhdG9yLDExLDA7 UG9zdFdvcmRCcmVha2VyRGlhZ25vc3RpY09wZXJhdG9yLDEwLDQ7UG 9zdFdvcmRCcmVha2VyRGlhZ25vc3RpY09wZXJhdG9yLDExLDA7VHJh bnNwb3J0V3JpdGVyUHJvZHVjZXIsMjAsMjM= X-MS-Exchange-Forest-IndexAgent: 1 3428 X-MS-Exchange-Forest-EmailMessageHash: 7CFE3980 X-MS-Exchange-Forest-Language: en X-MS-Exchange-Organization-Processed-By-Journaling: Journal Agent X-MS-Exchange-Organization-Transport-Properties: DeliveryPriority=Low X-MS-Exchange-Organization-Prioritization: 2:AMS:44612/1048576|ARC:76/50 X-MS-Exchange-Organization-IncludeInSla: False:AccRecipCountThresholdExceeded When requesting an attestation report a guest is able to specify whether it wants SNP firmware to sign the report using either a Versioned Chip Endorsement Key (VCEK), which is derived from chip-unique secrets, or a Versioned Loaded Endorsement Key (VLEK) which is obtained from an AMD Key Derivation Service (KDS) and derived from seeds allocated to enrolled cloud service providers (CSPs). For VLEK keys, an SNP_VLEK_LOAD SNP firmware command is used to load them into the system after obtaining them from the KDS. Add a corresponding userspace interface so to allow the loading of VLEK keys into the system. See SEV-SNP Firmware ABI 1.54, SNP_VLEK_LOAD for more details. Signed-off-by: Michael Roth <michael.roth@amd.com> --- drivers/crypto/ccp/sev-dev.c | 36 ++++++++++++++++++++++++++++++++++++ include/uapi/linux/psp-sev.h | 27 +++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 2102377f727b..97a7959406ee 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -2027,6 +2027,39 @@ static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); } +static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable) +{ + struct sev_device *sev = psp_master->sev_data; + struct sev_user_data_snp_vlek_load input; + void *blob; + int ret; + + if (!sev->snp_initialized || !argp->data) + return -EINVAL; + + if (!writable) + return -EPERM; + + if (copy_from_user(&input, u64_to_user_ptr(argp->data), sizeof(input))) + return -EFAULT; + + if (input.len != sizeof(input) || input.vlek_wrapped_version != 0) + return -EINVAL; + + blob = psp_copy_user_blob(input.vlek_wrapped_address, + sizeof(struct sev_user_data_snp_wrapped_vlek_hashstick)); + if (IS_ERR(blob)) + return PTR_ERR(blob); + + input.vlek_wrapped_address = __psp_pa(blob); + + ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error); + + kfree(blob); + + return ret; +} + static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -2087,6 +2120,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SNP_SET_CONFIG: ret = sev_ioctl_do_snp_set_config(&input, writable); break; + case SNP_VLEK_LOAD: + ret = sev_ioctl_do_snp_vlek_load(&input, writable); + break; default: ret = -EINVAL; goto out; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index b7a2c2ee35b7..2289b7c76c59 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -31,6 +31,7 @@ enum { SNP_PLATFORM_STATUS, SNP_COMMIT, SNP_SET_CONFIG, + SNP_VLEK_LOAD, SEV_MAX, }; @@ -214,6 +215,32 @@ struct sev_user_data_snp_config { __u8 rsvd1[52]; } __packed; +/** + * struct sev_data_snp_vlek_load - SNP_VLEK_LOAD structure + * + * @len: length of the command buffer read by the PSP + * @vlek_wrapped_version: version of wrapped VLEK hashstick (Must be 0h) + * @rsvd: reserved + * @vlek_wrapped_address: address of a wrapped VLEK hashstick + * (struct sev_user_data_snp_wrapped_vlek_hashstick) + */ +struct sev_user_data_snp_vlek_load { + __u32 len; /* In */ + __u8 vlek_wrapped_version; /* In */ + __u8 rsvd[3]; /* In */ + __u64 vlek_wrapped_address; /* In */ +} __packed; + +/** + * struct sev_user_data_snp_vlek_wrapped_vlek_hashstick - Wrapped VLEK data + * + * @data: Opaque data provided by AMD KDS (as described in SEV-SNP Firmware ABI + * 1.54, SNP_VLEK_LOAD) + */ +struct sev_user_data_snp_wrapped_vlek_hashstick { + __u8 data[432]; /* In */ +} __packed; + /** * struct sev_issue_cmd - SEV ioctl parameters * -- 2.25.1
next prev parent reply other threads:[~2024-03-29 23:06 UTC|newest] Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top 2024-03-29 22:58 [PATCH v12 00/29] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 01/29] [TEMP] x86/kvm/Kconfig: Have KVM_AMD_SEV select ARCH_HAS_CC_PLATFORM Michael Roth 2024-03-29 22:58 ` [PATCH v12 02/29] [TEMP] x86/cc: Add cc_platform_set/_clear() helpers Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 03/29] [TEMP] x86/CPU/AMD: Track SNP host status with cc_platform_*() Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 04/29] [TEMP] fixup! KVM: SEV: sync FPU and AVX state at LAUNCH_UPDATE_VMSA time Michael Roth 2024-03-29 22:58 ` [PATCH v12 05/29] KVM: x86: Define RMP page fault error bits for #NPF Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 19:28 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 06/29] KVM: SEV: Select KVM_GENERIC_PRIVATE_MEM when CONFIG_KVM_AMD_SEV=y Michael Roth 2024-03-29 22:58 ` [PATCH v12 07/29] KVM: SEV: Add support to handle AP reset MSR protocol Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 08/29] KVM: SEV: Add GHCB handling for Hypervisor Feature Support