uvdevice.c source code [linux/drivers/s390/char/uvdevice.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* Copyright IBM Corp. 2022
4	* Author(s): Steffen Eiden <seiden@linux.ibm.com>
5	*
6	* This file provides a Linux misc device to give userspace access to some
7	* Ultravisor (UV) functions. The device only accepts IOCTLs and will only
8	* be present if the Ultravisor facility (158) is present.
9	*
10	* When userspace sends a valid IOCTL uvdevice will copy the input data to
11	* kernel space, do some basic validity checks to avoid kernel/system
12	* corruption. Any other check that the Ultravisor does will not be done by
13	* the uvdevice to keep changes minimal when adding new functionalities
14	* to existing UV-calls.
15	* After the checks uvdevice builds a corresponding
16	* Ultravisor Call Control Block, and sends the request to the Ultravisor.
17	* Then, it copies the response, including the return codes, back to userspace.
18	* It is the responsibility of the userspace to check for any error issued
19	* by UV and to interpret the UV response. The uvdevice acts as a communication
20	* channel for userspace to the Ultravisor.
21	*/
22
23	#include <linux/module.h>
24	#include <linux/kernel.h>
25	#include <linux/miscdevice.h>
26	#include <linux/types.h>
27	#include <linux/stddef.h>
28	#include <linux/vmalloc.h>
29	#include <linux/slab.h>
30	#include <linux/cpufeature.h>
31
32	#include <asm/uvdevice.h>
33	#include <asm/uv.h>
34
35	#define BIT_UVIO_INTERNAL U32_MAX
36	/ Mapping from IOCTL-nr to UVC-bit /
37	static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
38	[UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
39	[UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
40	[UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
41	[UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
42	[UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
43	};
44
45	static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
46
47	static struct uvio_uvdev_info uvdev_info = {
48	.supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - `1`, `0`),
49	};
50
51	static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
52	{
53	int i;
54
55	for (i = `0`; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
56	if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
57	continue;
58	if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
59	continue;
60	__set_bit(i, supp_uv_cmds);
61	}
62	}
63
64	/**
65	* uvio_uvdev_info() - get information about the uvdevice
66	*
67	* @uv_ioctl: ioctl control block
68	*
69	* Lists all IOCTLs that are supported by this uvdevice
70	*/
71	static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
72	{
73	void __user user_buf_arg = (void* __user *)uv_ioctl->argument_addr;
74
75	if (uv_ioctl->argument_len < sizeof(uvdev_info))
76	return -EINVAL;
77	if (copy_to_user(to: user_buf_arg, from: &uvdev_info, n: sizeof(uvdev_info)))
78	return -EFAULT;
79
80	uv_ioctl->uv_rc = UVC_RC_EXECUTED;
81	return `0`;
82	}
83
84	static int uvio_build_uvcb_attest(struct uv_cb_attest uvcb_attest, u8 arcb,
85	u8 meas, u8 add_data, struct uvio_attest *uvio_attest)
86	{
87	void __user user_buf_arcb = (void* __user *)uvio_attest->arcb_addr;
88
89	if (copy_from_user(to: arcb, from: user_buf_arcb, n: uvio_attest->arcb_len))
90	return -EFAULT;
91
92	uvcb_attest->header.len = sizeof(*uvcb_attest);
93	uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
94	uvcb_attest->arcb_addr = (u64)arcb;
95	uvcb_attest->cont_token = `0`;
96	uvcb_attest->user_data_len = uvio_attest->user_data_len;
97	memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
98	uvcb_attest->meas_len = uvio_attest->meas_len;
99	uvcb_attest->meas_addr = (u64)meas;
100	uvcb_attest->add_data_len = uvio_attest->add_data_len;
101	uvcb_attest->add_data_addr = (u64)add_data;
102
103	return `0`;
104	}
105
106	static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
107	struct uvio_ioctl_cb *uv_ioctl,
108	u8 measurement, u8 add_data,
109	struct uvio_attest *uvio_attest)
110	{
111	struct uvio_attest __user user_uvio_attest = (void* __user *)uv_ioctl->argument_addr;
112	u32 __user user_buf_add_len = (u32 __user )&user_uvio_attest->add_data_len;
113	void __user user_buf_add = (void* __user *)uvio_attest->add_data_addr;
114	void __user user_buf_meas = (void* __user *)uvio_attest->meas_addr;
115	void __user *user_buf_uid = &user_uvio_attest->config_uid;
116
