Commit 0f13b863 authored by hanliyang's avatar hanliyang

KVM: x86: Support VM_ATTESTATION hypercall

hygon inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I98W95


CVE: NA

---------------------------

When a SEV guest wants to collect the attestation report, it cannot communicate
with the PSP directly. Add the VM_ATTESTATION hypercall to let the SEV guest ask
the host to fetch the attestation report on its behalf. Since SEV guest memory is
encrypted, the host cannot tamper with the report data.

Signed-off-by: default avatarhanliyang <hanliyang@hygon.cn>
parent 7f1817c1
+1 −0
@@ -136,6 +136,7 @@ KVM_X86_OP(complete_emulated_msr)
KVM_X86_OP(vcpu_deliver_sipi_vector)
KVM_X86_OP_OPTIONAL_RET0(vcpu_get_apicv_inhibit_reasons);
KVM_X86_OP_OPTIONAL(get_untagged_addr)
KVM_X86_OP_OPTIONAL(vm_attestation)

#undef KVM_X86_OP
#undef KVM_X86_OP_OPTIONAL
+5 −0
@@ -1771,6 +1771,11 @@ struct kvm_x86_ops {
	unsigned long (*vcpu_get_apicv_inhibit_reasons)(struct kvm_vcpu *vcpu);

	gva_t (*get_untagged_addr)(struct kvm_vcpu *vcpu, gva_t gva, unsigned int flags);

	/*
	 * Attestation interface for HYGON CSV guest
	 */
	int (*vm_attestation)(struct kvm *kvm, unsigned long gpa, unsigned long len);
};

struct kvm_x86_nested_ops {
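Review bot: The new `vm_attestation` op declared under the "Attestation interface for HYGON CSV guest" comment carries no contract for its arguments or return value, so other vendor code has to read csv.c to learn what `gpa` and `len` must be. Expand the comment to `/* Attestation interface for HYGON CSV guest: @gpa is the page-aligned guest-physical start of the report buffer, @len its size in bytes (a multiple of PAGE_SIZE); returns 0 or a negative errno, -ENOTTY when the VM is not a CSV guest. */`. Those requirements are what the csv.c implementation in this commit enforces, so the comment should be kept in step with that file.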
+2 −0
@@ -33,6 +33,8 @@ ifdef CONFIG_HYPERV
kvm-amd-y		+= svm/svm_onhyperv.o
endif

kvm-amd-$(CONFIG_HYGON_CSV)	+= svm/csv.o

obj-$(CONFIG_KVM)	+= kvm.o
obj-$(CONFIG_KVM_INTEL)	+= kvm-intel.o
obj-$(CONFIG_KVM_AMD)	+= kvm-amd.o

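--- /dev/null
+++ b/arch/x86/kvm/svm/csv.c
@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * CSV driver for KVM
+ *
+ * HYGON CSV support
+ *
+ * Copyright (C) Hygon Info Technologies Ltd.
+ */
+
+#include <linux/kvm_host.h>
+#include <linux/psp-sev.h>
+#include <linux/psp-hygon.h>
+#include <linux/memory.h>
+#include <linux/kvm_types.h>
+#include <asm/cacheflush.h>
+#include "kvm_cache_regs.h"
+#include "svm.h"
+#include "csv.h"
+#include "x86.h"
+
+#undef  pr_fmt
+#define pr_fmt(fmt) "CSV: " fmt
+
+/* Function and variable pointers for hooks */
+struct hygon_kvm_hooks_table hygon_kvm_hooks;
+
+static struct kvm_x86_ops csv_x86_ops;
+static const char csv_vm_mnonce[] = "VM_ATTESTATION";
+
+int csv_vm_attestation(struct kvm *kvm, unsigned long gpa, unsigned long len)
+{
+	struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+	struct sev_data_attestation_report *data = NULL;
+	struct page **pages;
+	unsigned long guest_uaddr, n;
+	int ret = 0, offset, error;
+
+	if (!sev_guest(kvm) || !hygon_kvm_hooks.sev_hooks_installed)
+		return -ENOTTY;
+
+	/*
+	 * The physical address of guest must valid and page aligned, and
+	 * the length of guest memory region must be page size aligned.
+	 */
+	if (!gpa || (gpa & ~PAGE_MASK) || (len & ~PAGE_MASK)) {
+		pr_err("invalid guest address or length\n");
+		return -EFAULT;
+	}
+
+	guest_uaddr = gfn_to_hva(kvm, gpa_to_gfn(gpa));
+	pages = hygon_kvm_hooks.sev_pin_memory(kvm, guest_uaddr, len, &n, 1);
+	if (IS_ERR(pages))
+		return PTR_ERR(pages);
+
+	/*
+	 * The attestation report must be copied into contiguous memory region,
+	 * lets verify that userspace memory pages are contiguous before we
+	 * issue commmand.
+	 */
+	if (hygon_kvm_hooks.get_num_contig_pages(0, pages, n) != n) {
+		ret = -EINVAL;
+		goto e_unpin_memory;
+	}
+
+	ret = -ENOMEM;
+	data = kzalloc(sizeof(*data), GFP_KERNEL);
+	if (!data)
+		goto e_unpin_memory;
+
+	/* csv_vm_mnonce indicates attestation request from guest */
+	if (sizeof(csv_vm_mnonce) >= sizeof(data->mnonce)) {
+		ret = -EINVAL;
+		goto e_free;
+	}
+
+	memcpy(data->mnonce, csv_vm_mnonce, sizeof(csv_vm_mnonce));
+
+	offset = guest_uaddr & (PAGE_SIZE - 1);
+	data->address = __sme_page_pa(pages[0]) + offset;
+	data->len = len;
+
+	data->handle = sev->handle;
+	ret = hygon_kvm_hooks.sev_issue_cmd(kvm, SEV_CMD_ATTESTATION_REPORT,
+					    data, &error);
+
+	if (ret)
+		pr_err("vm attestation ret %#x, error %#x\n", ret, error);
+
+e_free:
+	kfree(data);
+e_unpin_memory:
+	hygon_kvm_hooks.sev_unpin_memory(kvm, pages, n);
+	return ret;
+}
+
+void csv_exit(void)
+{
+}
+
+void __init csv_init(struct kvm_x86_ops *ops)
+{
+	/*
+	 * Hygon CSV is indicated by X86_FEATURE_SEV, return directly if CSV
+	 * is unsupported.
+	 */
+	if (!boot_cpu_has(X86_FEATURE_SEV))
+		return;
+
+	memcpy(&csv_x86_ops, ops, sizeof(struct kvm_x86_ops));
+
+	ops->vm_attestation = csv_vm_attestation;
+}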
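Review bot: `csv_vm_attestation` translates only the first page with `gfn_to_hva()` and then pins `len` bytes from that HVA, so a guest-chosen range that runs past the end of its memslot pins host userspace memory that does not back that guest range, and a failed translation is never checked with `kvm_is_error_hva()` before the pin call. Bound `gpa + len` to the memslot and reject a bad HVA before calling `sev_pin_memory` as below; `len == 0` and `gpa + len` wrapping also pass the alignment check on the `if (!gpa || ...)` line and are worth rejecting here rather than relying on the pin hook. `error` is printed on the failure path but is only written by the `sev_issue_cmd` hook, so initialise it (`int ret = 0, offset, error = 0;`) in case the hook fails before reaching the firmware. `data->len` is assigned from an `unsigned long`; if the firmware structure's `len` field is narrower, an explicit upper bound on `len` also prevents silent truncation.
```c
	struct kvm_memory_slot *slot;
	/* … unchanged: other declarations, sev_guest() and alignment checks … */

	if (!len || gpa + len < gpa)
		return -EFAULT;

	slot = gfn_to_memslot(kvm, gpa_to_gfn(gpa));
	if (!slot || gpa_to_gfn(gpa + len) > slot->base_gfn + slot->npages)
		return -EFAULT;

	guest_uaddr = gfn_to_hva_memslot(slot, gpa_to_gfn(gpa));
	if (kvm_is_error_hva(guest_uaddr))
		return -EFAULT;

	pages = hygon_kvm_hooks.sev_pin_memory(kvm, guest_uaddr, len, &n, 1);
	/* … unchanged: contiguity check, command issue, cleanup … */
```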
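--- /dev/null
+++ b/arch/x86/kvm/svm/csv.h
@@ -0,0 +1,44 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * CSV driver for KVM
+ *
+ * HYGON CSV support
+ *
+ * Copyright (C) Hygon Info Technologies Ltd.
+ */
+
+#ifndef __SVM_CSV_H
+#define __SVM_CSV_H
+
+#include <asm/processor-hygon.h>
+
+#ifdef CONFIG_HYGON_CSV
+
+/*
+ * Hooks table: a table of function and variable pointers filled in
+ * when module init.
+ */
+extern struct hygon_kvm_hooks_table {
+	bool sev_hooks_installed;
+	int (*sev_issue_cmd)(struct kvm *kvm, int id, void *data, int *error);
+	unsigned long (*get_num_contig_pages)(unsigned long idx,
+					      struct page **inpages,
+					      unsigned long npages);
+	struct page **(*sev_pin_memory)(struct kvm *kvm, unsigned long uaddr,
+					unsigned long ulen, unsigned long *n,
+					int write);
+	void (*sev_unpin_memory)(struct kvm *kvm, struct page **pages,
+				 unsigned long npages);
+} hygon_kvm_hooks;
+
+void __init csv_init(struct kvm_x86_ops *ops);
+void csv_exit(void);
+
+#else	/* !CONFIG_HYGON_CSV */
+
+static inline void __init csv_init(struct kvm_x86_ops *ops) { }
+static inline void csv_exit(void) { }
+
+#endif	/* CONFIG_HYGON_CSV */
+
+#endif	/* __SVM_CSV_H */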
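Review bot: The comment above `struct hygon_kvm_hooks_table` says the table is "filled in when module init" but not by whom, from which context, or whether `sev_hooks_installed` is guaranteed to be set only after every function pointer has been stored, and csv.c tests that flag and then calls through the pointers. If the table is populated at runtime by another module while guests can already run, a reader could see the flag set before the pointers unless the writer publishes with `smp_store_release()` and the reader uses `smp_load_acquire()`; if it is filled once before any guest runs, state that in the comment, e.g. `/* Filled by the SEV core at init; sev_hooks_installed is set last, after every function pointer is valid */`, so the plain bool read in csv.c is visibly justified. Separately, `csv_vm_attestation` is defined with external linkage in csv.c but is not declared here; either add `int csv_vm_attestation(struct kvm *kvm, unsigned long gpa, unsigned long len);` under `CONFIG_HYGON_CSV` or make the definition `static`, since it is only reached through `ops->vm_attestation`.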