requests Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 09/29] KVM: SEV: Add initial SEV-SNP support Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 19:58 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 10/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_START command Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 20:20 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 11/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_UPDATE command Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 20:31 ` Paolo Bonzini 2024-04-01 22:22 ` Michael Roth 2024-04-02 22:58 ` Isaku Yamahata 2024-04-03 12:51 ` Paolo Bonzini 2024-04-03 15:37 ` Isaku Yamahata 2024-04-04 16:03 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 12/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 20:41 ` Paolo Bonzini 2024-04-01 23:17 ` Michael Roth 2024-04-03 12:56 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 13/29] KVM: SEV: Add support to handle GHCB GPA register VMGEXIT Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 14/29] KVM: SEV: Add support to handle MSR based Page State Change VMGEXIT Michael Roth 2024-03-29 22:58 ` [PATCH v12 15/29] KVM: SEV: Add support to handle " Michael Roth 2024-03-29 22:58 ` [PATCH v12 16/29] KVM: x86: Export the kvm_zap_gfn_range() for the SNP use Michael Roth 2024-03-30 20:51 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 17/29] KVM: SEV: Add support to handle RMP nested page faults Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 20:55 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 18/29] KVM: SEV: Use a VMSA physical address variable for populating VMCB Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 21:01 ` Paolo Bonzini 2024-04-16 11:53 ` Paolo Bonzini 2024-04-16 14:25 ` Tom Lendacky 2024-04-16 17:00 ` Paolo Bonzini 2024-04-17 20:57 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 19/29] KVM: SEV: Support SEV-SNP AP Creation NAE event Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 20/29] KVM: SEV: Add support for GHCB-based termination requests Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 21/29] KVM: SEV: Implement gmem hook for initializing private pages Michael Roth 2024-03-30 21:05 ` Paolo Bonzini 2024-03-30 21:05 ` Paolo Bonzini 2024-03-30 21:05 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 22/29] KVM: SEV: Implement gmem hook for invalidating " Michael Roth 2024-03-30 21:31 ` Paolo Bonzini 2024-03-30 21:31 ` Paolo Bonzini 2024-03-30 21:31 ` Paolo Bonzini 2024-04-18 19:57 ` Michael Roth 2024-03-29 22:58 ` [PATCH v12 23/29] KVM: x86: Implement gmem hook for determining max NPT mapping level Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-30 21:35 ` Paolo Bonzini 2024-03-30 21:35 ` Paolo Bonzini 2024-03-30 21:35 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 24/29] KVM: SEV: Avoid WBINVD for HVA-based MMU notifications for SNP Michael Roth 2024-03-30 21:35 ` Paolo Bonzini 2024-03-30 21:35 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 25/29] KVM: SVM: Add module parameter to enable the SEV-SNP Michael Roth 2024-03-30 21:35 ` Paolo Bonzini 2024-03-30 21:35 ` Paolo Bonzini 2024-03-29 22:58 ` [PATCH v12 26/29] KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-04-10 22:14 ` Tom Lendacky 2024-03-29 22:58 ` Michael Roth [this message] 2024-03-29 22:58 ` [PATCH v12 27/29] crypto: ccp: Add the SNP_VLEK_LOAD command Michael Roth 2024-04-10 22:20 ` Tom Lendacky 2024-03-29 22:58 ` [PATCH v12 28/29] crypto: ccp: Add the SNP_{PAUSE,RESUME}_ATTESTATION commands Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-04-10 22:27 ` Tom Lendacky 2024-03-29 22:58 ` [PATCH v12 29/29] KVM: SEV: Provide support for SNP_EXTENDED_GUEST_REQUEST NAE event Michael Roth 2024-03-29 22:58 ` Michael Roth 2024-04-11 13:33 ` Tom Lendacky 2024-03-30 21:44 ` [PATCH v12 00/29] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support Paolo Bonzini 2024-03-30 21:44 ` Paolo Bonzini 2024-03-30 21:44 ` Paolo Bonzini
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20240329225835.400662-28-michael.roth@amd.com \ --to=michael.roth@amd.com \ --cc=ak@linux.intel.com \ --cc=alpergun@google.com \ --cc=ardb@kernel.org \ --cc=ashish.kalra@amd.com \ --cc=bp@alien8.de \ --cc=dave.hansen@linux.intel.com \ --cc=dovmurik@linux.ibm.com \ --cc=hpa@zytor.com \ --cc=jarkko@kernel.org \ --cc=jmattson@google.com \ --cc=jroedel@suse.de \ --cc=kirill@shutemov.name \ --cc=kvm@vger.kernel.org \ --cc=liam.merwick@oracle.com \ --cc=linux-coco@lists.linux.dev \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=mingo@redhat.com \ --cc=nikunj.dadhania@amd.com \ --cc=pankaj.gupta@amd.com \ --cc=pbonzini@redhat.com \ --cc=peterz@infradead.org \ --cc=pgonda@google.com \ --cc=rientjes@google.com \ --cc=sathyanarayanan.kuppuswamy@linux.intel.com \ --cc=seanjc@google.com \ --cc=slp@redhat.com \ --cc=srinivas.pandruvada@linux.intel.com \ --cc=tglx@linutronix.de \ --cc=thomas.lendacky@amd.com \ --cc=tobin@ibm.com \ --cc=tony.luck@intel.com \ --cc=vbabka@suse.cz \ --cc=vkuznets@redhat.com \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.