/*
 * AMD Secure Encrypted Virtualization (SEV) driver interface
 *
 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
 *
 * Author: Brijesh Singh <brijesh.singh@amd.com>
 *
 * SEV spec 0.14 is available at:
 * http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#ifndef __PSP_SEV_H__
#define __PSP_SEV_H__

#include <uapi/linux/psp-sev.h>

/*
 * __psp_pa(x): physical-address helper for PSP use. On x86 it expands to
 * __sme_pa() and <linux/mem_encrypt.h> is included for it; every other
 * architecture falls back to plain __pa().
 */
#ifdef CONFIG_X86
#include <linux/mem_encrypt.h>

#define __psp_pa(x)	__sme_pa(x)
#else
#define __psp_pa(x)	__pa(x)
#endif

/*
 * Size limit for SEV firmware blobs. Nothing in this header uses it.
 * NOTE(review): presumably the bound for lengths that accompany blob
 * addresses (e.g. the len passed to psp_copy_user_blob()) - confirm that
 * every caller checks a user-supplied length against it before copying.
 */
#define SEV_FW_BLOB_MAX_SIZE	0x4000	/* 16KB */

/**
 * SEV platform state
 *
 * SEV_STATE_MAX is the terminating enumerator: it takes the value one past
 * the last listed state (0x3).
 */
enum sev_state {
	SEV_STATE_UNINIT	= 0x0,
	SEV_STATE_INIT		= 0x1,
	SEV_STATE_WORKING	= 0x2,

	SEV_STATE_MAX
};

/**
 * SEV platform and guest management commands
 *
 * The ids are grouped by function and the groups are not contiguous
 * (0x00C-0x01F, 0x024-0x02F, 0x036-0x03F, 0x044-0x04F and 0x054-0x05F are
 * unassigned here). SEV_CMD_MAX is the terminating enumerator (0x062), so
 * "id < SEV_CMD_MAX" alone does not show that an id names a command listed
 * in this enum.
 */
enum sev_cmd {
	/* platform commands */
	SEV_CMD_INIT			= 0x001,
	SEV_CMD_SHUTDOWN		= 0x002,
	SEV_CMD_FACTORY_RESET		= 0x003,
	SEV_CMD_PLATFORM_STATUS		= 0x004,
	SEV_CMD_PEK_GEN			= 0x005,
	SEV_CMD_PEK_CSR			= 0x006,
	SEV_CMD_PEK_CERT_IMPORT		= 0x007,
	SEV_CMD_PDH_CERT_EXPORT		= 0x008,
	SEV_CMD_PDH_GEN			= 0x009,
	SEV_CMD_DF_FLUSH		= 0x00A,
	SEV_CMD_DOWNLOAD_FIRMWARE	= 0x00B,

	/* Guest commands */
	SEV_CMD_DECOMMISSION		= 0x020,
	SEV_CMD_ACTIVATE		= 0x021,
	SEV_CMD_DEACTIVATE		= 0x022,
	SEV_CMD_GUEST_STATUS		= 0x023,

	/* Guest launch commands */
	SEV_CMD_LAUNCH_START		= 0x030,
	SEV_CMD_LAUNCH_UPDATE_DATA	= 0x031,
	SEV_CMD_LAUNCH_UPDATE_VMSA	= 0x032,
	SEV_CMD_LAUNCH_MEASURE		= 0x033,
	SEV_CMD_LAUNCH_UPDATE_SECRET	= 0x034,
	SEV_CMD_LAUNCH_FINISH		= 0x035,

	/* Guest migration commands (outgoing) */
	SEV_CMD_SEND_START		= 0x040,
	SEV_CMD_SEND_UPDATE_DATA	= 0x041,
	SEV_CMD_SEND_UPDATE_VMSA	= 0x042,
	SEV_CMD_SEND_FINISH		= 0x043,

	/* Guest migration commands (incoming) */
	SEV_CMD_RECEIVE_START		= 0x050,
	SEV_CMD_RECEIVE_UPDATE_DATA	= 0x051,
	SEV_CMD_RECEIVE_UPDATE_VMSA	= 0x052,
	SEV_CMD_RECEIVE_FINISH		= 0x053,

	/* Guest debug commands */
	SEV_CMD_DBG_DECRYPT		= 0x060,
	SEV_CMD_DBG_ENCRYPT		= 0x061,

	SEV_CMD_MAX,
};

/**
 * struct sev_data_init - INIT command parameters
 *
 * @flags: processing flags
 * @reserved: reserved field, marked as input
 * @tmr_address: system physical address used for SEV-ES
 * @tmr_len: len of the region at tmr_address
 *
 * The struct is __packed, so the members sit at fixed byte offsets with no
 * compiler padding.
 */
struct sev_data_init {
	u32 flags;			/* In */
	u32 reserved;			/* In */
	u64 tmr_address;		/* In */
	u32 tmr_len;			/* In */
} __packed;

/**
 * struct sev_data_pek_csr - PEK_CSR command parameters
 *
 * @address: PEK certificate chain
 * @len: len of certificate; marked In/Out, so the value may differ after the
 *       command from the one passed in
 */
struct sev_data_pek_csr {
	u64 address;			/* In */
	u32 len;			/* In/Out */
} __packed;

/**
 * struct sev_data_pek_cert_import - PEK_CERT_IMPORT command parameters
 *
 * @pek_cert_address: PEK certificate chain
 * @pek_cert_len: len of PEK certificate
 * @reserved: reserved field, marked as input
 * @oca_cert_address: OCA certificate chain
 * @oca_cert_len: len of OCA certificate
 */
struct sev_data_pek_cert_import {
	u64 pek_cert_address;		/* In */
	u32 pek_cert_len;		/* In */
	u32 reserved;			/* In */
	u64 oca_cert_address;		/* In */
	u32 oca_cert_len;		/* In */
} __packed;

/**
 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters
 *
 * @address: physical address of firmware image
 * @len: len of the firmware image
 */
struct sev_data_download_firmware {
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
 *
 * @pdh_cert_address: PDH certificate address
 * @pdh_cert_len: len of PDH certificate (In/Out)
 * @reserved: reserved field, marked as input
 * @cert_chain_address: PDH certificate chain
 * @cert_chain_len: len of PDH certificate chain (In/Out)
 */
struct sev_data_pdh_cert_export {
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In/Out */
	u32 reserved;			/* In */
	u64 cert_chain_address;		/* In */
	u32 cert_chain_len;		/* In/Out */
} __packed;

/**
 * struct sev_data_decommission - DECOMMISSION command parameters
 *
 * @handle: handle of the VM to decommission
 */
struct sev_data_decommission {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_activate - ACTIVATE command parameters
 *
 * @handle: handle of the VM to activate
 * @asid: asid assigned to the VM
 */
struct sev_data_activate {
	u32 handle;			/* In */
	u32 asid;			/* In */
} __packed;

/**
 * struct sev_data_deactivate - DEACTIVATE command parameters
 *
 * @handle: handle of the VM to deactivate
 */
struct sev_data_deactivate {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters
 *
 * @handle: handle of the VM to retrieve status
 * @policy: policy information for the VM
 * @asid: current ASID of the VM
 * @state: current state of the VM
 *
 * Only @handle is an input; the other three members are marked Out.
 */
struct sev_data_guest_status {
	u32 handle;			/* In */
	u32 policy;			/* Out */
	u32 asid;			/* Out */
	u8 state;			/* Out */
} __packed;

/**
 * struct sev_data_launch_start - LAUNCH_START command parameters
 *
 * @handle: handle assigned to the VM (In/Out)
 * @policy: guest launch policy
 * @dh_cert_address: physical address of DH certificate blob
 * @dh_cert_len: len of DH certificate blob
 * @reserved: reserved field, marked as input
 * @session_address: physical address of session parameters
 * @session_len: len of session parameters
 */
struct sev_data_launch_start {
	u32 handle;			/* In/Out */
	u32 policy;			/* In */
	u64 dh_cert_address;		/* In */
	u32 dh_cert_len;		/* In */
	u32 reserved;			/* In */
	u64 session_address;		/* In */
	u32 session_len;		/* In */
} __packed;

/**
 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter
 *
 * @handle: handle of the VM to update
 * @reserved: reserved field between @handle and @address
 * @address: physical address of memory region to encrypt
 * @len: len of memory to be encrypted
 */
struct sev_data_launch_update_data {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command
 *
 * @handle: handle of the VM
 * @reserved: reserved field between @handle and @address
 * @address: physical address of memory region to encrypt
 * @len: len of memory region to encrypt
 */
struct sev_data_launch_update_vmsa {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters
 *
 * @handle: handle of the VM to process
 * @reserved: reserved field between @handle and @address
 * @address: physical address containing the measurement blob
 * @len: len of measurement blob (In/Out)
 */
struct sev_data_launch_measure {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In/Out */
} __packed;

/**
 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters
 *
 * NOTE(review): enum sev_cmd has no LAUNCH_SECRET entry; this is presumably
 * the buffer for SEV_CMD_LAUNCH_UPDATE_SECRET - confirm.
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address containing the packet header
 * @hdr_len: len of packet header
 * @guest_address: system physical address of guest memory region
 * @guest_len: len of the guest memory region at guest_address
 * @trans_address: physical address of transport memory buffer
 * @trans_len: len of transport memory buffer
 *
 * reserved1..reserved3 follow each 32-bit member that precedes a 64-bit
 * address.
 */
struct sev_data_launch_secret {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters
 *
 * @handle: handle of the VM to process
 */
struct sev_data_launch_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_send_start - SEND_START command parameters
 *
 * @handle: handle of the VM to process
 * @policy: policy information for the VM (Out)
 * @pdh_cert_address: physical address containing PDH certificate
 * @pdh_cert_len: len of PDH certificate
 * @plat_cert_address: physical address containing platform certificate
 * @plat_cert_len: len of platform certificate
 * @amd_cert_address: physical address containing AMD certificate
 * @amd_cert_len: len of AMD certificate
 * @session_address: physical address containing Session data
 * @session_len: len of session data (In/Out)
 */
struct sev_data_send_start {
	u32 handle;			/* In */
	u32 policy;			/* Out */
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In */
	u32 reserved1;
	u64 plat_cert_address;		/* In */
	u32 plat_cert_len;		/* In */
	u32 reserved2;
	u64 amd_cert_address;		/* In */
	u32 amd_cert_len;		/* In */
	u32 reserved3;
	u64 session_address;		/* In */
	u32 session_len;		/* In/Out */
} __packed;

/**
 * struct sev_data_send_update_data - SEND_UPDATE_DATA command
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address containing packet header
 * @hdr_len: len of packet header (In/Out)
 * @guest_address: physical address of guest memory region to send
 * @guest_len: len of guest memory region to send
 * @trans_address: physical address of host memory region
 * @trans_len: len of host memory region
 */
struct sev_data_send_update_data {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In/Out */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_send_update_vmsa - SEND_UPDATE_VMSA command
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address containing packet header
 * @hdr_len: len of packet header (In/Out)
 * @guest_address: physical address of guest memory region to send
 * @guest_len: len of guest memory region to send
 * @trans_address: physical address of host memory region
 * @trans_len: len of host memory region
 *
 * NOTE(review): unlike struct sev_data_send_update_data, there is no
 * reserved1 member between @handle and @hdr_address, although reserved2 and
 * reserved3 are present. Because the struct is __packed, @hdr_address sits
 * at byte offset 4 rather than 8 and every later member is 4 bytes earlier
 * than in the sibling struct. Confirm the layout against the SEV API spec
 * before issuing SEV_CMD_SEND_UPDATE_VMSA with this buffer; a mismatch would
 * make the firmware read addresses and lengths from the wrong offsets.
 */
struct sev_data_send_update_vmsa {
	u32 handle;			/* In */
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In/Out */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_send_finish - SEND_FINISH command parameters
 *
 * @handle: handle of the VM to process
 */
struct sev_data_send_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_receive_start - RECEIVE_START command parameters
 *
 * @handle: handle of the VM to perform receive operation (In/Out)
 * @policy: policy value passed in with the command
 * @pdh_cert_address: system physical address containing PDH certificate blob
 * @pdh_cert_len: len of PDH certificate blob
 * @session_address: system physical address containing session blob
 * @session_len: len of session blob
 */
struct sev_data_receive_start {
	u32 handle;			/* In/Out */
	u32 policy;			/* In */
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In */
	u32 reserved1;
	u64 session_address;		/* In */
	u32 session_len;		/* In */
} __packed;

