From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88C9AC352A1 for ; Sat, 3 Dec 2022 12:26:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229605AbiLCM0T (ORCPT ); Sat, 3 Dec 2022 07:26:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38960 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229462AbiLCM0Q (ORCPT ); Sat, 3 Dec 2022 07:26:16 -0500 Received: from mail.skyhub.de (mail.skyhub.de [5.9.137.197]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 344A910A9 for ; Sat, 3 Dec 2022 04:26:14 -0800 (PST) Received: from zn.tnic (p200300ea9733e766329c23fffea6a903.dip0.t-ipconnect.de [IPv6:2003:ea:9733:e766:329c:23ff:fea6:a903]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id A55BF1EC0622; Sat, 3 Dec 2022 13:26:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim; t=1670070372; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rPVN6m3qIHKCJVTyQj6CWw40yJUK2VfroWKDAdNkbyY=; b=ehB7UkY3DhaLGbyBNjoo/HWkFAa3TOT5lEUPD+KPh3JrCbBkJMWnEYHB51YCXSm5jnoZb6 tCBdab34BfgS9chGe2AfyP8miTQ+wIcTIRbzuw/ifgtFKbdSFJKUFInSlXexDmPqzioMoq u7PQQvfKmTUSt/Imctc22GJnYRCuaQ0= Date: Sat, 3 Dec 2022 13:26:07 +0100 From: Borislav Petkov To: Dionna Glaze Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Peter Gonda , Thomas Lendacky , Paolo Bonzini , Joerg Roedel , Ingo Molnar , Andy Lutomirsky , John Allen , Herbert Xu , "David S. Miller" Subject: Re: [PATCH v8 1/4] crypto: ccp - Name -1 return value as SEV_RET_NO_FW_CALL Message-ID: References: <20221104230040.2346862-1-dionnaglaze@google.com> <20221104230040.2346862-2-dionnaglaze@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20221104230040.2346862-2-dionnaglaze@google.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 04, 2022 at 11:00:37PM +0000, Dionna Glaze wrote: > From: Peter Gonda > > The PSP can return a "firmware error" code of -1 in circumstances where > the PSP is not actually called. To make this protocol unambiguous, we Please use passive voice in your commit message: no "we" or "I", etc, and describe your changes in imperative mood. > add a constant naming the return value. > > Cc: Thomas Lendacky > Cc: Paolo Bonzini > Cc: Joerg Roedel > Cc: Ingo Molnar > Cc: Andy Lutomirsky > Cc: John Allen > Cc: Herbert Xu > Cc: "David S. Miller" > > Signed-off-by: Peter Gonda > Signed-off-by: Dionna Glaze > --- > drivers/crypto/ccp/sev-dev.c | 2 +- > include/uapi/linux/psp-sev.h | 7 +++++++ > 2 files changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c > index 06fc7156c04f..97eb3544ab36 100644 > --- a/drivers/crypto/ccp/sev-dev.c > +++ b/drivers/crypto/ccp/sev-dev.c > @@ -444,7 +444,7 @@ static int __sev_platform_init_locked(int *error) > { > struct psp_device *psp = psp_master; > struct sev_device *sev; > - int rc = 0, psp_ret = -1; > + int rc = 0, psp_ret = SEV_RET_NO_FW_CALL; > int (*init_function)(int *error); > > if (!psp || !psp->sev_data) Ok, lemme chase down this flow here: __sev_platform_init_locked() calls that automatic variable function pointer ->init_function which already looks funky. See the end of this mail for a diff removing it and making the code more readable. The called function can be one of two and both get the pointer to psp_ret as its only argument. 1. __sev_init_ex_locked() calls __sev_do_cmd_locked() and passes down *psp_ret. or 2. __sev_init_locked(). Ditto. Now, __sev_do_cmd_locked() will overwrite psp_ret when sev_wait_cmd_ioc() fails. So far so good. In the case __sev_do_cmd_locked() succeeds, it'll put there something else: if (psp_ret) *psp_ret = reg & PSP_CMDRESP_ERR_MASK; So no caller will ever see SEV_RET_NO_FW_CALL, as far as I can tell. And looking further through the rest of the set, nothing tests SEV_RET_NO_FW_CALL - it only gets assigned. So why are we even bothering with this? You can hand in *psp_ret uninitialized and you'll get a value in all cases. Unless I'm missing an angle. > diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h > index 91b4c63d5cbf..1ad7f0a7e328 100644 > --- a/include/uapi/linux/psp-sev.h > +++ b/include/uapi/linux/psp-sev.h > @@ -36,6 +36,13 @@ enum { > * SEV Firmware status code > */ > typedef enum { > + /* > + * This error code is not in the SEV spec but is added to convey that > + * there was an error that prevented the SEV Firmware from being called. > + * This is (u32)-1 since the firmware error code is represented as a > + * 32-bit integer. > + */ > + SEV_RET_NO_FW_CALL = 0xffffffff, What's wrong with having -1 here? > SEV_RET_SUCCESS = 0, > SEV_RET_INVALID_PLATFORM_STATE, > SEV_RET_INVALID_GUEST_STATE, > -- diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 97eb3544ab36..8bc4209b338b 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -440,12 +440,20 @@ static int __sev_init_ex_locked(int *error) return __sev_do_cmd_locked(SEV_CMD_INIT_EX, &data, error); } +static inline int __sev_do_init_locked(int *psp_ret) +{ + if (sev_init_ex_buffer) + return __sev_init_ex_locked(psp_ret); + else + + return __sev_init_locked(psp_ret); +} + static int __sev_platform_init_locked(int *error) { struct psp_device *psp = psp_master; struct sev_device *sev; - int rc = 0, psp_ret = SEV_RET_NO_FW_CALL; - int (*init_function)(int *error); + int rc = 0, psp_ret; if (!psp || !psp->sev_data) return -ENODEV; @@ -456,15 +464,12 @@ static int __sev_platform_init_locked(int *error) return 0; if (sev_init_ex_buffer) { - init_function = __sev_init_ex_locked; rc = sev_read_init_ex_file(); if (rc) return rc; - } else { - init_function = __sev_init_locked; } - rc = init_function(&psp_ret); + rc = __sev_do_init_locked(&psp_ret); if (rc && psp_ret == SEV_RET_SECURE_DATA_INVALID) { /* * Initialization command returned an integrity check failure @@ -473,9 +478,12 @@ static int __sev_platform_init_locked(int *error) * initialization function should succeed by replacing the state * with a reset state. */ - dev_err(sev->dev, "SEV: retrying INIT command because of SECURE_DATA_INVALID error. Retrying once to reset PSP SEV state."); - rc = init_function(&psp_ret); + dev_err(sev->dev, +"SEV: retrying INIT command because of SECURE_DATA_INVALID error. Retrying once to reset PSP SEV state."); + + rc = __sev_do_init_locked(&psp_ret); } + if (error) *error = psp_ret; diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index 1ad7f0a7e328..a9ed9e846cd2 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -42,7 +42,7 @@ typedef enum { * This is (u32)-1 since the firmware error code is represented as a * 32-bit integer. */ - SEV_RET_NO_FW_CALL = 0xffffffff, + SEV_RET_NO_FW_CALL = -1, SEV_RET_SUCCESS = 0, SEV_RET_INVALID_PLATFORM_STATE, SEV_RET_INVALID_GUEST_STATE, -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette