Hi Dov,
On 3/2/22 04:03, Dov Murik wrote:
Hi Brijesh,
On 24/02/2022 18:56, Brijesh Singh wrote:
The SEV-SNP specification provides the guest a mechanism to communicate
with the PSP without risk from a malicious hypervisor who wishes to
read, alter, drop or replay the messages sent. The driver uses
snp_issue_guest_request() to issue GHCB SNP_GUEST_REQUEST or
SNP_EXT_GUEST_REQUEST NAE events to submit the request to PSP.
The PSP requires that all communication should be encrypted using key
specified through the platform_data.
Userspace can use SNP_GET_REPORT ioctl() to query the guest attestation
report.
See SEV-SNP spec section Guest Messages for more details.
Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
---
[...]
+
+static struct snp_guest_crypto *init_crypto(struct snp_guest_dev *snp_dev, u8 *key, size_t keylen)
+{
+ struct snp_guest_crypto *crypto;
+
+ crypto = kzalloc(sizeof(*crypto), GFP_KERNEL_ACCOUNT);
+ if (!crypto)
+ return NULL;
+
+ crypto->tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
+ if (IS_ERR(crypto->tfm))
+ goto e_free;
When trying this series, the sevguest module didn't load (and printed no
error message). After adding some debug messages, I found that the
crypto_alloc_read() call returned an error. I found out that
CONFIG_CRYPTO_GCM was disabled in my config.
Consider modifying sevguest/Kconfig to force it in:
diff --git a/drivers/virt/coco/sevguest/Kconfig b/drivers/virt/coco/sevguest/Kconfig
index 2be45820e86c..74ca1fe09437 100644
--- a/drivers/virt/coco/sevguest/Kconfig
+++ b/drivers/virt/coco/sevguest/Kconfig
@@ -1,7 +1,9 @@
config SEV_GUEST
tristate "AMD SEV Guest driver"
default m
- depends on AMD_MEM_ENCRYPT && CRYPTO_AEAD2
+ depends on AMD_MEM_ENCRYPT
+ select CRYPTO_AEAD2
+ select CRYPTO_GCM
help
SEV-SNP firmware provides the guest a mechanism to communicate with
the PSP without risk from a malicious hypervisor who wishes to read,
Another thing to consider is to add messages to the various error paths
in snp_guest_probe(). Not sure what is the common practice in other modules.
I am not sure about sparkling the error message on the various paths,
but I agree with adding the 'select'.
If I happen to do v12, I will include it in my series; otherwise, the
maintainer can pull your above fixup on top of it.
thanks for looking into it.
~Brijesh