1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Copyright IBM Corp. 2022 |
4 | * Author(s): Steffen Eiden <seiden@linux.ibm.com> |
5 | * |
6 | * This file provides a Linux misc device to give userspace access to some |
7 | * Ultravisor (UV) functions. The device only accepts IOCTLs and will only |
8 | * be present if the Ultravisor facility (158) is present. |
9 | * |
10 | * When userspace sends a valid IOCTL uvdevice will copy the input data to |
11 | * kernel space, do some basic validity checks to avoid kernel/system |
12 | * corruption. Any other check that the Ultravisor does will not be done by |
13 | * the uvdevice to keep changes minimal when adding new functionalities |
14 | * to existing UV-calls. |
15 | * After the checks uvdevice builds a corresponding |
16 | * Ultravisor Call Control Block, and sends the request to the Ultravisor. |
17 | * Then, it copies the response, including the return codes, back to userspace. |
18 | * It is the responsibility of the userspace to check for any error issued |
19 | * by UV and to interpret the UV response. The uvdevice acts as a communication |
20 | * channel for userspace to the Ultravisor. |
21 | */ |
22 | |
23 | #include <linux/module.h> |
24 | #include <linux/kernel.h> |
25 | #include <linux/miscdevice.h> |
26 | #include <linux/types.h> |
27 | #include <linux/stddef.h> |
28 | #include <linux/vmalloc.h> |
29 | #include <linux/slab.h> |
30 | #include <linux/cpufeature.h> |
31 | |
32 | #include <asm/uvdevice.h> |
33 | #include <asm/uv.h> |
34 | |
35 | #define BIT_UVIO_INTERNAL U32_MAX |
36 | /* Mapping from IOCTL-nr to UVC-bit */ |
37 | static const u32 ioctl_nr_to_uvc_bit[] __initconst = { |
38 | [UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL, |
39 | [UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST, |
40 | [UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET, |
41 | [UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS, |
42 | [UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS, |
43 | }; |
44 | |
45 | static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS); |
46 | |
47 | static struct uvio_uvdev_info uvdev_info = { |
48 | .supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0), |
49 | }; |
50 | |
51 | static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds) |
52 | { |
53 | int i; |
54 | |
55 | for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) { |
56 | if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL) |
57 | continue; |
58 | if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list)) |
59 | continue; |
60 | __set_bit(i, supp_uv_cmds); |
61 | } |
62 | } |
63 | |
64 | /** |
65 | * uvio_uvdev_info() - get information about the uvdevice |
66 | * |
67 | * @uv_ioctl: ioctl control block |
68 | * |
69 | * Lists all IOCTLs that are supported by this uvdevice |
70 | */ |
71 | static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl) |
72 | { |
73 | void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; |
74 | |
75 | if (uv_ioctl->argument_len < sizeof(uvdev_info)) |
76 | return -EINVAL; |
77 | if (copy_to_user(to: user_buf_arg, from: &uvdev_info, n: sizeof(uvdev_info))) |
78 | return -EFAULT; |
79 | |
80 | uv_ioctl->uv_rc = UVC_RC_EXECUTED; |
81 | return 0; |
82 | } |
83 | |
84 | static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb, |
85 | u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest) |
86 | { |
87 | void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr; |
88 | |
89 | if (copy_from_user(to: arcb, from: user_buf_arcb, n: uvio_attest->arcb_len)) |
90 | return -EFAULT; |
91 | |
92 | uvcb_attest->header.len = sizeof(*uvcb_attest); |
93 | uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST; |
94 | uvcb_attest->arcb_addr = (u64)arcb; |
95 | uvcb_attest->cont_token = 0; |
96 | uvcb_attest->user_data_len = uvio_attest->user_data_len; |
97 | memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data)); |
98 | uvcb_attest->meas_len = uvio_attest->meas_len; |
99 | uvcb_attest->meas_addr = (u64)meas; |
100 | uvcb_attest->add_data_len = uvio_attest->add_data_len; |
101 | uvcb_attest->add_data_addr = (u64)add_data; |
102 | |
103 | return 0; |
104 | } |
105 | |
106 | static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest, |
107 | struct uvio_ioctl_cb *uv_ioctl, |
108 | u8 *measurement, u8 *add_data, |
109 | struct uvio_attest *uvio_attest) |
110 | { |
