1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * TDX guest user interface driver |
4 | * |
5 | * Copyright (C) 2022 Intel Corporation |
6 | */ |
7 | |
8 | #include <linux/kernel.h> |
9 | #include <linux/miscdevice.h> |
10 | #include <linux/mm.h> |
11 | #include <linux/module.h> |
12 | #include <linux/mod_devicetable.h> |
13 | #include <linux/string.h> |
14 | #include <linux/uaccess.h> |
15 | #include <linux/set_memory.h> |
16 | #include <linux/io.h> |
17 | #include <linux/delay.h> |
18 | #include <linux/tsm.h> |
19 | #include <linux/sizes.h> |
20 | |
21 | #include <uapi/linux/tdx-guest.h> |
22 | |
23 | #include <asm/cpu_device_id.h> |
24 | #include <asm/tdx.h> |
25 | |
/*
 * Intel's SGX QE implementation generally uses Quote size less
 * than 8K (2K Quote data + ~5K of certificate blob).
 *
 * This is the size of the whole Quote buffer: the struct tdx_quote_buf
 * header sits at its start, so the room left for Quote data is smaller
 * than GET_QUOTE_BUF_SIZE by the size of that header.
 */
#define GET_QUOTE_BUF_SIZE		SZ_8K

/* Value stored in the version field of every Quote request header */
#define GET_QUOTE_CMD_VER		1

/*
 * TDX GetQuote status codes. While the status field reads
 * GET_QUOTE_IN_FLIGHT the Quote buffer is owned by the VMM and must not
 * be reused for a new request.
 */
#define GET_QUOTE_SUCCESS		0
#define GET_QUOTE_IN_FLIGHT		0xffffffffffffffff
37 | |
/* struct tdx_quote_buf: Format of Quote request buffer.
 * @version: Quote format version, filled by TD.
 * @status: Status code of Quote request, filled by VMM.
 * @in_len: Length of TDREPORT, filled by TD.
 * @out_len: Length of Quote data, filled by VMM.
 * @data: Quote data on output or TDREPORT on input.
 *
 * More details of Quote request buffer can be found in TDX
 * Guest-Host Communication Interface (GHCI) for Intel TDX 1.0,
 * section titled "TDG.VP.VMCALL<GetQuote>"
 *
 * In this driver the structure is overlaid on the buffer returned by
 * alloc_quote_buf(), which converts the pages with set_memory_decrypted().
 * @status, @out_len and @data are therefore written by the VMM and should
 * be treated as untrusted input: validate them before use and avoid
 * reading the same field twice when making a decision.
 */
struct tdx_quote_buf {
	u64 version;
	u64 status;
	u32 in_len;
	u32 out_len;
	u8 data[];
};
56 | |
/*
 * Quote data buffer. Assigned once in tdx_guest_init() from
 * alloc_quote_buf() and reused for every Quote request.
 */
static void *quote_data;

/* Lock to streamline quote requests: only one request uses quote_data at a time */
static DEFINE_MUTEX(quote_lock);

/*
 * GetQuote request timeout in seconds. Expect that 30 seconds
 * is enough time for QE to respond to any Quote requests.
 */
static u32 getquote_timeout = 30;
68 | |
/*
 * tdx_get_report0() - Service the TDX_CMD_GET_REPORT0 ioctl
 * @req: User pointer to the request structure.
 *
 * Copies TDX_REPORTDATA_LEN bytes of caller-chosen report data from
 * @req->reportdata, asks the TDX module for a TDREPORT0 bound to that data
 * and copies the TDX_REPORT_LEN byte result back to @req->tdreport.
 *
 * Return: 0 on success, -ENOMEM if a bounce buffer cannot be allocated,
 * -EFAULT if either user copy fails, otherwise the error returned by
 * tdx_mcall_get_report0().
 */
static long tdx_get_report0(struct tdx_report_req __user *req)
{
	u8 *in_data;
	u8 *out_report;
	long rc;

	in_data = kmalloc(TDX_REPORTDATA_LEN, GFP_KERNEL);
	if (!in_data)
		return -ENOMEM;

	/*
	 * Zero-allocated; presumably so that no stale heap bytes can reach
	 * user space if the TDCALL leaves part of the buffer untouched.
	 */
	out_report = kzalloc(TDX_REPORT_LEN, GFP_KERNEL);
	if (!out_report) {
		kfree(in_data);
		return -ENOMEM;
	}

	if (copy_from_user(in_data, req->reportdata, TDX_REPORTDATA_LEN)) {
		rc = -EFAULT;
	} else {
		/* Generate TDREPORT0 using "TDG.MR.REPORT" TDCALL */
		rc = tdx_mcall_get_report0(in_data, out_report);
		if (!rc && copy_to_user(req->tdreport, out_report, TDX_REPORT_LEN))
			rc = -EFAULT;
	}

	kfree(in_data);
	kfree(out_report);

	return rc;
}
103 | |
/*
 * free_quote_buf() - Release a buffer obtained from alloc_quote_buf()
 * @buf: Address of the Quote buffer.
 *
 * The pages are converted back with set_memory_encrypted() before they are
 * handed to the page allocator. If that conversion fails the buffer is
 * deliberately leaked rather than freed.
 */
static void free_quote_buf(void *buf)
{
	const size_t size = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
	const unsigned int nr_pages = size >> PAGE_SHIFT;

	if (!set_memory_encrypted((unsigned long)buf, nr_pages)) {
		free_pages_exact(buf, size);
		return;
	}

	pr_err("Failed to restore encryption mask for Quote buffer, leak it\n");
}
116 | |
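/*
 * alloc_quote_buf() - Allocate the Quote buffer that is shared with the VMM
 *
 * Allocates PAGE_ALIGN(GET_QUOTE_BUF_SIZE) bytes of zeroed pages and converts
 * them with set_memory_decrypted() so that the VMM can read the request and
 * write the Quote.
 *
 * Return: Address of the buffer, or NULL on failure.
 */
static void *alloc_quote_buf(void)
{
	size_t len = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
	unsigned int count = len >> PAGE_SHIFT;
	void *addr;

	addr = alloc_pages_exact(len, GFP_KERNEL | __GFP_ZERO);
	if (!addr)
		return NULL;

	/*
	 * A failed conversion may leave some or all of the pages in a shared
	 * (host-accessible) state. Handing such pages back to the page
	 * allocator would let them be reused as ordinary private memory, so
	 * leak them instead, the same way free_quote_buf() does when the
	 * reverse conversion fails.
	 */
	if (set_memory_decrypted((unsigned long)addr, count)) {
		pr_err("Failed to share Quote buffer with the host, leak it\n");
		return NULL;
	}

	return addr;
}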
134 | |
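/*
 * wait_for_quote_completion() - Wait for Quote request completion
 * @quote_buf: Address of Quote buffer.
 * @timeout: Timeout in seconds to wait for the Quote generation.
 *
 * As per TDX GHCI v1.0 specification, sec titled "TDG.VP.VMCALL<GetQuote>",
 * the status field in the Quote buffer will be set to GET_QUOTE_IN_FLIGHT
 * while VMM processes the GetQuote request, and will change it to success
 * or error code after processing is complete. So wait till the status
 * changes from GET_QUOTE_IN_FLIGHT or the request being timed out.
 *
 * The result is decided from the status field itself, not from the loop
 * counter: a post-incremented counter ends one past @timeout when the wait
 * expires, so comparing it with @timeout would report an expired wait as
 * success and a request that completed on the last poll as a timeout.
 *
 * Return: 0 once the status is no longer GET_QUOTE_IN_FLIGHT, -ETIMEDOUT if
 * it is still in flight after @timeout one-second sleeps, -EINTR if the
 * sleep was interrupted.
 */
static int wait_for_quote_completion(struct tdx_quote_buf *quote_buf, u32 timeout)
{
	u32 elapsed = 0;

	/*
	 * Quote requests usually take a few seconds to complete, so waking up
	 * once per second to recheck the status is fine for this use case.
	 *
	 * The status field is written by the VMM, hence READ_ONCE() to force a
	 * fresh load on every poll.
	 */
	while (READ_ONCE(quote_buf->status) == GET_QUOTE_IN_FLIGHT) {
		if (elapsed++ >= timeout)
			return -ETIMEDOUT;

		if (msleep_interruptible(MSEC_PER_SEC))
			return -EINTR;
	}

	return 0;
}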
161 | |
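/*
 * tdx_report_new() - Generate a Quote for a TSM report request
 * @report: Report descriptor; @report->desc.inblob supplies the
 *          TDX_REPORTDATA_LEN bytes of report data, and on success
 *          @report->outblob / @report->outblob_len receive the Quote.
 * @data: Unused.
 *
 * Builds a TDREPORT0 from the caller's report data, places it in the Quote
 * buffer shared with the VMM, issues the GetQuote hypercall and waits for
 * the VMM to complete the request.
 *
 * Everything read back from the Quote buffer is written by the VMM. The
 * status and length fields are therefore read exactly once into locals and
 * validated before they are used.
 *
 * Return: 0 on success; -EINTR if interrupted while taking the lock; -EBUSY
 * if an earlier request still owns the buffer; -EINVAL for a wrong input
 * length; -ENOMEM on allocation failure; -EIO if the hypercall fails, the
 * VMM reports an error status or the returned length does not fit in the
 * buffer; otherwise the error from tdx_mcall_get_report0() or
 * wait_for_quote_completion().
 */
static int tdx_report_new(struct tsm_report *report, void *data)
{
	u8 *buf, *reportdata = NULL, *tdreport = NULL;
	struct tdx_quote_buf *quote_buf = quote_data;
	struct tsm_desc *desc = &report->desc;
	u32 out_len;
	u64 status;
	int ret;
	u64 err;

	/* TODO: switch to guard(mutex_intr) */
	if (mutex_lock_interruptible(&quote_lock))
		return -EINTR;

	/*
	 * If the previous request is timedout or interrupted, and the
	 * Quote buf status is still in GET_QUOTE_IN_FLIGHT (owned by
	 * VMM), don't permit any new request.
	 */
	if (READ_ONCE(quote_buf->status) == GET_QUOTE_IN_FLIGHT) {
		ret = -EBUSY;
		goto done;
	}

	if (desc->inblob_len != TDX_REPORTDATA_LEN) {
		ret = -EINVAL;
		goto done;
	}

	reportdata = kmalloc(TDX_REPORTDATA_LEN, GFP_KERNEL);
	if (!reportdata) {
		ret = -ENOMEM;
		goto done;
	}

	tdreport = kzalloc(TDX_REPORT_LEN, GFP_KERNEL);
	if (!tdreport) {
		ret = -ENOMEM;
		goto done;
	}

	memcpy(reportdata, desc->inblob, desc->inblob_len);

	/* Generate TDREPORT0 using "TDG.MR.REPORT" TDCALL */
	ret = tdx_mcall_get_report0(reportdata, tdreport);
	if (ret) {
		pr_err("GetReport call failed\n");
		goto done;
	}

	memset(quote_data, 0, GET_QUOTE_BUF_SIZE);

	/* Update Quote buffer header */
	quote_buf->version = GET_QUOTE_CMD_VER;
	quote_buf->in_len = TDX_REPORT_LEN;

	memcpy(quote_buf->data, tdreport, TDX_REPORT_LEN);

	err = tdx_hcall_get_quote(quote_data, GET_QUOTE_BUF_SIZE);
	if (err) {
		pr_err("GetQuote hypercall failed, status:%llx\n", err);
		ret = -EIO;
		goto done;
	}

	ret = wait_for_quote_completion(quote_buf, getquote_timeout);
	if (ret) {
		pr_err("GetQuote request timedout\n");
		goto done;
	}

	/*
	 * Leaving GET_QUOTE_IN_FLIGHT does not mean the Quote was generated:
	 * the VMM may have stored an error code. Only a success status makes
	 * the data area meaningful.
	 */
	status = READ_ONCE(quote_buf->status);
	if (status != GET_QUOTE_SUCCESS) {
		pr_err("GetQuote request failed, status:%llx\n", status);
		ret = -EIO;
		goto done;
	}

	/*
	 * out_len is host-controlled. Snapshot it once so the length that is
	 * validated, the length that is copied and the length that is
	 * reported to the caller are all the same value, and reject anything
	 * larger than the data area of the Quote buffer so the copy cannot
	 * read past the end of the buffer.
	 */
	out_len = READ_ONCE(quote_buf->out_len);
	if (out_len > GET_QUOTE_BUF_SIZE - sizeof(*quote_buf)) {
		pr_err("GetQuote returned invalid Quote length %u\n", out_len);
		ret = -EIO;
		goto done;
	}

	buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);
	if (!buf) {
		ret = -ENOMEM;
		goto done;
	}

	report->outblob = buf;
	report->outblob_len = out_len;

	/*
	 * TODO: parse the PEM-formatted cert chain out of the quote buffer when
	 * provided
	 */
done:
	mutex_unlock(&quote_lock);
	kfree(reportdata);
	kfree(tdreport);

	return ret;
}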
251 | |
/*
 * tdx_guest_ioctl() - ioctl entry point of the TDX guest misc device
 * @file: Open file the ioctl was issued on (unused).
 * @cmd: ioctl command number.
 * @arg: Command argument; for TDX_CMD_GET_REPORT0 a user pointer to a
 *       struct tdx_report_req.
 *
 * Return: Result of tdx_get_report0() for TDX_CMD_GET_REPORT0, -ENOTTY for
 * any other command.
 */
static long tdx_guest_ioctl(struct file *file, unsigned int cmd,
			    unsigned long arg)
{
	/* TDX_CMD_GET_REPORT0 is the only command this device implements */
	if (cmd != TDX_CMD_GET_REPORT0)
		return -ENOTTY;

	return tdx_get_report0((struct tdx_report_req __user *)arg);
}
262 | |
/* File operations of the misc device; only ioctl is implemented */
static const struct file_operations tdx_guest_fops = {
	.owner = THIS_MODULE,
	.unlocked_ioctl = tdx_guest_ioctl,
	.llseek = no_llseek,
};

/* Misc character device, named after the module, with a dynamic minor */
static struct miscdevice tdx_misc_dev = {
	.name = KBUILD_MODNAME,
	.minor = MISC_DYNAMIC_MINOR,
	.fops = &tdx_guest_fops,
};

/* CPU match table: tdx_guest_init() refuses to load without X86_FEATURE_TDX_GUEST */
static const struct x86_cpu_id tdx_guest_ids[] = {
	X86_MATCH_FEATURE(X86_FEATURE_TDX_GUEST, NULL),
	{}
};
MODULE_DEVICE_TABLE(x86cpu, tdx_guest_ids);

/* TSM report provider: Quote generation is routed to tdx_report_new() */
static const struct tsm_ops tdx_tsm_ops = {
	.name = KBUILD_MODNAME,
	.report_new = tdx_report_new,
};
285 | |
/*
 * tdx_guest_init() - Module init
 *
 * Bails out with -ENODEV unless the CPU matches tdx_guest_ids, then
 * registers the misc device, allocates the Quote buffer and registers the
 * TSM report provider. Each later failure undoes the steps that already
 * succeeded.
 *
 * Return: 0 on success, negative errno otherwise.
 */
static int __init tdx_guest_init(void)
{
	int err;

	if (!x86_match_cpu(tdx_guest_ids))
		return -ENODEV;

	err = misc_register(&tdx_misc_dev);
	if (err)
		return err;

	quote_data = alloc_quote_buf();
	if (quote_data) {
		err = tsm_register(&tdx_tsm_ops, NULL, NULL);
		if (!err)
			return 0;

		/* Provider registration failed: give the Quote buffer back */
		free_quote_buf(quote_data);
	} else {
		pr_err("Failed to allocate Quote buffer\n");
		err = -ENOMEM;
	}

	misc_deregister(&tdx_misc_dev);

	return err;
}
module_init(tdx_guest_init);
318 | |
/*
 * tdx_guest_exit() - Module exit
 *
 * The TSM provider is unregistered before the Quote buffer is released,
 * since tdx_report_new() is the user of that buffer; the misc device is
 * removed last.
 */
static void __exit tdx_guest_exit(void)
{
	tsm_unregister(&tdx_tsm_ops);
	free_quote_buf(quote_data);
	misc_deregister(&tdx_misc_dev);
}
module_exit(tdx_guest_exit);
326 | |
327 | MODULE_AUTHOR("Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>" ); |
328 | MODULE_DESCRIPTION("TDX Guest Driver" ); |
329 | MODULE_LICENSE("GPL" ); |
330 | |