117	if (copy_to_user(to: user_buf_meas, from: measurement, n: uvio_attest->meas_len))
118	return -EFAULT;
119	if (add_data && copy_to_user(to: user_buf_add, from: add_data, n: uvio_attest->add_data_len))
120	return -EFAULT;
121	if (put_user(uvio_attest->add_data_len, user_buf_add_len))
122	return -EFAULT;
123	if (copy_to_user(to: user_buf_uid, from: uvcb_attest->config_uid, n: sizeof(uvcb_attest->config_uid)))
124	return -EFAULT;
125	return `0`;
126	}
127
128	static int get_uvio_attest(struct uvio_ioctl_cb uv_ioctl, struct* uvio_attest *uvio_attest)
129	{
130	u8 __user user_arg_buf = (u8 __user )uv_ioctl->argument_addr;
131
132	if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
133	return -EFAULT;
134
135	if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
136	return -EINVAL;
137	if (uvio_attest->arcb_len == `0`)
138	return -EINVAL;
139	if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
140	return -EINVAL;
141	if (uvio_attest->meas_len == `0`)
142	return -EINVAL;
143	if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
144	return -EINVAL;
145	if (uvio_attest->reserved136)
146	return -EINVAL;
147	return `0`;
148	}
149
150	/**
151	* uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
152	*
153	* @uv_ioctl: ioctl control block
154	*
155	* uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
156	* It verifies that the given userspace addresses are valid and request sizes
157	* are sane. Every other check is made by the Ultravisor (UV) and won't result
158	* in a negative return value. It copies the input to kernelspace, builds the
159	* request, sends the UV-call, and copies the result to userspace.
160	*
161	* The Attestation Request has two input and two outputs.
162	* ARCB and User Data are inputs for the UV generated by userspace.
163	* Measurement and Additional Data are outputs for userspace generated by UV.
164	*
165	* The Attestation Request Control Block (ARCB) is a cryptographically verified
166	* and secured request to UV and User Data is some plaintext data which is
167	* going to be included in the Attestation Measurement calculation.
168	*
169	* Measurement is a cryptographic measurement of the callers properties,
170	* optional data configured by the ARCB and the user data. If specified by the
171	* ARCB, UV will add some Additional Data to the measurement calculation.
172	* This Additional Data is then returned as well.
173	*
174	* If the Retrieve Attestation Measurement UV facility is not present,
175	* UV will return invalid command rc. This won't be fenced in the driver
176	* and does not result in a negative return value.
177	*
178	* Context: might sleep
179	*
180	* Return: 0 on success or a negative error code on error.
181	*/
182	static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
183	{
184	struct uv_cb_attest *uvcb_attest = NULL;
185	struct uvio_attest *uvio_attest = NULL;
186	u8 *measurement = NULL;
187	u8 *add_data = NULL;
188	u8 *arcb = NULL;
189	int ret;
190
191	ret = -EINVAL;
192	if (uv_ioctl->argument_len != sizeof(*uvio_attest))
193	goto out;
194
195	ret = -ENOMEM;
196	uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
197	if (!uvio_attest)
198	goto out;
199
200	ret = get_uvio_attest(uv_ioctl, uvio_attest);
201	if (ret)
202	goto out;
203
204	ret = -ENOMEM;
205	arcb = kvzalloc(size: uvio_attest->arcb_len, GFP_KERNEL);
206	measurement = kvzalloc(size: uvio_attest->meas_len, GFP_KERNEL);
207	if (!arcb \|\| !measurement)
208	goto out;
209
210	if (uvio_attest->add_data_len) {
211	add_data = kvzalloc(size: uvio_attest->add_data_len, GFP_KERNEL);
212	if (!add_data)
213	goto out;
214	}
215
216	uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
217	if (!uvcb_attest)
218	goto out;
219
220	ret = uvio_build_uvcb_attest(uvcb_attest, arcb, meas: measurement, add_data, uvio_attest);
221	if (ret)
222	goto out;
223
224	uv_call_sched(`0`, (u64)uvcb_attest);
225
226	uv_ioctl->uv_rc = uvcb_attest->header.rc;
227	uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
228
229	ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
230	uvio_attest);
231	out:
232	kvfree(addr: arcb);
233	kvfree(addr: measurement);
234	kvfree(addr: add_data);
235	kfree(objp: uvio_attest);
236	kfree(objp: uvcb_attest);
237	return ret;
238	}
239
240	/* uvio_add_secret() - perform an Add Secret UVC*
241	*
242	* @uv_ioctl: ioctl control block
243	*
244	* uvio_add_secret() performs the Add Secret Ultravisor Call.