111 | struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr; |
112 | u32 __user *user_buf_add_len = (u32 __user *)&user_uvio_attest->add_data_len; |
113 | void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr; |
114 | void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr; |
115 | void __user *user_buf_uid = &user_uvio_attest->config_uid; |
116 | |
117 | if (copy_to_user(to: user_buf_meas, from: measurement, n: uvio_attest->meas_len)) |
118 | return -EFAULT; |
119 | if (add_data && copy_to_user(to: user_buf_add, from: add_data, n: uvio_attest->add_data_len)) |
120 | return -EFAULT; |
121 | if (put_user(uvio_attest->add_data_len, user_buf_add_len)) |
122 | return -EFAULT; |
123 | if (copy_to_user(to: user_buf_uid, from: uvcb_attest->config_uid, n: sizeof(uvcb_attest->config_uid))) |
124 | return -EFAULT; |
125 | return 0; |
126 | } |
127 | |
128 | static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest) |
129 | { |
130 | u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr; |
131 | |
132 | if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest))) |
133 | return -EFAULT; |
134 | |
135 | if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN) |
136 | return -EINVAL; |
137 | if (uvio_attest->arcb_len == 0) |
138 | return -EINVAL; |
139 | if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN) |
140 | return -EINVAL; |
141 | if (uvio_attest->meas_len == 0) |
142 | return -EINVAL; |
143 | if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN) |
144 | return -EINVAL; |
145 | if (uvio_attest->reserved136) |
146 | return -EINVAL; |
147 | return 0; |
148 | } |
149 | |
150 | /** |
151 | * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC. |
152 | * |
153 | * @uv_ioctl: ioctl control block |
154 | * |
155 | * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call. |
156 | * It verifies that the given userspace addresses are valid and request sizes |
157 | * are sane. Every other check is made by the Ultravisor (UV) and won't result |
158 | * in a negative return value. It copies the input to kernelspace, builds the |
159 | * request, sends the UV-call, and copies the result to userspace. |
160 | * |
161 | * The Attestation Request has two input and two outputs. |
162 | * ARCB and User Data are inputs for the UV generated by userspace. |
163 | * Measurement and Additional Data are outputs for userspace generated by UV. |
164 | * |
165 | * The Attestation Request Control Block (ARCB) is a cryptographically verified |
166 | * and secured request to UV and User Data is some plaintext data which is |
167 | * going to be included in the Attestation Measurement calculation. |
168 | * |
169 | * Measurement is a cryptographic measurement of the callers properties, |
170 | * optional data configured by the ARCB and the user data. If specified by the |
171 | * ARCB, UV will add some Additional Data to the measurement calculation. |
172 | * This Additional Data is then returned as well. |
173 | * |
174 | * If the Retrieve Attestation Measurement UV facility is not present, |
175 | * UV will return invalid command rc. This won't be fenced in the driver |
176 | * and does not result in a negative return value. |
177 | * |
178 | * Context: might sleep |
179 | * |
180 | * Return: 0 on success or a negative error code on error. |
181 | */ |
182 | static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl) |
183 | { |
184 | struct uv_cb_attest *uvcb_attest = NULL; |
185 | struct uvio_attest *uvio_attest = NULL; |
186 | u8 *measurement = NULL; |
187 | u8 *add_data = NULL; |
188 | u8 *arcb = NULL; |
189 | int ret; |
190 | |
191 | ret = -EINVAL; |
192 | if (uv_ioctl->argument_len != sizeof(*uvio_attest)) |
193 | goto out; |
194 | |
195 | ret = -ENOMEM; |
196 | uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL); |
197 | if (!uvio_attest) |
198 | goto out; |
199 | |
200 | ret = get_uvio_attest(uv_ioctl, uvio_attest); |
201 | if (ret) |
202 | goto out; |
203 | |
204 | ret = -ENOMEM; |
205 | arcb = kvzalloc(size: uvio_attest->arcb_len, GFP_KERNEL); |
206 | measurement = kvzalloc(size: uvio_attest->meas_len, GFP_KERNEL); |
207 | if (!arcb || !measurement) |
208 | goto out; |
209 | |
210 | if (uvio_attest->add_data_len) { |
211 | add_data = kvzalloc(size: uvio_attest->add_data_len, GFP_KERNEL); |
212 | if (!add_data) |
213 | goto out; |
214 | } |
215 | |
216 | uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL); |
