mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-28 21:33:52 +00:00
4338e40da8
commit0f4a1e8098upstream. SEV-SNP requires encrypted memory to be validated before access. Because the ROM memory range is not part of the e820 table, it is not pre-validated by the BIOS. Therefore, if a SEV-SNP guest kernel wishes to access this range, the guest must first validate the range. The current SEV-SNP code does indeed scan the ROM range during early boot and thus attempts to validate the ROM range in probe_roms(). However, this behavior is neither sufficient nor necessary for the following reasons: * With regards to sufficiency, if EFI_CONFIG_TABLES are not enabled and CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK is set, the kernel will attempt to access the memory at SMBIOS_ENTRY_POINT_SCAN_START (which falls in the ROM range) prior to validation. For example, Project Oak Stage 0 provides a minimal guest firmware that currently meets these configuration conditions, meaning guests booting atop Oak Stage 0 firmware encounter a problematic call chain during dmi_setup() -> dmi_scan_machine() that results in a crash during boot if SEV-SNP is enabled. * With regards to necessity, SEV-SNP guests generally read garbage (which changes across boots) from the ROM range, meaning these scans are unnecessary. The guest reads garbage because the legacy ROM range is unencrypted data but is accessed via an encrypted PMD during early boot (where the PMD is marked as encrypted due to potentially mapping actually-encrypted data in other PMD-contained ranges). In one exceptional case, EISA probing treats the ROM range as unencrypted data, which is inconsistent with other probing. Continuing to allow SEV-SNP guests to use garbage and to inconsistently classify ROM range encryption status can trigger undesirable behavior. For instance, if garbage bytes appear to be a valid signature, memory may be unnecessarily reserved for the ROM range. Future code or other use cases may result in more problematic (arbitrary) behavior that should be avoided. While one solution would be to overhaul the early PMD mapping to always treat the ROM region of the PMD as unencrypted, SEV-SNP guests do not currently rely on data from the ROM region during early boot (and even if they did, they would be mostly relying on garbage data anyways). As a simpler solution, skip the ROM range scans (and the otherwise- necessary range validation) during SEV-SNP guest early boot. The potential SEV-SNP guest crash due to lack of ROM range validation is thus avoided by simply not accessing the ROM range. In most cases, skip the scans by overriding problematic x86_init functions during sme_early_init() to SNP-safe variants, which can be likened to x86_init overrides done for other platforms (ex: Xen); such overrides also avoid the spread of cc_platform_has() checks throughout the tree. In the exceptional EISA case, still use cc_platform_has() for the simplest change, given (1) checks for guest type (ex: Xen domain status) are already performed here, and (2) these checks occur in a subsys initcall instead of an x86_init function. [ bp: Massage commit message, remove "we"s. ] Fixes:9704c07bf9("x86/kernel: Validate ROM memory before accessing when SEV-SNP is active") Signed-off-by: Kevin Loughlin <kevinloughlin@google.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: <stable@kernel.org> Link: https://lore.kernel.org/r/20240313121546.2964854-1-kevinloughlin@google.com Signed-off-by: Kevin Loughlin <kevinloughlin@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
246 lines
7 KiB
C
246 lines
7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* AMD Encrypted Register State Support
|
|
*
|
|
* Author: Joerg Roedel <jroedel@suse.de>
|
|
*/
|
|
|
|
#ifndef __ASM_ENCRYPTED_STATE_H
|
|
#define __ASM_ENCRYPTED_STATE_H
