1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* |
3 | * AMD Secure Encrypted Virtualization (SEV) driver interface |
4 | * |
5 | * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. |
6 | * |
7 | * Author: Brijesh Singh <brijesh.singh@amd.com> |
8 | * |
9 | * SEV API spec is available at https://developer.amd.com/sev |
10 | */ |
11 | |
12 | #ifndef __PSP_SEV_H__ |
13 | #define __PSP_SEV_H__ |
14 | |
15 | #include <uapi/linux/psp-sev.h> |
16 | |
17 | #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ |
18 | |
19 | /** |
20 | * SEV platform state |
21 | */ |
22 | enum sev_state { |
23 | SEV_STATE_UNINIT = 0x0, |
24 | SEV_STATE_INIT = 0x1, |
25 | SEV_STATE_WORKING = 0x2, |
26 | |
27 | SEV_STATE_MAX |
28 | }; |
29 | |
30 | /** |
31 | * SEV platform and guest management commands |
32 | */ |
33 | enum sev_cmd { |
34 | /* platform commands */ |
35 | SEV_CMD_INIT = 0x001, |
36 | SEV_CMD_SHUTDOWN = 0x002, |
37 | SEV_CMD_FACTORY_RESET = 0x003, |
38 | SEV_CMD_PLATFORM_STATUS = 0x004, |
39 | SEV_CMD_PEK_GEN = 0x005, |
40 | SEV_CMD_PEK_CSR = 0x006, |
41 | SEV_CMD_PEK_CERT_IMPORT = 0x007, |
42 | SEV_CMD_PDH_CERT_EXPORT = 0x008, |
43 | SEV_CMD_PDH_GEN = 0x009, |
44 | SEV_CMD_DF_FLUSH = 0x00A, |
45 | SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, |
46 | SEV_CMD_GET_ID = 0x00C, |
47 | SEV_CMD_INIT_EX = 0x00D, |
48 | |
49 | /* Guest commands */ |
50 | SEV_CMD_DECOMMISSION = 0x020, |
51 | SEV_CMD_ACTIVATE = 0x021, |
52 | SEV_CMD_DEACTIVATE = 0x022, |
53 | SEV_CMD_GUEST_STATUS = 0x023, |
54 | |
55 | /* Guest launch commands */ |
56 | SEV_CMD_LAUNCH_START = 0x030, |
57 | SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, |
58 | SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, |
59 | SEV_CMD_LAUNCH_MEASURE = 0x033, |
60 | SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, |
61 | SEV_CMD_LAUNCH_FINISH = 0x035, |
62 | SEV_CMD_ATTESTATION_REPORT = 0x036, |
63 | |
64 | /* Guest migration commands (outgoing) */ |
65 | SEV_CMD_SEND_START = 0x040, |
66 | SEV_CMD_SEND_UPDATE_DATA = 0x041, |
67 | SEV_CMD_SEND_UPDATE_VMSA = 0x042, |
68 | SEV_CMD_SEND_FINISH = 0x043, |
69 | SEV_CMD_SEND_CANCEL = 0x044, |
70 | |
71 | /* Guest migration commands (incoming) */ |
72 | SEV_CMD_RECEIVE_START = 0x050, |
73 | SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, |
74 | SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, |
75 | SEV_CMD_RECEIVE_FINISH = 0x053, |
76 | |
77 | /* Guest debug commands */ |
78 | SEV_CMD_DBG_DECRYPT = 0x060, |
79 | SEV_CMD_DBG_ENCRYPT = 0x061, |
80 | |
81 | /* SNP specific commands */ |
82 | SEV_CMD_SNP_INIT = 0x081, |
83 | SEV_CMD_SNP_SHUTDOWN = 0x082, |
84 | SEV_CMD_SNP_PLATFORM_STATUS = 0x083, |
85 | SEV_CMD_SNP_DF_FLUSH = 0x084, |
86 | SEV_CMD_SNP_INIT_EX = 0x085, |
87 | SEV_CMD_SNP_SHUTDOWN_EX = 0x086, |
88 | SEV_CMD_SNP_DECOMMISSION = 0x090, |
89 | SEV_CMD_SNP_ACTIVATE = 0x091, |
90 | SEV_CMD_SNP_GUEST_STATUS = 0x092, |
91 | SEV_CMD_SNP_GCTX_CREATE = 0x093, |
92 | SEV_CMD_SNP_GUEST_REQUEST = 0x094, |
93 | SEV_CMD_SNP_ACTIVATE_EX = 0x095, |
94 | SEV_CMD_SNP_LAUNCH_START = 0x0A0, |
95 | SEV_CMD_SNP_LAUNCH_UPDATE = 0x0A1, |
96 | SEV_CMD_SNP_LAUNCH_FINISH = 0x0A2, |
97 | SEV_CMD_SNP_DBG_DECRYPT = 0x0B0, |
98 | SEV_CMD_SNP_DBG_ENCRYPT = 0x0B1, |
99 | SEV_CMD_SNP_PAGE_SWAP_OUT = 0x0C0, |
100 | SEV_CMD_SNP_PAGE_SWAP_IN = 0x0C1, |
101 | SEV_CMD_SNP_PAGE_MOVE = 0x0C2, |
102 | SEV_CMD_SNP_PAGE_MD_INIT = 0x0C3, |
103 | SEV_CMD_SNP_PAGE_SET_STATE = 0x0C6, |
104 | SEV_CMD_SNP_PAGE_RECLAIM = 0x0C7, |
105 | SEV_CMD_SNP_PAGE_UNSMASH = 0x0C8, |
106 | SEV_CMD_SNP_CONFIG = 0x0C9, |
107 | SEV_CMD_SNP_DOWNLOAD_FIRMWARE_EX = 0x0CA, |
108 | SEV_CMD_SNP_COMMIT = 0x0CB, |
109 | SEV_CMD_SNP_VLEK_LOAD = 0x0CD, |
110 | |
111 | SEV_CMD_MAX, |
112 | }; |
113 | |
114 | /** |
115 | * struct sev_data_init - INIT command parameters |
116 | * |
117 | * @flags: processing flags |
118 | * @tmr_address: system physical address used for SEV-ES |
119 | * @tmr_len: len of tmr_address |
120 | */ |
121 | struct sev_data_init { |
122 | u32 flags; /* In */ |
123 | u32 reserved; /* In */ |
124 | u64 tmr_address; /* In */ |
125 | u32 tmr_len; /* In */ |
126 | } __packed; |
127 | |
128 | /** |
129 | * struct sev_data_init_ex - INIT_EX command parameters |
