1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AMD Secure Encrypted Virtualization (SEV) driver interface 4 * 5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. 6 * 7 * Author: Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * SEV API spec is available at https://developer.amd.com/sev 10 */ 11 12 #ifndef __PSP_SEV_H__ 13 #define __PSP_SEV_H__ 14 15 #include <uapi/linux/psp-sev.h> 16 17 #ifdef CONFIG_X86 18 #include <linux/mem_encrypt.h> 19 20 #define __psp_pa(x) __sme_pa(x) 21 #else 22 #define __psp_pa(x) __pa(x) 23 #endif 24 25 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ 26 27 /** 28 * SEV platform state 29 */ 30 enum sev_state { 31 SEV_STATE_UNINIT = 0x0, 32 SEV_STATE_INIT = 0x1, 33 SEV_STATE_WORKING = 0x2, 34 35 SEV_STATE_MAX 36 }; 37 38 /** 39 * SEV platform and guest management commands 40 */ 41 enum sev_cmd { 42 /* platform commands */ 43 SEV_CMD_INIT = 0x001, 44 SEV_CMD_SHUTDOWN = 0x002, 45 SEV_CMD_FACTORY_RESET = 0x003, 46 SEV_CMD_PLATFORM_STATUS = 0x004, 47 SEV_CMD_PEK_GEN = 0x005, 48 SEV_CMD_PEK_CSR = 0x006, 49 SEV_CMD_PEK_CERT_IMPORT = 0x007, 50 SEV_CMD_PDH_CERT_EXPORT = 0x008, 51 SEV_CMD_PDH_GEN = 0x009, 52 SEV_CMD_DF_FLUSH = 0x00A, 53 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, 54 SEV_CMD_GET_ID = 0x00C, 55 56 /* Guest commands */ 57 SEV_CMD_DECOMMISSION = 0x020, 58 SEV_CMD_ACTIVATE = 0x021, 59 SEV_CMD_DEACTIVATE = 0x022, 60 SEV_CMD_GUEST_STATUS = 0x023, 61 62 /* Guest launch commands */ 63 SEV_CMD_LAUNCH_START = 0x030, 64 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, 65 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, 66 SEV_CMD_LAUNCH_MEASURE = 0x033, 67 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, 68 SEV_CMD_LAUNCH_FINISH = 0x035, 69 70 /* Guest migration commands (outgoing) */ 71 SEV_CMD_SEND_START = 0x040, 72 SEV_CMD_SEND_UPDATE_DATA = 0x041, 73 SEV_CMD_SEND_UPDATE_VMSA = 0x042, 74 SEV_CMD_SEND_FINISH = 0x043, 75 76 /* Guest migration commands (incoming) */ 77 SEV_CMD_RECEIVE_START = 0x050, 78 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, 79 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, 80 SEV_CMD_RECEIVE_FINISH = 0x053, 81 82 /* Guest debug commands */ 83 SEV_CMD_DBG_DECRYPT = 0x060, 84 SEV_CMD_DBG_ENCRYPT = 0x061, 85 86 SEV_CMD_MAX, 87 }; 88 89 /** 90 * struct sev_data_init - INIT command parameters 91 * 92 * @flags: processing flags 93 * @tmr_address: system physical address used for SEV-ES 94 * @tmr_len: len of tmr_address 95 */ 96 struct sev_data_init { 97 u32 flags; /* In */ 98 u32 reserved; /* In */ 99 u64 tmr_address; /* In */ 100 u32 tmr_len; /* In */ 101 } __packed; 102 103 /** 104 * struct sev_data_pek_csr - PEK_CSR command parameters 105 * 106 * @address: PEK certificate chain 107 * @len: len of certificate 108 */ 109 struct sev_data_pek_csr { 110 u64 address; /* In */ 111 u32 len; /* In/Out */ 112 } __packed; 113 114 /** 115 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters 116 * 117 * @pek_address: PEK certificate chain 118 * @pek_len: len of PEK certificate 119 * @oca_address: OCA certificate chain 120 * @oca_len: len of OCA certificate 121 */ 122 struct sev_data_pek_cert_import { 123 u64 pek_cert_address; /* In */ 124 u32 pek_cert_len; /* In */ 125 u32 reserved; /* In */ 126 u64 oca_cert_address; /* In */ 127 u32 oca_cert_len; /* In */ 128 } __packed; 129 130 /** 131 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters 132 * 133 * @address: physical address of firmware image 134 * @len: len of the firmware image 135 */ 136 struct sev_data_download_firmware { 137 u64 address; /* In */ 138 u32 len; /* In */ 139 } __packed; 140 141 /** 142 * struct sev_data_get_id - GET_ID command parameters 143 * 144 * @address: physical address of region to place unique