245	*
246	* The given userspace argument address and size are verified to be
247	* valid but every other check is made by the Ultravisor
248	* (UV). Therefore UV errors won't result in a negative return
249	* value. The request is then copied to kernelspace, the UV-call is
250	* performed and the results are copied back to userspace.
251	*
252	* The argument has to point to an Add Secret Request Control Block
253	* which is an encrypted and cryptographically verified request that
254	* inserts a protected guest's secrets into the Ultravisor for later
255	* use.
256	*
257	* If the Add Secret UV facility is not present, UV will return
258	* invalid command rc. This won't be fenced in the driver and does not
259	* result in a negative return value.
260	*
261	* Context: might sleep
262	*
263	* Return: 0 on success or a negative error code on error.
264	*/
265	static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
266	{
267	void __user user_buf_arg = (void* __user *)uv_ioctl->argument_addr;
268	struct uv_cb_guest_addr uvcb = {
269	.header.len = sizeof(uvcb),
270	.header.cmd = UVC_CMD_ADD_SECRET,
271	};
272	void *asrcb = NULL;
273	int ret;
274
275	if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
276	return -EINVAL;
277	if (uv_ioctl->argument_len == `0`)
278	return -EINVAL;
279
280	asrcb = kvzalloc(size: uv_ioctl->argument_len, GFP_KERNEL);
281	if (!asrcb)
282	return -ENOMEM;
283
284	ret = -EFAULT;
285	if (copy_from_user(to: asrcb, from: user_buf_arg, n: uv_ioctl->argument_len))
286	goto out;
287
288	ret = `0`;
289	uvcb.addr = (u64)asrcb;
290	uv_call_sched(`0`, (u64)&uvcb);
291	uv_ioctl->uv_rc = uvcb.header.rc;
292	uv_ioctl->uv_rrc = uvcb.header.rrc;
293
294	out:
295	kvfree(addr: asrcb);
296	return ret;
297	}
298
299	/* uvio_list_secrets() - perform a List Secret UVC*
300	* @uv_ioctl: ioctl control block
301	*
302	* uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
303	* that the given userspace argument address is valid and its size is sane.
304	* Every other check is made by the Ultravisor (UV) and won't result in a
305	* negative return value. It builds the request, performs the UV-call, and
306	* copies the result to userspace.
307	*
308	* The argument specifies the location for the result of the UV-Call.
309	*
310	* If the List Secrets UV facility is not present, UV will return invalid
311	* command rc. This won't be fenced in the driver and does not result in a
312	* negative return value.
313	*
314	* Context: might sleep
315	*
316	* Return: 0 on success or a negative error code on error.
317	*/
318	static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
319	{
320	void __user user_buf_arg = (void* __user *)uv_ioctl->argument_addr;
321	struct uv_cb_guest_addr uvcb = {
322	.header.len = sizeof(uvcb),
323	.header.cmd = UVC_CMD_LIST_SECRETS,
324	};
325	void *secrets = NULL;
326	int ret = `0`;
327
328	if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN)
329	return -EINVAL;
330
331	secrets = kvzalloc(size: UVIO_LIST_SECRETS_LEN, GFP_KERNEL);
332	if (!secrets)
333	return -ENOMEM;
334
335	uvcb.addr = (u64)secrets;
336	uv_call_sched(`0`, (u64)&uvcb);
337	uv_ioctl->uv_rc = uvcb.header.rc;
338	uv_ioctl->uv_rrc = uvcb.header.rrc;
339
340	if (copy_to_user(to: user_buf_arg, from: secrets, n: UVIO_LIST_SECRETS_LEN))
341	ret = -EFAULT;
342
343	kvfree(addr: secrets);
344	return ret;
345	}
346
347	/* uvio_lock_secrets() - perform a Lock Secret Store UVC*
348	* @uv_ioctl: ioctl control block
349	*
350	* uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
351	* performs the UV-call and copies the return codes to the ioctl control block.
352	* After this call was dispatched successfully every following Add Secret UVC
353	* and Lock Secrets UVC will fail with return code 0x102.