130 | * |
131 | * @length: len of the command buffer read by the PSP |
132 | * @flags: processing flags |
133 | * @tmr_address: system physical address used for SEV-ES |
134 | * @tmr_len: len of tmr_address |
135 | * @nv_address: system physical address used for PSP NV storage |
136 | * @nv_len: len of nv_address |
137 | */ |
138 | struct sev_data_init_ex { |
139 | u32 length; /* In */ |
140 | u32 flags; /* In */ |
141 | u64 tmr_address; /* In */ |
142 | u32 tmr_len; /* In */ |
143 | u32 reserved; /* In */ |
144 | u64 nv_address; /* In/Out */ |
145 | u32 nv_len; /* In */ |
146 | } __packed; |
147 | |
148 | #define SEV_INIT_FLAGS_SEV_ES 0x01 |
149 | |
150 | /** |
151 | * struct sev_data_pek_csr - PEK_CSR command parameters |
152 | * |
153 | * @address: PEK certificate chain |
154 | * @len: len of certificate |
155 | */ |
156 | struct sev_data_pek_csr { |
157 | u64 address; /* In */ |
158 | u32 len; /* In/Out */ |
159 | } __packed; |
160 | |
161 | /** |
162 | * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters |
163 | * |
164 | * @pek_address: PEK certificate chain |
165 | * @pek_len: len of PEK certificate |
166 | * @oca_address: OCA certificate chain |
167 | * @oca_len: len of OCA certificate |
168 | */ |
169 | struct sev_data_pek_cert_import { |
170 | u64 pek_cert_address; /* In */ |
171 | u32 pek_cert_len; /* In */ |
172 | u32 reserved; /* In */ |
173 | u64 oca_cert_address; /* In */ |
174 | u32 oca_cert_len; /* In */ |
175 | } __packed; |
176 | |
177 | /** |
178 | * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters |
179 | * |
180 | * @address: physical address of firmware image |
181 | * @len: len of the firmware image |
182 | */ |
183 | struct sev_data_download_firmware { |
184 | u64 address; /* In */ |
185 | u32 len; /* In */ |
186 | } __packed; |
187 | |
188 | /** |
189 | * struct sev_data_get_id - GET_ID command parameters |
190 | * |
191 | * @address: physical address of region to place unique CPU ID(s) |
192 | * @len: len of the region |
193 | */ |
194 | struct sev_data_get_id { |
195 | u64 address; /* In */ |
196 | u32 len; /* In/Out */ |
197 | } __packed; |
198 | /** |
199 | * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters |
200 | * |
201 | * @pdh_address: PDH certificate address |
202 | * @pdh_len: len of PDH certificate |
203 | * @cert_chain_address: PDH certificate chain |
204 | * @cert_chain_len: len of PDH certificate chain |
205 | */ |
206 | struct sev_data_pdh_cert_export { |
207 | u64 pdh_cert_address; /* In */ |
208 | u32 pdh_cert_len; /* In/Out */ |
209 | u32 reserved; /* In */ |
210 | u64 cert_chain_address; /* In */ |
211 | u32 cert_chain_len; /* In/Out */ |
212 | } __packed; |
213 | |
214 | /** |
215 | * struct sev_data_decommission - DECOMMISSION command parameters |
216 | * |
217 | * @handle: handle of the VM to decommission |
218 | */ |
219 | struct sev_data_decommission { |
220 | u32 handle; /* In */ |
221 | } __packed; |
222 | |
223 | /** |
224 | * struct sev_data_activate - ACTIVATE command parameters |
225 | * |
226 | * @handle: handle of the VM to activate |
227 | * @asid: asid assigned to the VM |
228 | */ |
229 | struct sev_data_activate { |
230 | u32 handle; /* In */ |
231 | u32 asid; /* In */ |
232 | } __packed; |
233 | |
234 | /** |
235 | * struct sev_data_deactivate - DEACTIVATE command parameters |
236 | * |
237 | * @handle: handle of the VM to deactivate |
238 | */ |
239 | struct sev_data_deactivate { |
240 | u32 handle; /* In */ |
241 | } __packed; |
242 | |
243 | /** |
244 | * struct sev_data_guest_status - SEV GUEST_STATUS command parameters |
245 | * |
246 | * @handle: handle of the VM to retrieve status |
247 | * @policy: policy information for the VM |
248 | * @asid: current ASID of the VM |
249 | * @state: current state of the VM |
250 | */ |
251 | struct sev_data_guest_status { |
252 | u32 handle; /* In */ |
253 | u32 policy; /* Out */ |
254 | u32 asid; /* Out */ |
255 | u8 state; /* Out */ |
256 | } __packed; |
257 | |
258 | /** |
259 | * struct sev_data_launch_start - LAUNCH_START command parameters |
260 | * |
261 | * @handle: handle assigned to the VM |
262 | * @policy: guest launch policy |
