include/linux/psp-sev.h

   1 /*
   2  * AMD Secure Encrypted Virtualization (SEV) driver interface
   3  *
   4  * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
   5  *
   6  * Author: Brijesh Singh <brijesh.singh@amd.com>
   7  *
   8  * SEV spec 0.14 is available at:
   9  * http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf
  10  *
  11  * This program is free software; you can redistribute it and/or modify
  12  * it under the terms of the GNU General Public License version 2 as
  13  * published by the Free Software Foundation.
  14  */
  15
  16 #ifndef __PSP_SEV_H__
  17 #define __PSP_SEV_H__
  18
  19 #include <uapi/linux/psp-sev.h>
  20
  21 #ifdef CONFIG_X86
  22 #include <linux/mem_encrypt.h>
  23
  24 #define __psp_pa(x)     __sme_pa(x)
  25 #else
  26 #define __psp_pa(x)     __pa(x)
  27 #endif
  28
  29 #define SEV_FW_BLOB_MAX_SIZE    0x4000  /* 16KB */
  30
  31 /**
  32  * SEV platform state
  33  */
  34 enum sev_state {
  35         SEV_STATE_UNINIT                = 0x0,
  36         SEV_STATE_INIT                  = 0x1,
  37         SEV_STATE_WORKING               = 0x2,
  38
  39         SEV_STATE_MAX
  40 };
  41
  42 /**
  43  * SEV platform and guest management commands
  44  */
  45 enum sev_cmd {
  46         /* platform commands */
  47         SEV_CMD_INIT                    = 0x001,
  48         SEV_CMD_SHUTDOWN                = 0x002,
  49         SEV_CMD_FACTORY_RESET           = 0x003,
  50         SEV_CMD_PLATFORM_STATUS         = 0x004,
  51         SEV_CMD_PEK_GEN                 = 0x005,
  52         SEV_CMD_PEK_CSR                 = 0x006,
  53         SEV_CMD_PEK_CERT_IMPORT         = 0x007,
  54         SEV_CMD_PDH_CERT_EXPORT         = 0x008,
  55         SEV_CMD_PDH_GEN                 = 0x009,
  56         SEV_CMD_DF_FLUSH                = 0x00A,
  57
  58         /* Guest commands */
  59         SEV_CMD_DECOMMISSION            = 0x020,
  60         SEV_CMD_ACTIVATE                = 0x021,
  61         SEV_CMD_DEACTIVATE              = 0x022,
  62         SEV_CMD_GUEST_STATUS            = 0x023,
  63
  64         /* Guest launch commands */
  65         SEV_CMD_LAUNCH_START            = 0x030,
  66         SEV_CMD_LAUNCH_UPDATE_DATA      = 0x031,
  67         SEV_CMD_LAUNCH_UPDATE_VMSA      = 0x032,
  68         SEV_CMD_LAUNCH_MEASURE          = 0x033,
  69         SEV_CMD_LAUNCH_UPDATE_SECRET    = 0x034,
  70         SEV_CMD_LAUNCH_FINISH           = 0x035,
  71
  72         /* Guest migration commands (outgoing) */
  73         SEV_CMD_SEND_START              = 0x040,
  74         SEV_CMD_SEND_UPDATE_DATA        = 0x041,
  75         SEV_CMD_SEND_UPDATE_VMSA        = 0x042,
  76         SEV_CMD_SEND_FINISH             = 0x043,
  77
  78         /* Guest migration commands (incoming) */
  79         SEV_CMD_RECEIVE_START           = 0x050,
  80         SEV_CMD_RECEIVE_UPDATE_DATA     = 0x051,
  81         SEV_CMD_RECEIVE_UPDATE_VMSA     = 0x052,
  82         SEV_CMD_RECEIVE_FINISH          = 0x053,
  83
  84         /* Guest debug commands */
  85         SEV_CMD_DBG_DECRYPT             = 0x060,
  86         SEV_CMD_DBG_ENCRYPT             = 0x061,
  87
  88         SEV_CMD_MAX,
  89 };
  90
  91 /**
  92  * struct sev_data_init - INIT command parameters
  93  *
  94  * @flags: processing flags
  95  * @tmr_address: system physical address used for SEV-ES
  96  * @tmr_len: len of tmr_address
  97  */
  98 struct sev_data_init {
  99         u32 flags;                      /* In */
 100         u32 reserved;                   /* In */
 101         u64 tmr_address;                /* In */
 102         u32 tmr_len;                    /* In */
 103 } __packed;
 104
 105 /**
 106  * struct sev_data_pek_csr - PEK_CSR command parameters
 107  *
 108  * @address: PEK certificate chain
 109  * @len: len of certificate
 110  */
 111 struct sev_data_pek_csr {
 112         u64 address;                            /* In */
 113         u32 len;                                /* In/Out */
 114 } __packed;
 115
 116 /**
 117  * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters
 118  *
 119  * @pek_address: PEK certificate chain
 120  * @pek_len: len of PEK certificate
 121  * @oca_address: OCA certificate chain
 122  * @oca_len: len of OCA certificate
 123  */
 124 struct sev_data_pek_cert_import {
 125         u64 pek_cert_address;                   /* In */
 126         u32 pek_cert_len;                       /* In */
 127         u32 reserved;                           /* In */
 128         u64 oca_cert_address;                   /* In */
 129         u32 oca_cert_len;                       /* In */
 130 } __packed;
 131
 132 /**
 133  * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
 134  *
 135  * @pdh_address: PDH certificate address
 136  * @pdh_len: len of PDH certificate
 137  * @cert_chain_address: PDH certificate chain