217 | if (!uvcb_attest) |
218 | goto out; |
219 | |
220 | ret = uvio_build_uvcb_attest(uvcb_attest, arcb, meas: measurement, add_data, uvio_attest); |
221 | if (ret) |
222 | goto out; |
223 | |
224 | uv_call_sched(0, (u64)uvcb_attest); |
225 | |
226 | uv_ioctl->uv_rc = uvcb_attest->header.rc; |
227 | uv_ioctl->uv_rrc = uvcb_attest->header.rrc; |
228 | |
229 | ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data, |
230 | uvio_attest); |
231 | out: |
232 | kvfree(addr: arcb); |
233 | kvfree(addr: measurement); |
234 | kvfree(addr: add_data); |
235 | kfree(objp: uvio_attest); |
236 | kfree(objp: uvcb_attest); |
237 | return ret; |
238 | } |
239 | |
240 | /** uvio_add_secret() - perform an Add Secret UVC |
241 | * |
242 | * @uv_ioctl: ioctl control block |
243 | * |
244 | * uvio_add_secret() performs the Add Secret Ultravisor Call. |
245 | * |
246 | * The given userspace argument address and size are verified to be |
247 | * valid but every other check is made by the Ultravisor |
248 | * (UV). Therefore UV errors won't result in a negative return |
249 | * value. The request is then copied to kernelspace, the UV-call is |
250 | * performed and the results are copied back to userspace. |
251 | * |
252 | * The argument has to point to an Add Secret Request Control Block |
253 | * which is an encrypted and cryptographically verified request that |
254 | * inserts a protected guest's secrets into the Ultravisor for later |
255 | * use. |
256 | * |
257 | * If the Add Secret UV facility is not present, UV will return |
258 | * invalid command rc. This won't be fenced in the driver and does not |
259 | * result in a negative return value. |
260 | * |
261 | * Context: might sleep |
262 | * |
263 | * Return: 0 on success or a negative error code on error. |
264 | */ |
265 | static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl) |
266 | { |
267 | void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; |
268 | struct uv_cb_guest_addr uvcb = { |
269 | .header.len = sizeof(uvcb), |
270 | .header.cmd = UVC_CMD_ADD_SECRET, |
271 | }; |
272 | void *asrcb = NULL; |
273 | int ret; |
274 | |
275 | if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN) |
276 | return -EINVAL; |
277 | if (uv_ioctl->argument_len == 0) |
278 | return -EINVAL; |
279 | |
280 | asrcb = kvzalloc(size: uv_ioctl->argument_len, GFP_KERNEL); |
281 | if (!asrcb) |
282 | return -ENOMEM; |
283 | |
284 | ret = -EFAULT; |
285 | if (copy_from_user(to: asrcb, from: user_buf_arg, n: uv_ioctl->argument_len)) |
286 | goto out; |
287 | |
288 | ret = 0; |
289 | uvcb.addr = (u64)asrcb; |
290 | uv_call_sched(0, (u64)&uvcb); |
291 | uv_ioctl->uv_rc = uvcb.header.rc; |
292 | uv_ioctl->uv_rrc = uvcb.header.rrc; |
293 | |
294 | out: |
295 | kvfree(addr: asrcb); |
296 | return ret; |
297 | } |
298 | |
299 | /** uvio_list_secrets() - perform a List Secret UVC |
300 | * @uv_ioctl: ioctl control block |
301 | * |
302 | * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies |
303 | * that the given userspace argument address is valid and its size is sane. |
304 | * Every other check is made by the Ultravisor (UV) and won't result in a |
305 | * negative return value. It builds the request, performs the UV-call, and |
306 | * copies the result to userspace. |
307 | * |
308 | * The argument specifies the location for the result of the UV-Call. |
309 | * |
310 | * If the List Secrets UV facility is not present, UV will return invalid |
311 | * command rc. This won't be fenced in the driver and does not result in a |
312 | * negative return value. |
313 | * |
314 | * Context: might sleep |
315 | * |
316 | * Return: 0 on success or a negative error code on error. |
317 | */ |
318 | static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl) |
319 | { |
320 | void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; |
321 | struct uv_cb_guest_addr uvcb = { |
322 | .header.len = sizeof(uvcb), |
323 | .header.cmd = UVC_CMD_LIST_SECRETS, |
324 | }; |
325 | void *secrets = NULL; |
326 | int ret = 0; |
327 | |
328 | if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN) |
329 | return -EINVAL; |
330 | |
331 | secrets = kvzalloc(size: UVIO_LIST_SECRETS_LEN, GFP_KERNEL); |
332 | if (!secrets) |
333 | return -ENOMEM; |
334 | |
335 | uvcb.addr = (u64)secrets; |
336 | uv_call_sched(0, (u64)&uvcb); |
337 | uv_ioctl->uv_rc = uvcb.header.rc; |
338 | uv_ioctl->uv_rrc = uvcb.header.rrc; |
