From patchwork Mon Dec 9 23:25:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ashish Kalra X-Patchwork-Id: 848481 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2077.outbound.protection.outlook.com [40.107.92.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1BD531FD78B; Mon, 9 Dec 2024 23:25:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.92.77 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733786731; cv=fail; b=SiU4lcLE0pBMnU7aPTtrhBohIz2mvQ9RobrjdWhQrro3BVVsDgy4RiTe4SKclYnw7I6Ksd8vOfhdgmL3G9/PfXG19CGlkLW4FbdCjk7B7iigmc7XGUO5oZzV4xFVCf/8eK8hSGaEuZVx1JzYCXwb1JfnFkhxxsJ4jTGtEKhBBSE= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733786731; c=relaxed/simple; bh=UQW7ojek5ljET2pPQ+4Hpvk76wSJhEUuhgnJVBIqW+Y=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=t3t+1XMqczQrj6UJiM4H26gGrahfhW2x02vOFfH3rttcIW4AQkIvPs5Zra7z7WM7SiHoCuDKCZXkQ6sCqj6WXDU8lL2D03aSP3rgUH38Xbgjsnhma23BAqWf8bX3fjQCG/MCNlRIAaksh6nI7mijBf54aTQfCO4CnceMsnFV2hA= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com; spf=fail smtp.mailfrom=amd.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b=V0NoV7HV; arc=fail smtp.client-ip=40.107.92.77 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=amd.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b="V0NoV7HV" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=b5p3/x8rKtTQvY4dd40P8cY3/Uz8s0YHYCuuvhP+DXSd2X01/pCLGC4qmaDGzTx1si9yEpBucM4IjCQzHO8q7aMsA1OJ4AdmORXNG/DiboHDA/d+Y44j9SwGAS9ZOVcjt3lOGGxZp2+bEIQyiZGlbTwLQfkPg8m82B4h4bs1lIPROOvCJ/H9uuMmkmv0LTi+A19ONPmqMqMnG9Osl7emJ1RLzyRHAHYc+YeIPKCkUxEDIQEKwsfbFmknM8japZ7USW1cR7enVoHlJcly5UaSVKGqxKISOpQC8zzCLUlg93Adchl9XzOIZwmLx7qwQHdUVdT6nNi7vM4lKe4dKAIngg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rkEfdr6q4hJqBVJ/yMQParUHiblmJCjjaQQf507BzJA=; b=N9laZrhTVhHv07Rlh3JMyYZRQRnRYHjuu1m+4G6rukb5jc+XbvJ6pFPqethD5oRtM/OUwRV75vl0/GFXuEy1Vui+x7biPpa66/nGH43NzHOq0kZYrapc2k+PFHV+69lXzenmsaAmB50g5Nt42nUk00U1COJ5SmvnKDRPFRZ//zRVQjKqIAkuv3KlLpKSGkveus+ZW2Kkh+PzxxJEFOb/KZV4YNOhwB6QrKgqp5KkhM95aaCjgeeh9WixHM460MU77DzatSRjT9PRsxKRKdyeemhwC1abpu1iVE7vUhwLfKFKGYSp41KmsfjpFEd12RR1crZ0Fv20OBM6SK4DNca00g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=google.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rkEfdr6q4hJqBVJ/yMQParUHiblmJCjjaQQf507BzJA=; b=V0NoV7HVImgVivYtR/qjm0X4OCavYh47t290uCZJ6SpcBp4ok4Ko4Dfe+9ClWs6fjgwokpSuFeZqTwwVZqEjtsErNnRLxydsE5a3g91ftBoUu4+CUNtdumbwlVKYm7PxESNpzNndg91C9FXU4PGGzxufpVgT3gI9+9JcOKxjGqE= Received: from SA1PR05CA0014.namprd05.prod.outlook.com (2603:10b6:806:2d2::23) by PH0PR12MB7485.namprd12.prod.outlook.com (2603:10b6:510:1e9::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18; Mon, 9 Dec 2024 23:25:22 +0000 Received: from SA2PEPF00003F62.namprd04.prod.outlook.com (2603:10b6:806:2d2:cafe::23) by SA1PR05CA0014.outlook.office365.com (2603:10b6:806:2d2::23) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8251.13 via Frontend Transport; Mon, 9 Dec 2024 23:25:22 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C Received: from SATLEXMB04.amd.com (165.204.84.17) by SA2PEPF00003F62.mail.protection.outlook.com (10.167.248.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.8230.7 via Frontend Transport; Mon, 9 Dec 2024 23:25:22 +0000 Received: from ethanolx7e2ehost.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Mon, 9 Dec 2024 17:25:21 -0600 From: Ashish Kalra To: , , , , , , , , , , , CC: , , , , , Subject: [PATCH 2/7] crypto: ccp: Fix implicit SEV/SNP init and shutdown in ioctls Date: Mon, 9 Dec 2024 23:25:12 +0000 Message-ID: <649eb6196ec94bcfe4504151e9369dd6f8c0b2db.1733785468.git.ashish.kalra@amd.