 138  * @cert_chain_len: len of PDH certificate chain
 139  */
 140 struct sev_data_pdh_cert_export {
 141         u64 pdh_cert_address;                   /* In */
 142         u32 pdh_cert_len;                       /* In/Out */
 143         u32 reserved;                           /* In */
 144         u64 cert_chain_address;                 /* In */
 145         u32 cert_chain_len;                     /* In/Out */
 146 } __packed;
 147
 148 /**
 149  * struct sev_data_decommission - DECOMMISSION command parameters
 150  *
 151  * @handle: handle of the VM to decommission
 152  */
 153 struct sev_data_decommission {
 154         u32 handle;                             /* In */
 155 } __packed;
 156
 157 /**
 158  * struct sev_data_activate - ACTIVATE command parameters
 159  *
 160  * @handle: handle of the VM to activate
 161  * @asid: asid assigned to the VM
 162  */
 163 struct sev_data_activate {
 164         u32 handle;                             /* In */
 165         u32 asid;                               /* In */
 166 } __packed;
 167
 168 /**
 169  * struct sev_data_deactivate - DEACTIVATE command parameters
 170  *
 171  * @handle: handle of the VM to deactivate
 172  */
 173 struct sev_data_deactivate {
 174         u32 handle;                             /* In */
 175 } __packed;
 176
 177 /**
 178  * struct sev_data_guest_status - SEV GUEST_STATUS command parameters
 179  *
 180  * @handle: handle of the VM to retrieve status
 181  * @policy: policy information for the VM
 182  * @asid: current ASID of the VM
 183  * @state: current state of the VM
 184  */
 185 struct sev_data_guest_status {
 186         u32 handle;                             /* In */
 187         u32 policy;                             /* Out */
 188         u32 asid;                               /* Out */
 189         u8 state;                               /* Out */
 190 } __packed;
 191
 192 /**
 193  * struct sev_data_launch_start - LAUNCH_START command parameters
 194  *
 195  * @handle: handle assigned to the VM
 196  * @policy: guest launch policy
 197  * @dh_cert_address: physical address of DH certificate blob
 198  * @dh_cert_len: len of DH certificate blob
 199  * @session_address: physical address of session parameters
 200  * @session_len: len of session parameters
 201  */
 202 struct sev_data_launch_start {
 203         u32 handle;                             /* In/Out */
 204         u32 policy;                             /* In */
 205         u64 dh_cert_address;                    /* In */
 206         u32 dh_cert_len;                        /* In */
 207         u32 reserved;                           /* In */
 208         u64 session_address;                    /* In */
 209         u32 session_len;                        /* In */
 210 } __packed;
 211
 212 /**
 213  * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter
 214  *
 215  * @handle: handle of the VM to update
 216  * @len: len of memory to be encrypted
 217  * @address: physical address of memory region to encrypt
 218  */
 219 struct sev_data_launch_update_data {
 220         u32 handle;                             /* In */
 221         u32 reserved;
 222         u64 address;                            /* In */
 223         u32 len;                                /* In */
 224 } __packed;
 225
 226 /**
 227  * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command
 228  *
 229  * @handle: handle of the VM
 230  * @address: physical address of memory region to encrypt
 231  * @len: len of memory region to encrypt
 232  */
 233 struct sev_data_launch_update_vmsa {
 234         u32 handle;                             /* In */
 235         u32 reserved;
 236         u64 address;                            /* In */
 237         u32 len;                                /* In */
 238 } __packed;
 239
 240 /**
 241  * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters
 242  *
 243  * @handle: handle of the VM to process
 244  * @address: physical address containing the measurement blob
 245  * @len: len of measurement blob
 246  */
 247 struct sev_data_launch_measure {
 248         u32 handle;                             /* In */
 249         u32 reserved;
 250         u64 address;                            /* In */
 251         u32 len;                                /* In/Out */
 252 } __packed;
 253
 254 /**
 255  * struct sev_data_launch_secret - LAUNCH_SECRET command parameters
 256  *
 257  * @handle: handle of the VM to process
 258  * @hdr_address: physical address containing the packet header
 259  * @hdr_len: len of packet header
 260  * @guest_address: system physical address of guest memory region
 261  * @guest_len: len of guest_paddr
 262  * @trans_address: physical address of transport memory buffer
 263  * @trans_len: len of transport memory buffer
 264  */
