mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-18 16:44:27 +08:00
99485c4c02
There are few uses of CoCo that don't rely on working cryptography and hence a working RNG. Unfortunately, the CoCo threat model means that the VM host cannot be trusted and may actively work against guests to extract secrets or manipulate computation. Since a malicious host can modify or observe nearly all inputs to guests, the only remaining source of entropy for CoCo guests is RDRAND. If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole is meant to gracefully continue on gathering entropy from other sources, but since there aren't other sources on CoCo, this is catastrophic. This is mostly a concern at boot time when initially seeding the RNG, as after that the consequences of a broken RDRAND are much more theoretical. So, try at boot to seed the RNG using 256 bits of RDRAND output. If this fails, panic(). This will also trigger if the system is booted without RDRAND, as RDRAND is essential for a safe CoCo boot. Add this deliberately to be "just a CoCo x86 driver feature" and not part of the RNG itself. Many device drivers and platforms have some desire to contribute something to the RNG, and add_device_randomness() is specifically meant for this purpose. Any driver can call it with seed data of any quality, or even garbage quality, and it can only possibly make the quality of the RNG better or have no effect, but can never make it worse. Rather than trying to build something into the core of the RNG, consider the particular CoCo issue just a CoCo issue, and therefore separate it all out into driver (well, arch/platform) code. [ bp: Massage commit message. ] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Elena Reshetova <elena.reshetova@intel.com> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240326160735.73531-1-Jason@zx2c4.com
192 lines
4.9 KiB
C
192 lines
4.9 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Confidential Computing Platform Capability checks
|
|
*
|
|
* Copyright (C) 2021 Advanced Micro Devices, Inc.
|
|
* Copyright (C) 2024 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
|
|
*
|
|
* Author: Tom Lendacky <thomas.lendacky@amd.com>
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/cc_platform.h>
|
|
#include <linux/string.h>
|
|
#include <linux/random.h>
|
|
|
|
#include <asm/archrandom.h>
|
|
#include <asm/coco.h>
|
|
#include <asm/processor.h>
|
|
|
|
enum cc_vendor cc_vendor __ro_after_init = CC_VENDOR_NONE;
|
|
u64 cc_mask __ro_after_init;
|
|
|
|
static bool noinstr intel_cc_platform_has(enum cc_attr attr)
|
|
{
|
|
switch (attr) {
|
|
case CC_ATTR_GUEST_UNROLL_STRING_IO:
|
|
case CC_ATTR_HOTPLUG_DISABLED:
|
|
case CC_ATTR_GUEST_MEM_ENCRYPT:
|
|
case CC_ATTR_MEM_ENCRYPT:
|
|
return true;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Handle the SEV-SNP vTOM case where sme_me_mask is zero, and
|
|
* the other levels of SME/SEV functionality, including C-bit
|
|
* based SEV-SNP, are not enabled.
|
|
*/
|
|
static __maybe_unused __always_inline bool amd_cc_platform_vtom(enum cc_attr attr)
|
|
{
|
|
switch (attr) {
|
|
case CC_ATTR_GUEST_MEM_ENCRYPT:
|
|
case CC_ATTR_MEM_ENCRYPT:
|
|
return true;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* SME and SEV are very similar but they are not the same, so there are
|
|
* times that the kernel will need to distinguish between SME and SEV. The
|
|
* cc_platform_has() function is used for this. When a distinction isn't
|
|
* needed, the CC_ATTR_MEM_ENCRYPT attribute can be used.
|
|
*
|
|
* The trampoline code is a good example for this requirement. Before
|
|
* paging is activated, SME will access all memory as decrypted, but SEV
|
|
* will access all memory as encrypted. So, when APs are being brought
|
|
* up under SME the trampoline area cannot be encrypted, whereas under SEV
|
|
* the trampoline area must be encrypted.