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SA2PEPF00003F62:EE_|PH0PR12MB7485:EE_ X-MS-Office365-Filtering-Correlation-Id: 40479a46-cc8f-4e60-eb8d-08dd18a8c0ce X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|1800799024|36860700013|82310400026|376014|7416014|921020; X-Microsoft-Antispam-Message-Info: MrrM5wjq9r75sYgDSDPV0b058CZTH+mFP+JJB+j8BrWC6EIe8WKj0EFSvcU3crsO+kUlvDD7Z2AFEgawhwSWHa9HnpeFB37JRcOHGJZ9MVwac6oKJ6peA7G1PZCZgRJhkoEh3hQAKJNmj+42UCCiIICXE5TRX0PxWP3oRKV1tNkOEl/FPziwMRheB5dT+i1/MEcWabOf1ZNoBH9Jjf0M4XEMCcILCi2mUyoNoNzEcbFDgPCFvr8s5idbk/DTJEuehAZkEbgSlYvkyruutpZDUhJXYRhEtuXTk/O9k+pfK52/SBWR9R5VyAijcAtrXGkEFuFszFVLizlVzSA3twE7s445aDVv7ydrPJI5PcMzVphRFXJSaXv3pscZYxhZ9ZKTaxxrNWCtmLF3DnKaNMVGWjbSDZkV/rH8XdzBexvdTyysam4nhSjye6WzUNh6/4ljcHjxpz0a5749CluWAkeec8SFRkNJyobYYdAtttJWkXnIAOgn824fzTZlkZ3bJZ4gvvJCw+PZDx+ea9DI8prB1l6+EK+0XrOs0bN4rZca8YC4pP8XGHnXngA/TD2bOPa/VoUAksuibgC/zqD42aXrUeC0rSFM0I+U3bQmVbKTUaPKsRjDaV+HwjEGtprRMZMqfDeLkpEgiWaY4BIbkaxO8uf7sTePiwZC1vA6Oia8Aoh+ZYpp8f0NXSSVNK1el97a29FQ89/xXtyGLjOUHF4N6ZxtjlaRq/EixP/m/eeiNAeCBrKOrUSWI+I9wRPly8BlmVQbT/mFe+0D1IQnVXpX/rRwo6rUxaODtcolQGjsAgFgS5Sc/KjPHAPYWjY54X6jY+hLGHLdhqIebU1WXEg1W+e6+zGJx28Sw1FtzEAQge4DPPrHt+ZePQ6dKdDbYbT+Hn34TVgHOpXEbaoUWQ0uSahkHr0Gp4aup4ioN+7WW5STxFVWKl1hOWAOQW25MGNRmDqhyQ1aUDD0Ll0V4MYqo29yfpkt/xbI+aPIH8GbwScx2tIfnUaqDUL34iX25W72HrJ7BG85P62gm+gASgFRfaDsXhGh+FgKRX5TFFcgq2fjaBTBgMctUN4xNhkpjk8cKAX2cOK2a7CKtvNrSB6bj41Az2+f3K4bWC6Ogoos0j5sLcvp3fcIClEOgqyn/sgBWPjIORlyqm35zWmHhVMLyUBG6u4l09JpK+6kgdwxeJHgAPKC52+84m1WmlES4/gCV9tcG1unRARwm5Borr/4wPJFLzg8IDGZO6Ftpn+y9nJunL8/fC1qdPVswvqL7BNfeZcpsmMFxoq+UtrNx0uUX9uPaLO3ZheJ9goUsFwJjh+2C2CxSTYRwaaseXH/ElyEXxg1Vn25MkZ8fksI6k61pSOhK5FI757anQkWonVb4KVpYftWidZBdny6NYqVG//X15buSHPUv5ArgR7LKPIRA636DJ/okrK20+21kVIJTjxzlZH/VJd7K9zl24OCCMjU1FvJ5ibd2XK/lJKhSn/V5g== X-Forefront-Antispam-Report: CIP:165.204.84.17; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:SATLEXMB04.amd.com; PTR:InfoDomainNonexistent; CAT:NONE; SFS:(13230040)(1800799024)(36860700013)(82310400026)(376014)(7416014)(921020); DIR:OUT; SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2024 23:25:22.3899 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 40479a46-cc8f-4e60-eb8d-08dd18a8c0ce X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d; Ip=[165.204.84.17]; Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: SA2PEPF00003F62.namprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR12MB7485 From: Ashish Kalra Modify the behavior of implicit SEV initialization in some of the SEV ioctls to do both SEV initialization and shutdown and adds implicit SNP initialization and shutdown to some of the SNP ioctls so that the change of SEV/SNP platform initialization not being done during PSP driver probe time does not break userspace tools such as sevtool, etc. Signed-off-by: Ashish Kalra --- drivers/crypto/ccp/sev-dev.c | 149 +++++++++++++++++++++++++++++------ 1 file changed, 125 insertions(+), 24 deletions(-) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index a17796729725..d8673d8836f1 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -1453,7 +1453,8 @@ static int sev_ioctl_do_platform_status(struct sev_issue_cmd *argp) static int sev_ioctl_do_pek_pdh_gen(int cmd, struct sev_issue_cmd *argp, bool writable) { struct sev_device *sev = psp_master->sev_data; - int rc; + bool shutdown_required = false; + int rc, ret, error; if (!writable) return -EPERM; @@ -1462,19 +1463,30 @@ static int sev_ioctl_do_pek_pdh_gen(int cmd, struct sev_issue_cmd *argp, bool