The second stage in the attestation process is for the guest to request the VMM generate and sign a quote based on the TDREPORT acquired earlier. More details about the steps involved in attestation process can be found in TDX Guest-Host Communication Interface (GHCI) for Intel TDX 1.5, section titled "TD attestation" Add tdx_hcall_get_quote() helper function to implement the GetQuote hypercall. More details about the GetQuote TDVMCALL are in the Guest-Host Communication Interface (GHCI) Specification, sec 3.3, titled "VP.VMCALL<GetQuote>". This will be used by the TD attestation driver in follow-on patches.
Reviewed-by: Tony Luck <tony.luck@xxxxxxxxx>
Reviewed-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>
---
arch/x86/coco/tdx.c | 46 ++++++++++++++++++++++++++++++++++++++
arch/x86/include/asm/tdx.h | 2 ++
2 files changed, 48 insertions(+)
diff --git a/arch/x86/coco/tdx.c b/arch/x86/coco/tdx.c
index f01b03e41572..2c07f9551d3b 100644
--- a/arch/x86/coco/tdx.c
+++ b/arch/x86/coco/tdx.c
@@ -21,6 +21,7 @@
/* TDX hypercall Leaf IDs */
#define TDVMCALL_MAP_GPA 0x10001
+#define TDVMCALL_GET_QUOTE 0x10002
/* MMIO direction */
#define EPT_READ 0
@@ -38,6 +39,10 @@
#define TDCALL_INVALID_OPERAND 0x8000000000000000
#define TDCALL_OPERAND_BUSY 0x8000020000000000
+/* TDX hypercall error codes */
+#define TDVMCALL_INVALID_OPERAND 0x8000000000000000
+#define TDVMCALL_GPA_IN_USE 0x8000000000000001
+
static struct {
unsigned int gpa_width;
unsigned long attributes;
@@ -129,6 +134,47 @@ int tdx_mcall_tdreport(void *data, void *reportdata)
}
EXPORT_SYMBOL_GPL(tdx_mcall_tdreport);
+/*
+ * tdx_hcall_get_quote() - Generate TDQUOTE using TDREPORT_STRUCT.
+ *
+ * @data : Address of 8KB GPA memory which contains
+ * TDREPORT_STRUCT.
+ *
+ * return 0 on success or failure error number.
+ */
+int tdx_hcall_get_quote(void *data)
+{
+ u64 ret;
+
+ /*
+ * Use confidential guest TDX check to ensure this API is only
+ * used by TDX guest platforms.
+ */
+ if (!data || !cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
+ return -EINVAL;
+
+ /*
+ * Pass the physical address of tdreport data to the VMM
+ * and trigger the tdquote generation. Quote data will be
+ * stored back in the same physical address space. More info
+ * about ABI can be found in TDX Guest-Host-Communication
+ * Interface (GHCI), sec titled "TDG.VP.VMCALL<GetQuote>".
+ */
+ ret = _tdx_hypercall(TDVMCALL_GET_QUOTE, cc_mkdec(virt_to_phys(data)),
+ 0, 0, 0);
+
+ if (ret) {
+ if (ret == TDVMCALL_INVALID_OPERAND)
+ return -EINVAL;
+ else if (ret == TDVMCALL_GPA_IN_USE)
+ return -EBUSY;
+ return -EIO;
+ }
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(tdx_hcall_get_quote);
+
static void get_info(void)
{
struct tdx_module_output out;
diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index b2e76ae8fdf1..e93ca229d512 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -60,6 +60,8 @@ bool tdx_early_handle_ve(struct pt_regs *regs);
int tdx_mcall_tdreport(void *data, void *reportdata);
+int tdx_hcall_get_quote(void *data);
+
#else
static inline void tdx_early_init(void) { };
--
2.25.1
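Review bot: The contract for `data` in tdx_hcall_get_quote() is neither documented nor checked: `cc_mkdec(virt_to_phys(data))` only sets the shared bit in the GPA handed to the VMM, so the caller must already have allocated a physically contiguous, direct-mapped buffer and converted it to shared (e.g. via set_memory_decrypted()), otherwise the VMM writes the quote into memory the guest still accesses as private. The header comment says only "Address of 8KB GPA memory"; I would replace the @data line with `@data : Kernel virtual address of a physically contiguous 8KB buffer already shared with the VMM (set_memory_decrypted()); holds TDREPORT_STRUCT on entry and the quote on completion.` If GetQuote completes asynchronously as GHCI 1.5 describes, a 0 return only means the request was accepted, and the buffer must stay shared and untouched until the VMM signals completion, which the "return 0 on success" line should state; the TDVMCALL_GPA_IN_USE → -EBUSY mapping in this hunk suggests the VMM does hold the buffer across calls. The hypercall also passes no buffer length (the three trailing 0 arguments), so the 8KB bound is an implicit agreement between guest and VMM rather than carried in the ABI; if the GHCI 1.5 form of GetQuote takes the shared-buffer size in R13, passing it here would let the VMM bound its write. Style nit: the `else if` after a `return` is redundant, and a `switch (ret)` over the TDVMCALL_* codes with `default: return -EIO;` reads cleaner.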