 265 struct sev_data_launch_secret {
 266         u32 handle;                             /* In */
 267         u32 reserved1;
 268         u64 hdr_address;                        /* In */
 269         u32 hdr_len;                            /* In */
 270         u32 reserved2;
 271         u64 guest_address;                      /* In */
 272         u32 guest_len;                          /* In */
 273         u32 reserved3;
 274         u64 trans_address;                      /* In */
 275         u32 trans_len;                          /* In */
 276 } __packed;
 277
 278 /**
 279  * struct sev_data_launch_finish - LAUNCH_FINISH command parameters
 280  *
 281  * @handle: handle of the VM to process
 282  */
 283 struct sev_data_launch_finish {
 284         u32 handle;                             /* In */
 285 } __packed;
 286
 287 /**
 288  * struct sev_data_send_start - SEND_START command parameters
 289  *
 290  * @handle: handle of the VM to process
 291  * @policy: policy information for the VM
 292  * @pdh_cert_address: physical address containing PDH certificate
 293  * @pdh_cert_len: len of PDH certificate
 294  * @plat_certs_address: physical address containing platform certificate
 295  * @plat_certs_len: len of platform certificate
 296  * @amd_certs_address: physical address containing AMD certificate
 297  * @amd_certs_len: len of AMD certificate
 298  * @session_address: physical address containing Session data
 299  * @session_len: len of session data
 300  */
 301 struct sev_data_send_start {
 302         u32 handle;                             /* In */
 303         u32 policy;                             /* Out */
 304         u64 pdh_cert_address;                   /* In */
 305         u32 pdh_cert_len;                       /* In */
 306         u32 reserved1;
 307         u64 plat_cert_address;                  /* In */
 308         u32 plat_cert_len;                      /* In */
 309         u32 reserved2;
 310         u64 amd_cert_address;                   /* In */
 311         u32 amd_cert_len;                       /* In */
 312         u32 reserved3;
 313         u64 session_address;                    /* In */
 314         u32 session_len;                        /* In/Out */
 315 } __packed;
 316
 317 /**
 318  * struct sev_data_send_update - SEND_UPDATE_DATA command
 319  *
 320  * @handle: handle of the VM to process
 321  * @hdr_address: physical address containing packet header
 322  * @hdr_len: len of packet header
 323  * @guest_address: physical address of guest memory region to send
 324  * @guest_len: len of guest memory region to send
 325  * @trans_address: physical address of host memory region
 326  * @trans_len: len of host memory region
 327  */
 328 struct sev_data_send_update_data {
 329         u32 handle;                             /* In */
 330         u32 reserved1;
 331         u64 hdr_address;                        /* In */
 332         u32 hdr_len;                            /* In/Out */
 333         u32 reserved2;
 334         u64 guest_address;                      /* In */
 335         u32 guest_len;                          /* In */
 336         u32 reserved3;
 337         u64 trans_address;                      /* In */
 338         u32 trans_len;                          /* In */
 339 } __packed;
 340
 341 /**
 342  * struct sev_data_send_update - SEND_UPDATE_VMSA command
 343  *
 344  * @handle: handle of the VM to process
 345  * @hdr_address: physical address containing packet header
 346  * @hdr_len: len of packet header
 347  * @guest_address: physical address of guest memory region to send
 348  * @guest_len: len of guest memory region to send
 349  * @trans_address: physical address of host memory region
 350  * @trans_len: len of host memory region
 351  */
 352 struct sev_data_send_update_vmsa {
 353         u32 handle;                             /* In */
 354         u64 hdr_address;                        /* In */
 355         u32 hdr_len;                            /* In/Out */
 356         u32 reserved2;
 357         u64 guest_address;                      /* In */
 358         u32 guest_len;                          /* In */
 359         u32 reserved3;
 360         u64 trans_address;                      /* In */
 361         u32 trans_len;                          /* In */
 362 } __packed;
 363
 364 /**
 365  * struct sev_data_send_finish - SEND_FINISH command parameters
 366  *
 367  * @handle: handle of the VM to process
 368  */
 369 struct sev_data_send_finish {
 370         u32 handle;                             /* In */
 371 } __packed;
 372
 373 /**
 374  * struct sev_data_receive_start - RECEIVE_START command parameters
 375  *
 376  * @handle: handle of the VM to perform receive operation
 377  * @pdh_cert_address: system physical address containing PDH certificate blob