263 | * @dh_cert_address: physical address of DH certificate blob |
264 | * @dh_cert_len: len of DH certificate blob |
265 | * @session_address: physical address of session parameters |
266 | * @session_len: len of session parameters |
267 | */ |
268 | struct sev_data_launch_start { |
269 | u32 handle; /* In/Out */ |
270 | u32 policy; /* In */ |
271 | u64 dh_cert_address; /* In */ |
272 | u32 dh_cert_len; /* In */ |
273 | u32 reserved; /* In */ |
274 | u64 session_address; /* In */ |
275 | u32 session_len; /* In */ |
276 | } __packed; |
277 | |
278 | /** |
279 | * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter |
280 | * |
281 | * @handle: handle of the VM to update |
282 | * @len: len of memory to be encrypted |
283 | * @address: physical address of memory region to encrypt |
284 | */ |
285 | struct sev_data_launch_update_data { |
286 | u32 handle; /* In */ |
287 | u32 reserved; |
288 | u64 address; /* In */ |
289 | u32 len; /* In */ |
290 | } __packed; |
291 | |
292 | /** |
293 | * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command |
294 | * |
295 | * @handle: handle of the VM |
296 | * @address: physical address of memory region to encrypt |
297 | * @len: len of memory region to encrypt |
298 | */ |
299 | struct sev_data_launch_update_vmsa { |
300 | u32 handle; /* In */ |
301 | u32 reserved; |
302 | u64 address; /* In */ |
303 | u32 len; /* In */ |
304 | } __packed; |
305 | |
306 | /** |
307 | * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters |
308 | * |
309 | * @handle: handle of the VM to process |
310 | * @address: physical address containing the measurement blob |
311 | * @len: len of measurement blob |
312 | */ |
313 | struct sev_data_launch_measure { |
314 | u32 handle; /* In */ |
315 | u32 reserved; |
316 | u64 address; /* In */ |
317 | u32 len; /* In/Out */ |
318 | } __packed; |
319 | |
320 | /** |
321 | * struct sev_data_launch_secret - LAUNCH_SECRET command parameters |
322 | * |
323 | * @handle: handle of the VM to process |
324 | * @hdr_address: physical address containing the packet header |
325 | * @hdr_len: len of packet header |
326 | * @guest_address: system physical address of guest memory region |
327 | * @guest_len: len of guest_paddr |
328 | * @trans_address: physical address of transport memory buffer |
329 | * @trans_len: len of transport memory buffer |
330 | */ |
331 | struct sev_data_launch_secret { |
332 | u32 handle; /* In */ |
333 | u32 reserved1; |
334 | u64 hdr_address; /* In */ |
335 | u32 hdr_len; /* In */ |
336 | u32 reserved2; |
337 | u64 guest_address; /* In */ |
338 | u32 guest_len; /* In */ |
339 | u32 reserved3; |
340 | u64 trans_address; /* In */ |
341 | u32 trans_len; /* In */ |
342 | } __packed; |
343 | |
344 | /** |
345 | * struct sev_data_launch_finish - LAUNCH_FINISH command parameters |
346 | * |
347 | * @handle: handle of the VM to process |
348 | */ |
349 | struct sev_data_launch_finish { |
350 | u32 handle; /* In */ |
351 | } __packed; |
352 | |
353 | /** |
354 | * struct sev_data_send_start - SEND_START command parameters |
355 | * |
356 | * @handle: handle of the VM to process |
357 | * @policy: policy information for the VM |
358 | * @pdh_cert_address: physical address containing PDH certificate |
359 | * @pdh_cert_len: len of PDH certificate |
360 | * @plat_certs_address: physical address containing platform certificate |
361 | * @plat_certs_len: len of platform certificate |
362 | * @amd_certs_address: physical address containing AMD certificate |
363 | * @amd_certs_len: len of AMD certificate |
364 | * @session_address: physical address containing Session data |
365 | * @session_len: len of session data |
366 | */ |
367 | struct sev_data_send_start { |
368 | u32 handle; /* In */ |
369 | u32 policy; /* Out */ |
370 | u64 pdh_cert_address; /* In */ |
371 | u32 pdh_cert_len; /* In */ |
372 | u32 reserved1; |
373 | u64 plat_certs_address; /* In */ |
374 | u32 plat_certs_len; /* In */ |
375 | u32 reserved2; |
376 | u64 amd_certs_address; /* In */ |
377 | u32 amd_certs_len; /* In */ |
378 | u32 reserved3; |
379 | u64 session_address; /* In */ |
380 | u32 session_len; /* In/Out */ |
381 | } __packed; |
382 | |
383 | /** |
384 | * struct sev_data_send_update - SEND_UPDATE_DATA command |
385 | * |
386 | * @handle: handle of the VM to process |
387 | * @hdr_address: physical address containing packet header |
388 | * @hdr_len: len of packet header |
389 | * @guest_address: physical address of guest memory region to send |
390 | * @guest_len: len of guest memory region to send |
391 | * @trans_address: physical address of host memory region |
392 | * @trans_len: len of host memory region |
393 | */ |
394 | struct sev_data_send_update_data { |
395 | u32 handle; /* In */ |
396 | u32 reserved1; |
397 | u64 hdr_address; /* In */ |
398 | u32 hdr_len; /* In/Out */ |
399 | u32 reserved2; |
400 | u64 guest_address; /* In */ |
401 | u32 guest_len; /* In */ |
402 | u32 reserved3; |
403 | u64 trans_address; /* In */ |
404 | u32 trans_len; /* In */ |
405 | } __packed; |
406 | |
407 | /** |
408 | * struct sev_data_send_update - SEND_UPDATE_VMSA command |
409 | * |
410 | * @handle: handle of the VM to process |
411 | * @hdr_address: physical address containing packet header |
412 | * @hdr_len: len of packet header |
413 | * @guest_address: physical address of guest memory region to send |
414 | * @guest_len: len of guest memory region to send |
415 | * @trans_address: physical address of host memory region |
416 | * @trans_len: len of host memory region |
417 | */ |
418 | struct sev_data_send_update_vmsa { |
419 | u32 handle; /* In */ |
420 | u64 hdr_address; /* In */ |
421 | u32 hdr_len; /* In/Out */ |
422 | u32 reserved2; |
423 | u64 guest_address; /* In */ |
424 | u32 guest_len; /* In */ |
425 | u32 reserved3; |
426 | u64 trans_address; /* In */ |
427 | u32 trans_len; /* In */ |
428 | } __packed; |
429 | |
430 | /** |
431 | * struct sev_data_send_finish - SEND_FINISH command parameters |
432 | * |
433 | * @handle: handle of the VM to process |
434 | */ |
435 | struct sev_data_send_finish { |
436 | u32 handle; /* In */ |
437 | } __packed; |
438 | |
439 | /** |
440 | * struct sev_data_send_cancel - SEND_CANCEL command parameters |
441 | * |
442 | * @handle: handle of the VM to process |
443 | */ |
444 | struct sev_data_send_cancel { |
445 | u32 handle; /* In */ |
446 | } __packed; |
447 | |
448 | /** |
449 | * struct sev_data_receive_start - RECEIVE_START command parameters |
450 | * |
451 | * @handle: handle of the VM to perform receive operation |
452 | * @pdh_cert_address: system physical address containing PDH certificate blob |
453 | * @pdh_cert_len: len of PDH certificate blob |
454 | * @session_address: system physical address containing session blob |
455 | * @session_len: len of session blob |
456 | */ |
457 | struct sev_data_receive_start { |
458 | u32 handle; /* In/Out */ |
459 | u32 policy; /* In */ |
460 | u64 pdh_cert_address; /* In */ |
461 | u32 pdh_cert_len; /* In */ |
462 | u32 reserved1; |
463 | u64 session_address; /* In */ |
464 | u32 session_len; /* In */ |
465 | } __packed; |
466 | |
467 | /** |
468 | * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters |
469 | * |
470 | * @handle: handle of the VM to update |
471 | * @hdr_address: physical address containing packet header blob |
472 | * @hdr_len: len of packet header |
473 | * @guest_address: system physical address of guest memory region |
474 | * @guest_len: len of guest memory region |
475 | * @trans_address: system physical address of transport buffer |
476 | * @trans_len: len of transport buffer |
477 | */ |
478 | struct sev_data_receive_update_data { |
479 | u32 handle; /* In */ |
480 | u32 reserved1; |
481 | u64 hdr_address; /* In */ |
482 | u32 hdr_len; /* In */ |
483 | u32 reserved2; |
484 | u64 guest_address; /* In */ |
485 | u32 guest_len; /* In */ |
486 | u32 reserved3; |
487 | u64 trans_address; /* In */ |
488 | u32 trans_len; /* In */ |
489 | } __packed; |
490 | |
491 | /** |
492 | * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters |
493 | * |
494 | * @handle: handle of the VM to update |
495 | * @hdr_address: physical address containing packet header blob |
496 | * @hdr_len: len of packet header |
497 | * @guest_address: system physical address of guest memory region |
498 | * @guest_len: len of guest memory region |
499 | * @trans_address: system physical address of transport buffer |