CPU ID(s) 145 * @len: len of the region 146 */ 147 struct sev_data_get_id { 148 u64 address; /* In */ 149 u32 len; /* In/Out */ 150 } __packed; 151 /** 152 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters 153 * 154 * @pdh_address: PDH certificate address 155 * @pdh_len: len of PDH certificate 156 * @cert_chain_address: PDH certificate chain 157 * @cert_chain_len: len of PDH certificate chain 158 */ 159 struct sev_data_pdh_cert_export { 160 u64 pdh_cert_address; /* In */ 161 u32 pdh_cert_len; /* In/Out */ 162 u32 reserved; /* In */ 163 u64 cert_chain_address; /* In */ 164 u32 cert_chain_len; /* In/Out */ 165 } __packed; 166 167 /** 168 * struct sev_data_decommission - DECOMMISSION command parameters 169 * 170 * @handle: handle of the VM to decommission 171 */ 172 struct sev_data_decommission { 173 u32 handle; /* In */ 174 } __packed; 175 176 /** 177 * struct sev_data_activate - ACTIVATE command parameters 178 * 179 * @handle: handle of the VM to activate 180 * @asid: asid assigned to the VM 181 */ 182 struct sev_data_activate { 183 u32 handle; /* In */ 184 u32 asid; /* In */ 185 } __packed; 186 187 /** 188 * struct sev_data_deactivate - DEACTIVATE command parameters 189 * 190 * @handle: handle of the VM to deactivate 191 */ 192 struct sev_data_deactivate { 193 u32 handle; /* In */ 194 } __packed; 195 196 /** 197 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters 198 * 199 * @handle: handle of the VM to retrieve status 200 * @policy: policy information for the VM 201 * @asid: current ASID of the VM 202 * @state: current state of the VM 203 */ 204 struct sev_data_guest_status { 205 u32 handle; /* In */ 206 u32 policy; /* Out */ 207 u32 asid; /* Out */ 208 u8 state; /* Out */ 209 } __packed; 210 211 /** 212 * struct sev_data_launch_start - LAUNCH_START command parameters 213 * 214 * @handle: handle assigned to the VM 215 * @policy: guest launch policy 216 * @dh_cert_address: physical address of DH certificate blob 217 * @dh_cert_len: len of DH certificate blob 218 * @session_address: physical address of session parameters 219 * @session_len: len of session parameters 220 */ 221 struct sev_data_launch_start { 222 u32 handle; /* In/Out */ 223 u32 policy; /* In */ 224 u64 dh_cert_address; /* In */ 225 u32 dh_cert_len; /* In */ 226 u32 reserved; /* In */ 227 u64 session_address; /* In */ 228 u32 session_len; /* In */ 229 } __packed; 230 231 /** 232 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter 233 * 234 * @handle: handle of the VM to update 235 * @len: len of memory to be encrypted 236 * @address: physical address of memory region to encrypt 237 */ 238 struct sev_data_launch_update_data { 239 u32 handle; /* In */ 240 u32 reserved; 241 u64 address; /* In */ 242 u32 len; /* In */ 243 } __packed; 244 245 /** 246 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command 247 * 248 * @handle: handle of the VM 249 * @address: physical address of memory region to encrypt 250 * @len: len of memory region to encrypt 251 */ 252 struct sev_data_launch_update_vmsa { 253 u32 handle; /* In */ 254 u32 reserved; 255 u64 address; /* In */ 256 u32 len; /* In */ 257 } __packed; 258 259 /** 260 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters 261 * 262 * @handle: handle of the VM to process 263 * @address: physical address containing the measurement blob 264 * @len: len of measurement blob 265 */ 266 struct sev_data_launch_measure { 267 u32 handle; /* In */ 268 u32 reserved; 269 u64 address; /* In */ 270 u32 len; /* In/Out */ 271 } __packed; 272 273 /** 274 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters 275 * 276 * @handle: handle of the VM to process 277 * @hdr_address: physical address containing the packet header 278 * @hdr_len: len of packet header 279 * @guest_address: system physical address of guest memory region 280 * @guest_len: len of guest_paddr 281 * @trans_address: physical address of transport memory buffer 282 * @trans_len: len of transport memory buffer 283 */ 284 struct sev_data_launch_secret { 285 u32 handle; /* In */ 286 u32 reserved1; 287 u64 hdr_address; /* In */ 288 u32 hdr_len; /* In */ 289 u32 reserved2; 290 u64 guest_address; /* In */ 291 u32 guest_len; /* In */ 292 u32 reserved3; 293 u64 trans_address; /* In */ 294 u32 trans_len; /* In */ 295 } __packed; 296 297 /** 298 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters 299 * 300 * @handle: handle of the VM to process 301 */ 302 struct sev_data_launch_finish { 303 u32 handle; /* In */ 304 } __packed; 305 306 /** 307 * struct sev_data_send_start - SEND_START command parameters 308 * 309 * @handle: handle of the VM to process 310 * @policy: policy information for the VM 311 * @pdh_cert_address: physical address containing PDH certificate 312 * @pdh_cert_len: len of PDH certificate 313 * @plat_certs_address: physical address containing platform certificate 314 * @plat_certs_len: len of platform certificate 315 * @amd_certs_address: physical address containing AMD certificate 316 * @amd_certs_len: len of AMD certificate 317 * @session_address: physical address containing Session data 318 * @session_len: len of session data 319 */ 320 struct sev_data_send_start { 321 u32 handle; /* In */ 322 u32 policy; /* Out */ 323 u64 pdh_cert_address; /* In */ 324 u32 pdh_cert_len; /* In */ 325 u32 reserved1; 326 u64 plat_cert_address; /* In */ 327 u32 plat_cert_len; /* In */ 328 u32 reserved2; 329 u64 amd_cert_address; /* In */ 330 u32 amd_cert_len; /* In */ 331 u32 reserved3; 332 u64 session_address; /* In */ 333 u32 session_len; /* In/Out */ 334 } __packed; 335 336 /** 337 * struct sev_data_send_update - SEND_UPDATE_DATA command 338 * 339 * @handle: handle of the VM to process 340 * @hdr_address: physical address containing packet header 341 * @hdr_len: len of packet header 342 * @guest_address: physical address of guest memory region to send 343 * @guest_len: len of guest memory region to send 344 * @trans_address: physical address of host memory region 345 * @trans_len: len of host memory region 346 */ 347 struct sev_data_send_update_data { 348 u32 handle; /* In */ 349 u32 reserved1; 350 u64 hdr_address; /* In */ 351 u32 hdr_len; /* In/Out */ 352 u32 reserved2; 353 u64 guest_address; /* In */ 354 u32 guest_len; /* In */ 355 u32 reserved3; 356 u64 trans_address; /* In */ 357 u32 trans_len; /* In */ 358 } __packed; 359 360 /** 361 * struct sev_data_send_update - SEND_UPDATE_VMSA command 362 * 363 * @handle: handle of the VM to process 364 * @hdr_address: physical address containing packet header 365 * @hdr_len: len of packet header 366 * @guest_address: physical address of guest memory region to send 367 * @guest_len: len of guest memory region to send 368 * @trans_address: physical address of host memory region 369 * @trans_len: len of host memory region 370 */ 371 struct sev_data_send_update_vmsa { 372 u32 handle; /* In */ 373 u64 hdr_address; /* In */ 374 u32 hdr_len; /* In/Out */ 375 u32 reserved2; 376 u64 guest_address; /* In */ 377 u32 guest_len; /* In */ 378 u32 reserved3; 379 u64 trans_address; /* In */ 380 u32 trans_len; /* In */ 381 } __packed; 382 383 /** 384 * struct sev_data_send_finish - SEND_FINISH command parameters 385 * 386 * @handle: handle of the VM to process 387 */ 388 struct sev_data_send_finish { 389 u32 handle; /* In */ 390 } __packed; 391 392 /** 393 * struct sev_data_receive_start - RECEIVE_START command parameters 394 * 395 * @handle: handle of the VM to perform receive operation 396 * @pdh_cert_address: system physical address containing PDH certificate blob 397 * @pdh_cert_len: len of PDH certificate blob 398 * @session_address: system physical address containing session blob 399 * @session_len: len of session blob 400 */ 401 struct sev_data_receive_start { 402 u32 handle; /* In/Out */ 403 u32 policy; /* In */ 404 u64 pdh_cert_address; /* In */ 405 u32 pdh_cert_len; /* In */ 406 u32 reserved1; 407 u64 session_address; /* In */ 408 u32 session_len; /* In */ 409 } __packed; 410 411 /** 412 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters 413 * 414 * @handle: handle of the VM to update 415 * @hdr_address: physical address containing packet header blob 416 * @hdr_len: len of packet header 417 * @guest_address: system physical address of guest memory region 418 * @guest_len: len of guest memory region 419 * @trans_address: system physical address of transport buffer 420 * @trans_len: len of transport buffer 421 */ 422 struct sev_data_receive_update_data { 423 u32 handle; /* In */ 424 u32 reserved1; 425 u64 hdr_address; /* In */ 426 u32 hdr_len; /* In */ 427 u32 reserved2; 428 u64 guest_address; /* In */ 429 u32 guest_len; /* In */ 430 u32 reserved3; 431 u64 trans_address; /* In */ 432 u32 trans_len; /* In */ 433 } __packed; 434 435 /** 436 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters 437 * 438 * @handle: handle of the VM to update 439 * @hdr_address: physical address containing packet header blob 440 * @hdr_len: len of packet header 441 * @guest_address: system physical address of guest memory region 442 * @guest_len: len of guest memory region 443 * @trans_address: system physical address of transport buffer 444 * @trans_len: len of transport buffer 445 */ 446 struct sev_data_receive_update_vmsa { 447 u32 handle; /* In */ 448 u32 reserved1; 449 u64 hdr_address; /* In */ 450 u32 hdr_len; /* In */ 451 u32 reserved2; 452 u64 guest_address; /* In */ 453 u32 guest_len; /* In */ 454 u32 reserved3; 455 u64 trans_address; /* In */ 456 u32 trans_len; /* In */ 457 } __packed; 458 459 /** 460 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters 461 * 462 * @handle: handle of the VM to finish 463 */ 464 struct sev_data_receive_finish { 465 u32 handle; /* In */ 466 } __packed; 467 468 /** 469 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 470 * 471 * @handle: handle of the VM to perform debug operation 472 * @src_addr: source address of data to operate on 473 * @dst_addr: destination address of data to operate on 474 * @len: len of data to operate on 475 */ 476 struct sev_data_dbg { 477 u32 handle; /* In */ 478 u32 reserved; 479 u64 src_addr; /* In */ 480 u64 dst_addr; /* In */ 481 u32 len; /* In */ 482 } __packed; 483 484 #ifdef CONFIG_CRYPTO_DEV_SP_PSP 485 486 /** 487 * sev_platform_init - perform SEV INIT command 488 * 489 * @error: SEV command return code 490 * 491 * Returns: 492 * 0 if the SEV successfully processed the command 493 * -%ENODEV if the SEV device is not available 494 * -%ENOTSUPP if the SEV does not support SEV 495 * -%ETIMEDOUT if the SEV command timed out 496 * -%EIO if the SEV returned a non-zero return code 497 */ 498 int sev_platform_init(int *error); 499 500 /** 501 * sev_platform_status - perform SEV PLATFORM_STATUS command 502 * 503 * @status: sev_user_data_status structure to be processed 504 * @error: SEV command return code 505 * 506 * Returns: 507 * 0 if the SEV successfully processed the command 508 * -%ENODEV if the SEV device is not available 509 * -%ENOTSUPP if the SEV does not support SEV 510 * -%ETIMEDOUT if the SEV command timed out 511 * -%EIO if the SEV returned a non-zero return code 512 */ 513 int sev_platform_status(struct sev_user_data_status *status, int *error); 514 515 /** 516 * sev_issue_cmd_external_user - issue SEV command by other driver with a file 517 * handle. 518 * 519 * This function can be used by other drivers to issue a SEV command on 520 * behalf of userspace. The caller must pass a valid SEV file descriptor 521 * so that we know that it has access to SEV device. 522 * 523 * @filep - SEV device file pointer 524 * @cmd - command to issue 525 * @data - command buffer 526 * @error: SEV command return code 527 * 528 * Returns: 529 * 0 if the SEV successfully processed the command 530 * -%ENODEV if the SEV device is not available 531 * -%ENOTSUPP if the SEV does not support SEV 532 * -%ETIMEDOUT if the SEV command timed out 533 * -%EIO if the SEV returned a non-zero return code 534 * -%EINVAL if the SEV file descriptor is not valid 535 */ 536 int sev_issue_cmd_external_user(struct file *filep, unsigned int id, 537 void *data, int *error); 538 539 /** 540 * sev_guest_deactivate - perform SEV DEACTIVATE command 541 * 542 * @deactivate: sev_data_deactivate structure to be processed 543 * @sev_ret: sev command return code 544 * 545 * Returns: 546 * 0 if the sev successfully processed the command 547 * -%ENODEV if the sev device is not available 548 * -%ENOTSUPP if the sev does not support SEV 549 * -%ETIMEDOUT if the sev command timed out 550 * -%EIO if the sev returned a non-zero return code 551 */ 552 int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); 553 554 /** 555 * sev_guest_activate - perform SEV ACTIVATE command 556 * 557 * @activate: sev_data_activate structure to be processed 558 * @sev_ret: sev command return code 559 * 560 * Returns: 561 * 0 if the sev successfully processed the command 562 * -%ENODEV if the sev device is not available 563 * -%ENOTSUPP if the sev does not support SEV 564 * -%ETIMEDOUT if the sev command timed out 565 * -%EIO if the sev returned a non-zero return code 566 */ 567 int sev_guest_activate(struct sev_data_activate *data, int *error); 568 569 /** 570 * sev_guest_df_flush - perform SEV DF_FLUSH command 571 * 572 * @sev_ret: sev command return code 573 * 574 * Returns: 575 * 0 if the sev successfully processed the command 576 * -%ENODEV if the sev device is not available 577 * -%ENOTSUPP if the sev does not support SEV 578 * -%ETIMEDOUT if the sev command timed out 579 * -%EIO if the sev returned a non-zero return code 580 */ 581 int sev_guest_df_flush(int *error); 582 583 /** 584 * sev_guest_decommission - perform SEV DECOMMISSION command 585 * 586 * @decommission: sev_data_decommission structure to be processed 587 * @sev_ret: sev command return code 588 * 589 * Returns: 590 * 0 if the sev successfully processed the command 591 * -%ENODEV if the sev device is not available 592 * -%ENOTSUPP if the sev does not support SEV 593 * -%ETIMEDOUT if the sev command timed out 594 * -%EIO if the sev returned a non-zero return code 595 */ 596 int sev_guest_decommission(struct sev_data_decommission *data, int *error); 597 598 void *psp_copy_user_blob(u64 __user uaddr, u32 len); 599 600 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ 601 602 static inline int 603 sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } 604 605 static inline int sev_platform_init(int *error) { return -ENODEV; } 606 607 static inline int 608 sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } 609 610 static inline int 611 sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } 612 613 static inline int 614 sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } 615 616 static inline int sev_guest_df_flush(int *error) { return -ENODEV; } 617 618 static inline int 619 sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } 620 621 static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } 622 623 #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ 624 625 #endif /* __PSP_SEV_H__ */