mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-14 06:24:53 +08:00
f47906782c
The sevguest driver was a first mover in the confidential computing
space. As a first mover that afforded some leeway to build the driver
without concern for common infrastructure.
Now that sevguest is no longer a singleton [1] the common operation of
building and transmitting attestation report blobs can / should be made
common. In this model the so called "TSM-provider" implementations can
share a common envelope ABI even if the contents of that envelope remain
vendor-specific. When / if the industry agrees on an attestation record
format, that definition can also fit in the same ABI. In the meantime
the kernel's maintenance burden is reduced and collaboration on the
commons is increased.
Convert sevguest to use CONFIG_TSM_REPORTS to retrieve the data that
the SNP_GET_EXT_REPORT ioctl produces. An example flow follows for
retrieving the report blob via the TSM interface utility,
assuming no nonce and VMPL==2:
report=/sys/kernel/config/tsm/report/report0
mkdir $report
echo 2 > $report/privlevel
dd if=/dev/urandom bs=64 count=1 > $report/inblob
hexdump -C $report/outblob # SNP report
hexdump -C $report/auxblob # cert_table
rmdir $report
Given that the platform implementation is free to return empty
certificate data if none is available it lets configfs-tsm be simplified
as it only needs to worry about wrapping SNP_GET_EXT_REPORT, and leave
SNP_GET_REPORT alone.
The old ioctls can be lazily deprecated, the main motivation of this
effort is to stop the proliferation of new ioctls, and to increase
cross-vendor collaboration.
Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1]
Cc: Borislav Petkov <bp@alien8.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Dionna Glaze <dionnaglaze@google.com>
Cc: Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>
Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Tested-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
97 lines
2.3 KiB
C
97 lines
2.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
|
|
/*
|
|
* Userspace interface for AMD SEV and SNP guest driver.
|
|
*
|
|
* Copyright (C) 2021 Advanced Micro Devices, Inc.
|
|
*
|
|
* Author: Brijesh Singh <brijesh.singh@amd.com>
|
|
*
|
|
* SEV API specification is available at: https://developer.amd.com/sev/
|
|
*/
|
|
|
|
#ifndef __UAPI_LINUX_SEV_GUEST_H_
|
|
#define __UAPI_LINUX_SEV_GUEST_H_
|
|
|
|
#include <linux/types.h>
|
|
|
|
#define SNP_REPORT_USER_DATA_SIZE 64
|
|
|
|
struct snp_report_req {
|
|
/* user data that should be included in the report */
|
|
__u8 user_data[SNP_REPORT_USER_DATA_SIZE];
|
|
|
|
/* The vmpl level to be included in the report */
|
|
__u32 vmpl;
|
|
|
|
/* Must be zero filled */
|
|
__u8 rsvd[28];
|
|
};
|
|
|
|
struct snp_report_resp {
|
|
/* response data, see SEV-SNP spec for the format */
|
|
__u8 data[4000];
|
|
};
|
|
|
|
struct snp_derived_key_req {
|
|
__u32 root_key_select;
|
|
__u32 rsvd;
|
|
__u64 guest_field_select;
|
|
__u32 vmpl;
|
|
__u32 guest_svn;
|
|
__u64 tcb_version;
|
|
};
|
|
|
|
struct snp_derived_key_resp {
|
|
/* response data, see SEV-SNP spec for the format */
|
|
__u8 data[64];
|
|
};
|
|
|
|
struct snp_guest_request_ioctl {
|
|
/* message version number (must be non-zero) */
|
|
__u8 msg_version;
|
|
|
|
/* Request and response structure address */
|
|
__u64 req_data;
|
|
__u64 resp_data;
|
|
|
|
/* bits[63:32]: VMM error code, bits[31:0] firmware error code (see psp-sev.h) */
|
|
union {
|
|
__u64 exitinfo2;
|
|
struct {
|
|
__u32 fw_error;
|
|
__u32 vmm_error;
|
|
};
|
|
};
|
|
};
|
|
|
|
struct snp_ext_report_req {
|
|
struct snp_report_req data;
|
|
|
|
/* where to copy the certificate blob */
|
|
__u64 certs_address;
|
|
|
|
/* length of the certificate blob */
|
|
__u32 certs_len;
|
|
};
|
|
|
|
#define SNP_GUEST_REQ_IOC_TYPE 'S'
|
|
|
|
/* Get SNP attestation report */
|
|
#define SNP_GET_REPORT _IOWR(SNP_GUEST_REQ_IOC_TYPE, 0x0, struct snp_guest_request_ioctl)
|
|
|
|
/* Get a derived key from the root */
|
|
#define SNP_GET_DERIVED_KEY _IOWR(SNP_GUEST_REQ_IOC_TYPE, 0x1, struct snp_guest_request_ioctl)
|
|
|
|
/* Get SNP extended report as defined in the GHCB specification version 2. */
|
|
#define SNP_GET_EXT_REPORT _IOWR(SNP_GUEST_REQ_IOC_TYPE, 0x2, struct snp_guest_request_ioctl)
|
|
|
|
/* Guest message request EXIT_INFO_2 constants */
|
|
#define SNP_GUEST_FW_ERR_MASK GENMASK_ULL(31, 0)
|
|
#define SNP_GUEST_VMM_ERR_SHIFT 32
|
|
#define SNP_GUEST_VMM_ERR(x) (((u64)x) << SNP_GUEST_VMM_ERR_SHIFT)
|
|
|
|
#define SNP_GUEST_VMM_ERR_INVALID_LEN 1
|
|
#define SNP_GUEST_VMM_ERR_BUSY 2
|
|
|
|
#endif /* __UAPI_LINUX_SEV_GUEST_H_ */
|