wr rc = __sev_platform_init_locked(&argp->error); if (rc) return rc; + shutdown_required = true; + } + + rc = __sev_do_cmd_locked(cmd, NULL, &argp->error); + + if (shutdown_required) { + ret = __sev_platform_shutdown_locked(&error); + if (ret) + dev_err(sev->dev, "SEV: failed to SHUTDOWN error %#x, rc %d\n", + error, ret); } - return __sev_do_cmd_locked(cmd, NULL, &argp->error); + return rc; } static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable) { struct sev_device *sev = psp_master->sev_data; struct sev_user_data_pek_csr input; + bool shutdown_required = false; struct sev_data_pek_csr data; void __user *input_address; + int ret, rc, error; void *blob = NULL; - int ret; if (!writable) return -EPERM; @@ -1505,6 +1517,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable) ret = __sev_platform_init_locked(&argp->error); if (ret) goto e_free_blob; + shutdown_required = true; } ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error); @@ -1523,6 +1536,13 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable) } e_free_blob: + if (shutdown_required) { + rc = __sev_platform_shutdown_locked(&error); + if (rc) + dev_err(sev->dev, "SEV: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + kfree(blob); return ret; } @@ -1738,8 +1758,9 @@ static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp, bool writable) struct sev_device *sev = psp_master->sev_data; struct sev_user_data_pek_cert_import input; struct sev_data_pek_cert_import data; + bool shutdown_required = false; void *pek_blob, *oca_blob; - int ret; + int ret, rc, error; if (!writable) return -EPERM; @@ -1771,11 +1792,19 @@ static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp, bool writable) ret = __sev_platform_init_locked(&argp->error); if (ret) goto e_free_oca; + shutdown_required = true; } ret = __sev_do_cmd_locked(SEV_CMD_PEK_CERT_IMPORT, &data, &argp->error); e_free_oca: + if (shutdown_required) { + rc = __sev_platform_shutdown_locked(&error); + if (rc) + dev_err(sev->dev, "SEV: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + kfree(oca_blob); e_free_pek: kfree(pek_blob); @@ -1892,17 +1921,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) struct sev_data_pdh_cert_export data; void __user *input_cert_chain_address; void __user *input_pdh_cert_address; - int ret; - - /* If platform is not in INIT state then transition it to INIT. */ - if (sev->state != SEV_STATE_INIT) { - if (!writable) - return -EPERM; - - ret = __sev_platform_init_locked(&argp->error); - if (ret) - return ret; - } + bool shutdown_required = false; + int ret, rc, error; if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) return -EFAULT; @@ -1943,6 +1963,16 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) data.cert_chain_len = input.cert_chain_len; cmd: + /* If platform is not in INIT state then transition it to INIT. */ + if (sev->state != SEV_STATE_INIT) { + if (!writable) + return -EPERM; + ret = __sev_platform_init_locked(&argp->error); + if (ret) + goto e_free_cert; + shutdown_required = true; + } + ret = __sev_do_cmd_locked(SEV_CMD_PDH_CERT_EXPORT, &data, &argp->error); /* If we query the length, FW responded with expected data. */ @@ -1969,6 +1999,13 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) } e_free_cert: + if (shutdown_required) { + rc = __sev_platform_shutdown_locked(&error); + if (rc) + dev_err(sev->dev, "SEV: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + kfree(cert_blob); e_free_pdh: kfree(pdh_blob); @@ -1978,12 +2015,13 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp) { struct