1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AMD Secure Encrypted Virtualization (SEV) driver interface 4 * 5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. 6 * 7 * Author: Brijesh Singh <[email protected]> 8 * 9 * SEV API spec is available at https://developer.amd.com/sev 10 */ 11 12 #ifndef __PSP_SEV_H__ 13 #define __PSP_SEV_H__ 14 15 #include <uapi/linux/psp-sev.h> 16 17 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ 18 19 /** 20 * SEV platform state 21 */ 22 enum sev_state { 23 SEV_STATE_UNINIT = 0x0, 24 SEV_STATE_INIT = 0x1, 25 SEV_STATE_WORKING = 0x2, 26 27 SEV_STATE_MAX 28 }; 29 30 /** 31 * SEV platform and guest management commands 32 */ 33 enum sev_cmd { 34 /* platform commands */ 35 SEV_CMD_INIT = 0x001, 36 SEV_CMD_SHUTDOWN = 0x002, 37 SEV_CMD_FACTORY_RESET = 0x003, 38 SEV_CMD_PLATFORM_STATUS = 0x004, 39 SEV_CMD_PEK_GEN = 0x005, 40 SEV_CMD_PEK_CSR = 0x006, 41 SEV_CMD_PEK_CERT_IMPORT = 0x007, 42 SEV_CMD_PDH_CERT_EXPORT = 0x008, 43 SEV_CMD_PDH_GEN = 0x009, 44 SEV_CMD_DF_FLUSH = 0x00A, 45 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, 46 SEV_CMD_GET_ID = 0x00C, 47 SEV_CMD_INIT_EX = 0x00D, 48 49 /* Guest commands */ 50 SEV_CMD_DECOMMISSION = 0x020, 51 SEV_CMD_ACTIVATE = 0x021, 52 SEV_CMD_DEACTIVATE = 0x022, 53 SEV_CMD_GUEST_STATUS = 0x023, 54 55 /* Guest launch commands */ 56 SEV_CMD_LAUNCH_START = 0x030, 57 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, 58 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, 59 SEV_CMD_LAUNCH_MEASURE = 0x033, 60 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, 61 SEV_CMD_LAUNCH_FINISH = 0x035, 62 SEV_CMD_ATTESTATION_REPORT = 0x036, 63 64 /* Guest migration commands (outgoing) */ 65 SEV_CMD_SEND_START = 0x040, 66 SEV_CMD_SEND_UPDATE_DATA = 0x041, 67 SEV_CMD_SEND_UPDATE_VMSA = 0x042, 68 SEV_CMD_SEND_FINISH = 0x043, 69 SEV_CMD_SEND_CANCEL = 0x044, 70 71 /* Guest migration commands (incoming) */ 72 SEV_CMD_RECEIVE_START = 0x050, 73 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, 74 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, 75 SEV_CMD_RECEIVE_FINISH = 0x053, 76 77 /* Guest debug commands */ 78 SEV_CMD_DBG_DECRYPT = 0x060, 79 SEV_CMD_DBG_ENCRYPT = 0x061, 80 81 SEV_CMD_MAX, 82 }; 83 84 /** 85 * struct sev_data_init - INIT command parameters 86 * 87 * @flags: processing flags 88 * @tmr_address: system physical address used for SEV-ES 89 * @tmr_len: len of tmr_address 90 */ 91 struct sev_data_init { 92 u32 flags; /* In */ 93 u32 reserved; /* In */ 94 u64 tmr_address; /* In */ 95 u32 tmr_len; /* In */ 96 } __packed; 97 98 /** 99 * struct sev_data_init_ex - INIT_EX command parameters 100 * 101 * @length: len of the command buffer read by the PSP 102 * @flags: processing flags 103 * @tmr_address: system physical address used for SEV-ES 104 * @tmr_len: len of tmr_address 105 * @nv_address: system physical address used for PSP NV storage 106 * @nv_len: len of nv_address 107 */ 108 struct sev_data_init_ex { 109 u32 length; /* In */ 110 u32 flags; /* In */ 111 u64 tmr_address; /* In */ 112 u32 tmr_len; /* In */ 113 u32 reserved; /* In */ 114 u64 nv_address; /* In/Out */ 115 u32 nv_len; /* In */ 116 } __packed; 117 118 #define SEV_INIT_FLAGS_SEV_ES 0x01 119 120 /** 121 * struct sev_data_pek_csr - PEK_CSR command parameters 122 * 123 * @address: PEK certificate chain 124 * @len: len of certificate 125 */ 126 struct sev_data_pek_csr { 127 u64 address; /* In */ 128 u32 len; /* In/Out */ 129 } __packed; 130 131 /** 132 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters 133 * 134 * @pek_address: PEK certificate chain 135 * @pek_len: len of PEK certificate 136 * @oca_address: OCA certificate chain 137 * @oca_len: len of OCA certificate 138 */ 139 struct sev_data_pek_cert_import { 140 u64 pek_cert_address; /* In */ 141 u32 pek_cert_len; /* In */ 142 u32 reserved; /* In */ 143 u64 oca_cert_address; /* In */ 144 u32 oca_cert_len; /* In */ 145 } __packed; 146 147 /** 148 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters 149 * 150 * @address: physical address of firmware image 151 * @len: len of the firmware image 152 */ 153 struct sev_data_download_firmware { 154 u64 address; /* In */ 155 u32 len; /* In */ 156 } __packed; 157 158 /** 159 * struct sev_data_get_id - GET_ID command parameters 160 * 161 * @address: physical address of region to place unique CPU ID(s) 162 * @len: len of the region 163 */ 164 struct sev_data_get_id { 165 u64 address; /* In */ 166 u32 len; /* In/Out */ 167 } __packed; 168 /** 169 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters 170 * 171 * @pdh_address: PDH certificate address 172 * @pdh_len: len of PDH certificate 173 * @cert_chain_address: PDH certificate chain 174 * @cert_chain_len: len of PDH certificate chain 175 */ 176 struct sev_data_pdh_cert_export { 177 u64 pdh_cert_address; /* In */ 178 u32 pdh_cert_len; /* In/Out */ 179 u32 reserved; /* In */ 180 u64 cert_chain_address; /* In */ 181 u32 cert_chain_len; /* In/Out */ 182 } __packed; 183 184 /** 185 * struct sev_data_decommission - DECOMMISSION command parameters 186 * 187 * @handle: handle of the VM to decommission 188 */ 189 struct sev_data_decommission { 190 u32 handle; /* In */ 191 } __packed; 192 193 /** 194 * struct sev_data_activate - ACTIVATE command parameters 195 * 196 * @handle: handle of the VM to activate 197 * @asid: asid assigned to the VM 198 */ 199 struct sev_data_activate { 200 u32 handle; /* In */ 201 u32 asid; /* In */ 202 } __packed; 203 204 /** 205 * struct sev_data_deactivate - DEACTIVATE command parameters 206 * 207 * @handle: handle of the VM to deactivate 208 */ 209 struct sev_data_deactivate { 210 u32 handle; /* In */ 211 } __packed; 212 213 /** 214 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters 215 * 216 * @handle: handle of the VM to retrieve status 217 * @policy: policy information for the VM 218 * @asid: current ASID of the VM 219 * @state: current state of the VM 220 */ 221 struct sev_data_guest_status { 222 u32 handle; /* In */ 223 u32 policy; /* Out */ 224 u32 asid; /* Out */ 225 u8 state; /* Out */ 226 } __packed; 227 228 /** 229 * struct sev_data_launch_start - LAUNCH_START command parameters 230 * 231 * @handle: handle assigned to the VM 232 * @policy: guest launch policy 233 * @dh_cert_address: physical address of DH certificate blob 234 * @dh_cert_len: len of DH certificate blob 235 * @session_address: physical address of session parameters 236 * @session_len: len of session parameters 237 */ 238 struct sev_data_launch_start { 239 u32 handle; /* In/Out */ 240 u32 policy; /* In */ 241 u64 dh_cert_address; /* In */ 242 u32 dh_cert_len; /* In */ 243 u32 reserved; /* In */ 244 u64 session_address; /* In */ 245 u32 session_len; /* In */ 246 } __packed; 247 248 /** 249 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter 250 * 251 * @handle: handle of the VM to update 252 * @len: len of memory to be encrypted 253 * @address: physical address of memory region to encrypt 254 */ 255 struct sev_data_launch_update_data { 256 u32 handle; /* In */ 257 u32 reserved; 258 u64 address; /* In */ 259 u32 len; /* In */ 260 } __packed; 261 262 /** 263 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command 264 * 265 * @handle: handle of the VM 266 * @address: physical address of memory region to encrypt 267 * @len: len of memory region to encrypt 268 */ 269 struct sev_data_launch_update_vmsa { 270 u32 handle; /* In */ 271 u32 reserved; 272 u64 address; /* In */ 273 u32 len; /* In */ 274 } __packed; 275 276 /** 277 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters 278 * 279 * @handle: handle of the VM to process 280 * @address: physical address containing the measurement blob 281 * @len: len of measurement blob 282 */ 283 struct sev_data_launch_measure { 284 u32 handle; /* In */ 285 u32 reserved; 286 u64 address; /* In */ 287 u32 len; /* In/Out */ 288 } __packed; 289 290 /** 291 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters 292 * 293 * @handle: handle of the VM to process 294 * @hdr_address: physical