Merge tag 'x86_tdx_for_6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

.. SPDX-License-Identifier: GPL-2.0

===================================================================

TDX Guest API Documentation

===================================================================

1. General description

======================

The TDX guest driver exposes IOCTL interfaces via the /dev/tdx-guest misc

device to allow userspace to get certain TDX guest-specific details.

2. API description

==================

In this section, for each supported IOCTL, the following information is

provided along with a generic description.

:Input parameters: Parameters passed to the IOCTL and related details.

:Output: Details about output data and return value (with details about

         the non common error values).

2.1 TDX_CMD_GET_REPORT0

-----------------------

:Input parameters: struct tdx_report_req

:Output: Upon successful execution, TDREPORT data is copied to

         tdx_report_req.tdreport and return 0. Return -EINVAL for invalid

         operands, -EIO on TDCALL failure or standard error number on other

         common failures.

The TDX_CMD_GET_REPORT0 IOCTL can be used by the attestation software to get

the TDREPORT0 (a.k.a. TDREPORT subtype 0) from the TDX module using

TDCALL[TDG.MR.REPORT].

A subtype index is added at the end of this IOCTL CMD to uniquely identify the

subtype-specific TDREPORT request. Although the subtype option is mentioned in

the TDX Module v1.0 specification, section titled "TDG.MR.REPORT", it is not

currently used, and it expects this value to be 0. So to keep the IOCTL

implementation simple, the subtype option was not included as part of the input

ABI. However, in the future, if the TDX Module supports more than one subtype,

a new IOCTL CMD will be created to handle it. To keep the IOCTL naming

consistent, a subtype index is added as part of the IOCTL CMD.

Reference

---------

TDX reference material is collected here:

https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html

The driver is based on TDX module specification v1.0 and TDX GHCI specification v1.0.

   ne_overview

   acrn/index

   coco/sev-guest

   coco/tdx-guest

   hyperv/index

.. only:: html and subproject

For coherent DMA allocation, the DMA buffer gets converted on the

allocation. Check force_dma_unencrypted() for details.

Attestation

===========

Attestation is used to verify the TDX guest trustworthiness to other

entities before provisioning secrets to the guest. For example, a key

server may want to use attestation to verify that the guest is the

desired one before releasing the encryption keys to mount the encrypted

rootfs or a secondary drive.

The TDX module records the state of the TDX guest in various stages of

the guest boot process using the build time measurement register (MRTD)

and runtime measurement registers (RTMR). Measurements related to the

guest initial configuration and firmware image are recorded in the MRTD

register. Measurements related to initial state, kernel image, firmware

image, command line options, initrd, ACPI tables, etc are recorded in

RTMR registers. For more details, as an example, please refer to TDX

Virtual Firmware design specification, section titled "TD Measurement".

At TDX guest runtime, the attestation process is used to attest to these

measurements.

The attestation process consists of two steps: TDREPORT generation and

Quote generation.

TDX guest uses TDCALL[TDG.MR.REPORT] to get the TDREPORT (TDREPORT_STRUCT)

from the TDX module. TDREPORT is a fixed-size data structure generated by

the TDX module which contains guest-specific information (such as build

and boot measurements), platform security version, and the MAC to protect

the integrity of the TDREPORT. A user-provided 64-Byte REPORTDATA is used

as input and included in the TDREPORT. Typically it can be some nonce

provided by attestation service so the TDREPORT can be verified uniquely.

More details about the TDREPORT can be found in Intel TDX Module

specification, section titled "TDG.MR.REPORT Leaf".

After getting the TDREPORT, the second step of the attestation process

is to send it to the Quoting Enclave (QE) to generate the Quote. TDREPORT

by design can only be verified on the local platform as the MAC key is

bound to the platform. To support remote verification of the TDREPORT,

TDX leverages Intel SGX Quoting Enclave to verify the TDREPORT locally

and convert it to a remotely verifiable Quote. Method of sending TDREPORT

to QE is implementation specific. Attestation software can choose

whatever communication channel available (i.e. vsock or TCP/IP) to

send the TDREPORT to QE and receive the Quote.

References

==========

#define pr_fmt(fmt)     "tdx: " fmt

#include <linux/cpufeature.h>

#include <linux/export.h>

#include <linux/io.h>

#include <asm/coco.h>

#include <asm/tdx.h>

#include <asm/vmx.h>

/* TDX module Call Leaf IDs */

#define TDX_GET_INFO			1

#define TDX_GET_VEINFO			3

#define TDX_GET_REPORT			4

#define TDX_ACCEPT_PAGE			6

/* TDX hypercall Leaf IDs */

#define ATTR_SEPT_VE_DISABLE	BIT(28)

/* TDX Module call error codes */

#define TDCALL_RETURN_CODE(a)	((a) >> 32)

#define TDCALL_INVALID_OPERAND	0xc0000100

#define TDREPORT_SUBTYPE_0	0

/*

 * Wrapper for standard use of __tdx_hypercall with no output aside from

 * return code.

		panic("TDCALL %lld failed (Buggy TDX module!)\n", fn);

}

/**

 * tdx_mcall_get_report0() - Wrapper to get TDREPORT0 (a.k.a. TDREPORT

 *                           subtype 0) using TDG.MR.REPORT TDCALL.

 * @reportdata: Address of the input buffer which contains user-defined

 *              REPORTDATA to be included into TDREPORT.

 * @tdreport: Address of the output buffer to store TDREPORT.

 *

 * Refer to section titled "TDG.MR.REPORT leaf" in the TDX Module

 * v1.0 specification for more information on TDG.MR.REPORT TDCALL.

 * It is used in the TDX guest driver module to get the TDREPORT0.

 *

 * Return 0 on success, -EINVAL for invalid operands, or -EIO on

 * other TDCALL failures.

 */

int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport)

{

	u64 ret;

	ret = __tdx_module_call(TDX_GET_REPORT, virt_to_phys(tdreport),

				virt_to_phys(reportdata), TDREPORT_SUBTYPE_0,

				0, NULL);

	if (ret) {

		if (TDCALL_RETURN_CODE(ret) == TDCALL_INVALID_OPERAND)

			return -EINVAL;

		return -EIO;

	}

	return 0;

}

EXPORT_SYMBOL_GPL(tdx_mcall_get_report0);

static void tdx_parse_tdinfo(u64 *cc_mask)

{

	struct tdx_module_output out;

bool tdx_early_handle_ve(struct pt_regs *regs);

int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport);

#else

static inline void tdx_early_init(void) { };