On Fri, Apr 15, 2022 at 03:01:09PM -0700, Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx> wrote: ... > diff --git a/drivers/platform/x86/intel/tdx/intel_tdx_attest.c b/drivers/platform/x86/intel/tdx/intel_tdx_attest.c > new file mode 100644 > index 000000000000..9124db800d4f > --- /dev/null 
> +++ b/drivers/platform/x86/intel/tdx/intel_tdx_attest.c ... > +static long tdx_attest_ioctl(struct file *file, unsigned int cmd, > + unsigned long arg) > +{ > + struct attest_dev *adev = platform_get_drvdata(pdev); > + void __user *argp = (void __user *)arg; > + struct tdx_gen_quote tdquote_req; > + long ret = 0, err; > + > + mutex_lock(&adev->lock); > + > + switch (cmd) { > + case TDX_CMD_GET_TDREPORT: > + if (copy_from_user(adev->report_buf, argp, > + TDX_REPORT_DATA_LEN)) { > + ret = -EFAULT; > + break; > + } > + > + /* Generate TDREPORT_STRUCT */ > + err = tdx_mcall_tdreport(adev->tdreport_buf, adev->report_buf); > + if (err) { > + ret = put_user(err, (long __user *)argp); > + ret = -EIO; > + break; > + } > + > + if (copy_to_user(argp, adev->tdreport_buf, TDX_TDREPORT_LEN)) > + ret = -EFAULT; > + break; > + case TDX_CMD_GEN_QUOTE: > + reinit_completion(&adev->req_compl); > + > + /* Copy TDREPORT data from user buffer */ > + if (copy_from_user(&tdquote_req, argp, sizeof(struct tdx_gen_quote))) { > + ret = -EFAULT; > + break; > + } > + > + if (tdquote_req.len <= 0 || tdquote_req.len > GET_QUOTE_MAX_SIZE) { > + ret = -EINVAL; > + break; > + } > + > + if (copy_from_user(adev->tdquote_buf, (void __user *)tdquote_req.buf, > + tdquote_req.len)) { > + ret = -EFAULT; > + break; > + } > + > + /* Submit GetQuote Request */ > + err = tdx_hcall_get_quote(adev->tdquote_buf, GET_QUOTE_MAX_SIZE); > + if (err) { > + ret = put_user(err, (long __user *)argp); > + ret = -EIO; > + break; > + } > + > + /* Wait for attestation completion */ > + ret = wait_for_completion_interruptible_timeout( > + &adev->req_compl, > + msecs_to_jiffies(GET_QUOTE_TIMEOUT));

If a timeout occurs, the state of adev->tdquote_buf is unknown. It's not safe to continue using adev->tdquote_buf. VMM would continue processing the getquote request with this buffer. What if TDX_CMD_GEN_QUOTE is issued again, and tdquote_buf is re-used?

--
Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
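
Review bot: In the TDX_CMD_GEN_QUOTE branch only tdquote_req.len bytes are copied into adev->tdquote_buf, but tdx_hcall_get_quote() is then called with GET_QUOTE_MAX_SIZE, so whatever an earlier request left in the rest of the buffer is submitted along with the new data; clear the tail (or the whole buffer) before the copy_from_user(), or pass the actual length. In both error paths "ret = put_user(err, (long __user *)argp);" is immediately overwritten by "ret = -EIO;", so a failed put_user() is silently ignored; either check it and return -EFAULT or drop the assignment. The result of wait_for_completion_interruptible_timeout() is also stored straight into ret: it is 0 on timeout, negative when interrupted and a positive jiffies count on completion, so it needs mapping to 0 or an errno before the ioctl returns it (the code after the wait is not quoted here).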