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/sev-guest.h>
|
|
|
|
#include <asm/insn.h>
|
|
#include <asm/sev-common.h>
|
|
#include <asm/bootparam.h>
|
|
#include <asm/coco.h>
|
|
|
|
#define GHCB_PROTOCOL_MIN 1ULL
|
|
#define GHCB_PROTOCOL_MAX 2ULL
|
|
#define GHCB_DEFAULT_USAGE 0ULL
|
|
|
|
#define VMGEXIT() { asm volatile("rep; vmmcall\n\r"); }
|
|
|
|
enum es_result {
|
|
ES_OK, /* All good */
|
|
ES_UNSUPPORTED, /* Requested operation not supported */
|
|
ES_VMM_ERROR, /* Unexpected state from the VMM */
|
|
ES_DECODE_FAILED, /* Instruction decoding failed */
|
|
ES_EXCEPTION, /* Instruction caused exception */
|
|
ES_RETRY, /* Retry instruction emulation */
|
|
};
|
|
|
|
struct es_fault_info {
|
|
unsigned long vector;
|
|
unsigned long error_code;
|
|
unsigned long cr2;
|
|
};
|
|
|
|
struct pt_regs;
|
|
|
|
/* ES instruction emulation context */
|
|
struct es_em_ctxt {
|
|
struct pt_regs *regs;
|
|
struct insn insn;
|
|
struct es_fault_info fi;
|
|
};
|
|
|
|
/*
|
|
* AMD SEV Confidential computing blob structure. The structure is
|
|
* defined in OVMF UEFI firmware header:
|
|
* https://github.com/tianocore/edk2/blob/master/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
|
|
*/
|
|
#define CC_BLOB_SEV_HDR_MAGIC 0x45444d41
|
|
struct cc_blob_sev_info {
|
|
u32 magic;
|
|
u16 version;
|
|
u16 reserved;
|
|
u64 secrets_phys;
|
|
u32 secrets_len;
|
|
u32 rsvd1;
|
|
u64 cpuid_phys;
|
|
u32 cpuid_len;
|
|
u32 rsvd2;
|
|
} __packed;
|
|
|
|
void do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code);
|
|
|
|
static inline u64 lower_bits(u64 val, unsigned int bits)
|
|
{
|
|
u64 mask = (1ULL << bits) - 1;
|
|
|
|
return (val & mask);
|
|
}
|
|
|
|
struct real_mode_header;
|
|
enum stack_type;
|
|
|
|
/* Early IDT entry points for #VC handler */
|
|
extern void vc_no_ghcb(void);
|
|
extern void vc_boot_ghcb(void);
|
|
extern bool handle_vc_boot_ghcb(struct pt_regs *regs);
|
|
|
|
/* PVALIDATE return codes */
|
|
#define PVALIDATE_FAIL_SIZEMISMATCH 6
|
|
|
|
/* Software defined (when rFlags.CF = 1) */
|
|
#define PVALIDATE_FAIL_NOUPDATE 255
|
|
|
|
/* RMP page size */
|
|
#define RMP_PG_SIZE_4K 0
|
|
#define RMP_PG_SIZE_2M 1
|
|
|
|
#define RMPADJUST_VMSA_PAGE_BIT BIT(16)
|
|
|
|
/* SNP Guest message request */
|
|
struct snp_req_data {
|
|
unsigned long req_gpa;
|
|
unsigned long resp_gpa;
|
|
unsigned long data_gpa;
|
|
unsigned int data_npages;
|
|
};
|
|
|
|
struct sev_guest_platform_data {
|
|
u64 secrets_gpa;
|
|
};
|
|
|
|
/*
|
|
* The secrets page contains 96-bytes of reserved field that can be used by
|
|
* the guest OS. The guest OS uses the area to save the message sequence
|
|
* number for each VMPCK.
|
|
*
|
|
* See the GHCB spec section Secret page layout for the format for this area.
|
|
*/
|
|
struct secrets_os_area {
|
|
u32 msg_seqno_0;
|
|
u32 msg_seqno_1;
|
|
u32 msg_seqno_2;
|
|
u32 msg_seqno_3;
|
|
u64 ap_jump_table_pa;
|
|
u8 rsvd[40];
|
|
u8 guest_usage[32];
|
|
} __packed;
|
|
|
|
#define VMPCK_KEY_LEN 32
|
|
|
|
/* See the SNP spec version 0.9 for secrets page format */
|
|
struct snp_secrets_page_layout {
|
|
u32 version;
|
|
u32 imien : 1,
|
|
rsvd1 : 31;
|
|
u32 fms;
|
|
u32 rsvd2;
|
|
u8 gosvw[16];
|
|
u8 vmpck0[VMPCK_KEY_LEN];
|
|
u8 vmpck1[VMPCK_KEY_LEN];
|
|
u8 vmpck2[VMPCK_KEY_LEN];
|
|
u8 vmpck3[VMPCK_KEY_LEN];
|
|
struct secrets_os_area os_area;
|
|
u8 rsvd3[3840];
|
|
} __packed;
|
|
|
|
#ifdef CONFIG_AMD_MEM_ENCRYPT
|
|
extern void __sev_es_ist_enter(struct pt_regs *regs);
|
|
extern void __sev_es_ist_exit(void);
|
|
static __always_inline void sev_es_ist_enter(struct pt_regs *regs)
|
|
{
|
|
if (cc_vendor == CC_VENDOR_AMD &&
|
|
cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))
|
|
__sev_es_ist_enter(regs);
|
|
}
|
|
static __always_inline void sev_es_ist_exit(void)
|
|
{
|
|
if (cc_vendor == CC_VENDOR_AMD &&
|
|
cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))
|
|
__sev_es_ist_exit();
|
|
}
|
|
extern int sev_es_setup_ap_jump_table(struct real_mode_header *rmh);
|
|
extern void __sev_es_nmi_complete(void);
|
|
static __always_inline void sev_es_nmi_complete(void)
|
|
{
|
|
if (cc_vendor == CC_VENDOR_AMD &&
|
|
cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))
|
|
__sev_es_nmi_complete();
|
|
}
|
|
extern int __init sev_es_efi_map_ghcbs(pgd_t *pgd);
|
|
extern void sev_enable(struct boot_params *bp);
|
|
|
|
static inline int rmpadjust(unsigned long vaddr, bool rmp_psize, unsigned long attrs)
|
|
{
|
|
int rc;
|
|
|
|
/* "rmpadjust" mnemonic support in binutils 2.36 and newer */
|
|
asm volatile(".byte 0xF3,0x0F,0x01,0xFE\n\t"
|
|
: "=a"(rc)
|
|
: "a"(vaddr), "c"(rmp_psize), "d"(attrs)
|
|
: "memory", "cc");
|
|
|
|
return rc;
|
|
}
|
|
static inline int pvalidate(unsigned long vaddr, bool rmp_psize, bool validate)
|
|
{
|
|
bool no_rmpupdate;
|
|
int rc;
|
|
|
|
/* "pvalidate" mnemonic support in binutils 2.36 and newer */
|
|
asm volatile(".byte 0xF2, 0x0F, 0x01, 0xFF\n\t"
|
|
CC_SET(c)
|
|
: CC_OUT(c) (no_rmpupdate), "=a"(rc)
|
|
: "a"(vaddr), "c"(rmp_psize), "d"(validate)
|
|
: "memory", "cc");
|
|
|
|
if (no_rmpupdate)
|
|
return PVALIDATE_FAIL_NOUPDATE;
|
|
|
|
return rc;
|
|
}
|
|
|
|
struct snp_guest_request_ioctl;
|
|
|
|
void setup_ghcb(void);
|
|
void __init early_snp_set_memory_private(unsigned long vaddr, unsigned long paddr,
|
|
unsigned long npages);
|
|
void __init early_snp_set_memory_shared(unsigned long vaddr, unsigned long paddr,
|
|
unsigned long npages);
|
|
void snp_set_memory_shared(unsigned long vaddr, unsigned long npages);
|
|
void snp_set_memory_private(unsigned long vaddr, unsigned long npages);
|
|
void snp_set_wakeup_secondary_cpu(void);
|
|
bool snp_init(struct boot_params *bp);
|
|
void __init __noreturn snp_abort(void);
|
|
void snp_dmi_setup(void);
|
|
int snp_issue_guest_request(u64 exit_code, struct snp_req_data *input, struct snp_guest_request_ioctl *rio);
|
|
void snp_accept_memory(phys_addr_t start, phys_addr_t end);
|
|
u64 snp_get_unsupported_features(u64 status);
|
|
u64 sev_get_status(void);
|
|
#else
|
|
static inline void sev_es_ist_enter(struct pt_regs *regs) { }
|
|
static inline void sev_es_ist_exit(void) { }
|
|
static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; }
|
|
static inline void sev_es_nmi_complete(void) { }
|
|
static inline int sev_es_efi_map_ghcbs(pgd_t *pgd) { return 0; }
|
|
static inline void sev_enable(struct boot_params *bp) { }
|
|
static inline int pvalidate(unsigned long vaddr, bool rmp_psize, bool validate) { return 0; }
|
|
static inline int rmpadjust(unsigned long vaddr, bool rmp_psize, unsigned long attrs) { return 0; }
|
|
static inline void setup_ghcb(void) { }
|
|
static inline void __init
|
|
early_snp_set_memory_private(unsigned long vaddr, unsigned long paddr, unsigned long npages) { }
|
|
static inline void __init
|
|
early_snp_set_memory_shared(unsigned long vaddr, unsigned long paddr, unsigned long npages) { }
|
|
static inline void snp_set_memory_shared(unsigned long vaddr, unsigned long npages) { }
|
|
static inline void snp_set_memory_private(unsigned long vaddr, unsigned long npages) { }
|
|
static inline void snp_set_wakeup_secondary_cpu(void) { }
|
|
static inline bool snp_init(struct boot_params *bp) { return false; }
|
|
static inline void snp_abort(void) { }
|
|
static inline void snp_dmi_setup(void) { }
|
|
static inline int snp_issue_guest_request(u64 exit_code, struct snp_req_data *input, struct snp_guest_request_ioctl *rio)
|
|
{
|
|
return -ENOTTY;
|
|
}
|
|
|
|
static inline void snp_accept_memory(phys_addr_t start, phys_addr_t end) { }
|
|
static inline u64 snp_get_unsupported_features(u64 status) { return 0; }
|
|
static inline u64 sev_get_status(void) { return 0; }
|
|
#endif
|
|
|
|
#endif
|