/**
 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters
 *
 * @handle: handle of the VM to update
 * @hdr_address: physical address containing packet header blob
 * @hdr_len: len of packet header
 * @guest_address: system physical address of guest memory region
 * @guest_len: len of guest memory region
 * @trans_address: system physical address of transport buffer
 * @trans_len: len of transport buffer
 */
struct sev_data_receive_update_data {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters
 *
 * @handle: handle of the VM to update
 * @hdr_address: physical address containing packet header blob
 * @hdr_len: len of packet header
 * @guest_address: system physical address of guest memory region
 * @guest_len: len of guest memory region
 * @trans_address: system physical address of transport buffer
 * @trans_len: len of transport buffer
 */
struct sev_data_receive_update_vmsa {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters
 *
 * @handle: handle of the VM to finish
 */
struct sev_data_receive_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
 *
 * One layout serves both debug commands.
 *
 * @handle: handle of the VM to perform debug operation
 * @reserved: reserved field between @handle and @src_addr
 * @src_addr: source address of data to operate on
 * @dst_addr: destination address of data to operate on
 * @len: len of data to operate on
 */
struct sev_data_dbg {
	u32 handle;			/* In */
	u32 reserved;
	u64 src_addr;			/* In */
	u64 dst_addr;			/* In */
	u32 len;			/* In */
} __packed;

#ifdef CONFIG_CRYPTO_DEV_SP_PSP

/**
 * sev_platform_init - perform SEV INIT command
 *
 * @error: SEV command return code
 *
 * The stub used when CONFIG_CRYPTO_DEV_SP_PSP is not set returns -ENODEV
 * without writing *@error, so callers should not read *@error on that path.
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the SEV does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_platform_init(int *error);

/**
 * sev_platform_status - perform SEV PLATFORM_STATUS command
 *
 * @status: sev_user_data_status structure to be processed
 * @error: SEV command return code
 *
 * The stub used when CONFIG_CRYPTO_DEV_SP_PSP is not set returns -ENODEV
 * without writing @status or *@error.
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the SEV does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_platform_status(struct sev_user_data_status *status, int *error);

/**
 * sev_issue_cmd_external_user - issue SEV command by other driver with a file
 * handle.
 *
 * This function can be used by other drivers to issue a SEV command on
 * behalf of userspace. The caller must pass a valid SEV file descriptor
 * so that we know that it has access to SEV device.
 *
 * @filep: SEV device file pointer
 * @id: command to issue
 * @data: command buffer
 * @error: SEV command return code
 *
 * NOTE(review): @data is untyped and nothing in this declaration ties its
 * layout or size to @id; presumably the caller must pass the sev_data_*
 * structure that belongs to @id - confirm what the implementation checks.
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the SEV does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 * -%EINVAL if the SEV file descriptor is not valid
 */
int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
				void *data, int *error);

/**
 * sev_guest_deactivate - perform SEV DEACTIVATE command
 *
 * @data: sev_data_deactivate structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV if the sev device is not available
 * -%ENOTSUPP if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO if the sev returned a non-zero return code
 */
int sev_guest_deactivate(struct sev_data_deactivate *data, int *error);