 378  * @pdh_cert_len: len of PDH certificate blob
 379  * @session_address: system physical address containing session blob
 380  * @session_len: len of session blob
 381  */
 382 struct sev_data_receive_start {
 383         u32 handle;                             /* In/Out */
 384         u32 policy;                             /* In */
 385         u64 pdh_cert_address;                   /* In */
 386         u32 pdh_cert_len;                       /* In */
 387         u32 reserved1;
 388         u64 session_address;                    /* In */
 389         u32 session_len;                        /* In */
 390 } __packed;
 391
 392 /**
 393  * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters
 394  *
 395  * @handle: handle of the VM to update
 396  * @hdr_address: physical address containing packet header blob
 397  * @hdr_len: len of packet header
 398  * @guest_address: system physical address of guest memory region
 399  * @guest_len: len of guest memory region
 400  * @trans_address: system physical address of transport buffer
 401  * @trans_len: len of transport buffer
 402  */
 403 struct sev_data_receive_update_data {
 404         u32 handle;                             /* In */
 405         u32 reserved1;
 406         u64 hdr_address;                        /* In */
 407         u32 hdr_len;                            /* In */
 408         u32 reserved2;
 409         u64 guest_address;                      /* In */
 410         u32 guest_len;                          /* In */
 411         u32 reserved3;
 412         u64 trans_address;                      /* In */
 413         u32 trans_len;                          /* In */
 414 } __packed;
 415
 416 /**
 417  * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters
 418  *
 419  * @handle: handle of the VM to update
 420  * @hdr_address: physical address containing packet header blob
 421  * @hdr_len: len of packet header
 422  * @guest_address: system physical address of guest memory region
 423  * @guest_len: len of guest memory region
 424  * @trans_address: system physical address of transport buffer
 425  * @trans_len: len of transport buffer
 426  */
 427 struct sev_data_receive_update_vmsa {
 428         u32 handle;                             /* In */
 429         u32 reserved1;
 430         u64 hdr_address;                        /* In */
 431         u32 hdr_len;                            /* In */
 432         u32 reserved2;
 433         u64 guest_address;                      /* In */
 434         u32 guest_len;                          /* In */
 435         u32 reserved3;
 436         u64 trans_address;                      /* In */
 437         u32 trans_len;                          /* In */
 438 } __packed;
 439
 440 /**
 441  * struct sev_data_receive_finish - RECEIVE_FINISH command parameters
 442  *
 443  * @handle: handle of the VM to finish
 444  */
 445 struct sev_data_receive_finish {
 446         u32 handle;                             /* In */
 447 } __packed;
 448
 449 /**
 450  * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
 451  *
 452  * @handle: handle of the VM to perform debug operation
 453  * @src_addr: source address of data to operate on
 454  * @dst_addr: destination address of data to operate on
 455  * @len: len of data to operate on
 456  */
 457 struct sev_data_dbg {
 458         u32 handle;                             /* In */
 459         u32 reserved;
 460         u64 src_addr;                           /* In */
 461         u64 dst_addr;                           /* In */
 462         u32 len;                                /* In */
 463 } __packed;
 464
 465 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
 466
 467 /**
 468  * sev_platform_init - perform SEV INIT command
 469  *
 470  * @error: SEV command return code
 471  *
 472  * Returns:
 473  * 0 if the SEV successfully processed the command
 474  * -%ENODEV    if the SEV device is not available
 475  * -%ENOTSUPP  if the SEV does not support SEV
 476  * -%ETIMEDOUT if the SEV command timed out
 477  * -%EIO       if the SEV returned a non-zero return code
 478  */
 479 int sev_platform_init(int *error);
 480
 481 /**
 482  * sev_platform_status - perform SEV PLATFORM_STATUS command
 483  *
 484  * @status: sev_user_data_status structure to be processed
 485  * @error: SEV command return code
 486  *
 487  * Returns:
 488  * 0 if the SEV successfully processed the command
 489  * -%ENODEV    if the SEV device is not available
 490  * -%ENOTSUPP  if the SEV does not support SEV
 491  * -%ETIMEDOUT if the SEV command timed out
 492  * -%EIO       if the SEV returned a non-zero return code
 493  */
 494 int sev_platform_status(struct sev_user_data_status *status, int *error);
 495
 496 /**
 497  * sev_issue_cmd_external_user - issue SEV command by other driver with a file
 498  * handle.