sev_device *sev = psp_master->sev_data; + bool shutdown_required = false; struct sev_data_snp_addr buf; struct page *status_page; + int ret, rc, error; void *data; - int ret; - if (!sev->snp_initialized || !argp->data) + if (!argp->data) return -EINVAL; status_page = alloc_page(GFP_KERNEL_ACCOUNT); @@ -1992,6 +2030,13 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp) data = page_address(status_page); + if (!sev->snp_initialized) { + ret = __sev_snp_init_locked(&argp->error); + if (ret) + goto cleanup; + shutdown_required = true; + } + /* * Firmware expects status page to be in firmware-owned state, otherwise * it will report firmware error code INVALID_PAGE_STATE (0x1A). @@ -2020,6 +2065,13 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp) ret = -EFAULT; cleanup: + if (shutdown_required) { + rc = __sev_snp_shutdown_locked(&error, false); + if (rc) + dev_err(sev->dev, "SEV-SNP: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + __free_pages(status_page, 0); return ret; } @@ -2028,21 +2080,38 @@ static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp) { struct sev_device *sev = psp_master->sev_data; struct sev_data_snp_commit buf; + bool shutdown_required = false; + int ret, rc, error; - if (!sev->snp_initialized) - return -EINVAL; + if (!sev->snp_initialized) { + ret = __sev_snp_init_locked(&argp->error); + if (ret) + return ret; + shutdown_required = true; + } buf.len = sizeof(buf); - return __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error); + ret = __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error); + + if (shutdown_required) { + rc = __sev_snp_shutdown_locked(&error, false); + if (rc) + dev_err(sev->dev, "SEV-SNP: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + + return ret; } static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable) { struct sev_device *sev = psp_master->sev_data; struct sev_user_data_snp_config config; + bool shutdown_required = false; + int ret, rc, error; - if (!sev->snp_initialized || !argp->data) + if (!argp->data) return -EINVAL; if (!writable) @@ -2051,17 +2120,34 @@ static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable if (copy_from_user(&config, (void __user *)argp->data, sizeof(config))) return -EFAULT; - return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); + if (!sev->snp_initialized) { + ret = __sev_snp_init_locked(&argp->error); + if (ret) + return ret; + shutdown_required = true; + } + + ret = __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error); + + if (shutdown_required) { + rc = __sev_snp_shutdown_locked(&error, false); + if (rc) + dev_err(sev->dev, "SEV-SNP: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + + return ret; } static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable) { struct sev_device *sev = psp_master->sev_data; struct sev_user_data_snp_vlek_load input; + bool shutdown_required = false; + int ret, rc, error; void *blob; - int ret; - if (!sev->snp_initialized || !argp->data) + if (!argp->data) return -EINVAL; if (!writable) @@ -2080,8 +2166,23 @@ static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable) input.vlek_wrapped_address = __psp_pa(blob); + if (!sev->snp_initialized) { + ret = __sev_snp_init_locked(&argp->error); + if (ret) + goto cleanup; + shutdown_required = true; + } + ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error); + if (shutdown_required) { + rc = __sev_snp_shutdown_locked(&error, false); + if (rc) + dev_err(sev->dev, "SEV-SNP: failed to SHUTDOWN error %#x, rc %d\n", + error, rc); + } + +cleanup: kfree(blob); return ret;