339 | |
340 | if (copy_to_user(to: user_buf_arg, from: secrets, n: UVIO_LIST_SECRETS_LEN)) |
341 | ret = -EFAULT; |
342 | |
343 | kvfree(addr: secrets); |
344 | return ret; |
345 | } |
346 | |
347 | /** uvio_lock_secrets() - perform a Lock Secret Store UVC |
348 | * @uv_ioctl: ioctl control block |
349 | * |
350 | * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It |
351 | * performs the UV-call and copies the return codes to the ioctl control block. |
352 | * After this call was dispatched successfully every following Add Secret UVC |
353 | * and Lock Secrets UVC will fail with return code 0x102. |
354 | * |
355 | * The argument address and size must be 0. |
356 | * |
357 | * If the Lock Secrets UV facility is not present, UV will return invalid |
358 | * command rc. This won't be fenced in the driver and does not result in a |
359 | * negative return value. |
360 | * |
361 | * Context: might sleep |
362 | * |
363 | * Return: 0 on success or a negative error code on error. |
364 | */ |
365 | static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl) |
366 | { |
367 | struct uv_cb_nodata uvcb = { |
368 | .header.len = sizeof(uvcb), |
369 | .header.cmd = UVC_CMD_LOCK_SECRETS, |
370 | }; |
371 | |
372 | if (ioctl->argument_addr || ioctl->argument_len) |
373 | return -EINVAL; |
374 | |
375 | uv_call(0, (u64)&uvcb); |
376 | ioctl->uv_rc = uvcb.header.rc; |
377 | ioctl->uv_rrc = uvcb.header.rrc; |
378 | |
379 | return 0; |
380 | } |
381 | |
382 | static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp, |
383 | unsigned long cmd) |
384 | { |
385 | u8 nr = _IOC_NR(cmd); |
386 | |
387 | if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE)) |
388 | return -ENOIOCTLCMD; |
389 | if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC) |
390 | return -ENOIOCTLCMD; |
391 | if (nr >= UVIO_IOCTL_NUM_IOCTLS) |
392 | return -ENOIOCTLCMD; |
393 | if (_IOC_SIZE(cmd) != sizeof(*ioctl)) |
394 | return -ENOIOCTLCMD; |
395 | if (copy_from_user(ioctl, argp, sizeof(*ioctl))) |
396 | return -EFAULT; |
397 | if (ioctl->flags != 0) |
398 | return -EINVAL; |
399 | if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14))) |
400 | return -EINVAL; |
401 | |
402 | return nr; |
403 | } |
404 | |
405 | /* |
406 | * IOCTL entry point for the Ultravisor device. |
407 | */ |
408 | static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) |
409 | { |
410 | void __user *argp = (void __user *)arg; |
411 | struct uvio_ioctl_cb uv_ioctl = { }; |
412 | long ret; |
413 | int nr; |
414 | |
415 | nr = uvio_copy_and_check_ioctl(ioctl: &uv_ioctl, argp, cmd); |
416 | if (nr < 0) |
417 | return nr; |
418 | |
419 | switch (nr) { |
420 | case UVIO_IOCTL_UVDEV_INFO_NR: |
421 | ret = uvio_uvdev_info(uv_ioctl: &uv_ioctl); |
422 | break; |
423 | case UVIO_IOCTL_ATT_NR: |
424 | ret = uvio_attestation(uv_ioctl: &uv_ioctl); |
425 | break; |
426 | case UVIO_IOCTL_ADD_SECRET_NR: |
427 | ret = uvio_add_secret(uv_ioctl: &uv_ioctl); |
428 | break; |
429 | case UVIO_IOCTL_LIST_SECRETS_NR: |
430 | ret = uvio_list_secrets(uv_ioctl: &uv_ioctl); |
431 | break; |
432 | case UVIO_IOCTL_LOCK_SECRETS_NR: |
433 | ret = uvio_lock_secrets(ioctl: &uv_ioctl); |
434 | break; |
435 | default: |
436 | ret = -ENOIOCTLCMD; |
437 | break; |
438 | } |
439 | if (ret) |
440 | return ret; |
441 | |
442 | if (copy_to_user(to: argp, from: &uv_ioctl, n: sizeof(uv_ioctl))) |
443 | ret = -EFAULT; |
444 | |
445 | return ret; |
446 | } |
447 | |
448 | static const struct file_operations uvio_dev_fops = { |
449 | .owner = THIS_MODULE, |
450 | .unlocked_ioctl = uvio_ioctl, |
451 | .llseek = no_llseek, |
452 | }; |
453 | |
454 | static struct miscdevice uvio_dev_miscdev = { |
455 | .minor = MISC_DYNAMIC_MINOR, |
456 | .name = UVIO_DEVICE_NAME, |
457 | .fops = &uvio_dev_fops, |
458 | }; |
459 | |
460 | static void __exit uvio_dev_exit(void) |
461 | { |
462 | misc_deregister(misc: &uvio_dev_miscdev); |
463 | } |
464 | |
465 | static int __init uvio_dev_init(void) |
466 | { |
467 | set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds); |
468 | return misc_register(misc: &uvio_dev_miscdev); |
469 | } |
470 | |
471 | module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init); |
472 | module_exit(uvio_dev_exit); |
473 | |
474 | MODULE_AUTHOR("IBM Corporation" ); |
475 | MODULE_LICENSE("GPL" ); |
476 | MODULE_DESCRIPTION("Ultravisor UAPI driver" ); |
477 | |