500 | * @trans_len: len of transport buffer |
501 | */ |
502 | struct sev_data_receive_update_vmsa { |
503 | u32 handle; /* In */ |
504 | u32 reserved1; |
505 | u64 hdr_address; /* In */ |
506 | u32 hdr_len; /* In */ |
507 | u32 reserved2; |
508 | u64 guest_address; /* In */ |
509 | u32 guest_len; /* In */ |
510 | u32 reserved3; |
511 | u64 trans_address; /* In */ |
512 | u32 trans_len; /* In */ |
513 | } __packed; |
514 | |
515 | /** |
516 | * struct sev_data_receive_finish - RECEIVE_FINISH command parameters |
517 | * |
518 | * @handle: handle of the VM to finish |
519 | */ |
520 | struct sev_data_receive_finish { |
521 | u32 handle; /* In */ |
522 | } __packed; |
523 | |
524 | /** |
525 | * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters |
526 | * |
527 | * @handle: handle of the VM to perform debug operation |
528 | * @src_addr: source address of data to operate on |
529 | * @dst_addr: destination address of data to operate on |
530 | * @len: len of data to operate on |
531 | */ |
532 | struct sev_data_dbg { |
533 | u32 handle; /* In */ |
534 | u32 reserved; |
535 | u64 src_addr; /* In */ |
536 | u64 dst_addr; /* In */ |
537 | u32 len; /* In */ |
538 | } __packed; |
539 | |
540 | /** |
541 | * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters |
542 | * |
543 | * @handle: handle of the VM |
544 | * @mnonce: a random nonce that will be included in the report. |
545 | * @address: physical address where the report will be copied. |
546 | * @len: length of the physical buffer. |
547 | */ |
548 | struct sev_data_attestation_report { |
549 | u32 handle; /* In */ |
550 | u32 reserved; |
551 | u64 address; /* In */ |
552 | u8 mnonce[16]; /* In */ |
553 | u32 len; /* In/Out */ |
554 | } __packed; |
555 | |
556 | /** |
557 | * struct sev_data_snp_download_firmware - SNP_DOWNLOAD_FIRMWARE command params |
558 | * |
559 | * @address: physical address of firmware image |
560 | * @len: length of the firmware image |
561 | */ |
562 | struct sev_data_snp_download_firmware { |
563 | u64 address; /* In */ |
564 | u32 len; /* In */ |
565 | } __packed; |
566 | |
567 | /** |
568 | * struct sev_data_snp_activate - SNP_ACTIVATE command params |
569 | * |
570 | * @gctx_paddr: system physical address guest context page |
571 | * @asid: ASID to bind to the guest |
572 | */ |
573 | struct sev_data_snp_activate { |
574 | u64 gctx_paddr; /* In */ |
575 | u32 asid; /* In */ |
576 | } __packed; |
577 | |
578 | /** |
579 | * struct sev_data_snp_addr - generic SNP command params |
580 | * |
581 | * @address: physical address of generic data param |
582 | */ |
583 | struct sev_data_snp_addr { |
584 | u64 address; /* In/Out */ |
585 | } __packed; |
586 | |
587 | /** |
588 | * struct sev_data_snp_launch_start - SNP_LAUNCH_START command params |
589 | * |
590 | * @gctx_paddr: system physical address of guest context page |
591 | * @policy: guest policy |
592 | * @ma_gctx_paddr: system physical address of migration agent |
593 | * @ma_en: the guest is associated with a migration agent |
594 | * @imi_en: launch flow is launching an IMI (Incoming Migration Image) for the |
595 | * purpose of guest-assisted migration. |
596 | * @rsvd: reserved |
597 | * @gosvw: guest OS-visible workarounds, as defined by hypervisor |
598 | */ |
599 | struct sev_data_snp_launch_start { |
600 | u64 gctx_paddr; /* In */ |
601 | u64 policy; /* In */ |
602 | u64 ma_gctx_paddr; /* In */ |
603 | u32 ma_en:1; /* In */ |
604 | u32 imi_en:1; /* In */ |
605 | u32 rsvd:30; |
606 | u8 gosvw[16]; /* In */ |
607 | } __packed; |
608 | |
609 | /* SNP support page type */ |
610 | enum { |
611 | SNP_PAGE_TYPE_NORMAL = 0x1, |
612 | SNP_PAGE_TYPE_VMSA = 0x2, |
613 | SNP_PAGE_TYPE_ZERO = 0x3, |
614 | SNP_PAGE_TYPE_UNMEASURED = 0x4, |
615 | SNP_PAGE_TYPE_SECRET = 0x5, |
616 | SNP_PAGE_TYPE_CPUID = 0x6, |
617 | |
618 | SNP_PAGE_TYPE_MAX |
619 | }; |
620 | |
621 | /** |
622 | * struct sev_data_snp_launch_update - SNP_LAUNCH_UPDATE command params |
623 | * |
624 | * @gctx_paddr: system physical address of guest context page |
625 | * @page_size: page size 0 indicates 4K and 1 indicates 2MB page |
626 | * @page_type: encoded page type |
627 | * @imi_page: indicates that this page is part of the IMI (Incoming Migration |
