Subject: Re: [Part2 PATCH v6.1 20/38] crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command
To: Brijesh Singh, Borislav Petkov
Cc: Paolo Bonzini, Radim Krčmář, Borislav Petkov, Herbert Xu, Tom Lendacky, linux-crypto@vger.kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20171020023413.122280-21-brijesh.singh@amd.com> <20171023221949.47898-1-brijesh.singh@amd.com>
From: Gary R Hook
Date: Tue, 24 Oct 2017 13:43:05 -0500
In-Reply-To: <20171023221949.47898-1-brijesh.singh@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/23/2017 05:19 PM, Brijesh Singh wrote:
> The SEV_PDH_CERT_EXPORT command can be used to export the PDH and its
> certificate chain. The command is defined in SEV spec section 5.10.
>
> Cc: Paolo Bonzini
> Cc: "Radim Krčmář"
> Cc: Borislav Petkov
> Cc: Herbert Xu
> Cc: Gary Hook
> Cc: Tom Lendacky
> Cc: linux-crypto@vger.kernel.org
> Cc: kvm@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Brijesh Singh

Acked-by: Gary R Hook

> ---
>
> Changes since v6:
> * when sev_do_cmd() and sev_platform_shutdown() fail, propagate
> the error status code from sev_do_cmd() because it can give us
> a much better reason for the failure.
>
> drivers/crypto/ccp/psp-dev.c | 110 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 110 insertions(+)
>
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index 108fc06bcdb3..b9f594cb10c1 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -390,6 +390,113 @@ static int sev_ioctl_do_pek_cert_import(struct sev_issue_cmd *argp) > return ret; > } > > +static int sev_ioctl_do_pdh_cert_export(struct sev_issue_cmd *argp) > +{ > + struct sev_user_data_pdh_cert_export input; > + void *pdh_blob = NULL, *cert_blob = NULL; > + struct sev_data_pdh_cert_export *data; > + int ret, err; > + > + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) > + return -EFAULT; > + > + data = kzalloc(sizeof(*data), GFP_KERNEL); > + if (!data) > + return -ENOMEM; > + > + /* Userspace wants to query the certificate length */ > + if (!input.pdh_cert_address || !input.pdh_cert_len || > + !input.cert_chain_address || !input.cert_chain_address) > + goto cmd; > + > + /* allocate a physically contiguous buffer to store the PDH blob */ > + if (!access_ok(VERIFY_WRITE, input.pdh_cert_address, input.pdh_cert_len) || > + (input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE)) { > + ret = -EFAULT; > + goto e_free; > + } > + > + pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL); > + if (!pdh_blob) { > + ret = -ENOMEM; > + goto e_free; > + } > + > + data->pdh_cert_address = __psp_pa(pdh_blob); > + data->pdh_cert_len = input.pdh_cert_len; > + > + /* allocate a physically contiguous buffer to store the cert chain blob */ > + if (!access_ok(VERIFY_WRITE, input.cert_chain_address, input.cert_chain_len) || > + (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE)) { > + ret = -EFAULT; > + goto e_free_pdh; > + } > + > + cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL); > + if (!cert_blob) { > + ret = -ENOMEM; > + goto e_free_pdh; > + } > + > + data->cert_chain_address = __psp_pa(cert_blob); > + data->cert_chain_len = input.cert_chain_len; > + > +cmd: > + ret = sev_platform_init(NULL, &argp->error); > + if (ret) > + goto e_free_cert; > + > + ret = sev_do_cmd(SEV_CMD_PDH_CERT_EXPORT, data, &argp->error); > + > + /* > + * If we query the length, FW responded with expected data > + */ > + input.cert_chain_len = data->cert_chain_len; > + 
input.pdh_cert_len = data->pdh_cert_len; > + > + if (sev_platform_shutdown(&err)) { > + /* > + * If both sev_do_cmd() and sev_platform_shutdown() commands > + * failed then propogate the error code from the sev_do_cmd() > + * because it contains a useful status code for the command > + * failure. > + */ > + if (ret) > + goto e_free_cert; > + > + ret = -EIO; > + argp->error = err; > + goto e_free_cert; > + } > + > + if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) { > + ret = -EFAULT; > + goto e_free_cert; > + } > + > + if (pdh_blob) { > + if (copy_to_user((void __user *)input.pdh_cert_address, > + pdh_blob, input.pdh_cert_len)) { > + ret = -EFAULT; > + goto e_free_cert; > + } > + } > + > + if (cert_blob) { > + if (copy_to_user((void __user *)input.cert_chain_address, > + cert_blob, input.cert_chain_len)) > + ret = -EFAULT; > + } > + > +e_free_cert: > + kfree(cert_blob); > +e_free_pdh: > + kfree(pdh_blob); > +e_free: > + kfree(data); > + return ret; > +} > + > static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) > { > void __user *argp = (void __user *)arg; > @@ -425,6 +532,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) > case SEV_PEK_CERT_IMPORT: > ret = sev_ioctl_do_pek_cert_import(&input); > break; > + case SEV_PDH_CERT_EXPORT: > + ret = sev_ioctl_do_pdh_cert_export(&input); > + break; > default: > ret = -EINVAL; > goto out; >
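Review bot: In the sev_ioctl_do_pdh_cert_export() hunk, once sev_platform_shutdown() succeeds the function never checks `ret` from sev_do_cmd() before copying the blobs back to userspace, and by that point `input.pdh_cert_len` and `input.cert_chain_len` have already been overwritten with the firmware-reported lengths. If the command failed because the caller's buffer was too small, the reported length can exceed the kmalloc()ed size, so `copy_to_user((void __user *)input.pdh_cert_address, pdh_blob, input.pdh_cert_len)` reads past the allocation; and even when the lengths match, the blobs are uninitialised kmalloc() memory on a failed command, so their contents should not reach userspace. Suggest copying `input` back first (so the length query still returns the firmware's lengths) and then adding `if (ret) goto e_free_cert;` before the blob copies, or copying with the originally requested lengths. Separately, the early check `!input.cert_chain_address || !input.cert_chain_address` tests the same field twice; the second term was presumably meant to be `!input.cert_chain_len`, matching the `pdh_cert` pair on the line above it.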