1 | /* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ |
2 | /* |
3 | * Userspace interface for AMD Secure Encrypted Virtualization (SEV) |
4 | * platform management commands. |
5 | * |
6 | * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. |
7 | * |
8 | * Author: Brijesh Singh <brijesh.singh@amd.com> |
9 | * |
10 | * SEV API specification is available at: https://developer.amd.com/sev/ |
11 | */ |
12 | |
13 | #ifndef __PSP_SEV_USER_H__ |
14 | #define __PSP_SEV_USER_H__ |
15 | |
16 | #include <linux/types.h> |
17 | |
18 | /** |
19 | * SEV platform commands |
20 | */ |
21 | enum { |
22 | SEV_FACTORY_RESET = 0, |
23 | SEV_PLATFORM_STATUS, |
24 | SEV_PEK_GEN, |
25 | SEV_PEK_CSR, |
26 | SEV_PDH_GEN, |
27 | SEV_PDH_CERT_EXPORT, |
28 | SEV_PEK_CERT_IMPORT, |
29 | SEV_GET_ID, /* This command is deprecated, use SEV_GET_ID2 */ |
30 | SEV_GET_ID2, |
31 | |
32 | SEV_MAX, |
33 | }; |
34 | |
35 | /** |
36 | * SEV Firmware status code |
37 | */ |
38 | typedef enum { |
39 | /* |
40 | * This error code is not in the SEV spec. Its purpose is to convey that |
41 | * there was an error that prevented the SEV firmware from being called. |
42 | * The SEV API error codes are 16 bits, so the -1 value will not overlap |
43 | * with possible values from the specification. |
44 | */ |
45 | SEV_RET_NO_FW_CALL = -1, |
46 | SEV_RET_SUCCESS = 0, |
47 | SEV_RET_INVALID_PLATFORM_STATE, |
48 | SEV_RET_INVALID_GUEST_STATE, |
49 | SEV_RET_INAVLID_CONFIG, |
50 | SEV_RET_INVALID_LEN, |
51 | SEV_RET_ALREADY_OWNED, |
52 | SEV_RET_INVALID_CERTIFICATE, |
53 | SEV_RET_POLICY_FAILURE, |
54 | SEV_RET_INACTIVE, |
55 | SEV_RET_INVALID_ADDRESS, |
56 | SEV_RET_BAD_SIGNATURE, |
57 | SEV_RET_BAD_MEASUREMENT, |
58 | SEV_RET_ASID_OWNED, |
59 | SEV_RET_INVALID_ASID, |
60 | SEV_RET_WBINVD_REQUIRED, |
61 | SEV_RET_DFFLUSH_REQUIRED, |
62 | SEV_RET_INVALID_GUEST, |
63 | SEV_RET_INVALID_COMMAND, |
64 | SEV_RET_ACTIVE, |
65 | SEV_RET_HWSEV_RET_PLATFORM, |
66 | SEV_RET_HWSEV_RET_UNSAFE, |
67 | SEV_RET_UNSUPPORTED, |
68 | SEV_RET_INVALID_PARAM, |
69 | SEV_RET_RESOURCE_LIMIT, |
70 | SEV_RET_SECURE_DATA_INVALID, |
71 | SEV_RET_INVALID_KEY = 0x27, |
72 | SEV_RET_MAX, |
73 | } sev_ret_code; |
74 | |
75 | /** |
76 | * struct sev_user_data_status - PLATFORM_STATUS command parameters |
77 | * |
78 | * @major: major API version |
79 | * @minor: minor API version |
80 | * @state: platform state |
81 | * @flags: platform config flags |
82 | * @build: firmware build id for API version |
83 | * @guest_count: number of active guests |
84 | */ |
85 | struct sev_user_data_status { |
86 | __u8 api_major; /* Out */ |
87 | __u8 api_minor; /* Out */ |
88 | __u8 state; /* Out */ |
89 | __u32 flags; /* Out */ |
90 | __u8 build; /* Out */ |
91 | __u32 guest_count; /* Out */ |
92 | } __packed; |
93 | |
94 | #define SEV_STATUS_FLAGS_CONFIG_ES 0x0100 |
95 | |
96 | /** |
97 | * struct sev_user_data_pek_csr - PEK_CSR command parameters |
98 | * |
99 | * @address: PEK certificate chain |
100 | * @length: length of certificate |
101 | */ |
102 | struct sev_user_data_pek_csr { |
103 | __u64 address; /* In */ |
104 | __u32 length; /* In/Out */ |
105 | } __packed; |
106 | |
107 | /** |
108 | * struct sev_user_data_cert_import - PEK_CERT_IMPORT command parameters |
109 | * |
110 | * @pek_address: PEK certificate chain |
111 | * @pek_len: length of PEK certificate |
112 | * @oca_address: OCA certificate chain |
113 | * @oca_len: length of OCA certificate |
114 | */ |
115 | struct sev_user_data_pek_cert_import { |
116 | __u64 pek_cert_address; /* In */ |
117 | __u32 pek_cert_len; /* In */ |
118 | __u64 oca_cert_address; /* In */ |
119 | __u32 oca_cert_len; /* In */ |
120 | } __packed; |
121 | |
122 | /** |
123 | * struct sev_user_data_pdh_cert_export - PDH_CERT_EXPORT command parameters |
124 | * |
125 | * @pdh_address: PDH certificate address |
126 | * @pdh_len: length of PDH certificate |
127 | * @cert_chain_address: PDH certificate chain |
128 | * @cert_chain_len: length of PDH certificate chain |
129 | */ |
130 | struct sev_user_data_pdh_cert_export { |
131 | __u64 pdh_cert_address; /* In */ |
132 | __u32 pdh_cert_len; /* In/Out */ |
133 | __u64 cert_chain_address; /* In */ |
134 | __u32 cert_chain_len; /* In/Out */ |
135 | } __packed; |
136 | |
137 | /** |
138 | * struct sev_user_data_get_id - GET_ID command parameters (deprecated) |
139 | * |
140 | * @socket1: Buffer to pass unique ID of first socket |
141 | * @socket2: Buffer to pass unique ID of second socket |
142 | */ |
143 | struct sev_user_data_get_id { |
144 | __u8 socket1[64]; /* Out */ |
145 | __u8 socket2[64]; /* Out */ |
146 | } __packed; |
147 | |
148 | /** |
149 | * struct sev_user_data_get_id2 - GET_ID command parameters |
150 | * @address: Buffer to store unique ID |
151 | * @length: length of the unique ID |
152 | */ |
153 | struct sev_user_data_get_id2 { |
154 | __u64 address; /* In */ |
155 | __u32 length; /* In/Out */ |
156 | } __packed; |
157 | |
158 | /** |
159 | * struct sev_issue_cmd - SEV ioctl parameters |
160 | * |
161 | * @cmd: SEV commands to execute |
162 | * @opaque: pointer to the command structure |
163 | * @error: SEV FW return code on failure |
164 | */ |
165 | struct sev_issue_cmd { |
166 | __u32 cmd; /* In */ |
167 | __u64 data; /* In */ |
168 | __u32 error; /* Out */ |
169 | } __packed; |
170 | |
171 | #define SEV_IOC_TYPE 'S' |
172 | #define SEV_ISSUE_CMD _IOWR(SEV_IOC_TYPE, 0x0, struct sev_issue_cmd) |
173 | |
174 | #endif /* __PSP_USER_SEV_H */ |
175 | |