address containing the packet header 295 * @hdr_len: len of packet header 296 * @guest_address: system physical address of guest memory region 297 * @guest_len: len of guest_paddr 298 * @trans_address: physical address of transport memory buffer 299 * @trans_len: len of transport memory buffer 300 */ 301 struct sev_data_launch_secret { 302 u32 handle; /* In */ 303 u32 reserved1; 304 u64 hdr_address; /* In */ 305 u32 hdr_len; /* In */ 306 u32 reserved2; 307 u64 guest_address; /* In */ 308 u32 guest_len; /* In */ 309 u32 reserved3; 310 u64 trans_address; /* In */ 311 u32 trans_len; /* In */ 312 } __packed; 313 314 /** 315 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters 316 * 317 * @handle: handle of the VM to process 318 */ 319 struct sev_data_launch_finish { 320 u32 handle; /* In */ 321 } __packed; 322 323 /** 324 * struct sev_data_send_start - SEND_START command parameters 325 * 326 * @handle: handle of the VM to process 327 * @policy: policy information for the VM 328 * @pdh_cert_address: physical address containing PDH certificate 329 * @pdh_cert_len: len of PDH certificate 330 * @plat_certs_address: physical address containing platform certificate 331 * @plat_certs_len: len of platform certificate 332 * @amd_certs_address: physical address containing AMD certificate 333 * @amd_certs_len: len of AMD certificate 334 * @session_address: physical address containing Session data 335 * @session_len: len of session data 336 */ 337 struct sev_data_send_start { 338 u32 handle; /* In */ 339 u32 policy; /* Out */ 340 u64 pdh_cert_address; /* In */ 341 u32 pdh_cert_len; /* In */ 342 u32 reserved1; 343 u64 plat_certs_address; /* In */ 344 u32 plat_certs_len; /* In */ 345 u32 reserved2; 346 u64 amd_certs_address; /* In */ 347 u32 amd_certs_len; /* In */ 348 u32 reserved3; 349 u64 session_address; /* In */ 350 u32 session_len; /* In/Out */ 351 } __packed; 352 353 /** 354 * struct sev_data_send_update - SEND_UPDATE_DATA command 355 * 356 * @handle: handle of the VM to process 357 * @hdr_address: physical address containing packet header 358 * @hdr_len: len of packet header 359 * @guest_address: physical address of guest memory region to send 360 * @guest_len: len of guest memory region to send 361 * @trans_address: physical address of host memory region 362 * @trans_len: len of host memory region 363 */ 364 struct sev_data_send_update_data { 365 u32 handle; /* In */ 366 u32 reserved1; 367 u64 hdr_address; /* In */ 368 u32 hdr_len; /* In/Out */ 369 u32 reserved2; 370 u64 guest_address; /* In */ 371 u32 guest_len; /* In */ 372 u32 reserved3; 373 u64 trans_address; /* In */ 374 u32 trans_len; /* In */ 375 } __packed; 376 377 /** 378 * struct sev_data_send_update - SEND_UPDATE_VMSA command 379 * 380 * @handle: handle of the VM to process 381 * @hdr_address: physical address containing packet header 382 * @hdr_len: len of packet header 383 * @guest_address: physical address of guest memory region to send 384 * @guest_len: len of guest memory region to send 385 * @trans_address: physical address of host memory region 386 * @trans_len: len of host memory region 387 */ 388 struct sev_data_send_update_vmsa { 389 u32 handle; /* In */ 390 u64 hdr_address; /* In */ 391 u32 hdr_len; /* In/Out */ 392 u32 reserved2; 393 u64 guest_address; /* In */ 394 u32 guest_len; /* In */ 395 u32 reserved3; 396 u64 trans_address; /* In */ 397 u32 trans_len; /* In */ 398 } __packed; 399 400 /** 401 * struct sev_data_send_finish - SEND_FINISH command parameters 402 * 403 * @handle: handle of the VM to process 404 */ 405 struct sev_data_send_finish { 406 u32 handle; /* In */ 407 } __packed; 408 409 /** 410 * struct sev_data_send_cancel - SEND_CANCEL command parameters 411 * 412 * @handle: handle of the VM to process 413 */ 414 struct sev_data_send_cancel { 415 u32 handle; /* In */ 416 } __packed; 417 418 /** 419 * struct sev_data_receive_start - RECEIVE_START command parameters 420 * 421 * @handle: handle of the VM to perform receive operation 422 * @pdh_cert_address: system physical address containing PDH certificate blob 423 * @pdh_cert_len: len of PDH certificate blob 424 * @session_address: system physical address containing session blob 425 * @session_len: len of session blob 426 */ 427 struct sev_data_receive_start { 428 u32 handle; /* In/Out */ 429 u32 policy; /* In */ 430 u64 pdh_cert_address; /* In */ 431 u32 pdh_cert_len; /* In */ 432 u32 reserved1; 433 u64 session_address; /* In */ 434 u32 session_len; /* In */ 435 } __packed; 436 437 /** 438 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters 439 * 440 * @handle: handle of the VM to update 441 * @hdr_address: physical address containing packet header blob 442 * @hdr_len: len of packet header 443 * @guest_address: system physical address of guest memory region 444 * @guest_len: len of guest memory region 445 * @trans_address: system physical address of transport buffer 446 * @trans_len: len of transport buffer 447 */ 448 struct sev_data_receive_update_data { 449 u32 handle; /* In */ 450 u32 reserved1; 451 u64 hdr_address; /* In */ 452 u32 hdr_len; /* In */ 453 u32 reserved2; 454 u64 guest_address; /* In */ 455 u32 guest_len; /* In */ 456 u32 reserved3; 457 u64 trans_address; /* In */ 458 u32 trans_len; /* In */ 459 } __packed; 460 461 /** 462 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters 463 * 464 * @handle: handle of the VM to update 465 * @hdr_address: physical address containing packet header blob 466 * @hdr_len: len of packet header 467 * @guest_address: system physical address of guest memory region 468 * @guest_len: len of guest memory region 469 * @trans_address: system physical address of transport buffer 470 * @trans_len: len of transport buffer 471 */ 472 struct sev_data_receive_update_vmsa { 473 u32 handle; /* In */ 474 u32 reserved1; 475 u64 hdr_address; /* In */ 476 u32 hdr_len; /* In */ 477 u32 reserved2; 478 u64 guest_address; /* In */ 479 u32 guest_len; /* In */ 480 u32 reserved3; 481 u64 trans_address; /* In */ 482 u32 trans_len; /* In */ 483 } __packed; 484 485 /** 486 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters 487 * 488 * @handle: handle of the VM to finish 489 */ 490 struct sev_data_receive_finish { 491 u32 handle; /* In */ 492 } __packed; 493 494 /** 495 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 496 * 497 * @handle: handle of the VM to perform debug operation 498 * @src_addr: source address of data to operate on 499 * @dst_addr: destination address of data to operate on 500 * @len: len of data to operate on 501 */ 502 struct sev_data_dbg { 503 u32 handle; /* In */ 504 u32 reserved; 505 u64 src_addr; /* In */ 506 u64 dst_addr; /* In */ 507 u32 len; /* In */ 508 } __packed; 509 510 /** 511 * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters 512 * 513 * @handle: handle of the VM 514 * @mnonce: a random nonce that will be included in the report. 515 * @address: physical address where the report will be copied. 516 * @len: length of the physical buffer. 517 */ 518 struct sev_data_attestation_report { 519 u32 handle; /* In */ 520 u32 reserved; 521 u64 address; /* In */ 522 u8 mnonce[16]; /* In */ 523 u32 len; /* In/Out */ 524 } __packed; 525 526 #ifdef CONFIG_CRYPTO_DEV_SP_PSP 527 528 /** 529 * sev_platform_init - perform SEV INIT command 530 * 531 * @error: SEV command return code 532 * 533 * Returns: 534 * 0 if the SEV successfully processed the command 535 * -%ENODEV if the SEV device is not available 536 * -%ENOTSUPP if the SEV does not support SEV 537 * -%ETIMEDOUT if the SEV command timed out 538 * -%EIO if the SEV returned a non-zero return code 539 */ 540 int sev_platform_init(int *error); 541 542 /** 543 * sev_platform_status - perform SEV PLATFORM_STATUS command 544 * 545 * @status: sev_user_data_status structure to be processed 546 * @error: SEV command return code 547 * 548 * Returns: 549 * 0 if the SEV successfully processed the command 550 * -%ENODEV if the SEV device is not available 551 * -%ENOTSUPP if the SEV does not support SEV 552 * -%ETIMEDOUT if the SEV command timed out 553 * -%EIO if the SEV returned a non-zero return code 554 */ 555 int sev_platform_status(struct sev_user_data_status *status, int *error); 556 557 /** 558 * sev_issue_cmd_external_user - issue SEV command by other driver with a file 559 * handle. 