Hi Brijesh, On 24/02/2022 18:56, Brijesh Singh wrote: > The SEV-SNP specification provides the guest a mechanism to communicate > with the PSP without risk from a malicious hypervisor who wishes to > read, alter, drop or replay the messages sent. The driver uses > snp_issue_guest_request() to issue GHCB SNP_GUEST_REQUEST or > SNP_EXT_GUEST_REQUEST NAE events to submit the request to PSP. > > The PSP requires that all communication should be encrypted using key > specified through the platform_data. > > Userspace can use SNP_GET_REPORT ioctl() to query the guest attestation > report. > > See SEV-SNP spec section Guest Messages for more details. > > Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx> > --- [...] > + > +static struct snp_guest_crypto *init_crypto(struct snp_guest_dev *snp_dev, u8 *key, size_t keylen) > +{ > + struct snp_guest_crypto *crypto; > + > + crypto = kzalloc(sizeof(*crypto), GFP_KERNEL_ACCOUNT); > + if (!crypto) > + return NULL; > + > + crypto->tfm = crypto_alloc_aead("gcm(aes)", 0, 0); > + if (IS_ERR(crypto->tfm)) > + goto e_free; When trying this series, the sevguest module didn't load (and printed no error message). After adding some debug messages, I found that the crypto_alloc_read() call returned an error. I found out that CONFIG_CRYPTO_GCM was disabled in my config. Consider modifying sevguest/Kconfig to force it in: diff --git a/drivers/virt/coco/sevguest/Kconfig b/drivers/virt/coco/sevguest/Kconfig index 2be45820e86c..74ca1fe09437 100644 --- a/drivers/virt/coco/sevguest/Kconfig +++ b/drivers/virt/coco/sevguest/Kconfig @@ -1,7 +1,9 @@ config SEV_GUEST tristate "AMD SEV Guest driver" default m - depends on AMD_MEM_ENCRYPT && CRYPTO_AEAD2 + depends on AMD_MEM_ENCRYPT + select CRYPTO_AEAD2 + select CRYPTO_GCM help SEV-SNP firmware provides the guest a mechanism to communicate with the PSP without risk from a malicious hypervisor who wishes to read, Another thing to consider is to add messages to the various error paths in snp_guest_probe(). Not sure what is the common practice in other modules. -Dov > + > + if (crypto_aead_setkey(crypto->tfm, key, keylen)) > + goto e_free_crypto; > + > + crypto->iv_len = crypto_aead_ivsize(crypto->tfm); > + crypto->iv = kmalloc(crypto->iv_len, GFP_KERNEL_ACCOUNT); > + if (!crypto->iv) > + goto e_free_crypto; > + > + if (crypto_aead_authsize(crypto->tfm) > MAX_AUTHTAG_LEN) { > + if (crypto_aead_setauthsize(crypto->tfm, MAX_AUTHTAG_LEN)) { > + dev_err(snp_dev->dev, "failed to set authsize to %d\n", MAX_AUTHTAG_LEN); > + goto e_free_iv; > + } > + } > + > + crypto->a_len = crypto_aead_authsize(crypto->tfm); > + crypto->authtag = kmalloc(crypto->a_len, GFP_KERNEL_ACCOUNT); > + if (!crypto->authtag) > + goto e_free_auth; > + > + return crypto; > + > +e_free_auth: > + kfree(crypto->authtag); > +e_free_iv: > + kfree(crypto->iv); > +e_free_crypto: > + crypto_free_aead(crypto->tfm); > +e_free: > + kfree(crypto); > + > + return NULL; > +} [...]