628 | * Image) of the guest |
629 | * @rsvd: reserved |
630 | * @rsvd2: reserved |
631 | * @address: system physical address of destination page to encrypt |
632 | * @rsvd3: reserved |
633 | * @vmpl1_perms: VMPL permission mask for VMPL1 |
634 | * @vmpl2_perms: VMPL permission mask for VMPL2 |
635 | * @vmpl3_perms: VMPL permission mask for VMPL3 |
636 | * @rsvd4: reserved |
637 | */ |
638 | struct sev_data_snp_launch_update { |
639 | u64 gctx_paddr; /* In */ |
640 | u32 page_size:1; /* In */ |
641 | u32 page_type:3; /* In */ |
642 | u32 imi_page:1; /* In */ |
643 | u32 rsvd:27; |
644 | u32 rsvd2; |
645 | u64 address; /* In */ |
646 | u32 rsvd3:8; |
647 | u32 vmpl1_perms:8; /* In */ |
648 | u32 vmpl2_perms:8; /* In */ |
649 | u32 vmpl3_perms:8; /* In */ |
650 | u32 rsvd4; |
651 | } __packed; |
652 | |
653 | /** |
654 | * struct sev_data_snp_launch_finish - SNP_LAUNCH_FINISH command params |
655 | * |
656 | * @gctx_paddr: system physical address of guest context page |
657 | * @id_block_paddr: system physical address of ID block |
658 | * @id_auth_paddr: system physical address of ID block authentication structure |
659 | * @id_block_en: indicates whether ID block is present |
660 | * @auth_key_en: indicates whether author key is present in authentication structure |
661 | * @rsvd: reserved |
662 | * @host_data: host-supplied data for guest, not interpreted by firmware |
663 | */ |
664 | struct sev_data_snp_launch_finish { |
665 | u64 gctx_paddr; |
666 | u64 id_block_paddr; |
667 | u64 id_auth_paddr; |
668 | u8 id_block_en:1; |
669 | u8 auth_key_en:1; |
670 | u64 rsvd:62; |
671 | u8 host_data[32]; |
672 | } __packed; |
673 | |
674 | /** |
675 | * struct sev_data_snp_guest_status - SNP_GUEST_STATUS command params |
676 | * |
677 | * @gctx_paddr: system physical address of guest context page |
678 | * @address: system physical address of guest status page |
679 | */ |
680 | struct sev_data_snp_guest_status { |
681 | u64 gctx_paddr; |
682 | u64 address; |
683 | } __packed; |
684 | |
685 | /** |
686 | * struct sev_data_snp_page_reclaim - SNP_PAGE_RECLAIM command params |
687 | * |
688 | * @paddr: system physical address of page to be claimed. The 0th bit in the |
689 | * address indicates the page size. 0h indicates 4KB and 1h indicates |
690 | * 2MB page. |
691 | */ |
692 | struct sev_data_snp_page_reclaim { |
693 | u64 paddr; |
694 | } __packed; |
695 | |
696 | /** |
697 | * struct sev_data_snp_page_unsmash - SNP_PAGE_UNSMASH command params |
698 | * |
699 | * @paddr: system physical address of page to be unsmashed. The 0th bit in the |
700 | * address indicates the page size. 0h indicates 4 KB and 1h indicates |
701 | * 2 MB page. |
702 | */ |
703 | struct sev_data_snp_page_unsmash { |
704 | u64 paddr; |
705 | } __packed; |
706 | |
707 | /** |
708 | * struct sev_data_snp_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters |
709 | * |
710 | * @gctx_paddr: system physical address of guest context page |
711 | * @src_addr: source address of data to operate on |
712 | * @dst_addr: destination address of data to operate on |
713 | */ |
714 | struct sev_data_snp_dbg { |
715 | u64 gctx_paddr; /* In */ |
716 | u64 src_addr; /* In */ |
717 | u64 dst_addr; /* In */ |
718 | } __packed; |
719 | |
720 | /** |
721 | * struct sev_data_snp_guest_request - SNP_GUEST_REQUEST command params |
722 | * |
723 | * @gctx_paddr: system physical address of guest context page |
724 | * @req_paddr: system physical address of request page |
725 | * @res_paddr: system physical address of response page |
726 | */ |
727 | struct sev_data_snp_guest_request { |
728 | u64 gctx_paddr; /* In */ |
729 | u64 req_paddr; /* In */ |
730 | u64 res_paddr; /* In */ |
731 | } __packed; |
732 | |
733 | /** |
734 | * struct sev_data_snp_init_ex - SNP_INIT_EX structure |
735 | * |
736 | * @init_rmp: indicate that the RMP should be initialized. |
737 | * @list_paddr_en: indicate that list_paddr is valid |
738 | * @rsvd: reserved |
739 | * @rsvd1: reserved |
740 | * @list_paddr: system physical address of range list |
741 | * @rsvd2: reserved |
742 | */ |
743 | struct sev_data_snp_init_ex { |
744 | u32 init_rmp:1; |
745 | u32 list_paddr_en:1; |
