From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [Part2 PATCH v6.1 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT ioctl command
To: Brijesh Singh, Borislav Petkov
Cc: Paolo Bonzini, Radim Krčmář, Borislav Petkov, Herbert Xu, Tom Lendacky, linux-crypto@vger.kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20171020023413.122280-20-brijesh.singh@amd.com> <20171023221400.47047-1-brijesh.singh@amd.com>
From: Gary R Hook
Message-ID:
Date: Tue, 24 Oct 2017 13:42:50 -0500
In-Reply-To: <20171023221400.47047-1-brijesh.singh@amd.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/23/2017 05:14 PM, Brijesh Singh wrote:
> The SEV_PEK_CERT_IMPORT command can be used to import the signed PEK
> certificate. The command is defined in SEV spec section 5.8.
>
> Cc: Paolo Bonzini
> Cc: "Radim Krčmář"
> Cc: Borislav Petkov
> Cc: Herbert Xu
> Cc: Gary Hook
> Cc: Tom Lendacky
> Cc: linux-crypto@vger.kernel.org
> Cc: kvm@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Brijesh Singh

Acked-by: Gary R Hook

> ---
>
> Changes since v6:
>  * when sev_do_cmd() and sev_platform_shutdown() fail then propagate
>    the error status code from sev_do_cmd() because it can give us a
>    much better reason for the failure.
>
>  drivers/crypto/ccp/psp-dev.c | 92 ++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/psp-sev.h      |  4 ++
>  2 files changed, 96 insertions(+)
>
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index aaf1c5cf821d..108fc06bcdb3 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -301,6 +301,95 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp) > return ret; > } > > +void *psp_copy_user_blob(u64 __user uaddr, u32 len) > +{ > + void *data; > + > + if (!uaddr || !len) > + return ERR_PTR(-EINVAL); > + > + /* verify that blob length does not exceed our limit */ > + if (len > SEV_FW_BLOB_MAX_SIZE) > + return ERR_PTR(-EINVAL); > + > + data = kmalloc(len, GFP_KERNEL); > + if (!data) > + return ERR_PTR(-ENOMEM); > + > + if (copy_from_user(data, (void __user *)(uintptr_t)uaddr, len)) > + goto e_free; > + > + return data; > + > +e_free: > + kfree(data); > + return ERR_PTR(-EFAULT); > +} > +EXPORT_SYMBOL_GPL(psp_copy_user_blob); > + > +static int sev_ioctl_do_pek_cert_import(struct sev_issue_cmd *argp) > +{ > + struct sev_user_data_pek_cert_import input; > + struct sev_data_pek_cert_import *data; > + void *pek_blob, *oca_blob; > + int ret, err; > + > + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) > + return -EFAULT; > + > + data = kzalloc(sizeof(*data), GFP_KERNEL); > + if (!data) > + return -ENOMEM; > + > + /* copy PEK certificate blobs from userspace */ > + pek_blob = psp_copy_user_blob(input.pek_cert_address, input.pek_cert_len); > + if (IS_ERR(pek_blob)) { > + ret = PTR_ERR(pek_blob); > + goto e_free; > + } > + > + data->pek_cert_address = __psp_pa(pek_blob); > + data->pek_cert_len = input.pek_cert_len; > + > + /* copy PEK certificate blobs from userspace */ > + oca_blob = psp_copy_user_blob(input.oca_cert_address, input.oca_cert_len); > + if (IS_ERR(oca_blob)) { > + ret = PTR_ERR(oca_blob); > + goto e_free_pek; > + } > + > + data->oca_cert_address = __psp_pa(oca_blob); > + data->oca_cert_len = input.oca_cert_len; > + > + ret = sev_platform_init(NULL, &argp->error); > + if (ret) > + goto e_free_oca; > + > + ret = sev_do_cmd(SEV_CMD_PEK_CERT_IMPORT, data, &argp->error); > + > + if (sev_platform_shutdown(&err)) { > + /* > + * If both sev_do_cmd() and sev_platform_shutdown() commands > + * failed then 
propogate the error code from the sev_do_cmd() > + * because it contains a useful status code for the command > + * failure. > + */ > + if (ret) > + goto e_free_oca; > + > + ret = -EIO; > + argp->error = err; > + } > + > +e_free_oca: > + kfree(oca_blob); > +e_free_pek: > + kfree(pek_blob); > +e_free: > + kfree(data); > + return ret; > +} > + > static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) > { > void __user *argp = (void __user *)arg; > @@ -333,6 +422,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) > case SEV_PEK_CSR: > ret = sev_ioctl_do_pek_csr(&input); > break; > + case SEV_PEK_CERT_IMPORT: > + ret = sev_ioctl_do_pek_cert_import(&input); > + break; > default: > ret = -EINVAL; > goto out; > diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h > index eac850a97610..d535153ca82d 100644 > --- a/include/linux/psp-sev.h > +++ b/include/linux/psp-sev.h > @@ -620,6 +620,8 @@ int sev_guest_df_flush(int *error); > */ > int sev_guest_decommission(struct sev_data_decommission *data, int *error); > > +void *psp_copy_user_blob(u64 __user uaddr, u32 len); > + > #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ > > static inline int > @@ -648,6 +650,8 @@ sev_issue_cmd_external_user(struct file *filep, > return -ENODEV; > } > > +static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } > + > #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ > > #endif /* __PSP_SEV_H__ */ >
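Review bot: in the psp-dev.c hunk at @@ -301,6 +301,95 @@, the comment above the oca_blob copy in sev_ioctl_do_pek_cert_import() is a copy of the one above the pek_blob copy (`/* copy PEK certificate blobs from userspace */` appears twice); the second should read `/* copy OCA certificate blob from userspace */`. In the same hunk, `psp_copy_user_blob(u64 __user uaddr, u32 len)` puts `__user` on a plain integer, where sparse's address-space annotation does nothing; the explicit `(void __user *)(uintptr_t)uaddr` cast is what carries it, so drop `__user` from this parameter and from the matching declaration in the include/linux/psp-sev.h hunk. The `if (len > SEV_FW_BLOB_MAX_SIZE)` check before `kmalloc(len, GFP_KERNEL)` is the right place to cap a user-controlled allocation size; a one-line comment on the exported declaration saying that a zero or oversized length yields ERR_PTR(-EINVAL) would save callers a trip into the implementation. Also, "propogate" in the shutdown-failure comment should be "propagate".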
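Review bot: in the include/linux/psp-sev.h hunk at @@ -648,6 +650,8 @@, the !CONFIG_CRYPTO_DEV_SP_PSP stub of psp_copy_user_blob() returns ERR_PTR(-EINVAL), while the stub just above it in the context returns -ENODEV; -EINVAL is also what the real implementation returns for a bad uaddr or len, so a caller cannot distinguish "PSP support not built in" from "bad argument". Suggest `return ERR_PTR(-ENODEV);`, written in the multi-line body style of the surrounding stubs rather than as a single-line definition.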