|
|
*/
|
|
|
|
static bool noinstr amd_cc_platform_has(enum cc_attr attr)
|
|
{
|
|
#ifdef CONFIG_AMD_MEM_ENCRYPT
|
|
|
|
if (sev_status & MSR_AMD64_SNP_VTOM)
|
|
return amd_cc_platform_vtom(attr);
|
|
|
|
switch (attr) {
|
|
case CC_ATTR_MEM_ENCRYPT:
|
|
return sme_me_mask;
|
|
|
|
case CC_ATTR_HOST_MEM_ENCRYPT:
|
|
return sme_me_mask && !(sev_status & MSR_AMD64_SEV_ENABLED);
|
|
|
|
case CC_ATTR_GUEST_MEM_ENCRYPT:
|
|
return sev_status & MSR_AMD64_SEV_ENABLED;
|
|
|
|
case CC_ATTR_GUEST_STATE_ENCRYPT:
|
|
return sev_status & MSR_AMD64_SEV_ES_ENABLED;
|
|
|
|
/*
|
|
* With SEV, the rep string I/O instructions need to be unrolled
|
|
* but SEV-ES supports them through the #VC handler.
|
|
*/
|
|
case CC_ATTR_GUEST_UNROLL_STRING_IO:
|
|
return (sev_status & MSR_AMD64_SEV_ENABLED) &&
|
|
!(sev_status & MSR_AMD64_SEV_ES_ENABLED);
|
|
|
|
case CC_ATTR_GUEST_SEV_SNP:
|
|
return sev_status & MSR_AMD64_SEV_SNP_ENABLED;
|
|
|
|
default:
|
|
return false;
|
|
}
|
|
#else
|
|
return false;
|
|
#endif
|
|
}
|
|
|
|
bool noinstr cc_platform_has(enum cc_attr attr)
|
|
{
|
|
switch (cc_vendor) {
|
|
case CC_VENDOR_AMD:
|
|
return amd_cc_platform_has(attr);
|
|
case CC_VENDOR_INTEL:
|
|
return intel_cc_platform_has(attr);
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(cc_platform_has);
|
|
|
|
u64 cc_mkenc(u64 val)
|
|
{
|
|
/*
|
|
* Both AMD and Intel use a bit in the page table to indicate
|
|
* encryption status of the page.
|
|
*
|
|
* - for AMD, bit *set* means the page is encrypted
|
|
* - for AMD with vTOM and for Intel, *clear* means encrypted
|
|
*/
|
|
switch (cc_vendor) {
|
|
case CC_VENDOR_AMD:
|
|
if (sev_status & MSR_AMD64_SNP_VTOM)
|
|
return val & ~cc_mask;
|
|
else
|
|
return val | cc_mask;
|
|
case CC_VENDOR_INTEL:
|
|
return val & ~cc_mask;
|
|
default:
|
|
return val;
|
|
}
|
|
}
|
|
|
|
u64 cc_mkdec(u64 val)
|
|
{
|
|
/* See comment in cc_mkenc() */
|
|
switch (cc_vendor) {
|
|
case CC_VENDOR_AMD:
|
|
if (sev_status & MSR_AMD64_SNP_VTOM)
|
|
return val | cc_mask;
|
|
else
|
|
return val & ~cc_mask;
|
|
case CC_VENDOR_INTEL:
|
|
return val | cc_mask;
|
|
default:
|
|
return val;
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(cc_mkdec);
|
|
|
|
__init void cc_random_init(void)
|
|
{
|
|
/*
|
|
* The seed is 32 bytes (in units of longs), which is 256 bits, which
|
|
* is the security level that the RNG is targeting.
|
|
*/
|
|
unsigned long rng_seed[32 / sizeof(long)];
|
|
size_t i, longs;
|
|
|
|
if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
|
|
return;
|
|
|
|
/*
|
|
* Since the CoCo threat model includes the host, the only reliable
|
|
* source of entropy that can be neither observed nor manipulated is
|
|
* RDRAND. Usually, RDRAND failure is considered tolerable, but since
|
|
* CoCo guests have no other unobservable source of entropy, it's
|
|
* important to at least ensure the RNG gets some initial random seeds.
|
|
*/
|
|
for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) {
|
|
longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i);
|
|
|
|
/*
|
|
* A zero return value means that the guest doesn't have RDRAND
|
|
* or the CPU is physically broken, and in both cases that
|
|
* means most crypto inside of the CoCo instance will be
|
|
* broken, defeating the purpose of CoCo in the first place. So
|
|
* just panic here because it's absolutely unsafe to continue
|
|
* executing.
|
|
*/
|
|
if (longs == 0)
|
|
panic("RDRAND is defective.");
|
|
}
|
|
add_device_randomness(rng_seed, sizeof(rng_seed));
|
|
memzero_explicit(rng_seed, sizeof(rng_seed));
|
|
}
|