746 | u32 rsvd:30; |
747 | u32 rsvd1; |
748 | u64 list_paddr; |
749 | u8 rsvd2[48]; |
750 | } __packed; |
751 | |
752 | /** |
753 | * struct sev_data_range - RANGE structure |
754 | * |
755 | * @base: system physical address of first byte of range |
756 | * @page_count: number of 4KB pages in this range |
757 | * @rsvd: reserved |
758 | */ |
759 | struct sev_data_range { |
760 | u64 base; |
761 | u32 page_count; |
762 | u32 rsvd; |
763 | } __packed; |
764 | |
765 | /** |
766 | * struct sev_data_range_list - RANGE_LIST structure |
767 | * |
768 | * @num_elements: number of elements in RANGE_ARRAY |
769 | * @rsvd: reserved |
770 | * @ranges: array of num_elements of type RANGE |
771 | */ |
772 | struct sev_data_range_list { |
773 | u32 num_elements; |
774 | u32 rsvd; |
775 | struct sev_data_range ranges[]; |
776 | } __packed; |
777 | |
778 | /** |
779 | * struct sev_data_snp_shutdown_ex - SNP_SHUTDOWN_EX structure |
780 | * |
781 | * @len: length of the command buffer read by the PSP |
782 | * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU |
783 | * @rsvd1: reserved |
784 | */ |
785 | struct sev_data_snp_shutdown_ex { |
786 | u32 len; |
787 | u32 iommu_snp_shutdown:1; |
788 | u32 rsvd1:31; |
789 | } __packed; |
790 | |
791 | /** |
792 | * struct sev_platform_init_args |
793 | * |
794 | * @error: SEV firmware error code |
795 | * @probe: True if this is being called as part of CCP module probe, which |
796 | * will defer SEV_INIT/SEV_INIT_EX firmware initialization until needed |
797 | * unless psp_init_on_probe module param is set |
798 | */ |
799 | struct sev_platform_init_args { |
800 | int error; |
801 | bool probe; |
802 | }; |
803 | |
804 | /** |
805 | * struct sev_data_snp_commit - SNP_COMMIT structure |
806 | * |
807 | * @len: length of the command buffer read by the PSP |
808 | */ |
809 | struct sev_data_snp_commit { |
810 | u32 len; |
811 | } __packed; |
812 | |
813 | #ifdef CONFIG_CRYPTO_DEV_SP_PSP |
814 | |
815 | /** |
816 | * sev_platform_init - perform SEV INIT command |
817 | * |
818 | * @args: struct sev_platform_init_args to pass in arguments |
819 | * |
820 | * Returns: |
821 | * 0 if the SEV successfully processed the command |
822 | * -%ENODEV if the SEV device is not available |
823 | * -%ENOTSUPP if the SEV does not support SEV |
824 | * -%ETIMEDOUT if the SEV command timed out |
825 | * -%EIO if the SEV returned a non-zero return code |
826 | */ |
827 | int sev_platform_init(struct sev_platform_init_args *args); |
828 | |
829 | /** |
830 | * sev_platform_status - perform SEV PLATFORM_STATUS command |
831 | * |
832 | * @status: sev_user_data_status structure to be processed |
833 | * @error: SEV command return code |
834 | * |
835 | * Returns: |
836 | * 0 if the SEV successfully processed the command |
837 | * -%ENODEV if the SEV device is not available |
838 | * -%ENOTSUPP if the SEV does not support SEV |
839 | * -%ETIMEDOUT if the SEV command timed out |
840 | * -%EIO if the SEV returned a non-zero return code |
841 | */ |
842 | int sev_platform_status(struct sev_user_data_status *status, int *error); |
843 | |
844 | /** |
845 | * sev_issue_cmd_external_user - issue SEV command by other driver with a file |
846 | * handle. |
847 | * |
848 | * This function can be used by other drivers to issue a SEV command on |
849 | * behalf of userspace. The caller must pass a valid SEV file descriptor |
850 | * so that we know that it has access to SEV device. |
851 | * |
852 | * @filep - SEV device file pointer |
853 | * @cmd - command to issue |
854 | * @data - command buffer |
855 | * @error: SEV command return code |
856 | * |
857 | * Returns: |
858 | * 0 if the SEV successfully processed the command |
859 | * -%ENODEV if the SEV device is not available |
860 | * -%ENOTSUPP if the SEV does not support SEV |
861 | * -%ETIMEDOUT if the SEV command timed out |
862 | * -%EIO if the SEV returned a non-zero return code |
863 | * -%EINVAL if the SEV file descriptor is not valid |
864 | */ |
865 | int sev_issue_cmd_external_user(struct file *filep, unsigned int id, |
866 | void *data, int *error); |
867 | |
868 | /** |
869 | * sev_guest_deactivate - perform SEV DEACTIVATE command |
870 | * |
