Re: [PATCH v2] crypto: ccp: Add support for SEV-ES to the PSP driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/21/20 12:44 PM, Tom Lendacky wrote:
> To provide support for SEV-ES, the hypervisor must provide an area of
> memory to the PSP. Once this Trusted Memory Region (TMR) is provided to
> the PSP, the contents of this area of memory are no longer available to
> the x86.
>
> Update the PSP driver to allocate a 1MB region for the TMR that is 1MB
> aligned and then provide it to the PSP through the SEV INIT command.
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
>
> ---


Reviewed-by: Brijesh Singh <brijesh.singh@xxxxxxx>


> Changes since v1:
> - No need to over-allocate the memory area to obtain the required
>   alignment when using the page allocator.
> ---
>  drivers/crypto/ccp/sev-dev.c | 43 ++++++++++++++++++++++++++++++++++++
>  include/linux/psp-sev.h      |  2 ++
>  include/uapi/linux/psp-sev.h |  2 ++
>  3 files changed, 47 insertions(+)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index 896f190b9a50..439cd737076e 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -20,6 +20,7 @@
>  #include <linux/hw_random.h>
>  #include <linux/ccp.h>
>  #include <linux/firmware.h>
> +#include <linux/gfp.h>
>  
>  #include <asm/smp.h>
>  
> @@ -44,6 +45,14 @@ MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during
>  static bool psp_dead;
>  static int psp_timeout;
>  
> +/* Trusted Memory Region (TMR):
> + *   The TMR is a 1MB area that must be 1MB aligned.  Use the page allocator
> + *   to allocate the memory, which will return aligned memory for the specified
> + *   allocation order.
> + */
> +#define SEV_ES_TMR_SIZE		(1024 * 1024)
> +static void *sev_es_tmr;
> +
>  static inline bool sev_version_greater_or_equal(u8 maj, u8 min)
>  {
>  	struct sev_device *sev = psp_master->sev_data;
> @@ -214,6 +223,20 @@ static int __sev_platform_init_locked(int *error)
>  	if (sev->state == SEV_STATE_INIT)
>  		return 0;
>  
> +	if (sev_es_tmr) {
> +		u64 tmr_pa;
> +
> +		/*
> +		 * Do not include the encryption mask on the physical
> +		 * address of the TMR (firmware should clear it anyway).
> +		 */
> +		tmr_pa = __pa(sev_es_tmr);
> +
> +		sev->init_cmd_buf.flags |= SEV_INIT_FLAGS_SEV_ES;
> +		sev->init_cmd_buf.tmr_address = tmr_pa;
> +		sev->init_cmd_buf.tmr_len = SEV_ES_TMR_SIZE;
> +	}
> +
>  	rc = __sev_do_cmd_locked(SEV_CMD_INIT, &sev->init_cmd_buf, error);
>  	if (rc)
>  		return rc;
> @@ -1012,6 +1035,7 @@ EXPORT_SYMBOL_GPL(sev_issue_cmd_external_user);
>  void sev_pci_init(void)
>  {
>  	struct sev_device *sev = psp_master->sev_data;
> +	struct page *tmr_page;
>  	int error, rc;
>  
>  	if (!sev)
> @@ -1041,6 +1065,16 @@ void sev_pci_init(void)
>  	    sev_update_firmware(sev->dev) == 0)
>  		sev_get_api_version();
>  
> +	/* Obtain the TMR memory area for SEV-ES use */
> +	tmr_page = alloc_pages(GFP_KERNEL, get_order(SEV_ES_TMR_SIZE));
> +	if (tmr_page) {
> +		sev_es_tmr = page_address(tmr_page);
> +	} else {
> +		sev_es_tmr = NULL;
> +		dev_warn(sev->dev,
> +			 "SEV: TMR allocation failed, SEV-ES support unavailable\n");
> +	}
> +
>  	/* Initialize the platform */
>  	rc = sev_platform_init(&error);
>  	if (rc && (error == SEV_RET_SECURE_DATA_INVALID)) {
> @@ -1075,4 +1109,13 @@ void sev_pci_exit(void)
>  		return;
>  
>  	sev_platform_shutdown(NULL);
> +
> +	if (sev_es_tmr) {
> +		/* The TMR area was encrypted, flush it from the cache */
> +		wbinvd_on_all_cpus();
> +
> +		free_pages((unsigned long)sev_es_tmr,
> +			   get_order(SEV_ES_TMR_SIZE));
> +		sev_es_tmr = NULL;
> +	}
>  }
> diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
> index 5167bf2bfc75..7fbc8679145c 100644
> --- a/include/linux/psp-sev.h
> +++ b/include/linux/psp-sev.h
> @@ -100,6 +100,8 @@ struct sev_data_init {
>  	u32 tmr_len;			/* In */
>  } __packed;
>  
> +#define SEV_INIT_FLAGS_SEV_ES	0x01
> +
>  /**
>   * struct sev_data_pek_csr - PEK_CSR command parameters
>   *
> diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h
> index 0549a5c622bf..91b4c63d5cbf 100644
> --- a/include/uapi/linux/psp-sev.h
> +++ b/include/uapi/linux/psp-sev.h
> @@ -83,6 +83,8 @@ struct sev_user_data_status {
>  	__u32 guest_count;			/* Out */
>  } __packed;
>  
> +#define SEV_STATUS_FLAGS_CONFIG_ES	0x0100
> +
>  /**
>   * struct sev_user_data_pek_csr - PEK_CSR command parameters
>   *



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux