1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * AMD Secure Encrypted Virtualization (SEV) driver interface
4 *
5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
6 *
7 * Author: Brijesh Singh <brijesh.singh@amd.com>
8 *
9 * SEV API spec is available at https://developer.amd.com/sev
10 */
11
12 #ifndef __PSP_SEV_H__
13 #define __PSP_SEV_H__
14
15 #include <uapi/linux/psp-sev.h>
16
17 #ifdef CONFIG_X86
18 #include <linux/mem_encrypt.h>
19
20 #define __psp_pa(x) __sme_pa(x)
21 #else
22 #define __psp_pa(x) __pa(x)
23 #endif
24
25 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */
26
27 /**
28 * SEV platform state
29 */
30 enum sev_state {
31 SEV_STATE_UNINIT = 0x0,
32 SEV_STATE_INIT = 0x1,
33 SEV_STATE_WORKING = 0x2,
34
35 SEV_STATE_MAX
36 };
37
38 /**
39 * SEV platform and guest management commands
40 */
41 enum sev_cmd {
42 /* platform commands */
43 SEV_CMD_INIT = 0x001,
44 SEV_CMD_SHUTDOWN = 0x002,
45 SEV_CMD_FACTORY_RESET = 0x003,
46 SEV_CMD_PLATFORM_STATUS = 0x004,
47 SEV_CMD_PEK_GEN = 0x005,
48 SEV_CMD_PEK_CSR = 0x006,
49 SEV_CMD_PEK_CERT_IMPORT = 0x007,
50 SEV_CMD_PDH_CERT_EXPORT = 0x008,
51 SEV_CMD_PDH_GEN = 0x009,
52 SEV_CMD_DF_FLUSH = 0x00A,
53 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B,
54 SEV_CMD_GET_ID = 0x00C,
55
56 /* Guest commands */
57 SEV_CMD_DECOMMISSION = 0x020,
58 SEV_CMD_ACTIVATE = 0x021,
59 SEV_CMD_DEACTIVATE = 0x022,
60 SEV_CMD_GUEST_STATUS = 0x023,
61
62 /* Guest launch commands */
63 SEV_CMD_LAUNCH_START = 0x030,
64 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031,
65 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032,
66 SEV_CMD_LAUNCH_MEASURE = 0x033,
67 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034,
68 SEV_CMD_LAUNCH_FINISH = 0x035,
69
70 /* Guest migration commands (outgoing) */
71 SEV_CMD_SEND_START = 0x040,
72 SEV_CMD_SEND_UPDATE_DATA = 0x041,
73 SEV_CMD_SEND_UPDATE_VMSA = 0x042,
74 SEV_CMD_SEND_FINISH = 0x043,
75
76 /* Guest migration commands (incoming) */
77 SEV_CMD_RECEIVE_START = 0x050,
78 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051,
79 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052,
80 SEV_CMD_RECEIVE_FINISH = 0x053,
81
82 /* Guest debug commands */
83 SEV_CMD_DBG_DECRYPT = 0x060,
84 SEV_CMD_DBG_ENCRYPT = 0x061,
85
86 SEV_CMD_MAX,
87 };
88
89 /**
90 * struct sev_data_init - INIT command parameters
91 *
92 * @flags: processing flags
93 * @tmr_address: system physical address used for SEV-ES
94 * @tmr_len: len of tmr_address
95 */
96 struct sev_data_init {
97 u32 flags; /* In */
98 u32 reserved; /* In */
99 u64 tmr_address; /* In */
100 u32 tmr_len; /* In */
101 } __packed;
102
103 /**
104 * struct sev_data_pek_csr - PEK_CSR command parameters
105 *
106 * @address: PEK certificate chain
107 * @len: len of certificate
108 */
109 struct sev_data_pek_csr {
110 u64 address; /* In */
111 u32 len; /* In/Out */
112 } __packed;
113
114 /**
115 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters
116 *
117 * @pek_address: PEK certificate chain
118 * @pek_len: len of PEK certificate
119 * @oca_address: OCA certificate chain
120 * @oca_len: len of OCA certificate
121 */
122 struct sev_data_pek_cert_import {
123 u64 pek_cert_address; /* In */
124 u32 pek_cert_len; /* In */
125 u32 reserved; /* In */
126 u64 oca_cert_address; /* In */
127 u32 oca_cert_len; /* In */
128 } __packed;
129
130 /**
131 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters
132 *
133 * @address: physical address of firmware image
134 * @len: len of the firmware image
135 */
136 struct sev_data_download_firmware {
137 u64 address; /* In */
138 u32 len; /* In */
139 } __packed;
140
141 /**
142 * struct sev_data_get_id - GET_ID command parameters
143 *
144 * @address: physical address of region to place unique CPU ID(s)
145 * @len: len of the region
146 */
147 struct sev_data_get_id {
148 u64 address; /* In */
149 u32 len; /* In/Out */
150 } __packed;
151 /**
152 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
153 *
154 * @pdh_address: PDH certificate address
155 * @pdh_len: len of PDH certificate
156 * @cert_chain_address: PDH certificate chain
157 * @cert_chain_len: len of PDH certificate chain
158 */
159 struct sev_data_pdh_cert_export {
160 u64 pdh_cert_address; /* In */
161 u32 pdh_cert_len; /* In/Out */
162 u32 reserved; /* In */
163 u64 cert_chain_address; /* In */
164 u32 cert_chain_len; /* In/Out */
165 } __packed;
166
167 /**
168 * struct sev_data_decommission - DECOMMISSION command parameters
169 *
170 * @handle: handle of the VM to decommission
171 */
172 struct sev_data_decommission {
173 u32 handle; /* In */
174 } __packed;
175
176 /**
177 * struct sev_data_activate - ACTIVATE command parameters
178 *
179 * @handle: handle of the VM to activate
180 * @asid: asid assigned to the VM
181 */
182 struct sev_data_activate {
183 u32 handle; /* In */
184 u32 asid; /* In */
185 } __packed;
186
187 /**
188 * struct sev_data_deactivate - DEACTIVATE command parameters
189 *
190 * @handle: handle of the VM to deactivate
191 */
192 struct sev_data_deactivate {
193 u32 handle; /* In */
194 } __packed;
195
196 /**
197 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters
198 *
199 * @handle: handle of the VM to retrieve status
200 * @policy: policy information for the VM
201 * @asid: current ASID of the VM
202 * @state: current state of the VM
203 */
204 struct sev_data_guest_status {
205 u32 handle; /* In */
206 u32 policy; /* Out */
207 u32 asid; /* Out */
208 u8 state; /* Out */
209 } __packed;
210
211 /**
212 * struct sev_data_launch_start - LAUNCH_START command parameters
213 *
214 * @handle: handle assigned to the VM
215 * @policy: guest launch policy
216 * @dh_cert_address: physical address of DH certificate blob
217 * @dh_cert_len: len of DH certificate blob
218 * @session_address: physical address of session parameters
219 * @session_len: len of session parameters
220 */
221 struct sev_data_launch_start {
222 u32 handle; /* In/Out */
223 u32 policy; /* In */
224 u64 dh_cert_address; /* In */
225 u32 dh_cert_len; /* In */
226 u32 reserved; /* In */
227 u64 session_address; /* In */
228 u32 session_len; /* In */
229 } __packed;
230
231 /**
232 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter
233 *
234 * @handle: handle of the VM to update
235 * @len: len of memory to be encrypted
236 * @address: physical address of memory region to encrypt
237 */
238 struct sev_data_launch_update_data {
239 u32 handle; /* In */
240 u32 reserved;
241 u64 address; /* In */
242 u32 len; /* In */
243 } __packed;
244
245 /**
246 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command
247 *
248 * @handle: handle of the VM
249 * @address: physical address of memory region to encrypt
250 * @len: len of memory region to encrypt
251 */
252 struct sev_data_launch_update_vmsa {
253 u32 handle; /* In */
254 u32 reserved;
255 u64 address; /* In */
256 u32 len; /* In */
257 } __packed;
258
259 /**
260 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters
261 *
262 * @handle: handle of the VM to process
263 * @address: physical address containing the measurement blob
264 * @len: len of measurement blob
265 */
266 struct sev_data_launch_measure {
267 u32 handle; /* In */
268 u32 reserved;
269 u64 address; /* In */
270 u32 len; /* In/Out */
271 } __packed;
272
273 /**
274 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters
275 *
276 * @handle: handle of the VM to process
277 * @hdr_address: physical address containing the packet header
278 * @hdr_len: len of packet header
279 * @guest_address: system physical address of guest memory region
280 * @guest_len: len of guest_paddr
281 * @trans_address: physical address of transport memory buffer
282 * @trans_len: len of transport memory buffer
283 */
284 struct sev_data_launch_secret {
285 u32 handle; /* In */
286 u32 reserved1;
287 u64 hdr_address; /* In */
288 u32 hdr_len; /* In */
289 u32 reserved2;
290 u64 guest_address; /* In */
291 u32 guest_len; /* In */
292 u32 reserved3;
293 u64 trans_address; /* In */
294 u32 trans_len; /* In */
295 } __packed;
296
297 /**
298 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters
299 *
300 * @handle: handle of the VM to process
301 */
302 struct sev_data_launch_finish {
303 u32 handle; /* In */
304 } __packed;
305
306 /**
307 * struct sev_data_send_start - SEND_START command parameters
308 *
309 * @handle: handle of the VM to process
310 * @policy: policy information for the VM
311 * @pdh_cert_address: physical address containing PDH certificate
312 * @pdh_cert_len: len of PDH certificate
313 * @plat_certs_address: physical address containing platform certificate
314 * @plat_certs_len: len of platform certificate
315 * @amd_certs_address: physical address containing AMD certificate
316 * @amd_certs_len: len of AMD certificate
317 * @session_address: physical address containing Session data
318 * @session_len: len of session data
319 */
320 struct sev_data_send_start {
321 u32 handle; /* In */
322 u32 policy; /* Out */
323 u64 pdh_cert_address; /* In */
324 u32 pdh_cert_len; /* In */
325 u32 reserved1;
326 u64 plat_cert_address; /* In */
327 u32 plat_cert_len; /* In */
328 u32 reserved2;
329 u64 amd_cert_address; /* In */
330 u32 amd_cert_len; /* In */
331 u32 reserved3;
332 u64 session_address; /* In */
333 u32 session_len; /* In/Out */
334 } __packed;
335
336 /**
337 * struct sev_data_send_update - SEND_UPDATE_DATA command
338 *
339 * @handle: handle of the VM to process
340 * @hdr_address: physical address containing packet header
341 * @hdr_len: len of packet header
342 * @guest_address: physical address of guest memory region to send
343 * @guest_len: len of guest memory region to send
344 * @trans_address: physical address of host memory region
345 * @trans_len: len of host memory region
346 */
347 struct sev_data_send_update_data {
348 u32 handle; /* In */
349 u32 reserved1;
350 u64 hdr_address; /* In */
351 u32 hdr_len; /* In/Out */
352 u32 reserved2;
353 u64 guest_address; /* In */
354 u32 guest_len; /* In */
355 u32 reserved3;
356 u64 trans_address; /* In */
357 u32 trans_len; /* In */
358 } __packed;
359
360 /**
361 * struct sev_data_send_update - SEND_UPDATE_VMSA command
362 *
363 * @handle: handle of the VM to process
364 * @hdr_address: physical address containing packet header
365 * @hdr_len: len of packet header
366 * @guest_address: physical address of guest memory region to send
367 * @guest_len: len of guest memory region to send
368 * @trans_address: physical address of host memory region
369 * @trans_len: len of host memory region
370 */
371 struct sev_data_send_update_vmsa {
372 u32 handle; /* In */
373 u64 hdr_address; /* In */
374 u32 hdr_len; /* In/Out */
375 u32 reserved2;
376 u64 guest_address; /* In */
377 u32 guest_len; /* In */
378 u32 reserved3;
379 u64 trans_address; /* In */
380 u32 trans_len; /* In */
381 } __packed;
382
383 /**
384 * struct sev_data_send_finish - SEND_FINISH command parameters
385 *
386 * @handle: handle of the VM to process
387 */
388 struct sev_data_send_finish {
389 u32 handle; /* In */
390 } __packed;
391
392 /**
393 * struct sev_data_receive_start - RECEIVE_START command parameters
394 *
395 * @handle: handle of the VM to perform receive operation
396 * @pdh_cert_address: system physical address containing PDH certificate blob
397 * @pdh_cert_len: len of PDH certificate blob
398 * @session_address: system physical address containing session blob
399 * @session_len: len of session blob
400 */
401 struct sev_data_receive_start {
402 u32 handle; /* In/Out */
403 u32 policy; /* In */
404 u64 pdh_cert_address; /* In */
405 u32 pdh_cert_len; /* In */
406 u32 reserved1;
407 u64 session_address; /* In */
408 u32 session_len; /* In */
409 } __packed;
410
411 /**
412 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters
413 *
414 * @handle: handle of the VM to update
415 * @hdr_address: physical address containing packet header blob
416 * @hdr_len: len of packet header
417 * @guest_address: system physical address of guest memory region
418 * @guest_len: len of guest memory region
419 * @trans_address: system physical address of transport buffer
420 * @trans_len: len of transport buffer
421 */
422 struct sev_data_receive_update_data {
423 u32 handle; /* In */
424 u32 reserved1;
425 u64 hdr_address; /* In */
426 u32 hdr_len; /* In */
427 u32 reserved2;
428 u64 guest_address; /* In */
429 u32 guest_len; /* In */
430 u32 reserved3;
431 u64 trans_address; /* In */
432 u32 trans_len; /* In */
433 } __packed;
434
435 /**
436 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters
437 *
438 * @handle: handle of the VM to update
439 * @hdr_address: physical address containing packet header blob
440 * @hdr_len: len of packet header
441 * @guest_address: system physical address of guest memory region
442 * @guest_len: len of guest memory region
443 * @trans_address: system physical address of transport buffer
444 * @trans_len: len of transport buffer
445 */
446 struct sev_data_receive_update_vmsa {
447 u32 handle; /* In */
448 u32 reserved1;
449 u64 hdr_address; /* In */
450 u32 hdr_len; /* In */
451 u32 reserved2;
452 u64 guest_address; /* In */
453 u32 guest_len; /* In */
454 u32 reserved3;
455 u64 trans_address; /* In */
456 u32 trans_len; /* In */
457 } __packed;
458
459 /**
460 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters
461 *
462 * @handle: handle of the VM to finish
463 */
464 struct sev_data_receive_finish {
465 u32 handle; /* In */
466 } __packed;
467
468 /**
469 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
470 *
471 * @handle: handle of the VM to perform debug operation
472 * @src_addr: source address of data to operate on
473 * @dst_addr: destination address of data to operate on
474 * @len: len of data to operate on
475 */
476 struct sev_data_dbg {
477 u32 handle; /* In */
478 u32 reserved;
479 u64 src_addr; /* In */
480 u64 dst_addr; /* In */
481 u32 len; /* In */
482 } __packed;
483
484 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
485
486 /**
487 * sev_platform_init - perform SEV INIT command
488 *
489 * @error: SEV command return code
490 *
491 * Returns:
492 * 0 if the SEV successfully processed the command
493 * -%ENODEV if the SEV device is not available
494 * -%ENOTSUPP if the SEV does not support SEV
495 * -%ETIMEDOUT if the SEV command timed out
496 * -%EIO if the SEV returned a non-zero return code
497 */
498 int sev_platform_init(int *error);
499
500 /**
501 * sev_platform_status - perform SEV PLATFORM_STATUS command
502 *
503 * @status: sev_user_data_status structure to be processed
504 * @error: SEV command return code
505 *
506 * Returns:
507 * 0 if the SEV successfully processed the command
508 * -%ENODEV if the SEV device is not available
509 * -%ENOTSUPP if the SEV does not support SEV
510 * -%ETIMEDOUT if the SEV command timed out
511 * -%EIO if the SEV returned a non-zero return code
512 */
513 int sev_platform_status(struct sev_user_data_status *status, int *error);
514
515 /**
516 * sev_issue_cmd_external_user - issue SEV command by other driver with a file
517 * handle.
518 *
519 * This function can be used by other drivers to issue a SEV command on
520 * behalf of userspace. The caller must pass a valid SEV file descriptor
521 * so that we know that it has access to SEV device.
522 *
523 * @filep - SEV device file pointer
524 * @cmd - command to issue
525 * @data - command buffer
526 * @error: SEV command return code
527 *
528 * Returns:
529 * 0 if the SEV successfully processed the command
530 * -%ENODEV if the SEV device is not available
531 * -%ENOTSUPP if the SEV does not support SEV
532 * -%ETIMEDOUT if the SEV command timed out
533 * -%EIO if the SEV returned a non-zero return code
534 * -%EINVAL if the SEV file descriptor is not valid
535 */
536 int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
537 void *data, int *error);
538
539 /**
540 * sev_guest_deactivate - perform SEV DEACTIVATE command
541 *
542 * @deactivate: sev_data_deactivate structure to be processed
543 * @sev_ret: sev command return code
544 *
545 * Returns:
546 * 0 if the sev successfully processed the command
547 * -%ENODEV if the sev device is not available
548 * -%ENOTSUPP if the sev does not support SEV
549 * -%ETIMEDOUT if the sev command timed out
550 * -%EIO if the sev returned a non-zero return code
551 */
552 int sev_guest_deactivate(struct sev_data_deactivate *data, int *error);
553
554 /**
555 * sev_guest_activate - perform SEV ACTIVATE command
556 *
557 * @activate: sev_data_activate structure to be processed
558 * @sev_ret: sev command return code
559 *
560 * Returns:
561 * 0 if the sev successfully processed the command
562 * -%ENODEV if the sev device is not available
563 * -%ENOTSUPP if the sev does not support SEV
564 * -%ETIMEDOUT if the sev command timed out
565 * -%EIO if the sev returned a non-zero return code
566 */
567 int sev_guest_activate(struct sev_data_activate *data, int *error);
568
569 /**
570 * sev_guest_df_flush - perform SEV DF_FLUSH command
571 *
572 * @sev_ret: sev command return code
573 *
574 * Returns:
575 * 0 if the sev successfully processed the command
576 * -%ENODEV if the sev device is not available
577 * -%ENOTSUPP if the sev does not support SEV
578 * -%ETIMEDOUT if the sev command timed out
579 * -%EIO if the sev returned a non-zero return code
580 */
581 int sev_guest_df_flush(int *error);
582
583 /**
584 * sev_guest_decommission - perform SEV DECOMMISSION command
585 *
586 * @decommission: sev_data_decommission structure to be processed
587 * @sev_ret: sev command return code
588 *
589 * Returns:
590 * 0 if the sev successfully processed the command
591 * -%ENODEV if the sev device is not available
592 * -%ENOTSUPP if the sev does not support SEV
593 * -%ETIMEDOUT if the sev command timed out
594 * -%EIO if the sev returned a non-zero return code
595 */
596 int sev_guest_decommission(struct sev_data_decommission *data, int *error);
597
598 void *psp_copy_user_blob(u64 __user uaddr, u32 len);
599
600 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */
601
602 static inline int
603 sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; }
604
605 static inline int sev_platform_init(int *error) { return -ENODEV; }
606
607 static inline int
608 sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; }
609
610 static inline int
611 sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; }
612
613 static inline int
614 sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; }
615
616 static inline int sev_guest_df_flush(int *error) { return -ENODEV; }
617
618 static inline int
619 sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; }
620
621 static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); }
622
623 #endif /* CONFIG_CRYPTO_DEV_SP_PSP */
624
625 #endif /* __PSP_SEV_H__ */