871 | * @deactivate: sev_data_deactivate structure to be processed |
872 | * @sev_ret: sev command return code |
873 | * |
874 | * Returns: |
875 | * 0 if the sev successfully processed the command |
876 | * -%ENODEV if the sev device is not available |
877 | * -%ENOTSUPP if the sev does not support SEV |
878 | * -%ETIMEDOUT if the sev command timed out |
879 | * -%EIO if the sev returned a non-zero return code |
880 | */ |
881 | int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); |
882 | |
883 | /** |
884 | * sev_guest_activate - perform SEV ACTIVATE command |
885 | * |
886 | * @activate: sev_data_activate structure to be processed |
887 | * @sev_ret: sev command return code |
888 | * |
889 | * Returns: |
890 | * 0 if the sev successfully processed the command |
891 | * -%ENODEV if the sev device is not available |
892 | * -%ENOTSUPP if the sev does not support SEV |
893 | * -%ETIMEDOUT if the sev command timed out |
894 | * -%EIO if the sev returned a non-zero return code |
895 | */ |
896 | int sev_guest_activate(struct sev_data_activate *data, int *error); |
897 | |
898 | /** |
899 | * sev_guest_df_flush - perform SEV DF_FLUSH command |
900 | * |
901 | * @sev_ret: sev command return code |
902 | * |
903 | * Returns: |
904 | * 0 if the sev successfully processed the command |
905 | * -%ENODEV if the sev device is not available |
906 | * -%ENOTSUPP if the sev does not support SEV |
907 | * -%ETIMEDOUT if the sev command timed out |
908 | * -%EIO if the sev returned a non-zero return code |
909 | */ |
910 | int sev_guest_df_flush(int *error); |
911 | |
912 | /** |
913 | * sev_guest_decommission - perform SEV DECOMMISSION command |
914 | * |
915 | * @decommission: sev_data_decommission structure to be processed |
916 | * @sev_ret: sev command return code |
917 | * |
918 | * Returns: |
919 | * 0 if the sev successfully processed the command |
920 | * -%ENODEV if the sev device is not available |
921 | * -%ENOTSUPP if the sev does not support SEV |
922 | * -%ETIMEDOUT if the sev command timed out |
923 | * -%EIO if the sev returned a non-zero return code |
924 | */ |
925 | int sev_guest_decommission(struct sev_data_decommission *data, int *error); |
926 | |
927 | /** |
928 | * sev_do_cmd - issue an SEV or an SEV-SNP command |
929 | * |
930 | * @cmd: SEV or SEV-SNP firmware command to issue |
931 | * @data: arguments for firmware command |
932 | * @psp_ret: SEV command return code |
933 | * |
934 | * Returns: |
935 | * 0 if the SEV device successfully processed the command |
936 | * -%ENODEV if the PSP device is not available |
937 | * -%ENOTSUPP if PSP device does not support SEV |
938 | * -%ETIMEDOUT if the SEV command timed out |
939 | * -%EIO if PSP device returned a non-zero return code |
940 | */ |
941 | int sev_do_cmd(int cmd, void *data, int *psp_ret); |
942 | |
943 | void *psp_copy_user_blob(u64 uaddr, u32 len); |
944 | void *snp_alloc_firmware_page(gfp_t mask); |
945 | void snp_free_firmware_page(void *addr); |
946 | |
947 | #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ |
948 | |
949 | static inline int |
950 | sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } |
951 | |
952 | static inline int sev_platform_init(struct sev_platform_init_args *args) { return -ENODEV; } |
953 | |
954 | static inline int |
955 | sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } |
956 | |
957 | static inline int |
958 | sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } |
959 | |
960 | static inline int |
961 | sev_do_cmd(int cmd, void *data, int *psp_ret) { return -ENODEV; } |
962 | |
963 | static inline int |
964 | sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } |
965 | |
966 | static inline int sev_guest_df_flush(int *error) { return -ENODEV; } |
967 | |
968 | static inline int |
969 | sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } |
970 | |
971 | static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } |
972 | |
973 | static inline void *snp_alloc_firmware_page(gfp_t mask) |
974 | { |
975 | return NULL; |
976 | } |
977 | |
978 | static inline void snp_free_firmware_page(void *addr) { } |
979 | |
980 | #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ |
981 | |
982 | #endif /* __PSP_SEV_H__ */ |
983 | |