Unverified Commit 6d81e10f authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!14819 [OLK-6.6]Hygon: Support CSV3 Attestation

Merge Pull Request from: @hanliyang 
 
issue:
https://gitee.com/open_euler/dashboard?issue_id=IBGDHO

The CSV3 guest Linux provides the csv-guest kernel module to respond to userspace requests
and return the CSV3 attestation report to userspace. The CSV3 guest Linux issues a secure
call command to get the attestation report from the CSV3 firmware.
 
Link:https://gitee.com/openeuler/kernel/pulls/14819

 

Reviewed-by: Wenkuan Wang <wenkuan.wang@amd.com>
Signed-off-by: Zhang Peng <zhangpeng362@huawei.com>
parents 02a28d02 f1fd34b6
+9 −2
@@ -2218,7 +2218,7 @@ CONFIG_APPLE_PROPERTIES=y
CONFIG_EFI_EARLYCON=y
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
# CONFIG_EFI_DISABLE_RUNTIME is not set
# CONFIG_EFI_COCO_SECRET is not set
CONFIG_EFI_COCO_SECRET=y
CONFIG_UNACCEPTED_MEMORY=y
# end of EFI (Extensible Firmware Interface) Support

@@ -7136,7 +7136,14 @@ CONFIG_QAT_VFIO_PCI=m

CONFIG_VFIO_MDEV=m
CONFIG_IRQ_BYPASS_MANAGER=m
# CONFIG_VIRT_DRIVERS is not set
CONFIG_VIRT_DRIVERS=y
CONFIG_VMGENID=y
# CONFIG_VBOXGUEST is not set
# CONFIG_NITRO_ENCLAVES is not set
CONFIG_EFI_SECRET=m
CONFIG_SEV_GUEST=m
# CONFIG_TDX_GUEST_DRIVER is not set
CONFIG_CSV_GUEST=m
CONFIG_VIRTIO_ANCHOR=y
CONFIG_VIRTIO=y
CONFIG_VIRTIO_PCI_LIB=y
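Review bot: The second hunk enables more than the CSV3 attestation driver the description talks about: besides `CONFIG_CSV_GUEST=m` it turns on `CONFIG_VMGENID=y`, `CONFIG_EFI_SECRET=m` and `CONFIG_SEV_GUEST=m`, and the first hunk sets `CONFIG_EFI_COCO_SECRET=y`. Each of these adds a guest-facing interface to every kernel built from this config, so the commit message should say which ones CSV_GUEST actually needs and why the others are wanted. If they are not required for CSV3 attestation, writing them out as `# CONFIG_... is not set` keeps the default attack surface unchanged (enabling VIRT_DRIVERS may otherwise default some of them on).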
+2 −0
@@ -66,6 +66,7 @@ void __init csv_early_update_memory_dec(u64 vaddr, u64 pages);
void __init csv_early_memory_enc_dec(u64 vaddr, u64 size, bool enc);

void csv_memory_enc_dec(u64 vaddr, u64 pages, bool enc);
int csv3_issue_request_report(phys_addr_t paddr, size_t size);

#else	/* !CONFIG_HYGON_CSV */

@@ -79,6 +80,7 @@ static inline void __init csv_early_memory_enc_dec(u64 vaddr, u64 size,
						   bool enc) { }

static inline void csv_memory_enc_dec(u64 vaddr, u64 pages, bool enc) { }
static inline int csv3_issue_request_report(phys_addr_t paddr, size_t size) { return -EIO; }

#endif	/* CONFIG_HYGON_CSV */

+22 −1
@@ -76,12 +76,33 @@
 * CSV3_SECURE_CMD_UPDATE_SECURE_CALL_TABLE:
 *	CSV3 guest wants to change the secure call pages.
 *	The secure processor re-init the secure call context.
 *
 * CSV3_SECURE_CMD_REQ_REPORT:
 *      CSV3 guest wants to request attestation report.
 *      The secure processor will update the request message buffer and respond
 *      buffer to indicate the result of this request.
 */
enum csv3_secure_command_type {
	CSV3_SECURE_CMD_ENC	= 1,
	/* The secure call request should below CSV3_SECURE_CMD_ACK */
	CSV3_SECURE_CMD_ENC			= 0x1,
	CSV3_SECURE_CMD_DEC,
	CSV3_SECURE_CMD_RESET,
	CSV3_SECURE_CMD_UPDATE_SECURE_CALL_TABLE,
	CSV3_SECURE_CMD_REQ_REPORT		= 0x7,

	/* SECURE_CMD_ACK indicates secure call request can be handled */
	CSV3_SECURE_CMD_ACK			= 0x6b,

	/*
	 * The following values are the error code of the secure call
	 * when firmware can't handling the specific secure call command
	 * as expected.
	 */
	CSV3_SECURE_CMD_ERROR_INTERNAL		= 0x6c,
	CSV3_SECURE_CMD_ERROR_INVALID_COMMAND	= 0x6d,
	CSV3_SECURE_CMD_ERROR_INVALID_PARAM	= 0x6e,
	CSV3_SECURE_CMD_ERROR_INVALID_ADDRESS	= 0x6f,
	CSV3_SECURE_CMD_ERROR_INVALID_LENGTH	= 0x70,
};

/*
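Review bot: The enum now jumps from CSV3_SECURE_CMD_UPDATE_SECURE_CALL_TABLE (implicitly 0x4) to `CSV3_SECURE_CMD_REQ_REPORT = 0x7` with no word on 0x5 and 0x6, so a reader cannot tell whether those values are reserved by the firmware interface or free for reuse; a one-line comment above REQ_REPORT saying which it is would settle that. The first new comment would read better as `/* Secure call request values must be below CSV3_SECURE_CMD_ACK */`. The type now holds both request commands and firmware status codes, and the same `cmd_type` field is written with one and read back as the other later in this commit, which is worth stating in the block comment above the enum. That block comment starts before this hunk.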
+73 −0
@@ -285,3 +285,76 @@ void csv_memory_enc_dec(u64 vaddr, u64 pages, bool enc)

	__csv3_memory_enc_dec(csv3_secure_call, vaddr & PAGE_MASK, pages, enc);
}

static void print_secure_call_error(enum csv3_secure_command_type code)
{
	switch (code) {
	case CSV3_SECURE_CMD_ACK:
		pr_debug("secure call: handled\n");
		break;
	case CSV3_SECURE_CMD_ERROR_INTERNAL:
		pr_err("secure call: internal error\n");
		break;
	case CSV3_SECURE_CMD_ERROR_INVALID_COMMAND:
		pr_err("secure call: unsupported cmd\n");
		break;
	case CSV3_SECURE_CMD_ERROR_INVALID_PARAM:
		pr_err("secure call: invalid param\n");
		break;
	case CSV3_SECURE_CMD_ERROR_INVALID_ADDRESS:
		pr_err("secure call: invalid address\n");
		break;
	case CSV3_SECURE_CMD_ERROR_INVALID_LENGTH:
		pr_err("secure call: invalid length\n");
		break;
	default:
		pr_err("secure call: shouldn't reach here\n");
		break;
	}
}

int csv3_issue_request_report(phys_addr_t paddr, size_t size)
{
	struct secure_call_pages *sc_page_info;
	struct csv3_secure_call_cmd *sc_wr, *sc_rd;
	unsigned long flags;
	int sc_page_idx;
	enum csv3_secure_command_type sc_return_code;

	/*
	 * secure call pages needs to access with IRQs disabled because it is
	 * using a per-CPU data.
	 */
	local_irq_save(flags);

	sc_page_info = this_cpu_read(secure_call_data);
	sc_page_idx = this_cpu_read(secure_call_page_idx);

	sc_wr = sc_page_idx ? &sc_page_info->page_a : &sc_page_info->page_b;
	sc_rd = sc_page_idx ? &sc_page_info->page_b : &sc_page_info->page_a;

	sc_wr->cmd_type = CSV3_SECURE_CMD_REQ_REPORT;
	sc_wr->nums = 1;
	sc_wr->unused = 0;
	sc_wr->entry[0].base_address = (u64)paddr;
	sc_wr->entry[0].size = size;

	/*
	 * Write command in sc_wr must be done before retrieve status code
	 * from sc_rd, and it's ensured by the smp_mb below.
	 */
	smp_mb();

	sc_return_code = sc_rd->cmd_type;

	this_cpu_write(secure_call_page_idx, sc_page_idx ^ 1);

	/* Leave per-CPU data access */
	local_irq_restore(flags);

	/* Print return code of the secure call */
	print_secure_call_error(sc_return_code);

	return sc_return_code == CSV3_SECURE_CMD_ACK ? 0 : -EIO;
}
EXPORT_SYMBOL_GPL(csv3_issue_request_report);
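Review bot: csv3_issue_request_report() is exported but dereferences the per-CPU `secure_call_data` pointer without checking that CSV3 is active or that the pointer is set, so its safety depends on every caller having checked first; csv3_active() is exported in the same commit, which suggests that is the expectation. I would make the function guard itself with `if (!csv3_active()) return -ENODEV;` before `local_irq_save()` (assuming csv3_active() is visible in this file), and add a kernel-doc comment stating that `paddr` and `size` must describe a buffer the caller owns for the whole call, since the enum comment says the secure processor updates it. Separately, print_secure_call_error() uses plain `pr_err()` on a path the description says is driven by userspace requests, so `pr_err_ratelimited()` would keep a failing request loop from flooding the log. The status word is read with a plain load; `READ_ONCE(sc_rd->cmd_type)` would document that it is written by the secure processor rather than by this CPU.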
+1 −0
@@ -130,6 +130,7 @@ bool csv3_active(void)
	else
		return false;
}
EXPORT_SYMBOL_GPL(csv3_active);

/******************************************************************************/
/**************************** CSV3 CMA interfaces *****************************/