 499  *
 500  * This function can be used by other drivers to issue a SEV command on
 501  * behalf of userspace. The caller must pass a valid SEV file descriptor
 502  * so that we know that it has access to SEV device.
 503  *
 504  * @filep - SEV device file pointer
 505  * @cmd - command to issue
 506  * @data - command buffer
 507  * @error: SEV command return code
 508  *
 509  * Returns:
 510  * 0 if the SEV successfully processed the command
 511  * -%ENODEV    if the SEV device is not available
 512  * -%ENOTSUPP  if the SEV does not support SEV
 513  * -%ETIMEDOUT if the SEV command timed out
 514  * -%EIO       if the SEV returned a non-zero return code
 515  * -%EINVAL    if the SEV file descriptor is not valid
 516  */
 517 int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
 518                                 void *data, int *error);
 519
 520 /**
 521  * sev_guest_deactivate - perform SEV DEACTIVATE command
 522  *
 523  * @deactivate: sev_data_deactivate structure to be processed
 524  * @sev_ret: sev command return code
 525  *
 526  * Returns:
 527  * 0 if the sev successfully processed the command
 528  * -%ENODEV    if the sev device is not available
 529  * -%ENOTSUPP  if the sev does not support SEV
 530  * -%ETIMEDOUT if the sev command timed out
 531  * -%EIO       if the sev returned a non-zero return code
 532  */
 533 int sev_guest_deactivate(struct sev_data_deactivate *data, int *error);
 534
 535 /**
 536  * sev_guest_activate - perform SEV ACTIVATE command
 537  *
 538  * @activate: sev_data_activate structure to be processed
 539  * @sev_ret: sev command return code
 540  *
 541  * Returns:
 542  * 0 if the sev successfully processed the command
 543  * -%ENODEV    if the sev device is not available
 544  * -%ENOTSUPP  if the sev does not support SEV
 545  * -%ETIMEDOUT if the sev command timed out
 546  * -%EIO       if the sev returned a non-zero return code
 547  */
 548 int sev_guest_activate(struct sev_data_activate *data, int *error);
 549
 550 /**
 551  * sev_guest_df_flush - perform SEV DF_FLUSH command
 552  *
 553  * @sev_ret: sev command return code
 554  *
 555  * Returns:
 556  * 0 if the sev successfully processed the command
 557  * -%ENODEV    if the sev device is not available
 558  * -%ENOTSUPP  if the sev does not support SEV
 559  * -%ETIMEDOUT if the sev command timed out
 560  * -%EIO       if the sev returned a non-zero return code
 561  */
 562 int sev_guest_df_flush(int *error);
 563
 564 /**
 565  * sev_guest_decommission - perform SEV DECOMMISSION command
 566  *
 567  * @decommission: sev_data_decommission structure to be processed
 568  * @sev_ret: sev command return code
 569  *
 570  * Returns:
 571  * 0 if the sev successfully processed the command
 572  * -%ENODEV    if the sev device is not available
 573  * -%ENOTSUPP  if the sev does not support SEV
 574  * -%ETIMEDOUT if the sev command timed out
 575  * -%EIO       if the sev returned a non-zero return code
 576  */
 577 int sev_guest_decommission(struct sev_data_decommission *data, int *error);
 578
 579 void *psp_copy_user_blob(u64 __user uaddr, u32 len);
 580
 581 #else   /* !CONFIG_CRYPTO_DEV_SP_PSP */
 582
 583 static inline int
 584 sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; }
 585
 586 static inline int sev_platform_init(int *error) { return -ENODEV; }
 587
 588 static inline int
 589 sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; }
 590
 591 static inline int
 592 sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; }
 593
 594 static inline int
 595 sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; }
 596
 597 static inline int sev_guest_df_flush(int *error) { return -ENODEV; }
 598
 599 static inline int
 600 sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; }
 601
 602 static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); }
 603
 604 #endif  /* CONFIG_CRYPTO_DEV_SP_PSP */
 605
 606 #endif  /* __PSP_SEV_H__ */