354	*
355	* The argument address and size must be 0.
356	*
357	* If the Lock Secrets UV facility is not present, UV will return invalid
358	* command rc. This won't be fenced in the driver and does not result in a
359	* negative return value.
360	*
361	* Context: might sleep
362	*
363	* Return: 0 on success or a negative error code on error.
364	*/
365	static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
366	{
367	struct uv_cb_nodata uvcb = {
368	.header.len = sizeof(uvcb),
369	.header.cmd = UVC_CMD_LOCK_SECRETS,
370	};
371
372	if (ioctl->argument_addr \|\| ioctl->argument_len)
373	return -EINVAL;
374
375	uv_call(`0`, (u64)&uvcb);
376	ioctl->uv_rc = uvcb.header.rc;
377	ioctl->uv_rrc = uvcb.header.rrc;
378
379	return `0`;
380	}
381
382	static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb ioctl, void* __user *argp,
383	unsigned long cmd)
384	{
385	u8 nr = _IOC_NR(cmd);
386
387	if (_IOC_DIR(cmd) != (_IOC_READ \| _IOC_WRITE))
388	return -ENOIOCTLCMD;
389	if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
390	return -ENOIOCTLCMD;
391	if (nr >= UVIO_IOCTL_NUM_IOCTLS)
392	return -ENOIOCTLCMD;
393	if (_IOC_SIZE(cmd) != sizeof(*ioctl))
394	return -ENOIOCTLCMD;
395	if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
396	return -EFAULT;
397	if (ioctl->flags != `0`)
398	return -EINVAL;
399	if (memchr_inv(ioctl->reserved14, `0`, sizeof(ioctl->reserved14)))
400	return -EINVAL;
401
402	return nr;
403	}
404
405	/*
406	* IOCTL entry point for the Ultravisor device.
407	*/
408	static long uvio_ioctl(struct file filp, unsigned* int cmd, unsigned long arg)
409	{
410	void __user argp = (void* __user *)arg;
411	struct uvio_ioctl_cb uv_ioctl = { };
412	long ret;
413	int nr;
414
415	nr = uvio_copy_and_check_ioctl(ioctl: &uv_ioctl, argp, cmd);
416	if (nr < `0`)
417	return nr;
418
419	switch (nr) {
420	case UVIO_IOCTL_UVDEV_INFO_NR:
421	ret = uvio_uvdev_info(uv_ioctl: &uv_ioctl);
422	break;
423	case UVIO_IOCTL_ATT_NR:
424	ret = uvio_attestation(uv_ioctl: &uv_ioctl);
425	break;
426	case UVIO_IOCTL_ADD_SECRET_NR:
427	ret = uvio_add_secret(uv_ioctl: &uv_ioctl);
428	break;
429	case UVIO_IOCTL_LIST_SECRETS_NR:
430	ret = uvio_list_secrets(uv_ioctl: &uv_ioctl);
431	break;
432	case UVIO_IOCTL_LOCK_SECRETS_NR:
433	ret = uvio_lock_secrets(ioctl: &uv_ioctl);
434	break;
435	default:
436	ret = -ENOIOCTLCMD;
437	break;
438	}
439	if (ret)
440	return ret;
441
442	if (copy_to_user(to: argp, from: &uv_ioctl, n: sizeof(uv_ioctl)))
443	ret = -EFAULT;
444
445	return ret;
446	}
447
448	static const struct file_operations uvio_dev_fops = {
449	.owner = THIS_MODULE,
450	.unlocked_ioctl = uvio_ioctl,
451	.llseek = no_llseek,
452	};
453
454	static struct miscdevice uvio_dev_miscdev = {
455	.minor = MISC_DYNAMIC_MINOR,
456	.name = UVIO_DEVICE_NAME,
457	.fops = &uvio_dev_fops,
458	};
459
460	static void __exit uvio_dev_exit(void)
461	{
462	misc_deregister(misc: &uvio_dev_miscdev);
463	}
464
465	static int __init uvio_dev_init(void)
466	{
467	set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
468	return misc_register(misc: &uvio_dev_miscdev);
469	}
470
471	module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
472	module_exit(uvio_dev_exit);
473
474	MODULE_AUTHOR("IBM Corporation");
475	MODULE_LICENSE("GPL");
476	MODULE_DESCRIPTION("Ultravisor UAPI driver");
477

source code of linux/drivers/s390/char/uvdevice.c