/**
 * sev_guest_activate - perform SEV ACTIVATE command
 *
 * @data: sev_data_activate structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV if the sev device is not available
 * -%ENOTSUPP if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO if the sev returned a non-zero return code
 */
int sev_guest_activate(struct sev_data_activate *data, int *error);

/**
 * sev_guest_df_flush - perform SEV DF_FLUSH command
 *
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV if the sev device is not available
 * -%ENOTSUPP if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO if the sev returned a non-zero return code
 */
int sev_guest_df_flush(int *error);

/**
 * sev_guest_decommission - perform SEV DECOMMISSION command
 *
 * @data: sev_data_decommission structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV if the sev device is not available
 * -%ENOTSUPP if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO if the sev returned a non-zero return code
 */
int sev_guest_decommission(struct sev_data_decommission *data, int *error);

/*
 * psp_copy_user_blob() carries no documentation in this header.
 * NOTE(review): judging by its name and signature it presumably copies @len
 * bytes from the user address @uaddr into a kernel buffer - confirm in the
 * implementation, including how @len is bounded and who frees the result.
 * The stub for !CONFIG_CRYPTO_DEV_SP_PSP returns ERR_PTR(-EINVAL), so the
 * result has to be tested with IS_ERR() rather than against NULL.
 * NOTE(review): __user qualifies a u64 value here, not a pointer - confirm
 * that the annotation is intended.
 */
void *psp_copy_user_blob(u64 __user uaddr, u32 len);

#else	/* !CONFIG_CRYPTO_DEV_SP_PSP */

/*
 * sev_platform_status() when CONFIG_CRYPTO_DEV_SP_PSP is off: always fails
 * with -ENODEV and leaves @status and *@error untouched.
 */
static inline int sev_platform_status(struct sev_user_data_status *status,
				      int *error)
{
	return -ENODEV;
}

/*
 * sev_platform_init() when CONFIG_CRYPTO_DEV_SP_PSP is off: always fails
 * with -ENODEV and does not write *@error.
 */
static inline int sev_platform_init(int *error)
{
	return -ENODEV;
}

/*
 * sev_guest_deactivate() when CONFIG_CRYPTO_DEV_SP_PSP is off: always fails
 * with -ENODEV; @data is not read and *@error is not written.
 */
static inline int sev_guest_deactivate(struct sev_data_deactivate *data,
				       int *error)
{
	return -ENODEV;
}

/*
 * sev_guest_decommission() when CONFIG_CRYPTO_DEV_SP_PSP is off: always
 * fails with -ENODEV; @data is not read and *@error is not written.
 */
static inline int sev_guest_decommission(struct sev_data_decommission *data,
					 int *error)
{
	return -ENODEV;
}

/*
 * sev_guest_activate() when CONFIG_CRYPTO_DEV_SP_PSP is off: always fails
 * with -ENODEV; @data is not read and *@error is not written.
 */
static inline int sev_guest_activate(struct sev_data_activate *data,
				     int *error)
{
	return -ENODEV;
}

/*
 * sev_guest_df_flush() when CONFIG_CRYPTO_DEV_SP_PSP is off: always fails
 * with -ENODEV and does not write *@error.
 */
static inline int sev_guest_df_flush(int *error)
{
	return -ENODEV;
}

/*
 * sev_issue_cmd_external_user() when CONFIG_CRYPTO_DEV_SP_PSP is off: no
 * command is issued; the call fails with -ENODEV whatever @filep, @id and
 * @data are, and *@error is not written.
 */
static inline int sev_issue_cmd_external_user(struct file *filep,
					      unsigned int id, void *data,
					      int *error)
{
	return -ENODEV;
}

/*
 * psp_copy_user_blob() when CONFIG_CRYPTO_DEV_SP_PSP is off: nothing is
 * copied; the caller gets ERR_PTR(-EINVAL), never NULL.
 */
static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len)
{
	return ERR_PTR(-EINVAL);
}

#endif	/* CONFIG_CRYPTO_DEV_SP_PSP */

#endif	/* __PSP_SEV_H__ */