560 * 561 * This function can be used by other drivers to issue a SEV command on 562 * behalf of userspace. The caller must pass a valid SEV file descriptor 563 * so that we know that it has access to SEV device. 564 * 565 * @filep - SEV device file pointer 566 * @cmd - command to issue 567 * @data - command buffer 568 * @error: SEV command return code 569 * 570 * Returns: 571 * 0 if the SEV successfully processed the command 572 * -%ENODEV if the SEV device is not available 573 * -%ENOTSUPP if the SEV does not support SEV 574 * -%ETIMEDOUT if the SEV command timed out 575 * -%EIO if the SEV returned a non-zero return code 576 * -%EINVAL if the SEV file descriptor is not valid 577 */ 578 int sev_issue_cmd_external_user(struct file *filep, unsigned int id, 579 void *data, int *error); 580 581 /** 582 * sev_guest_deactivate - perform SEV DEACTIVATE command 583 * 584 * @deactivate: sev_data_deactivate structure to be processed 585 * @sev_ret: sev command return code 586 * 587 * Returns: 588 * 0 if the sev successfully processed the command 589 * -%ENODEV if the sev device is not available 590 * -%ENOTSUPP if the sev does not support SEV 591 * -%ETIMEDOUT if the sev command timed out 592 * -%EIO if the sev returned a non-zero return code 593 */ 594 int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); 595 596 /** 597 * sev_guest_activate - perform SEV ACTIVATE command 598 * 599 * @activate: sev_data_activate structure to be processed 600 * @sev_ret: sev command return code 601 * 602 * Returns: 603 * 0 if the sev successfully processed the command 604 * -%ENODEV if the sev device is not available 605 * -%ENOTSUPP if the sev does not support SEV 606 * -%ETIMEDOUT if the sev command timed out 607 * -%EIO if the sev returned a non-zero return code 608 */ 609 int sev_guest_activate(struct sev_data_activate *data, int *error); 610 611 /** 612 * sev_guest_df_flush - perform SEV DF_FLUSH command 613 * 614 * @sev_ret: sev command return code 615 * 616 * Returns: 617 * 0 if the sev successfully processed the command 618 * -%ENODEV if the sev device is not available 619 * -%ENOTSUPP if the sev does not support SEV 620 * -%ETIMEDOUT if the sev command timed out 621 * -%EIO if the sev returned a non-zero return code 622 */ 623 int sev_guest_df_flush(int *error); 624 625 /** 626 * sev_guest_decommission - perform SEV DECOMMISSION command 627 * 628 * @decommission: sev_data_decommission structure to be processed 629 * @sev_ret: sev command return code 630 * 631 * Returns: 632 * 0 if the sev successfully processed the command 633 * -%ENODEV if the sev device is not available 634 * -%ENOTSUPP if the sev does not support SEV 635 * -%ETIMEDOUT if the sev command timed out 636 * -%EIO if the sev returned a non-zero return code 637 */ 638 int sev_guest_decommission(struct sev_data_decommission *data, int *error); 639 640 void *psp_copy_user_blob(u64 uaddr, u32 len); 641 642 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ 643 644 static inline int 645 sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } 646 647 static inline int sev_platform_init(int *error) { return -ENODEV; } 648 649 static inline int 650 sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } 651 652 static inline int 653 sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } 654 655 static inline int 656 sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } 657 658 static inline int sev_guest_df_flush(int *error) { return -ENODEV; } 659 660 static inline int 661 sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } 662 663 static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } 664 665 #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ 666 667 #endif /* __PSP_SEV_H__ */ 668